VPN site to site behind PAT device

Hi ALL,

I have the below setup:

Internal hosts --> ISA server --> Edge router <<---- Internet ---->> Remote router --> remote server

Our ISA is doing PAT and hiding all the internal clients behind the IP "192.168.0.1". I need to initiate a VPN tunnel between two hosts behind the ISA, which are 10.0.0.221/32 and 10.0.0.224/32, that need to communicate with the remote server on the other side with IP 10.128.241.50/32.

I was able to get the VPN up and ping from the left side (host that resides behind the ISA) to the remote server 10.128.241.50. But the ping from the other side is not working. I know it's because we have a PAT device in front of our internal servers on the left, and to get a two-sided VPN tunnel I need to create static NAT entries on the ISA for the two servers 10.0.0.221 and 10.0.0.224, but unfortunately that's not doable in the meantime since these servers are participating in other VPN connections.

My question: Is there any workaround to be applied here without the need to create static NAT entries, keeping the ISA doing PAT as expected?

Appreciated.


VPN site to site behind PAT device

You have to enable the NAT-transparency feature so the traffic would be encapsulated in UDP 4500 (NAT-T) and overcome the PAT issue with ESP.

It must be enabled by default on both routers, so you need to check; do the following:

crypto ipsec nat-transparency udp-encapsulation

regards,

Tariq
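As an added illustration (not part of Tariq's reply, and not Cisco or ISA code), the following Python model of a PAT device shows why raw ESP cannot be carried through PAT while UDP 4500 encapsulation (NAT-T) can. It assumes the NAT sits on the path between the two IPsec peers, which is the situation NAT-T is designed for; the `Packet` and `PatDevice` names, the remote peer address and the port numbers are constructed for the example, and the two inside addresses from the post are used only as stand-ins for peers behind the PAT.

```python
"""
Toy model of a port-address-translation (PAT) device, showing why plain ESP
(IP protocol 50) breaks behind PAT while NAT-T (ESP inside UDP/4500) does not.
Illustrative code only; it does not reproduce Cisco IOS or ISA behaviour.
"""
from dataclasses import dataclass, field
from typing import Optional

PUBLIC_IP = "192.168.0.1"   # the ISA's outside address from the post


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                       # "esp" or "udp"
    src_port: Optional[int] = None   # ESP carries no transport header, so no ports
    dst_port: Optional[int] = None


@dataclass
class PatDevice:
    public_ip: str
    next_port: int = 40000           # constructed starting point for translated ports
    outbound: dict = field(default_factory=dict)   # (inside_ip, inside_port) -> public port
    inbound: dict = field(default_factory=dict)    # public port -> (inside_ip, inside_port)

    def translate_out(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an inside->outside packet. PAT needs a transport port
        to multiplex many inside hosts onto one public address."""
        if pkt.proto != "udp" or pkt.src_port is None:
            return None              # raw ESP: nothing to rewrite, no binding possible
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, pkt.dst_ip, "udp", self.outbound[key], pkt.dst_port)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an outside->inside reply by looking up the translated port."""
        if pkt.proto != "udp" or pkt.dst_port not in self.inbound:
            return None              # no binding: the reply is dropped
        inside_ip, inside_port = self.inbound[pkt.dst_port]
        return Packet(pkt.src_ip, inside_ip, "udp", pkt.src_port, inside_port)


def esp_vs_nat_t(remote_peer: str = "203.0.113.10") -> dict:
    """Send two inside peers through the PAT, first as raw ESP, then as NAT-T."""
    pat = PatDevice(PUBLIC_IP)
    peers = ["10.0.0.221", "10.0.0.224"]   # inside peers, addresses taken from the post
    results = {}

    # Raw ESP: no ports, so the PAT has nothing to map and cannot match replies
    esp_out = [pat.translate_out(Packet(p, remote_peer, "esp")) for p in peers]
    results["esp_forwarded"] = sum(pkt is not None for pkt in esp_out)

    # NAT-T: once a NAT is detected during IKE, both sides move IKE/ESP to UDP 4500
    natt_out = [pat.translate_out(Packet(p, remote_peer, "udp", 4500, 4500)) for p in peers]
    results["natt_forwarded"] = sum(pkt is not None for pkt in natt_out)

    # Each inside peer received its own translated source port, so the remote
    # side's replies to those ports are demultiplexed back to the right host
    replies = [pat.translate_in(Packet(remote_peer, PUBLIC_IP, "udp", 4500, pkt.src_port))
               for pkt in natt_out]
    results["natt_replies_to"] = [r.dst_ip for r in replies]
    results["distinct_public_ports"] = len({pkt.src_port for pkt in natt_out})
    return results


if __name__ == "__main__":
    print(esp_vs_nat_t())
```

The model makes the mechanism explicit: ESP has no port field, so a PAT device has nothing to rewrite and cannot tell two inside peers' return traffic apart, whereas UDP 4500 gives every peer its own translated source port and replies flow back normally. On IOS, once NAT-T has been negotiated, `show crypto ipsec sa` lists the peer with `port 4500` instead of `port 500`, which is the quickest way to confirm the encapsulation is actually in use rather than merely enabled.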


VPN site to site behind PAT device

Thanks Tariq,

So, even if we have devices residing behind the ISA on the 10 subnet, if we enable NAT-T on the edge router (which is our VPN gateway), that would do the job?
