VPN tunnel with NAT traversal

 
 
Bohdan Yaremko
Guest
Posts: n/a
 
      03-31-2006
Hi everyone,

I recently upgraded a PIX 501 from version 6.2.x to version 6.3.4 in order
to take advantage of the NAT-T ability when setting up an IPSec VPN. It
seems that all there is to it is the "isakmp nat-traversal" command, but I
still can't get it to work. Is there any way to customize the NAT
transparency, such as changing the UDP port of the encapsulation? Will
NAT-T get applied if the PIX is set up as a hardware VPN client? I have
been playing around with setting up a PIX-to-Concentrator VPN connection,
where the PIX is sitting behind another PIX doing NAT/PAT, but have not been
able to establish the tunnel. The exact same setup works if using a
software VPN client, however (the Concentrator reports the software
connection as "IPSec/NAT-T"). The Concentrator's log during the
establishment of the tunnel shows no activity, so is there any way to do a
"debug icmp trace" or any other similar debug command on the Concentrator?

My apologies for leaving out the gory details of the setups, but I think
that I am missing something conceptually, not technically.

I would be very grateful for any insight someone might offer.

Thanks,

Bohdan


Walter Roberson
Guest
Posts: n/a
 
      03-31-2006
In article <nz2Xf.4579$(E-Mail Removed)-nyc.rr.com>,
Bohdan Yaremko <(E-Mail Removed)> wrote:
>I recently upgraded a PIX 501 from version 6.2.x to version 6.3.4 in order
>to take advantage of the NAT-T ability when setting up an IPSec VPN. It
>seems that all there is to it is the "isakmp nat-traversal" command, but I
>still can't get it to work. Is there any way to customize the NAT
>transparency, such as changing the UDP port of the encapsulation?


No.

>Will
>NAT-T get applied if the PIX is set up as a hardware VPN client?


Yes.

>I have
>been playing around with setting up a PIX-to-Concentrator VPN connection,
>where the PIX is sitting behind another PIX doing NAT/PAT, but have not been
>able to establish the tunnel. The exact same setup works if using a
>software VPN client, however (the Concentrator reports the software
>connection as "IPSec/NAT-T").


The VPN client will try TCP 10000 (I think it is) as well as
the now-standardized ports.

For standardized NAT-T, UDP 500 and UDP 4500 must be permitted as
destinations. Note, though, that if NAT is not detected,
then standard IPSec will be used -- UDP 500, and IP protocol 50
(ESP) and potentially IP protocol 51 (AH).
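The reply above lists the traffic that must get through for NAT-T versus plain IPSec. The quickest way to see which of the two a PIX and a Concentrator actually settled on is to capture on the outside of the NAT/PAT device and classify what is on the wire. The script below is an added example, not code from the thread or from Cisco: it labels packets by IP protocol, UDP port and the first bytes of the payload, following the layouts in RFC 3948 (ESP in UDP 4500, the four-zero-byte non-ESP marker in front of IKE on 4500, the single 0xFF keepalive) and the ISAKMP header of RFC 2408. The packets at the bottom are constructed by hand, with made-up cookies and SPIs, so the script runs offline; the `diagnose` verdict and the `blocked_by_pat` field are this example's own naming, not anything the PIX or Concentrator reports.

```python
"""Classify IKE/IPsec packets as NAT-T or plain IPsec (added example)."""
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IPPROTO_AH = 51
IKE_PORT = 500
NATT_PORT = 4500

# IKEv1 exchange types carried in the ISAKMP header (RFC 2409 / RFC 2408).
EXCHANGE_TYPES = {2: "main-mode", 4: "aggressive", 5: "informational", 32: "quick-mode"}


def parse_isakmp_header(data):
    """Decode the fixed 28-byte ISAKMP header; return None if too short."""
    if len(data) < 28:
        return None
    icky, rcky, _next, _ver, exch, _flags, msgid, length = struct.unpack("!8s8sBBBBII", data[:28])
    return {"icky": icky.hex(), "rcky": rcky.hex(), "msgid": msgid,
            "exchange": EXCHANGE_TYPES.get(exch, str(exch)), "length": length}


def classify(proto, dport, payload):
    """Label one packet: IP protocol, UDP destination port and UDP payload."""
    if proto == IPPROTO_ESP:
        return "esp"            # raw ESP: no ports, so a PAT device has nothing to rewrite
    if proto == IPPROTO_AH:
        return "ah"
    if proto != IPPROTO_UDP:
        return "other"
    if dport == IKE_PORT:
        return "ike/500" if parse_isakmp_header(payload) else "udp500-garbage"
    if dport == NATT_PORT:
        if payload == b"\xff":
            return "natt-keepalive"         # RFC 3948 NAT keepalive
        if payload[:4] == b"\x00\x00\x00\x00":
            # Non-ESP marker: IKE moved to 4500 after NAT was detected.
            return "ike/4500" if parse_isakmp_header(payload[4:]) else "udp4500-garbage"
        if len(payload) >= 8:
            return "esp-in-udp"             # first 4 bytes are a non-zero ESP SPI
        return "udp4500-short"
    return "other"


def diagnose(packets):
    """Summarise a capture: what the peers settled on, and which of it an
    intermediate PAT device without IPsec passthrough would drop."""
    labels = [classify(*p) for p in packets]
    counts = {}
    for label in labels:
        counts[label] = counts.get(label, 0) + 1
    if "esp-in-udp" in counts:
        verdict = "nat-t"
    elif "esp" in counts or "ah" in counts:
        verdict = "plain-ipsec"
    elif any(label.startswith("ike/") for label in labels):
        verdict = "ike-only"      # phase 1 seen, no data traffic: tunnel never came up
    else:
        verdict = "no-ipsec"
    blocked_by_pat = [label for label in ("esp", "ah") if label in counts]
    return {"counts": counts, "verdict": verdict, "blocked_by_pat": blocked_by_pat}


def ike_packet(exchange, msgid=0, on_4500=False):
    """Build a constructed ISAKMP header (fake cookies); prepend the non-ESP marker for 4500."""
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, 1, 0x10, exchange, 0, msgid, 28)
    return (b"\x00\x00\x00\x00" + hdr) if on_4500 else hdr


ESP_HDR = struct.pack("!II", 0xC0FFEE01, 1)   # constructed SPI and sequence number

# Constructed capture 1: NAT was detected, everything moved to UDP 4500.
NATT_CAPTURE = [
    (IPPROTO_UDP, IKE_PORT, ike_packet(2)),
    (IPPROTO_UDP, NATT_PORT, ike_packet(2, on_4500=True)),
    (IPPROTO_UDP, NATT_PORT, ike_packet(32, msgid=0x1234, on_4500=True)),
    (IPPROTO_UDP, NATT_PORT, ESP_HDR + b"\x00" * 32),
    (IPPROTO_UDP, NATT_PORT, b"\xff"),
]

# Constructed capture 2: no NAT detected, data goes out as raw IP protocol 50.
PLAIN_CAPTURE = [
    (IPPROTO_UDP, IKE_PORT, ike_packet(2)),
    (IPPROTO_ESP, 0, ESP_HDR + b"\x00" * 32),
]

if __name__ == "__main__":
    for name, cap in (("nat-t", NATT_CAPTURE), ("plain", PLAIN_CAPTURE)):
        print(name, diagnose(cap))
```

Feed it the UDP payloads from a capture taken on the outside of the NAT device; if the verdict is `plain-ipsec` with `esp` in `blocked_by_pat`, the inside PIX did not detect the NAT and is sending raw ESP, which is exactly the case where the Concentrator logs nothing because nothing arrives.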