IPSEC over NAT will work?

Discussion in 'Cisco' started by ambient, Oct 18, 2003.

  1. ambient

    ambient Guest

    Hi;

    I am currently doing some project using VPN concentrator 3015. Will the VPN
    client be able to establish a session with the concentrator over NAT on a
    Cisco 827 ADSL?

    What do multiple IPSEC pass-thru and NAT Traversal (NAT-T) mean?
     
    ambient, Oct 18, 2003
    #1

  2. Rik Bain

    Rik Bain Guest

    On Sat, 18 Oct 2003 22:08:35 +0600, ambient wrote:

    > Hi;
    >
    > I am currently doing some project using VPN concentrator 3015. Will the VPN
    > client
    > be able to establish a session with the concentrator over NAT on a Cisco
    > 827 ADSL?
    >
    > What do multiple IPSEC pass-thru and NAT Traversal (NAT-T) mean?


    If you enable NAT-T or transparent tunneling on the client AND
    the concentrator, you should be OK.

    Also, the 800, running recent code (12.2(13)T IIRC) will support
    RAW IPSEC through PAT.

    Rik Bain
     
    Rik Bain, Oct 19, 2003
    #2
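    What "enable NAT-T on both the client and the concentrator" buys you is an
    extra step in IKE Phase 1: once both peers have advertised NAT-T support,
    each sends NAT-D payloads (hashes of the addresses and ports it knows
    about) so the other side can tell whether a NAT rewrote anything on the
    way. The Python model below is an added example, not part of Rik's post
    and not Cisco code; it builds the RFC 3947 NAT-D hash and runs the
    receiver-side comparison. The ISAKMP cookies, the addresses and the use
    of SHA-1 as the negotiated hash are constructed assumptions for the
    demonstration.

```python
import hashlib
import ipaddress
import struct

# Constructed ISAKMP cookies (the initiator/responder SPIs of the IKE SA);
# any two 8-byte values will do for the demonstration.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload content per RFC 3947: HASH(CKY-I | CKY-R | IP | Port).
    The hash is whatever was negotiated for the IKE SA; SHA-1 is assumed."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def build_nat_d_payloads(cky_i, cky_r, peer_ip, peer_port, own_addrs):
    """What a peer sends: first a hash of the address/port it sees for the
    other side, then one hash per local address it might be sending from."""
    payloads = [nat_d_hash(cky_i, cky_r, peer_ip, peer_port)]
    payloads += [nat_d_hash(cky_i, cky_r, ip, port) for ip, port in own_addrs]
    return payloads


def detect_nat(cky_i, cky_r, received, my_ip, my_port, src_ip, src_port):
    """Receiver-side check of the peer's NAT-D payloads. Returns
    (i_am_behind_nat, peer_is_behind_nat). The first payload is the peer's
    view of *my* address; the remaining ones are the peer's own candidate
    addresses. A mismatch means a NAT rewrote that address in transit."""
    me_as_peer_saw_it = received[0] == nat_d_hash(cky_i, cky_r, my_ip, my_port)
    peer_as_i_see_it = nat_d_hash(cky_i, cky_r, src_ip, src_port) in received[1:]
    return (not me_as_peer_saw_it, not peer_as_i_see_it)


def negotiate(client_ip, client_port, wire_ip, wire_port,
              gateway_ip="198.51.100.1"):
    """Simulate one direction of Phase 1: the VPN client hashes what it knows
    about itself and the gateway, the gateway compares against what actually
    arrived on the wire. Returns (gateway_behind_nat, client_behind_nat, port):
    when either side detects NAT, IKE and ESP float to UDP 4500."""
    payloads = build_nat_d_payloads(CKY_I, CKY_R, gateway_ip, 500,
                                    [(client_ip, client_port)])
    gw_nat, client_nat = detect_nat(CKY_I, CKY_R, payloads,
                                    gateway_ip, 500, wire_ip, wire_port)
    return gw_nat, client_nat, (4500 if (gw_nat or client_nat) else 500)


if __name__ == "__main__":
    # Client on a private address behind a PAT router: the gateway sees the
    # router's public address and a rewritten source port (constructed values).
    print(negotiate("192.168.1.10", 500, "203.0.113.5", 1025))   # (False, True, 4500)
    # Same client on a public address with no NAT in the path.
    print(negotiate("203.0.113.10", 500, "203.0.113.10", 500))   # (False, False, 500)
```

    The concentrator only performs this comparison if the client advertised
    the NAT-T vendor ID, which is why the setting has to be on at both ends:
    with NAT-T off on either side the NAT-D payloads are never sent and raw
    ESP is attempted regardless of what sits in between.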

  3. The problem with IPSec is that it uses the IP-ESP protocol natively. This
    protocol doesn't have "port numbers" like TCP and UDP do. So NAT does not
    know how to translate the traffic because NAT/PAT is based on port numbers.
    This is where IPSec pass-thru and NAT-T come into the picture.
    IPSec pass-thru tells the NAT software to send all ESP traffic to one
    certain host. This also means only one host can use IPSec pass-thru at a
    time (there is only room for one translation for ESP in NAT).
    To overcome this limitation IPSec traffic can be encapsulated in UDP
    packets. UDP packets travel through NAT without a problem. This is called
    NAT-T.

    So in your setup, you'll have to configure the 3015 to accept IPSec over UDP
    connections to overcome the NAT limitations.

    Erik

    "ambient" <> wrote in message
    news:bmrnlj$s4n$...
    > Hi;
    >
    > I am currently doing some project using VPN concentrator 3015. Will the VPN client
    > be able to establish a session with the concentrator over NAT on a Cisco 827
    > ADSL?
    >
    > What do multiple IPSEC pass-thru and NAT Traversal (NAT-T) mean?
    >
    >
     
    Erik Tamminga, Oct 19, 2003
    #3
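    To make Erik's explanation concrete, here is an added Python model that is
    not from the thread and not Cisco code. It implements a toy PAT table to
    show why a second inside host sending raw ESP collides (there is no port
    to key the return path on), how wrapping ESP in UDP/4500 gives every
    tunnel its own public port, and how the receiver tells IKE from ESP on
    port 4500 using the four-byte non-ESP marker from RFC 3948. The inside
    and public addresses and the PAT behaviour itself are constructed for the
    example.

```python
import struct

ESP = 50          # IP protocol number of ESP: no port field to translate
UDP = 17
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: prefix on IKE sent over 4500


class Pat:
    """Toy port address translator with one public IP. Outbound mappings are
    keyed on (protocol, inside IP, inside port) and the return path is demuxed
    on (protocol, public port). ESP carries no port, so the public side of an
    ESP mapping is just (50, None) and only one inside host can own it."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.next_port = 1024
        self.outbound = {}   # (proto, in_ip, in_port) -> public port
        self.inbound = {}    # (proto, public_port)   -> (in_ip, in_port)

    def translate(self, proto: int, in_ip: str, in_port):
        key = (proto, in_ip, in_port)
        if key in self.outbound:
            return self.public_ip, self.outbound[key]
        if in_port is None:
            # Nothing to rewrite: a second host would collide on the return path.
            if (proto, None) in self.inbound:
                raise ValueError(f"protocol {proto} already mapped to "
                                 f"{self.inbound[(proto, None)][0]}")
            public_port = None
        else:
            public_port = self.next_port
            self.next_port += 1
        self.outbound[key] = public_port
        self.inbound[(proto, public_port)] = (in_ip, in_port)
        return self.public_ip, public_port


def raw_esp_through_pat(pat: Pat, inside_hosts):
    """Each host sends native ESP (protocol 50). Returns {host: result};
    the first host gets the single ESP slot, the rest are dropped."""
    results = {}
    for host in inside_hosts:
        try:
            results[host] = pat.translate(ESP, host, None)
        except ValueError as e:
            results[host] = f"dropped: {e}"
    return results


def nat_t_through_pat(pat: Pat, inside_hosts):
    """Same hosts, but ESP is wrapped in UDP/4500 (NAT-T), so every host
    gets its own public port and the PAT can keep the tunnels apart."""
    return {host: pat.translate(UDP, host, NAT_T_PORT) for host in inside_hosts}


def udp_encap_esp(spi: int, seq: int, body: bytes) -> bytes:
    """UDP/4500 payload for ESP: the ESP header (SPI, sequence) follows the
    UDP header directly, with no marker (RFC 3948 section 2.1)."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved; it would look like the non-ESP marker")
    return struct.pack("!II", spi, seq) + body


def udp_encap_ike(ike_msg: bytes) -> bytes:
    """IKE on port 4500 is prefixed with four zero bytes so the receiver can
    tell it from ESP, whose first four bytes are a non-zero SPI."""
    return NON_ESP_MARKER + ike_msg


def demux_4500(payload: bytes):
    """Receiver-side split of a UDP/4500 datagram into ('ike', msg) or
    ('esp', spi, seq, body)."""
    if payload[:4] == NON_ESP_MARKER:
        return ("ike", payload[4:])
    spi, seq = struct.unpack("!II", payload[:8])
    return ("esp", spi, seq, payload[8:])


if __name__ == "__main__":
    hosts = ["192.168.1.10", "192.168.1.11"]   # constructed inside addresses
    print("raw ESP :", raw_esp_through_pat(Pat("203.0.113.5"), hosts))
    print("NAT-T   :", nat_t_through_pat(Pat("203.0.113.5"), hosts))
    print(demux_4500(udp_encap_esp(0x1000, 1, b"ciphertext")))
    print(demux_4500(udp_encap_ike(b"ike-header-and-payloads")))
```

    The raw-ESP case is exactly the "IPSec pass-thru" behaviour Erik describes:
    the translator can hand protocol 50 to one inside host and no other. With
    NAT-T the 827 only ever sees UDP, so the standard PAT machinery applies and
    nothing special has to be configured for ESP on the router at all.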
  4. In article <bmu3i9$ct4$1.nb.home.nl>,
    Erik Tamminga <> wrote:
    :The problem with IPSec is that it uses the IP-ESP protocol natively. This
    :protocol doesn't have "port-numbers" like TCP and UDP do. So NAT does not
    :know how to translate the traffic because NAT/PAT is based on port numbers.

    PAT is based upon port numbers, but standard NAT is not.

    One-to-one NAT has no problems with ESP.
    --
    I wrote a hack in microcode,
    with a goto on each line,
    it runs as fast as Superman,
    but not quite every time! -- Dave Touretzky and Don Libes
     
    Walter Roberson, Oct 19, 2003
    #4
  5. Hi Walter,

    Correct, standard NAT is one-to-one and doesn't give any problems. I was
    assuming the question involved a PAT setup as most people tend to speak
    about NAT when they're actually talking about PAT.

    Erik

    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:bmudv8$l25$...
    > In article <bmu3i9$ct4$1.nb.home.nl>,
    > Erik Tamminga <> wrote:
    > :The problem with IPSec is that it uses the IP-ESP protocol natively. This
    > :protocol doesn't have "port-numbers" like TCP and UDP do. So NAT does not
    > :know how to translate the traffic because NAT/PAT is based on port numbers.
    >
    > PAT is based upon port numbers, but standard NAT is not.
    >
    > One-to-one NAT has no problems with ESP.
    > --
    > I wrote a hack in microcode,
    > with a goto on each line,
    > it runs as fast as Superman,
    > but not quite every time! -- Dave Touretzky and Don Libes
     
    Erik Tamminga, Oct 19, 2003
    #5
  6. CybrSage

    CybrSage Guest

    On the 827, you will need to add the following lines:
    ip nat inside source static udp inside_ip_address_of_3015 4500 outside_ip_address 4500 extendable
    ip nat inside source static udp inside_ip_address_of_3015 500 outside_ip_address 500 extendable

    I am not sure about the 3015, but on a PIX, you would need to add the
    following line:
    isakmp nat-traversal 20

    Michael Barnhart

    "ambient" <> wrote in message
    news:bmrnlj$s4n$...
    > Hi;
    >
    > I am currently doing some project using VPN concentrator 3015. Will the VPN client
    > be able to establish a session with the concentrator over NAT on a Cisco 827
    > ADSL?
    >
    > What do multiple IPSEC pass-thru and NAT Traversal (NAT-T) mean?
    >
    >
     
    CybrSage, Oct 21, 2003
    #6
  7. Geert Nijs

    Geert Nijs Guest

    If you are running the latest version of IOS code -> YES.

    >>>> Multiple IPSEC pass-thru = Multiple IPSEC Tunnels from 2 internal PCs
    will traverse the NAT router without any problem.
    >>>> NAT recognizes the two different IPSEC tunnels and keeps them apart (was
    not in previous versions of IOS).
    >>>> Or even multiple IPSEC tunnels from ONE PC :)

    >>>> NAT-T ?? I don't know :)

    >>>> Watch out with IPSEC because NOT all IPSEC Modes are NAT compatible (I
    believe only IPSEC Tunnel Mode, with ESP is NAT compatible,
    >>>> check the documentation to be sure....


    "ambient" <> wrote in message
    news:bmrnlj$s4n$...
    > Hi;
    >
    > I am currently doing some project using VPN concentrator 3015. Will the VPN client
    > be able to establish a session with the concentrator over NAT on a Cisco 827
    > ADSL?
    >
    > What do multiple IPSEC pass-thru and NAT Traversal (NAT-T) mean?
    >
    >
     
    Geert Nijs, Nov 4, 2003
    #7