nat traversal or something else

Discussion in 'Cisco' started by cci admin, Apr 22, 2004.

  1. cci admin

    cci admin Guest

    Hello all

    Cisco support didn't know how to answer me, but I am sure there is some kind
    of workaround.

    This is how our network is set up:
    PIX 506E ==> Cisco 801 ISDN Router -------- (internet) ----- Netgear
    PIX is behind NAT on the 801 ISDN router.

    I have created a site-to-site VPN between Cisco PIX 506E and Netgear FVS318
    Firewall.
    On debugging I can see that IKE and the SAs are all getting successfully
    initiated and the VPN link status is up. That is because IKE is using UDP
    port 500.
    However, no traffic can pass through the tunnel. Cannot ping or anything
    else.

    I have noticed that the problem lies in the following:
    Apparently the VPN is not going to work behind NAT because you can't really NAT
    protocols other than TCP or UDP,
    and we do need to pass through the ESP and GRE protocols.

    Here are the questions:
    1. Is it possible to set up the Cisco 801 to pass through the ESP and AH protocols,
    whether by means of NAT or something else?
    2. If not, is it possible to set up the Cisco 801 as a bridge and have the PIX
    controlling ISDN? (I doubt that.)
    3. Will NAT traversal work well in this situation to encapsulate everything
    in port 4500? (I haven't tried because I only have PIX OS 6.2.)
    4. If I do use NAT traversal, can it only be used between PIX and PIX with
    both using port 4500, or can I use NAT traversal between the PIX and the Netgear
    firewall with the settings I already have (it doesn't support NAT traversal)?


    Thank you so much!
    It'd be great to see if anyone has achieved something similar to this.
     
    cci admin, Apr 22, 2004
    #1

  2. In article <aoHhc.5862$>,
    cci admin <> wrote:
    :This is how our network is set up:
    :PIX 506E ==> Cisco 801 ISDN Router -------- (internet) ----- Netgear
    :PIX is behind NAT on the 801 ISDN router.

    :3. Will NAT traversal work well in this situation to encapsulate everything
    :in port 4500? (I haven't tried because I only have PIX OS 6.2.)

    NAT traversal would probably solve your problem. It does not, though,
    encapsulate everything onto port 4500: it uses UDP 4500 to negotiate
    a port to use.

    :4. If I do use NAT traversal, can it only be used between PIX and PIX with
    :both using port 4500, or can I use NAT traversal between the PIX and the Netgear
    :firewall with the settings I already have (it doesn't support NAT traversal)?

    I think NAT traversal needs to be supported on both ends, but it has
    been a while since I looked at the technical document.
    --
    Warning: potentially contains traces of nuts.
     
    Walter Roberson, Apr 22, 2004
    #2

  3. cci admin

    cci admin Guest

    Thank you!

    So I guess there is no choice but to either buy another PIX for the second branch or...
    Is there a way to configure the Cisco 801 to forward everything onto the PIX, like a
    DMZ situation?


     
    cci admin, Apr 22, 2004
    #3
  4. Rik Bain

    Rik Bain Guest

    On Wed, 21 Apr 2004 23:03:08 -0500, Walter Roberson wrote:

    > NAT traversal would probably solve your problem. It does not, though,
    > encapsulate everything onto port 4500: it uses UDP 4500 to negotiate a
    > port to use.
    >


    Is that new? Since I have been using NAT-T it will switch from UDP/500
    to UDP/4500 as soon as NAT is detected and encapsulate all traffic on
    4500.

    I have configured PIX firewalls behind other PAT devices that only forward
    UDP/500 and UDP/4500 and established l2l tunnels with no problems.

    Rik Bain
     
    Rik Bain, Apr 22, 2004
    #4
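The two mechanisms Rik Bain describes, NAT detection during IKE and the move of both IKE and ESP onto UDP 4500, can be illustrated with the payload formats from RFC 3947 (NAT-D) and RFC 3948 (UDP-encapsulated ESP). The following is an added example, not code from the thread or from any Cisco or Netgear product; the cookies and addresses are constructed values that stand in for the PIX behind the 801's NAT.

```python
import hashlib
import ipaddress
import struct
from typing import Tuple

# Constructed sample values, not taken from the thread: the ISAKMP cookies of
# an IKE phase-1 exchange and the addresses on each side of the 801's NAT.
CKY_I = bytes.fromhex("0123456789abcdef")   # initiator cookie (PIX)
CKY_R = bytes.fromhex("fedcba9876543210")   # responder cookie (Netgear)
PIX_INSIDE = ("192.168.1.2", 500)           # what the PIX believes it sends from
PIX_AS_SEEN = ("203.0.113.10", 1025)        # what the peer sees after PAT on the 801

def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload: SHA-1(CKY-I | CKY-R | IP | Port)."""
    packed_ip = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + packed_ip + struct.pack("!H", port)).digest()

def nat_between(peer_nat_d: bytes, seen_ip: str, seen_port: int) -> bool:
    """The receiver recomputes the hash over the source address/port it
    actually observed on the wire; a mismatch means a NAT rewrote them."""
    return peer_nat_d != nat_d_hash(CKY_I, CKY_R, seen_ip, seen_port)

def demux_udp4500(payload: bytes) -> str:
    """RFC 3948: on UDP 4500, IKE is prefixed with a 4-byte zero 'non-ESP
    marker'; UDP-encapsulated ESP starts directly with its SPI, which is
    never zero, so the first four bytes tell the two apart."""
    if len(payload) < 4:
        raise ValueError("payload too short for a non-ESP marker or SPI")
    return "ike" if payload[:4] == b"\x00\x00\x00\x00" else "esp"

def negotiate() -> Tuple[bool, int]:
    """Walk the detection step: the PIX hashes its own idea of its address
    into NAT-D; the peer checks it against the packet it received and, if a
    NAT is present, both ends move IKE and ESP to UDP 4500."""
    pix_claim = nat_d_hash(CKY_I, CKY_R, *PIX_INSIDE)
    nat_present = nat_between(pix_claim, *PIX_AS_SEEN)
    return nat_present, 4500 if nat_present else 500
```

Because the SPI can never be zero, a single UDP 4500 flow carries both IKE and ESP, which is why a PAT device that only forwards UDP/500 and UDP/4500 is enough once both ends support NAT-T.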
  5. cci admin

    cci admin Guest

    Oh not bad!

    Is the configuration any different for NAT-T than for NAT?
    Or is it a new kind of NAT on the latest routers?



     
    cci admin, Apr 22, 2004
    #5
  6. cci admin

    cci admin Guest

    Oh okay, you meant NAT-T as in NAT traversal, but I have already mentioned
    that was one of the alternatives. See, the problem is I cannot use NAT traversal
    as one of the firewalls does not support it.



     
    cci admin, Apr 22, 2004
    #6