Pix-to-Pix VPN - BOTH BOXES BEHIND NAT!!!

Discussion in 'Cisco' started by Michael Gorsuch, Oct 23, 2003.

  1. I am considering a configuration for my site - can anyone here offer
    any suggestions?

    I have two sites, both sit behind CPE's configured w/ NAT via the ISP.

    I would like to install two Cisco Pix boxes (each behind a NAT
    device), one at each site and enable VPN connectivity between the two.
    I've read in multiple places that 6.3 now supports NAT Traversal, but
    I'd like to hear it from you all as I've read many conflicting
    reports.

    If anyone can point me to specific configuration examples, it would be
    much appreciated.

    Thank you in advance,

    Michael
     
    Michael Gorsuch, Oct 23, 2003
    #1

  2. In article <>,
    Michael Gorsuch <> wrote:
    :I am considering a configuration for my site - can anyone here offer
    :any suggestions?

    :I have two sites, both sit behind CPE's configured w/ NAT via the ISP.

    :I would like to install two Cisco Pix boxes (each behind a NAT
    :device), one at each site and enable VPN connectivity between the two.
    :I've read in multiple places that 6.3 now supports NAT Traversal, but
    :I'd like to hear it from you all as I've read many conflicting
    :reports.

    Can you configure the CPE to forward all ESP packets to the
    PIX? And all UDP 500? If you can do that, then just go ahead and
    configure the PIXes, but make sure you don't configure AH.

    If you can't forward ESP to the PIX then you will have to see if
    you can get NAT-T to work. I believe you'll need UDP 4500 as well
    as UDP 500 for that, and you'll have to configure
    isakmp nat-traversal

    http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-07.txt

    I am a bit confused by section 7 of the draft,
    "Recovering from the expiring NAT mappings"
    That section (and one of the paragraphs under 8. Security Considerations)
    appears to assume that one of the ends will not be NAT'ing. This
    does not seem to fit in with the other paragraphs: the protocol otherwise
    assumes that both ends might be NAT'ed.

    Anyhow, this section just might give you trouble in your situation
    where you have NAT on both ends.
    --
    Can a statement be self-referential without knowing it?
     
    Walter Roberson, Oct 24, 2003
    #2
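To make the NAT-T requirement in the reply above concrete, here is an added example (not from the thread, not Cisco code) that classifies what a firewall or IDS would see on UDP 4500 once NAT-T is negotiated: a one-byte 0xFF keepalive (the mechanism the draft's section 7 relies on to stop NAT mappings expiring), IKE prefixed with the four-zero-byte non-ESP marker, or UDP-encapsulated ESP. The byte layouts follow draft-ietf-ipsec-nat-t-ike / the later RFCs 3947 and 3948; the sample datagrams are constructed.

```python
"""Classify datagrams on UDP/4500 (IKE NAT-Traversal port).

Added example. Three payload kinds share the port and are told apart by
their leading bytes:
  - a single 0xFF octet                      -> NAT keepalive
  - four zero octets (non-ESP marker) + ISAKMP header -> IKE
  - anything else (leading non-zero SPI)     -> UDP-encapsulated ESP
"""
import struct

KEEPALIVE = b"\xff"
NON_ESP_MARKER = b"\x00\x00\x00\x00"
# ISAKMP header: initiator cookie, responder cookie, next payload,
# version (major<<4 | minor), exchange type, flags, message id, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")


def classify_nat_t(payload: bytes) -> dict:
    """Return a dict describing the datagram; never raises on bad input."""
    if payload == KEEPALIVE:
        return {"kind": "keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        body = payload[len(NON_ESP_MARKER):]
        if len(body) < ISAKMP_HDR.size:
            return {"kind": "malformed", "reason": "short ISAKMP header"}
        i_ck, r_ck, nxt, ver, exch, flags, msgid, length = ISAKMP_HDR.unpack_from(body)
        if length != len(body):
            return {"kind": "malformed", "reason": "ISAKMP length mismatch"}
        return {"kind": "ike", "major": ver >> 4, "minor": ver & 0xF,
                "exchange": exch, "initiator_cookie": i_ck.hex(), "msgid": msgid}
    if len(payload) < 8:
        return {"kind": "malformed", "reason": "ESP header too short"}
    spi, seq = struct.unpack_from("!II", payload)  # SPI is non-zero by construction
    return {"kind": "esp", "spi": spi, "seq": seq}


# Constructed samples: an IKEv1 Main Mode header with no payloads
# (exchange type 2, version 1.0, length 28) and an ESP packet (SPI 0x12345678).
SAMPLE_IKE = NON_ESP_MARKER + ISAKMP_HDR.pack(
    b"\x01" * 8, b"\x00" * 8, 1, 0x10, 2, 0, 0, ISAKMP_HDR.size)
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + b"\xAA" * 8

if __name__ == "__main__":
    for pkt in (KEEPALIVE, SAMPLE_IKE, SAMPLE_ESP):
        print(classify_nat_t(pkt))
```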
