Re: NAT-T is supported by cisco 831?

Discussion in 'Cisco' started by bod43, Feb 2, 2009.

  1. bod43

    bod43 Guest

    On 1 Feb, 16:31, Andrew <> wrote:
    > Hi guys,
    > Sorry for my question, but I'm a newbie with Cisco routers.
    > I have to make an IPSEC VPN with two Fortinet firewalls; between the
    > firewalls there is a Cisco 831 router with NAT. I know that IPSEC works
    > fine only if the router supports NAT-T, and I would like to know if I need
    > to configure something on the 831 to make it compliant.


    Hmmm. I did not know that NAT-T required special support
    in the NATing router. Seems that it might well.

    http://www.cisco.com/en/US/technolo...technologies_white_paper09186a00801af2b9.html

    Best to check the feature navigator against your version.
    If you post the version someone might check.
     
    bod43, Feb 2, 2009
    #1

  2. bod43

    bod43 Guest

    On 2 Feb, 17:52, Andrew <> wrote:
    > bod43 wrote:
    >
    > > On 1 Feb, 16:31, Andrew <> wrote:
    > >> Hi guys,
    > >> Sorry for my question, but I'm a newbie with Cisco routers.
    > >> I have to make an IPSEC VPN with two Fortinet firewalls; between the
    > >> firewalls there is a Cisco 831 router with NAT. I know that IPSEC works
    > >> fine only if the router supports NAT-T, and I would like to know if I need
    > >> to configure something on the 831 to make it compliant.

    >
    > > Hmmm. I did not know that NAT-T required special support
    > > in the NATing router. Seems that it might well.

    >
    > >http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologie...

    >
    > > Best to check the feature navigator against your version.
    > > If you post the version someone might check.

    >
    > Thanks, it seems NAT-T is supported by my IOS 12.3(8r) version.
    > Unfortunately the VPN does not work, only with the Cisco router that is
    > between the firewalls; the other VPNs work fine  :(
    >
    > But there is a strange thing: I've seen in the NAT table that the NAT-T
    > VPN does not connect on port 4500 but only on 500:
    >
    > Pro Inside global      Inside local       Outside local
    > udp 88.xx.41.xx:500   172.16.10.250:500  79.xx.158.xx:500
    >
    > Outside
    > 79.xx.158.xx:500
    >
    > Other VPNs connect to UDP port 4500
    >
    > :(


    Without NAT.
    UDP:500 is used for IKE then IP type 50 for ESP traffic

    With NAT - ie NAT-T configured on IPSEC peers (Fortigate)
    and NATter detected in path
    UDP:500 is used for IKE then UDP:4500 for ESP traffic

    You usually need to enable NAT-T on the firewalls.
    On Cisco PIX/router it has to be specifically enabled.
    I forget the default on Check Point but you can turn it off,
    I think.

    It seems that IKE detects the presence of a NATter
    and then chooses UDP:4500 if required.

    I have used NAT-T a few times and it has just worked.
    It does seem as if complications might arise however.

    http://tools.ietf.org/html/rfc3947
    "IPsec-aware NATs can cause problems "


    http://en.wikipedia.org/wiki/NAT-T
    This page is effectively a nice list of links.

    I would:-
    - Recheck the configuration
    - Have a shot at a software upgrade since there is
    no doubt that cisco have been fiddling with this. 12.3(8r)
    will be pretty old now.
    - debug ip nat on the cisco is nice, log for every packet
    might just show up an anomaly.
     
    bod43, Feb 2, 2009
    #2
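
The NAT detection step mentioned in the post above ("IKE detects the presence of a NATter") is specified in RFC 3947 as an exchange of NAT-D hash payloads. The following is an added example, not part of the original posts, that computes and checks those hashes; the cookies, the 198.51.100.10 and 203.0.113.20 addresses and the choice of SHA-1 as the negotiated hash are constructed assumptions.

```python
import hashlib
import ipaddress
import struct

# Constructed sample values (not from the thread): 8-byte IKE cookies and
# documentation-range public addresses. 172.16.10.250 is the inside host
# shown in the NAT table quoted in the thread.
CKY_I = bytes.fromhex("1122334455667788")
CKY_R = bytes.fromhex("99aabbccddeeff00")
INSIDE = ("172.16.10.250", 500)    # initiator's real address
NATTED = ("198.51.100.10", 500)    # same flow after the NAT router (port kept)
PEER = ("203.0.113.20", 500)       # remote IPsec gateway


def nat_d_hash(cky_i, cky_r, endpoint, algo="sha1"):
    """RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port)."""
    ip, port = endpoint
    packed = ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(algo, cky_i + cky_r + packed).digest()


def build_nat_d(cky_i, cky_r, local, remote):
    """Sender: first NAT-D covers the remote end, the next the local end."""
    return [nat_d_hash(cky_i, cky_r, remote), nat_d_hash(cky_i, cky_r, local)]


def check_nat_d(cky_i, cky_r, payloads, seen_src, seen_dst):
    """Receiver: recompute the hashes from the addresses seen on the wire."""
    about_us, about_sender = payloads[0], payloads[1:]
    local_nat = about_us != nat_d_hash(cky_i, cky_r, seen_dst)
    peer_nat = nat_d_hash(cky_i, cky_r, seen_src) not in about_sender
    return {
        "local_behind_nat": local_nat,
        "peer_behind_nat": peer_nat,
        "esp_carried_in": "UDP:4500" if (local_nat or peer_nat) else "IP protocol 50",
    }


if __name__ == "__main__":
    sent = build_nat_d(CKY_I, CKY_R, local=INSIDE, remote=PEER)
    print("through NAT:", check_nat_d(CKY_I, CKY_R, sent, NATTED, PEER))
    print("direct path:", check_nat_d(CKY_I, CKY_R, sent, INSIDE, PEER))
```

Because the hash covers the address as well as the port, a translation that keeps port 500, as in the NAT table quoted in the thread, is still detected by the peers.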