VPN tunnel with NAT traversal

Discussion in 'Cisco' started by Bohdan Yaremko, Mar 31, 2006.

  1. Hi everyone,

    I recently upgraded a PIX 501 from version 6.2.x to version 6.3.4 in order
    to take advantage of the NAT-T ability when setting up an IPSec VPN. It
    seems that all there is to it is the "isakmp nat-traversal" command, but I
    still can't get it to work. Is there any way to customize the NAT
    transparency, such as changing the UDP port of the encapsulation? Will
    NAT-T get applied if the PIX is set up as a hardware VPN client? I have
    been playing around with setting up a PIX-to-Concentrator VPN connection,
    where the PIX is sitting behind another PIX doing NAT/PAT, but have not been
    able to establish the tunnel. The exact same setup works if using a
    software VPN client, however (the Concentrator reports the software
    connection as "IPSec/NAT-T"). The Concentrator's log during the
    establishment of the tunnel shows no activity, so is there any way to do a
    "debug icmp trace" or any other similar debug command on the Concentrator?

    My apologies for leaving out the gory details of the setups, but I think
    that I am missing something conceptually, not technically.

    I would be very grateful for any insight someone might offer.

    Thanks,

    Bohdan
     
    Bohdan Yaremko, Mar 31, 2006
    #1

  2. In article <nz2Xf.4579$-nyc.rr.com>,
    Bohdan Yaremko <> wrote:
    >I recently upgraded a PIX 501 from version 6.2.x to version 6.3.4 in order
    >to take advantage of the NAT-T ability when setting up an IPSec VPN. It
    >seems that all there is to it is the "isakmp nat-traversal" command, but I
    >still can't get it to work. Is there any way to customize the NAT
    >transparency, such as changing the UDP port of the encapsulation?


    No.

    >Will
    >NAT-T get applied if the PIX is set up as a hardware VPN client?


    Yes.

    >I have
    >been playing around with setting up a PIX-to-Concentrator VPN connection,
    >where the PIX is sitting behind another PIX doing NAT/PAT, but have not been
    >able to establish the tunnel. The exact same setup works if using a
    >software VPN client, however (the Concentrator reports the software
    >connection as "IPSec/NAT-T").


    The VPN client will try TCP 10000 (I think it is) as well as
    the now-standardized ports.

    For standardized NAT-T, UDP 500 and UDP 4500 must be permitted as
    destinations. Note, though, that if no NAT is detected
    then standard IPSec will be used -- UDP 500, and IP protocol 50
    (ESP) and potentially IP protocol 51 (AH).
     
    Walter Roberson, Mar 31, 2006
    #2
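The reply's point is that a filter in front of the PIX has to match what the peers actually negotiate: with NAT detected, everything rides on UDP 500 and UDP 4500; without it, plain ESP (protocol 50) and possibly AH (51) appear on the wire. The following classifier is an added example written for this thread, not code from either poster or from Cisco. It applies the RFC 3947/3948 wire formats (IKE on UDP 500; on UDP 4500 a four-zero-byte non-ESP marker for IKE, a raw SPI for UDP-encapsulated ESP, and a single 0xFF byte for NAT keepalives) to constructed datagrams, and then reports which permits a given ACL is missing for the negotiated mode. The `Datagram` type, the ACL tuple format and the sample packets are all assumptions of this example.

```python
"""Tell NAT-T traffic from standard IPsec and check an ACL against it.

Added example for the thread above, not the posters' or Cisco's code.
Wire formats follow RFC 3947 (IKE NAT-T) and RFC 3948 (UDP-encapsulated ESP).
"""
from dataclasses import dataclass
from typing import Optional, Iterable, Set, Tuple

IP_PROTO_UDP = 17
IP_PROTO_ESP = 50
IP_PROTO_AH = 51
IKE_PORT = 500
NATT_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: prefixes IKE sent on 4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948: one-byte keepalive on 4500

# ACL entries: ("udp", port) or ("esp"/"ah", None); an assumed, simplified format.
Permit = Tuple[str, Optional[int]]


@dataclass(frozen=True)
class Datagram:
    """Minimal view of one IP datagram (constructed for the example)."""
    proto: int
    dst_port: Optional[int]   # None for non-UDP/TCP protocols such as ESP/AH
    payload: bytes            # transport payload (UDP data, or ESP/AH header)


def classify(d: Datagram) -> str:
    """Label a datagram as ike, esp, ah, nat-t-ike, nat-t-esp, nat-t-keepalive,
    malformed or other, following the NAT-T demultiplexing rules."""
    if d.proto == IP_PROTO_ESP:
        return "esp"
    if d.proto == IP_PROTO_AH:
        return "ah"
    if d.proto != IP_PROTO_UDP:
        return "other"
    if d.dst_port == IKE_PORT:
        return "ike"
    if d.dst_port == NATT_PORT:
        if d.payload == NAT_KEEPALIVE:
            return "nat-t-keepalive"
        if d.payload[:4] == NON_ESP_MARKER:
            return "nat-t-ike"
        # UDP-encapsulated ESP: ESP header (SPI + sequence number) starts the payload,
        # and a real SPI is never all zeros, which is what makes the marker unambiguous.
        if len(d.payload) >= 8:
            return "nat-t-esp"
        return "malformed"
    return "other"


def required_permits(nat_detected: bool) -> Set[Permit]:
    """Permits a filter between the peers needs for the negotiated mode."""
    if nat_detected:
        return {("udp", IKE_PORT), ("udp", NATT_PORT)}
    # No NAT detected: peers fall back to standard IPsec, so ESP (and possibly AH)
    # must pass as raw IP protocols, not UDP.
    return {("udp", IKE_PORT), ("esp", None), ("ah", None)}


def missing_permits(acl: Iterable[Permit], nat_detected: bool) -> Set[Permit]:
    """Return the required permits that the ACL does not contain."""
    return required_permits(nat_detected) - set(acl)


def summarize(datagrams: Iterable[Datagram]) -> dict:
    """Count classifications over a capture slice."""
    counts: dict = {}
    for d in datagrams:
        label = classify(d)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample datagrams (not a real capture).
SAMPLE = [
    Datagram(IP_PROTO_UDP, IKE_PORT, b"\x11" * 28),                       # IKE main mode
    Datagram(IP_PROTO_UDP, NATT_PORT, NON_ESP_MARKER + b"\x22" * 28),      # IKE after float to 4500
    Datagram(IP_PROTO_UDP, NATT_PORT, b"\x00\x00\x00\x2a" + b"\x00\x00\x00\x01" + b"\x33" * 16),  # ESP-in-UDP, SPI 0x2a
    Datagram(IP_PROTO_UDP, NATT_PORT, NAT_KEEPALIVE),                     # keepalive
    Datagram(IP_PROTO_ESP, None, b"\x00\x00\x00\x2b" + b"\x00\x00\x00\x01"),  # plain ESP
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
    # An ACL that only opened UDP 500/4500 and forgot ESP for the no-NAT case:
    acl = [("udp", 500), ("udp", 4500)]
    print("missing (NAT detected):", missing_permits(acl, True))
    print("missing (no NAT):", missing_permits(acl, False))
```

Run over the constructed sample, the summary shows one of each label; the second check reproduces the caveat in the reply: an ACL that only permits UDP 500 and 4500 is fine while NAT is detected, but drops the session the moment the peers decide no NAT is in the path and switch to raw ESP.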