WebVPN NAT-T

Discussion in 'Cisco' started by arplabs@gmail.com, Aug 11, 2006.

  1. Guest

    Upon reading Release Notes for Cisco VPN 3000 Series Concentrator,
    Release 4.7; Cisco SSL VPN Client, Release 1.0, I bumped into this
    sentence:

    "When using WebVPN with NAT-T, do not set the NAT-T port to 443. We
    recommend using port 80 for NAT-T, as firewalls should allow this."

    WebVPN with NAT-T?!?!
    WebVPN is SSL based. It doesn't touch layer 3. Why would I need a NAT
    transparency feature? Plus, NAT-T uses a fixed port (UDP 4500), you
    can't change it under Cisco IOS or PIX Finesse or VPN Concentrator
    OS...

    I just can't figure out what Cisco means by that sentence!!
    Can someone shed some light on this?

    Deeply appreciated!

    http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_7/47con3k.htm#wp524890

    Aless Pereira
    ARP Labs
    , Aug 11, 2006
    #1

  2. <> wrote in message
    news:...
    > Upon reading Release Notes for Cisco VPN 3000 Series Concentrator,
    > Release 4.7; Cisco SSL VPN Client, Release 1.0, I bumped into this
    > sentence:
    >
    > "When using WebVPN with NAT-T, do not set the NAT-T port to 443. We
    > recommend using port 80 for NAT-T, as firewalls should allow this."
    >
    > WebVPN with NAT-T?!?!
    > WebVPN is SSL based. It doesn't touch layer 3. Why would I need a NAT
    > transparency feature? Plus, NAT-T uses a fixed port (UDP 4500), you
    > can't change it under Cisco IOS or PIX Finesse or VPN Concentrator
    > OS...
    >
    > I just can't figure out what Cisco means by that sentence!!
    > Can someone shed some light on this?
    >
    > Deeply appreciated!
    >
    > http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_7/47con3k.htm#wp524890
    >


    To my knowledge, you can run WebVPN in several scenarios. One being the SSL,
    the other being you have an SSL-VPN client that you need to install first.
    This is in fact a VPN client, hence NAT Traversal should be in place.
    HTH
    Martin Bilgrav


    > Aless Pereira
    > ARP Labs
    >
    Martin Bilgrav, Aug 11, 2006
    #2

  3. Guest

    Yes, there're actually 3 options on a WebVPN solution:
    - Clientless, mainly for web browsing and file sharing at the most;
    - Thin Client, where you get an applet downloaded to your box and the
    ability to forward arbitrary network connections over the encrypted SSL
    connection over port 443
    - Tunnel Mode, aka SVC "SSL VPN Client", where you also download this
    app and get full tunnel capability, much like IPSEC.

    I have access to equipment capable of handling the first two, so I know
    how they work in detail. The BIG question is the Tunnel Mode. Still
    being an SSL tunnel and not an IPSEC one, I wonder if everything gets
    tunneled over port TCP 443 or if it requires other ports to happen.

    Has anybody tested or used SVC out there?

    Aless Pereira
    ARP Labs
    -
    Martin Bilgrav wrote:
    > <> wrote in message
    > news:...
    > > Upon reading Release Notes for Cisco VPN 3000 Series Concentrator,
    > > Release 4.7; Cisco SSL VPN Client, Release 1.0, I bumped into this
    > > sentence:
    > >
    > > "When using WebVPN with NAT-T, do not set the NAT-T port to 443. We
    > > recommend using port 80 for NAT-T, as firewalls should allow this."
    > >
    > > WebVPN with NAT-T?!?!
    > > WebVPN is SSL based. It doesn't touch layer 3. Why would I need a NAT
    > > transparency feature? Plus, NAT-T uses a fixed port (UDP 4500), you
    > > can't change it under Cisco IOS or PIX Finesse or VPN Concentrator
    > > OS...
    > >
    > > I just can't figure out what Cisco means by that sentence!!
    > > Can someone shed some light on this?
    > >
    > > Deeply appreciated!
    > >
    > > http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_7/47con3k.htm#wp524890
    > >

    >
    > To my knowledge, you can run WebVPN in several scenarios. One being the SSL,
    > the other being you have an SSL-VPN client that you need to install first.
    > This is in fact a VPN client, hence NAT Traversal should be in place.
    > HTH
    > Martin Bilgrav
    >
    >
    > > Aless Pereira
    > > ARP Labs
    > >
    , Aug 12, 2006
    #3
