nat traversal or something else

Discussion in 'Cisco' started by cci admin, Apr 22, 2004.

  1. cci admin

    cci admin Guest

    Hello all

    Cisco support didn't know how to answer me, but I am sure there is some kind
    of workaround.

    This is how our network is set up:
    PIX 506E ==> Cisco 801 ISDN Router -------- (internet) ----- Netgear
    PIX is behind NAT on the 801 ISDN router.

    I have created a site-to-site VPN between Cisco PIX 506E and Netgear FVS318
    Firewall.
    On debugging I can see that the IKE and SAs all get successfully
    initiated and the VPN link status is working. That is because IKE uses UDP
    port 500.
    However, no traffic can pass through the tunnel. I cannot ping or do anything
    else.

    I have noticed that the problem lies in the following:
    Apparently a VPN is not going to work behind NAT because you can't really NAT
    protocols other than TCP or UDP,
    and we do need to pass through the ESP and GRE protocols.

    Here are the questions:
    1. Is it possible to set up the Cisco 801 to pass through the ESP and AH protocols,
    whether it is by means of NAT or something else?
    2. If not, is it possible to set up the Cisco 801 as a bridge and have the PIX
    controlling ISDN? (I doubt that.)
    3. Will NAT traversal work well in this situation to encapsulate everything
    in port 4500? (I haven't tried because I only have PIX OS 6.2.)
    4. If I do use NAT traversal, can it only be used between PIX and PIX with
    both using port 4500, or can I use NAT traversal with the PIX and the Netgear
    firewall with the settings I already had (it doesn't support NAT traversal)?


    Thank you so much!
    It'd be great to see if anyone has achieved something similar to this.
     
    cci admin, Apr 22, 2004
    #1

  2. :PIX 506E ==> Cisco 801 ISDN Router -------- (internet) ----- Netgear
    :PIX is behind NAT on the 801 ISDN router.

    :3. Will NAT traversal work well in this situation to encapsulate everything
    :in port 4500? (I haven't tried because I only have PIX OS 6.2.)

    NAT traversal would probably solve your problem. It does not, though,
    encapsulate everything onto port 4500: it uses UDP 4500 to negotiate
    a port to use.

    :4. If I do use NAT traversal, can it only be used between PIX and PIX with
    :both using port 4500, or can I use NAT traversal with the PIX and the Netgear
    :firewall with the settings I already had (it doesn't support NAT traversal)?

    I think NAT traversal needs to be supported on both ends, but it has
    been a while since I looked at the technical document.
     
    Walter Roberson, Apr 22, 2004
    #2

  3. cci admin

    cci admin Guest

    Thank you!

    So I guess there is no choice but to either buy another PIX for the second branch or...
    Is there a way to configure the Cisco 801 to forward everything onto the PIX, like a
    DMZ situation?
     
    cci admin, Apr 22, 2004
    #3
  4. Rik Bain

    Rik Bain Guest

    Is that new? Since I have been using NAT-T it will switch from UDP/500
    to UDP/4500 as soon as NAT is detected and encapsulate all traffic on
    4500.

    I have configured PIX firewalls behind other PAT devices that only forward
    UDP/500 and UDP/4500 and established L2L tunnels with no problems.

    Rik Bain
     
    Rik Bain, Apr 22, 2004
    #4
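    To make the two behaviours discussed in this thread concrete (plain ESP has no port field for a PAT device to key on, while NAT-T carries IKE, ESP and keepalives on UDP/4500 as Rik Bain describes), here is a small classifier that looks at IPsec-related datagrams the way a NAT box would have to. This is an added example written for this page, not code from any poster or from Cisco; the packet layouts follow RFC 3948 (four-byte zero "non-ESP marker" for IKE on 4500, non-zero SPI for UDP-encapsulated ESP, single 0xFF byte for keepalives), and all sample packets are constructed inline.

```python
import struct

IP_PROTO_UDP, IP_PROTO_ESP, IP_PROTO_AH = 17, 50, 51
IKE_PORT, NATT_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 2.2: IKE carried inside UDP/4500
NATT_KEEPALIVE = b"\xff"               # RFC 3948 2.3: one-byte NAT keepalive


def build_ipv4(proto: int, payload: bytes,
               src: bytes = b"\xc0\xa8\x01\x0a", dst: bytes = b"\xcb\x00\x71\x01") -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) followed by payload.
    Constructed sample data only; addresses are placeholders."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0, src, dst)
    return hdr + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header (checksum zero) plus data. Constructed sample data only."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def classify(pkt: bytes) -> dict:
    """Label one IPv4 datagram: raw ESP/AH, IKE on 500, or one of the three
    NAT-T payload types multiplexed on UDP/4500."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return {"kind": "not-ipv4"}
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    body = pkt[ihl:]
    if proto == IP_PROTO_ESP:
        if len(body) < 8:
            return {"kind": "esp-malformed"}
        spi, seq = struct.unpack("!II", body[:8])   # ESP header: SPI, sequence number
        return {"kind": "esp-raw", "spi": spi, "seq": seq}
    if proto == IP_PROTO_AH:
        return {"kind": "ah-raw"}
    if proto != IP_PROTO_UDP:
        return {"kind": "other-proto", "proto": proto}
    if len(body) < 8:
        return {"kind": "udp-malformed"}
    sport, dport, _ulen, _csum = struct.unpack("!HHHH", body[:8])
    data = body[8:]
    if IKE_PORT in (sport, dport):
        return {"kind": "ike", "sport": sport, "dport": dport}
    if NATT_PORT in (sport, dport):
        if data == NATT_KEEPALIVE:
            return {"kind": "natt-keepalive"}
        if data[:4] == NON_ESP_MARKER:          # zero SPI is reserved, so this is IKE
            return {"kind": "natt-ike"}
        if len(data) >= 8:                       # otherwise UDP-encapsulated ESP
            spi, seq = struct.unpack("!II", data[:8])
            return {"kind": "natt-esp", "spi": spi, "seq": seq}
        return {"kind": "natt-malformed"}
    return {"kind": "udp-other", "sport": sport, "dport": dport}


def pat_can_forward(info: dict) -> bool:
    """A port-translating NAT keys its table on UDP/TCP ports; raw ESP and AH
    have none, which is why only the NAT-T forms make it through a PAT device."""
    return info["kind"] in ("ike", "natt-ike", "natt-esp", "natt-keepalive", "udp-other")


# Constructed samples: one raw ESP packet, IKE on 500, and the three NAT-T payload types.
SAMPLES = {
    "raw esp":        build_ipv4(IP_PROTO_ESP, struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16),
    "ike on 500":     build_ipv4(IP_PROTO_UDP, build_udp(500, 500, b"\x00" * 28)),
    "natt ike":       build_ipv4(IP_PROTO_UDP, build_udp(4500, 4500, NON_ESP_MARKER + b"\x00" * 28)),
    "natt esp":       build_ipv4(IP_PROTO_UDP, build_udp(4500, 4500, struct.pack("!II", 0xC0FFEE01, 2) + b"\x00" * 16)),
    "natt keepalive": build_ipv4(IP_PROTO_UDP, build_udp(4500, 4500, NATT_KEEPALIVE)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        info = classify(pkt)
        print(f"{name:15s} -> {info['kind']:15s} PAT-forwardable: {pat_can_forward(info)}")
```

    Running the block prints one line per sample; only "raw esp" comes out as not forwardable, which matches the original poster's symptom (IKE on UDP/500 completes through the 801's NAT, the ESP data path does not) and Rik Bain's point that once NAT is detected everything, ESP included, rides on UDP/4500.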
  5. cci admin

    cci admin Guest

    Oh, not bad!

    Is the configuration any different for NAT-T than for NAT?
    Or is it a new kind of NAT on the latest routers?
     
    cci admin, Apr 22, 2004
    #5
  6. cci admin

    cci admin Guest

    Oh okay, you meant NAT-T as in NAT traversal, but I have already mentioned
    that was one of the alternatives. See, the problem is I cannot use NAT traversal
    as one of the firewalls does not support it.
     
    cci admin, Apr 22, 2004
    #6