https://community.cisco.com/t5/network-security/firewall-services-mod-transparent-mode-vpn-issues/m-p/696985#M1035338 <P>I am using a FWSM in transparent mode on a 6509 and I am running into issues using the Microsoft VPN client with NAT. Currently, I have NAT setup on my router and when I try to VPN to an outside VPN server I cannot get authenticated. If I try the same VPN server using a public IP behind the same context it works no problem. I know this is an issue with NAT not knowing how to get back to the 192.168.x.x address but I do not know how to resolve the issue. I am using NAT overload so I would need to get back to the address (source) without doing a 1 to 1 NAT. Any ideas? Thanks </P> Mon, 11 Mar 2019 08:59:00 GMT jbanker 2019-03-11T08:59:00Z https://community.cisco.com/t5/network-security/firewall-services-mod-transparent-mode-vpn-issues/m-p/696985#M1035338 <P>I am using a FWSM in transparent mode on a 6509 and I am running into issues using the Microsoft VPN client with NAT. Currently, I have NAT setup on my router and when I try to VPN to an outside VPN server I cannot get authenticated. If I try the same VPN server using a public IP behind the same context it works no problem. I know this is an issue with NAT not knowing how to get back to the 192.168.x.x address but I do not know how to resolve the issue. I am using NAT overload so I would need to get back to the address (source) without doing a 1 to 1 NAT. Any ideas? Thanks </P> Mon, 11 Mar 2019 08:59:00 GMT https://community.cisco.com/t5/network-security/firewall-services-mod-transparent-mode-vpn-issues/m-p/696985#M1035338 jbanker 2019-03-11T08:59:00Z https://community.cisco.com/t5/network-security/firewall-services-mod-transparent-mode-vpn-issues/m-p/696986#M1035341 <HTML><HEAD></HEAD><BODY><P>If the NAT works fine VPN needs to work.Make sure when the packet goes out it gets a public ip address from the NAT configuration.Because private internet address do not have routing in the internet.</P></BODY></HTML> Mon, 27 Nov 2006 20:31:14 GMT https://community.cisco.com/t5/network-security/firewall-services-mod-transparent-mode-vpn-issues/m-p/696986#M1035341 bstremp 2006-11-27T20:31:14Z https://community.cisco.com/t5/network-security/firewall-services-mod-transparent-mode-vpn-issues/m-p/696987#M1035344 <HTML><HEAD></HEAD><BODY><P>If you can reach the VPN server and cannot authenticated,most vpn client will fail probably because the vpn ports are taken by another vpn session or the NAT process dynamic port assignment is conflict with ports required to a vpn tunnel. A one to one static NAT should solve this issue.</P><P></P><P>Thanks</P><P>Karar</P></BODY></HTML> Tue, 28 Nov 2006 02:38:45 GMT https://community.cisco.com/t5/network-security/firewall-services-mod-transparent-mode-vpn-issues/m-p/696987#M1035344 ksudi 2006-11-28T02:38:45Z https://community.cisco.com/t5/network-security/firewall-services-mod-transparent-mode-vpn-issues/m-p/696988#M1035348 <HTML><HEAD></HEAD><BODY><P>Hi .. when trying to stablish a VPN from behind a device which does NAT /PAT you need to enable nat traversal on the device terminating the VPN in this case the VPN server. Also the VPN client needs to be configured for NAT-transparency .. on cisco clients this is normally done by encapsulating ESP on UDP 4500 .. This allows the NAT /PAT otherwise you will have problems mainly because ESP and NAT/PAT are not compatible. You also need to make sure that UDP 4500 and UDP 500 can traverse the device doing NAT/PAT by checking the access lists aplpied to it.</P><P></P><P>I hope it helps .. please rate if it does.</P></BODY></HTML> Tue, 28 Nov 2006 03:44:25 GMT https://community.cisco.com/t5/network-security/firewall-services-mod-transparent-mode-vpn-issues/m-p/696988#M1035348 Fernando_Meza 2006-11-28T03:44:25Z https://community.cisco.com/t5/network-security/firewall-services-mod-transparent-mode-vpn-issues/m-p/696989#M1035351 <HTML><HEAD></HEAD><BODY><P>Thanks for the info! The VPN Server we are currently connecting to uses PPTP. I can reach the VPN Server but not authenticate. I will contact the owner and see if Nat-T is setup on his end. Thanks</P></BODY></HTML> Tue, 28 Nov 2006 16:28:15 GMT https://community.cisco.com/t5/network-security/firewall-services-mod-transparent-mode-vpn-issues/m-p/696989#M1035351 jbanker 2006-11-28T16:28:15Z