07-04-2004 12:56 AM - edited 02-20-2020 11:29 PM
Scenario:
Cisco VPN client through a PIX501 6.3(3) doing NAT to a PIX which does not support NAT-T {6.2(2)}. The VPN client is set to use transparent tunneling.
The local PIX does not have fixup for ESP/IKE and has explicit access lists to allow ESP and ISAKMP traffic from designated hosts. This traffic goes through a static NAT.
Even so... I thought that NAT (albeit a static NAT) was supposed to prevent IPsec from working. Can anyone explain to me why this works?
07-04-2004 03:40 PM
IPSec and NAT (one-to-one address mapping) works fine, which I assume is what you're doing.
IPsec and PAT (one-to-many address mapping) is what doesn't work very well. This is because the IPsec ESP packets are not UDP or TCP packets; ESP sits right on top of IP and therefore doesn't have a TCP/UDP port number to use with the PAT'ing. A lot of PAT devices don't like this and drop the packets.
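Glenn's explanation, as an added worked example that is not part of the original thread: a toy model in Python of a one-to-one static NAT and a port-based PAT, run over constructed packets for ISAKMP (UDP/500), raw ESP (IP protocol 50) and, going one step beyond the post, NAT-T (ESP wrapped in UDP/4500). The static NAT rewrites only the IP header, so both ISAKMP and ESP pass; the PAT has to allocate a public port per flow, and a raw ESP packet has no port field to allocate or key on, so it is dropped, while NAT-T's UDP wrapper gives it one. The addresses, SPI, port range and class names are assumptions for illustration, and checksums are not recomputed.

```python
"""Toy NAT vs PAT model: why raw ESP survives one-to-one NAT but not port-based PAT.
Added example for illustration; not Cisco code. Checksums are left as zero."""
import struct
from ipaddress import IPv4Address

PROTO_TCP = 6
PROTO_UDP = 17
PROTO_ESP = 50  # ESP rides directly on IP: no L4 header, hence no ports


def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (constructed sample; header checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def build_udp(sport, dport, data=b""):
    """UDP header (length filled in, checksum left zero) followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_esp(spi, seq, ciphertext=b"\x00" * 16):
    """ESP header is just SPI + sequence number, then opaque ciphertext."""
    return struct.pack("!II", spi, seq) + ciphertext


def parse(pkt):
    """Return (src, dst, proto, sport, dport); ports are None when the protocol has none."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = str(IPv4Address(pkt[12:16]))
    dst = str(IPv4Address(pkt[16:20]))
    if proto in (PROTO_TCP, PROTO_UDP):
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        return src, dst, proto, sport, dport
    return src, dst, proto, None, None


def _rewrite(pkt, src=None, sport=None):
    """Rewrite the source address and/or source port of a packet (checksums ignored here)."""
    out = bytearray(pkt)
    ihl = (pkt[0] & 0x0F) * 4
    if src is not None:
        out[12:16] = IPv4Address(src).packed
    if sport is not None:
        out[ihl:ihl + 2] = struct.pack("!H", sport)
    return bytes(out)


class StaticNat:
    """One-to-one address mapping: only the IP header changes, so any IP protocol passes."""
    def __init__(self, mappings):
        self.inside_to_outside = dict(mappings)

    def outbound(self, pkt):
        src = parse(pkt)[0]
        if src not in self.inside_to_outside:
            return None
        return _rewrite(pkt, src=self.inside_to_outside[src])


class Pat:
    """Many-to-one mapping: the translator needs an L4 port to tell inside flows apart."""
    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}  # (proto, public_port) -> (inside_ip, inside_port)

    def outbound(self, pkt):
        src, dst, proto, sport, dport = parse(pkt)
        if sport is None:
            return None  # no port field to allocate or key on: the packet is dropped
        for (p, pub_port), (ip, port) in self.table.items():
            if (p, ip, port) == (proto, src, sport):
                return _rewrite(pkt, src=self.public_ip, sport=pub_port)
        pub_port = self.next_port
        self.next_port += 1
        self.table[(proto, pub_port)] = (src, sport)
        return _rewrite(pkt, src=self.public_ip, sport=pub_port)


# Constructed sample traffic from a VPN client behind the firewall (assumed addresses).
CLIENT, PEER, PUBLIC = "192.168.1.10", "203.0.113.5", "198.51.100.1"
ISAKMP = build_ipv4(CLIENT, PEER, PROTO_UDP, build_udp(500, 500, b"IKE"))
ESP = build_ipv4(CLIENT, PEER, PROTO_ESP, build_esp(0x1234ABCD, 1))
NATT = build_ipv4(CLIENT, PEER, PROTO_UDP, build_udp(4500, 4500, build_esp(0x1234ABCD, 1)))


def demo():
    """Run each sample packet through both translators; None means dropped."""
    nat = StaticNat({CLIENT: PUBLIC})
    pat = Pat(PUBLIC)
    return {
        "nat_isakmp": parse(nat.outbound(ISAKMP)),
        "nat_esp": parse(nat.outbound(ESP)),
        "pat_isakmp": parse(pat.outbound(ISAKMP)),
        "pat_esp": pat.outbound(ESP),           # None: raw ESP has no port for PAT
        "pat_natt": parse(pat.outbound(NATT)),  # UDP/4500 wrapper gives PAT a port
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The static NAT case is the original poster's setup: a one-to-one mapping never needs a port, so the ESP packet is forwarded with only its source address rewritten. The PAT case is what the VPN client's NAT-T / transparent tunneling option exists for, and it only helps when the far end also understands the UDP wrapper.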
07-05-2004 12:45 AM
Glenn, Makes sense, thanks.