Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1989
Views
0
Helpful
2
Replies

Cisco IPSec VTI VPN Behind a NAT Device

mrmadgig
Level 1
Level 1

‎04-01-2021 10:25 AM

Hello,

 

I have a few questions pertaining to the title of the post.

 

Are VTI VPN on Cisco Router capable of being behind another PAT / NAT device? AKA Router.

If so.... on the Tunnel interface of the router behind the nat device with a private IP do you set the tunnel source to private IP interface? Or the public of the nat router? 

I am new at the NAT-T config and not being very successful with this config so I wanted to ask if this version VPN will work or do  I need policy based.

 

Thank you

Joseph

Labels:
0 Helpful
2 Replies 2

Georg Pauwen
VIP
VIP

‎04-01-2021 12:04 PM

Hello,

 

the tunnel source needs to be the outgoing interface (private IP address).

 

Have a look at the link below, which has a pretty comprehensive sample configuration:

 

IPSec VPNs on Cisco routers when both are behind NAT

 

https://layer77.net/2019/07/12/ipsec-vpns-on-cisco-routers-when-both-are-behind-nat/comment-page-1/

0 Helpful

mrmadgig
Level 1
Level 1
In response to Georg Pauwen

‎04-05-2021 12:25 PM - edited ‎04-05-2021 12:26 PM

Wow thanks fort the response. I never got a notification. This is why I it took so long for reply.

 

I have not read the doc yet but I will here shortly. I have been having issues with both a Router isr4331 and and ASA that I put between these routers and not one will let go of the ports 500 or 4500 always get error that Either reserved by the system or cannot reserve ports.

 

So not sure how I am going to nat this. Also what is weird when I debug crypto isakmp the output never shows NAT detected and never  switches to port 4500

 

So to be clear is this correct?

This is the Tunnel interface of the router behind the ASA. Please note that I had this same situation with a isr4331 before I decided to try with an ASA and I still get no tunnel up

So you saying to change the tunnel source to the private ip? Of what the WAN private IP of the VPN router ? the WAN ip of this router is 192.168.117.254 

 

 

interface Tunnel1
ip address 172.16.200.2 255.255.255.252
zone-member security MAIN-LAN
tunnel source 73.xxx.160.27
tunnel mode ipsec ipv4
tunnel destination 50.xxx.102.118
tunnel protection ipsec profile protect-VTI

 

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card