IPSec behind Firewall with PAT

abhijeet.ghodke
Level 1

Hello Experts,

I am planning to set up an IPsec connection from a client location to our DC Cisco ASR router.

The client has a Cisco router from which the IPsec connections are built; this router sits behind a firewall which has a single internet gateway IP.

All the traffic behind the firewall is overloaded to a single public IP; the case is similar for the Cisco router where IPsec terminates.

I referred to a few articles for this scenario, which say that with PAT, IPsec connections will not be established because the source port is changed from 4500 to a random port.

Now, I am curious to know if we can use PAT on the firewall to build the IPsec connectivity to our core DC router.

The setup is like this:

customer LAN --> Cisco router (IPsec) 192.168.1.1 --> Firewall (PAT enabled) (ex. 55.55.55.65) -- Internet --> DC core Cisco ASR

 

 

1 Reply

Collin Clark
VIP Alumni

You could make port 4500 work, but ESP would fail since it is not NAT'd. Your best bet is to enable NAT-T on the firewall and/or do a full NAT on the firewall to the IPsec router behind it.

 

HTH
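As an added illustration of why NAT-T is the answer here (example code written for this page, not from the post or from Cisco): the IKEv2 NAT detection check from RFC 7296 section 2.23, worked through for the topology in the question. The DC router address 203.0.113.10, the PAT port 41023 and the SPIs are constructed placeholders; 192.168.1.1 and 55.55.55.65 come from the question.

```python
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_*_IP payload data (RFC 7296 2.23): SHA-1(SPIi | SPIr | IP | port)."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKEv2 SPIs are 8 bytes each")
    ip_bytes = ipaddress.ip_address(ip).packed        # 4 bytes for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + ip_bytes + struct.pack("!H", port)).digest()


def nat_in_path(spi_i: bytes, spi_r: bytes, payload_hash: bytes, seen_ip: str, seen_port: int) -> bool:
    """True when a received NAT_DETECTION_*_IP hash does not match the hash of the
    address/port actually seen on the wire, i.e. a NAT/PAT rewrote that side."""
    return payload_hash != nat_detection_hash(spi_i, spi_r, seen_ip, seen_port)


# Constructed scenario: inside address and firewall public IP are from the question,
# the PAT-chosen port and the DC router address are placeholders.
CUSTOMER_ROUTER = ("192.168.1.1", 500)
FIREWALL_PAT = ("55.55.55.65", 41023)
DC_ASR = ("203.0.113.10", 500)


def simulate_pat_exchange() -> dict:
    spi_i = bytes.fromhex("0011223344556677")   # constructed initiator SPI
    spi_r = bytes(8)                            # SPIr is zero in the IKE_SA_INIT request
    # 1. The customer router hashes the addresses it believes the packet carries.
    src_payload = nat_detection_hash(spi_i, spi_r, *CUSTOMER_ROUTER)
    dst_payload = nat_detection_hash(spi_i, spi_r, *DC_ASR)
    # 2. The firewall PATs the packet; the DC router recomputes both hashes from what
    #    actually arrived: source 55.55.55.65:41023, destination its own 203.0.113.10:500.
    initiator_behind_nat = nat_in_path(spi_i, spi_r, src_payload, *FIREWALL_PAT)
    responder_behind_nat = nat_in_path(spi_i, spi_r, dst_payload, *DC_ASR)
    # 3. The DC answers to the observed source, never to the address inside the hash,
    #    so the firewall's PAT entry carries the reply back. In that reply it hashes the
    #    observed source as NAT_DETECTION_DESTINATION_IP; the customer router compares
    #    it with its own 192.168.1.1:500 and learns it sits behind a NAT.
    spi_r = bytes.fromhex("8899aabbccddeeff")   # constructed responder SPI for the reply
    dc_dst_payload = nat_detection_hash(spi_i, spi_r, *FIREWALL_PAT)
    customer_learns_nat = nat_in_path(spi_i, spi_r, dc_dst_payload, *CUSTOMER_ROUTER)
    # 4. With a NAT detected on either side, both peers move IKE to UDP/4500 and carry
    #    ESP inside UDP, which is what lets the PAT forward it (raw protocol 50 has no port).
    ike_port = 4500 if (initiator_behind_nat or responder_behind_nat) else 500
    return {"initiator_behind_nat": initiator_behind_nat,
            "responder_behind_nat": responder_behind_nat,
            "customer_learns_nat": customer_learns_nat,
            "reply_to": FIREWALL_PAT,
            "ike_port_after_detection": ike_port}
```

Because the hash covers the port as well as the address, a PAT that only changes the UDP source port is still detected, and the responder keeps sending to whatever port it observed.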
