TCC_2
Level 10

Core issue

If two VPN clients behind the same Network Address Translation (NAT) router try to establish IPsec tunnels to the PIX/ASA Firewall, only the first one gets a working tunnel.

Resolution

You must configure NAT Transparency on the PIX/ASA.

The IPsec NAT Transparency feature introduces support for IPsec traffic to travel through NAT or Port Address Translation (PAT) points in the network and addresses many known incompatibilities between NAT and IPsec.

NAT Transparency uses User Datagram Protocol (UDP) port 4500 in order to encapsulate IPsec packets. By default, PIX/ASA drops all inbound connections that come from the outside. You must open this port in order for NAT Transparency to work.

Issue this command:

Pix#configure terminal

Pix(config)#isakmp nat-traversal

Refer to IPSec NAT Transparency for more information.

NAT Traversal is a feature that is auto-detected by VPN devices. There are no configuration steps for a router that runs Cisco IOS Software Release 12.2(13)T and later. If both VPN devices are NAT Transparency capable, NAT Traversal is auto-detected and auto-negotiated.
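To make the UDP 4500 encapsulation concrete, here is an added example (not code from the original post or from Cisco) that parses what arrives on port 4500 the way a peer or an IDS would, per RFC 3948 (UDP-encapsulated ESP, keepalives) and RFC 3947 (IKE behind NAT), and shows why two clients behind one PAT router become distinguishable by source port once NAT-T is on. All packet contents, addresses and ports below are constructed.

```python
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # precedes IKE on port 4500 (RFC 3948 s.2.2)
NAT_KEEPALIVE = b"\xff"                # one-byte NAT keepalive (RFC 3948 s.2.3)
IKE_HDR = struct.Struct("!QQBBBBII")    # ISAKMP header: cookies, np, ver, exch, flags, msgid, len


def classify_nat_t_payload(payload: bytes) -> dict:
    """Say what a UDP datagram on port 4500 carries."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        # ESP SPI 0 is reserved, so four leading zero bytes can only be the marker.
        if len(payload) < 4 + IKE_HDR.size:
            return {"kind": "malformed-ike"}
        i_spi, r_spi, _np, ver, exch, _flags, _msg_id, length = IKE_HDR.unpack(
            payload[4:4 + IKE_HDR.size])
        return {"kind": "ike", "version": f"{ver >> 4}.{ver & 0xF}",
                "exchange_type": exch, "initiator_spi": i_spi,
                "responder_spi": r_spi, "length_ok": length == len(payload) - 4}
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])   # ESP header: SPI, sequence
        return {"kind": "udp-esp", "spi": spi, "seq": seq}
    return {"kind": "unknown"}


def distinct_ike_peers(datagrams):
    """Peers keyed by (public IP, UDP source port). With NAT-T, two clients
    behind one PAT router share an IP but get different ports, so the firewall
    can keep both tunnels apart; raw ESP (IP protocol 50) has no port for this."""
    return {(ip, port) for ip, port, pl in datagrams
            if classify_nat_t_payload(pl)["kind"] == "ike"}


def build_ike_msg(i_spi: int, exch: int, body: bytes) -> bytes:
    """Constructed IKEv1 (version 1.0) message with the non-ESP marker prepended."""
    hdr = IKE_HDR.pack(i_spi, 0, 1, 0x10, exch, 0, 0, IKE_HDR.size + len(body))
    return NON_ESP_MARKER + hdr + body


# Constructed traffic: two clients behind NAT 203.0.113.5, PAT'd to ports 4500 and 50123.
SAMPLE = [
    ("203.0.113.5", 4500, build_ike_msg(0x1111, 2, b"\x00" * 8)),           # client A, Main Mode
    ("203.0.113.5", 50123, build_ike_msg(0x2222, 2, b"\x00" * 8)),          # client B, Main Mode
    ("203.0.113.5", 4500, struct.pack("!II", 0xC0FFEE, 1) + b"\x00" * 16),  # UDP-ESP from A
    ("203.0.113.5", 50123, NAT_KEEPALIVE),                                   # keepalive from B
]

if __name__ == "__main__":
    for ip, port, pl in SAMPLE:
        print(ip, port, classify_nat_t_payload(pl))
    print("distinct IKE peers:", len(distinct_ike_peers(SAMPLE)))
```

Without NAT-T the firewall would see both clients' ESP arriving from 203.0.113.5 with no port to tell them apart, which is the single-working-tunnel symptom described above.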
