Re: Cisco VPN client sat behind NATed router

shawn.wilkin · ‎08-30-2005

Hi,

We are trying to use the Cisco VPN client version 4.6.04.0043 behind a NATed Cisco router. The client states that it is connected, but traffic will not pass over the tunnel. I have read on some of the Cisco articles that using a Cisco VPN in a NATed environment cannot be done. Can someone confirm this for me please?

shijogeorge · ‎08-30-2005

Hi,

Cisco VPN client can work in NATed environments if you enable NAT-T at the VPN gateway.

What is the VPN gateway that is used at the client end?

Regards,

Shijo George.

shawn.wilkin · ‎08-30-2005

Hi, thanks for your reply.

The client goes out via a Cisco 837 router. It is worth noting that the router also performs site to site VPN tunneling.

shijogeorge · ‎08-30-2005

Not sure if I made it clear... NAT-T has to be enabled on the remote VPN device to which you are connecting using the VPN client.

shawn.wilkin · ‎08-30-2005

the remote device is a PIX that I do not have access to. I will certainly ask. Is there anything else I can do this end? I have fould this on Cisco's site, but it did not work:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_administration_guide_chapter09186a00800bd98c.html#wp1172854

I have tried to use a dial up modem from the same machine and the Client works fine. Any suggestions would be greatly appreciated. I will call the end point now (VPN end point).

shijogeorge · ‎08-30-2005

Hi,

The document mentions about enabling NAT-T at the client end. But this has to be enabled at the VPN gateway (PIX in your case) also for this feature to work.

If the client end PIX is running code later that 6.3 the following command will enable NAT-T

isakmp nat-traversal

HTH

Regards,

Shijo George.

shawn.wilkin · ‎08-30-2005

Hi,

Many thanks for your reply. I have left a message for the person at the PIX site to call me. I will post a reply when I have more info.

Thanks again.