
How come it works VPN behind PAT

dumlutimuralp
Level 1

Hi,

Everywhere it says, "if PAT is applied when a client tries to make a VPN connection to a remote site, you need to enable IPSEC over UDP over TCP or NAT-T". The thing is, I use an ADSL modem at home, and even when I disable transparent tunnelling on my Cisco VPN Client software the VPN connection works OK. How can this be possible? Isn't it known that IPSEC packets cannot be PATed?

Accepted Solution

gfullage
Cisco Employee

MOST devices have trouble PAT'ing IPSec packets, simply because there is no TCP or UDP port number to base the PAT on. It isn't that the packets cannot be PAT'd, it's just that most devices aren't smart enough to be able to do it, and therefore you need to encapsulate your IPSec packets into UDP or TCP.

I would simply say your ADSL modem is smart enough to figure out you're using IPSec and it will PAT it based on some other value in the packet. You may have issues starting two clients from behind this device, as the PAT device will quite often be only able to handle one.

Cisco routers have been able to do this since 12.2(15)T code, so it's not unusual that it does work.

Hi,

I had the same query. It turned out that the Netgear routers we were using support VPN passthrough, which stops the router from messing with the VPN packets, and hence NAT-T or such like is not needed.

mark
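
The following is an added illustration of the accepted answer above, not code from the original posts or from Cisco. It parses a raw ESP packet and the same ESP payload wrapped in UDP 4500 to show which fields a PAT device has to work with, then uses `EspPassthrough`, a hypothetical and simplified model that keys on the remote peer address (the thread does not say which value a given device uses), to show why a second client behind the same device can fail. All addresses and packets are constructed samples.

```python
import socket
import struct

ESP, TCP, UDP = 50, 6, 17

def ipv4(proto, src, dst, payload):
    """Build a minimal IPv4 packet (constructed sample; checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def pat_fields(packet):
    """Return what a PAT device can read to tell this flow from others."""
    ihl = (packet[0] & 0x0F) * 4
    proto, l4 = packet[9], packet[ihl:]
    if proto in (TCP, UDP):
        sport, dport = struct.unpack("!HH", l4[:4])
        return {"proto": proto, "sport": sport, "dport": dport}
    if proto == ESP:
        # ESP header is SPI (4 bytes) + sequence number (4 bytes); no ports.
        (spi,) = struct.unpack("!I", l4[:4])
        return {"proto": proto, "spi": spi}
    return {"proto": proto}

class EspPassthrough:
    """Toy model (assumption): one inside host per remote VPN peer."""
    def __init__(self):
        self.owner = {}  # remote peer IP -> inside host IP

    def outbound(self, inside_ip, peer_ip):
        # First inside host to send ESP to a peer claims the mapping.
        return self.owner.setdefault(peer_ip, inside_ip) == inside_ip

    def inbound(self, peer_ip):
        # Reply ESP has no destination port, so the peer address is the key.
        return self.owner.get(peer_ip)

# Constructed sample packets (documentation addresses, dummy payloads).
esp = struct.pack("!II", 0x1234ABCD, 1) + b"\x00" * 16
RAW_ESP = ipv4(ESP, "192.168.1.10", "203.0.113.5", esp)
NAT_T = ipv4(UDP, "192.168.1.10", "203.0.113.5",
             struct.pack("!HHHH", 51000, 4500, 8 + len(esp), 0) + esp)

if __name__ == "__main__":
    print(pat_fields(RAW_ESP))   # SPI only: nothing to port-translate
    print(pat_fields(NAT_T))     # UDP ports present: ordinary PAT works
    nat = EspPassthrough()
    print(nat.outbound("192.168.1.10", "203.0.113.5"))  # first client maps
    print(nat.outbound("192.168.1.11", "203.0.113.5"))  # second client collides
```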