04-18-2006 11:16 AM - edited 02-21-2020 02:22 PM
I am trying to get IPsec protocol 50/51 to work on a 2811 router that is doing NAT. I have created an ACL to allow ESP/AH on the in/out interfaces but it is still not working. Is there anything else required to allow IPsec to work with NAT?
04-18-2006 12:22 PM
Hi
If you are trying to terminate the IPsec on a device behind the NAT router, then you will have to configure a static on the router.
04-18-2006 12:36 PM
What I am trying to do is allow a visitor/vendor to phone home using the IPsec VPN client through a router that is running NAT/overload. I have the following configured in the router and applied to the internal (private) and external (internet-facing) interfaces.
ip access-list extended ipsec
remark SDM_ACL Category=4
permit esp any any
permit ahp any any
I am running SDM (Security Device Manager) on the 2811.
Thanks for your support.
05-03-2006 03:58 AM
Am I getting this right?
- You have a visitor inside your network using a VPN Client.
- He has an IPSEC router with IPSEC NAT Transparency enabled at home.
- Your router is doing FW / NAT / PAT in between.
If this is the case you should permit UDP IKE-NON500 (I believe it is port 4500 (or 10000)) to travel through your router.
When using NAT Traversal, ESP is encapsulated in a UDP packet to be able to travel through the NAT devices.
Hope This Helps
Greetings
Jarle
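To make the point in the answer above concrete, here is an added example (not from the thread or from any Cisco tool) that classifies the packets an IPsec client produces the way a PAT/overload router sees them, and reports which ones the router can actually translate. Raw ESP (IP protocol 50) and AH (IP protocol 51) carry no port field, so a router sharing one public address cannot keep multiple inside hosts apart; IKE on UDP 500 and NAT-T on UDP 4500 (RFC 3948: a four-byte zero "Non-ESP marker" in front of IKE, ESP header otherwise, a single 0xFF byte for keepalives) do have ports and pass through PAT. The packet layouts are constructed inline; the ACL lines are standard IOS extended ACL syntax, where `isakmp` is port 500 and `non500-isakmp` is port 4500.

```python
# Added example: classify IPsec-related packets as a NAT/PAT router sees them
# and explain why raw ESP/AH fails through overload NAT while NAT-T works.

IP_PROTO_UDP = 17
IP_PROTO_ESP = 50
IP_PROTO_AH = 51
IKE_PORT = 500       # ISAKMP
NATT_PORT = 4500     # NAT-Traversal (RFC 3947/3948)
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # precedes IKE inside UDP 4500
NATT_KEEPALIVE = b"\xff"              # one-byte NAT keepalive


def classify_ipsec(proto, sport, dport, payload):
    """Return a label for one packet given IP protocol, UDP ports
    (0 when not UDP) and the UDP payload (empty when not UDP)."""
    if proto == IP_PROTO_ESP:
        return "esp-raw"          # no port field: SPI only
    if proto == IP_PROTO_AH:
        return "ah-raw"           # no port field; also integrity-covers the IP header
    if proto != IP_PROTO_UDP:
        return "other"
    if IKE_PORT in (sport, dport):
        return "ike-udp500"
    if NATT_PORT in (sport, dport):
        if payload == NATT_KEEPALIVE:
            return "natt-keepalive"
        if len(payload) >= 4 and payload[:4] == NON_ESP_MARKER:
            return "ike-udp4500"  # IKE with Non-ESP marker
        if len(payload) >= 8:
            return "esp-in-udp"   # ESP header (SPI + sequence) follows UDP
        return "natt-malformed"
    return "other"


def pat_can_translate(label):
    """PAT rewrites source ports; only packets that have ports survive it."""
    return label in {"ike-udp500", "ike-udp4500", "esp-in-udp", "natt-keepalive"}


def required_acl_lines():
    """IOS extended ACL entries that let an inside VPN client reach a
    NAT-T capable peer through an overload router (constructed, shown
    for the ACL the original poster named 'ipsec')."""
    return [
        "ip access-list extended ipsec",
        " permit udp any any eq isakmp",        # UDP 500: IKE
        " permit udp any any eq non500-isakmp", # UDP 4500: NAT-T (IKE + ESP-in-UDP)
        " permit esp any any",                  # raw ESP, only useful without PAT
        " permit ahp any any",                  # raw AH, never survives NAT
    ]


def check_flow(packets):
    """Classify a constructed list of (proto, sport, dport, payload) packets
    and return (label, passes_pat) per packet."""
    results = []
    for proto, sport, dport, payload in packets:
        label = classify_ipsec(proto, sport, dport, payload)
        results.append((label, pat_can_translate(label)))
    return results


# Constructed sample traffic from a client with NAT-T detected:
SAMPLE_PACKETS = [
    (IP_PROTO_UDP, 500, 500, b"\x11" * 28),                 # IKE phase 1
    (IP_PROTO_UDP, 4500, 4500, NON_ESP_MARKER + b"\x22" * 28),  # IKE after NAT-T switch
    (IP_PROTO_UDP, 4500, 4500, b"\x00\x00\x12\x34" + b"\x00\x00\x00\x01" + b"\x33" * 16),  # ESP-in-UDP
    (IP_PROTO_UDP, 4500, 4500, NATT_KEEPALIVE),             # keepalive
    (IP_PROTO_ESP, 0, 0, b""),                              # raw ESP, what the OP was permitting
    (IP_PROTO_AH, 0, 0, b""),                               # raw AH
]

if __name__ == "__main__":
    for (label, ok), pkt in zip(check_flow(SAMPLE_PACKETS), SAMPLE_PACKETS):
        print(f"proto={pkt[0]:>2} dport={pkt[2]:>4} {label:<15} passes PAT: {ok}")
    print("\n".join(required_acl_lines()))
```

Running it shows the first four packets translating cleanly and the two raw protocol-50/51 packets not, which is why the ACL on the original poster's router (ESP and AH only) was not enough: the client and peer must negotiate NAT-T, and UDP 500 and 4500 must be permitted.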