IPSec Passthrough

database
Level 1

Hi,

My problem is as follows.

User is connecting to Internet using an 803 router over ISDN. The IP address is assigned by the ISP to the BRI0 and the router is doing NAT. User has the VPN client and wants to create a VPN from his PC, which has a private network address, into the Head Office Network. The VPN device at the Head Office network is a Nortel Contivity Extranet Switch. This device supports IPSec passthrough.

My question is:

How do I configure the 803 to allow the IPsec traffic to pass through it without it being NATted, as this is causing my IPSec headers to become corrupted.

Any help would be greatly appreciated.

Lee

1 Reply

vijkrish
Cisco Employee

Note: This question was answered on the forum a few days back. Please search the archives in general.

To answer your question:

Yes, it is possible. No config is needed on the router (other than NAT).

See notes below from URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122relnt/800/rn800xi.htm

IP Security Through Network Address Translation Support

Cisco IOS Release 12.2(2)XI IP Security (IPSec) supports clients that do not use TCP wrapping or UDP wrapping. On Cisco 801-804 routers and Cisco 806 routers, this feature allows clients that have wrapping disabled, or clients that do not support wrapping, to use IPSec. Each client creates an IPSec tunnel, and NAT translates the private IP addresses of these packets to public IP addresses.

On the Cisco 801, 802, 803 or 804 routers, you must enter the following global configuration mode command for this feature to work:

ip nat inside source list number interface bri number overload

In this command, number refers to the source list number, and the basic rate interface number, respectively. The document at the following URL contains an example configuration:
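
Added example, not part of the reply above and not taken from the Cisco document it refers to: the quoted command placed in a minimal NAT overload configuration for the 803 described in the question. The LAN interface name, the 192.168.1.0/24 subnet and access list number 1 are assumptions; BRI0 comes from the original post.

```cisco
! Constructed example. Assumptions: the LAN is Ethernet0 on 192.168.1.0/24,
! access list 1 is unused, and the ISP assigns the address on BRI0 via PPP.
! The existing ISDN/PPP dialing configuration on BRI0 is left unchanged.
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface BRI0
 ip address negotiated
 ip nat outside
!
! Translate only the private LAN range; no other source addresses are NATted.
access-list 1 permit 192.168.1.0 0.0.0.255
!
! The command from the release notes with both "number" values filled in:
! source list 1 and basic rate interface 0.
ip nat inside source list 1 interface BRI0 overload
```

Once the VPN client has connected, `show ip nat translations` on the router lists the active translations for the PC's inside address.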