Solved: VPN bewtween 2 PIX's - 1 behind a NAT router.

rate · ‎08-24-2005

Hi there,

I've set up 2 PIX's with a VPN tunnel between them and it worked. Thsi was during a test though before one of the PIX's was shipped to the location where it has been set up (of course with the new IP addresses etc.)

Now, this PIX is placed behind a Zyxel router which is running NAT, and the tunnel simply won't come up. It never gets any further than the "mm_sa_setup" state.

I'm aware that the only thing which is different from when it worked is the damn NAT-router, so is there anything that I should be aware of in that router? I'm going nuts :0)

Oh, and btw. I'm using ESP-3des-sha.

Thanks in advance,

Rasmus

mehrdad · ‎08-24-2005

When you enable NAT-T, the Cisco PIX automatically opens port 4500 on all IPSec enabled interfaces so you should be sure that UDP port 4500 is not blocked between two PIX.

Regards,

Mehrdad

View solution in original post

mehrdad · ‎08-24-2005

Hi,

If you are using software version 6.3 or higher you can enable NAT-T feature on your PIX with below command :

isakmp nat-traversal

it lets IPSec peers establish a connection through a NAT device.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080450b73.html#wp1052899

Regards,

Mehrdad

rate · ‎08-24-2005

OK, so it is something that needs to be done at the end vpn nodes and nothing needs to be done on the nat router in the middle?

Rgds,

Rasmus

mehrdad · ‎08-24-2005

When you enable NAT-T, the Cisco PIX automatically opens port 4500 on all IPSec enabled interfaces so you should be sure that UDP port 4500 is not blocked between two PIX.

Regards,

Mehrdad