VPN client and NAT

dedube23 · ‎03-03-2003

Hello I am having a major problem with Nat and the CIsoc vpn client 3.63 and a PIX 515 with version 6.14. WE have the clients terminating on the Pix but what is happenting is if the client is behind a firewall or nat network they can connect to the network but they can not acces any resources. This is extermely fustrating and I can not figure out why. Any help would be appreciated. IF they are not behind the Firewall or NAT device there are no problems.

Thanks

David

gfullage · ‎03-03-2003

This is caused by the fact that IPSec and NAT don't get along well. DEvices that NAT (or more specifically PAT) internal hosts to one external address keep track of the individual sessions by also changing the UDP or TCP source port to a specific number. IPSec however, sits right on top of IP, it is not a TCP/UDP protocol, and therefore has no port information. A lot of NAT/PAT devices and firewalls (including the PIX) will drop these packets cause they can't process them properly.

To get around this problem the VPN3000 client and concentrator have a feature called IPSec over UDP or TCP, where they encapsulate their IPSec packets in TCP/UDP packets, which a NAT device can then NAT properly. Unfortunately, the PIX doesn't support this feature.

A standard has recently been finalised called NAT-T, or NAT Transparency, where VPN end devices (both clients and termination points such as routers, concentrators and firewalls) will determine automatically during tunnel startup that there is a NAT device in between them and they'll encapsulate everything in UDP port 4500 packets. The VPN client supports this feature automatically from v3.6 onwards. The PIX supports it in v6.3 which is due out late this month/early April hopefully. This code is in open beta, so if you open a TAC case, ask nicely and promise to send us a report of how you go ( and you don't mind running beta code on your production PIX), all your problems will be solved :-)