Re: VPN from client to 3000 through NAT

jrackelmann · ‎02-23-2001

For cost reasons, we desire to have individual VPN clients on a remote office LAN for connecting to corporate network. For example, if the office has a DSL connection to the Internet, where the (cheap) DSL router is running NAT, only one client can get through the VPN (whoever was last to establish the tunnel). What options, costly or otherwise, do I have?

jomccloud · ‎02-28-2001

Hmm. I might be able to help you out if I had info on the NAT device you are using. Some basic issues you must deal with are whether the device is running NAT or NAT overload (PAT). For PAT to work correctly you must use the NAT transparency setting in the VPN 3000 client/concentrator. If you like, you may e-mail me directly at jmccloud@cisco.com to provide further info.

jhamm · ‎03-02-2001

With regards to the "NAT transparency setting", is this something that will allow a VPN client behind a generic firewall running PAT to establish an IPSec tunnel with a PIX box?

jomccloud · ‎03-02-2001

No. Though the PIX supports tunnel termination for the VPN 3000 client (as of PIX OS 5.2[1]), it does not support NAT transparency (PAT, in reality). Only the VPN 3000/5000 series offer this capability today. It is on the roadmap for future PIX release (post 6.0).

chemdex · ‎03-23-2001

Hi.

Alot of my users are using NAT translator at home and they are having problem seeing our network using the personal router configuring DHCP. I turn on the IPSEC through NAT in the Cicso VPN 3015 already and enable the NAT in the traffic management and also the rules for TCP/UDP. But I am unable to see our network through the NAT translator router.

a.loomis · ‎03-01-2001

Are you using IPSec? You could check the "Allow IPSec through NAT" in Configuration>User Management>Groups>Modify>IPSec tab....look near the bottom of the page.