VPN NAT Traversal for Private Networks

jsmall123
Level 1

I have noticed the following behavior with the Cisco VPN Client (4.x).

Conditions - Start a Remote Access Client IPSec Tunnel to a Cisco Firewall (PIX/ASA 6.x/7.x)

The Cisco Firewall is the perimeter firewall for a company network and has a public IP. It is also serving as a VPN Headend.

The Client is coming from a remote network using private IP addressing.

There are two cases to this:

Case 1 - Client is attached to a router/firewall that does NAT. The router/firewall has a public IP on the Internet. The client is directly behind the router/firewall on a single, flat network (typically 192.168.1.0/24). In this situation, the client can VPN to the remote PIX/ASA/Cisco firewall even without NAT-Traversal enabled and everything works fine.

Case 2 - Now if we take a similar situation - client is on a private network behind a router/firewall that is on the Internet with a public IP. However, now the client has one or more routers between itself and the router/firewall with the public IP. In this case, the client can initiate a VPN connection to the remote PIX/ASA/Cisco firewall and successfully authenticate. However, the client will be unable to pass traffic to the networks behind the firewall. If we enable NAT-Traversal, the problems go away and everything works great. (Requires 6.3+ for PIX/ASA).

My question is, why does Case 1 work? Shouldn't they both fail without NAT-T enabled?

I run into this all the time and tell my clients. They do it and see that it works but they always want to know why and I'm not sure!

Any explanations would be greatly appreciated.

Thanks,

--Jim
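
For context on what "enabling NAT-Traversal" actually turns on: IKE NAT-T (RFC 3947) has each peer send NAT-D payloads, which are hashes of the IKE cookies plus the address and port the sender believes it is using; the receiver recomputes the hash from the source address and port it actually saw on the wire, and a mismatch means a NAT sits in between. The following is an added example, not code from this thread or from Cisco; the cookies, addresses, and the choice of SHA-1 as the negotiated hash are constructed assumptions.

```python
"""Constructed example (not from the thread) of the NAT-D check that IKE NAT-Traversal
(RFC 3947) uses to decide whether either peer sits behind a NAT."""
import hashlib
import ipaddress
import struct


def nat_d_payload(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 is assumed here as the hash negotiated in IKE phase 1; IPv4 is 4 bytes, the port 2 bytes."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def nat_between(cky_i: bytes, cky_r: bytes, claimed: tuple, observed: tuple) -> bool:
    """A peer hashes the (IP, port) it believes it is sending from.  The receiver recomputes the
    hash from the source (IP, port) actually seen on the wire; a mismatch means a NAT rewrote it."""
    return nat_d_payload(cky_i, cky_r, *claimed) != nat_d_payload(cky_i, cky_r, *observed)


def ike_nat_detection(cky_i, cky_r, client_self, client_as_seen, headend_self, headend_as_seen) -> dict:
    """Both directions of the exchange: the headend checks the client's NAT-D against the source
    it observed, and the client does the same for the headend's NAT-D."""
    client_natted = nat_between(cky_i, cky_r, client_self, client_as_seen)
    headend_natted = nat_between(cky_i, cky_r, headend_self, headend_as_seen)
    return {
        "client_behind_nat": client_natted,
        "headend_behind_nat": headend_natted,
        # When a NAT is detected on either side, both peers float IKE and ESP into UDP port 4500.
        "float_to_udp_4500": client_natted or headend_natted,
    }


# Constructed IKE cookies and addresses for the demonstration (not real values).
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")
CLIENT_PRIVATE = ("192.168.1.10", 500)   # what the VPN client hashes into its NAT-D
CLIENT_PUBLIC = ("203.0.113.5", 500)     # what the headend sees after the home router's 1:1 NAT
HEADEND_ADDR = ("198.51.100.1", 500)     # headend has a public IP with no NAT in front of it


def case1_detection() -> dict:
    """Client behind a one-to-one NAT, headend directly on the Internet."""
    return ike_nat_detection(CKY_I, CKY_R, CLIENT_PRIVATE, CLIENT_PUBLIC, HEADEND_ADDR, HEADEND_ADDR)


def no_nat_detection() -> dict:
    """Client sitting directly on a public IP: hashes match on both sides."""
    return ike_nat_detection(CKY_I, CKY_R, CLIENT_PUBLIC, CLIENT_PUBLIC, HEADEND_ADDR, HEADEND_ADDR)


if __name__ == "__main__":
    print("client behind 1:1 NAT:", case1_detection())
    print("client on public IP:  ", no_nat_detection())
```

Note that a router doing one-to-one static NAT (Case 1 above) is still detected as a NAT by this check, because the client's hash covers 192.168.1.10 while the headend sees 203.0.113.5. With NAT-T disabled on the headend, the NAT-D payloads are never exchanged, IKE stays on UDP 500 and ESP stays on IP protocol 50, and whether the tunnel then passes traffic depends entirely on whether the NAT device can forward the headend's ESP back to the right client.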

3 Replies

mcat84
Level 1

My understanding is:

As long as you don't have one-to-one NAT, you will need NAT traversal.

My situation is simple: I have one third-party broadband router and two PCs at home. If my office firewall doesn't enable NAT-T, I will not be able to pass traffic.

What I do is, on my broadband router, one-to-one NAT to one of my PCs... and the traffic will pass. However, PC 2 will not be able to pass any traffic, although the VPN client gets established.

Enabling NAT-T at the firewall will allow both PCs to pass traffic.

ajagadee
Cisco Employee

Jim,

A couple of possibilities for Case 1 to work:

1. One to One Static Translation for the VPN Client.

2. Router/Firewall supports IPSEC PASSTHROUGH.

Let me know if it helps.

Regards,

Arul
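
The two possibilities Arul lists, together with mcat84's observation that a one-to-one NAT carries one PC but not a second, can be illustrated with a small model of how a NAT box maps return traffic. This is an added example, not code from this thread or from Cisco; the hosts, addresses, ports and the NAT behaviour are constructed for the illustration, and the "IPsec passthrough" model is a deliberate simplification of what vendors implement (real devices usually track the ESP SPI and sometimes the IKE exchange).

```python
"""Constructed simulation (not from the thread) of how a home NAT device demultiplexes
VPN return traffic.  Hosts, addresses and ports are made up for the illustration."""
from dataclasses import dataclass, field
from typing import Optional

ESP = 50            # IP protocol 50: ESP carries an SPI but no transport-layer ports
UDP = 17
NAT_T_PORT = 4500   # NAT-T wraps ESP in UDP, so a port-translating router sees ordinary UDP flows
HEADEND = "198.51.100.1"                    # VPN headend (constructed address)
PC1, PC2 = "192.168.1.10", "192.168.1.11"   # two clients behind the same home router


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0  # 0 means "no ports" (ESP)
    dport: int = 0


@dataclass
class NatDevice:
    public_ip: str
    static_map: dict = field(default_factory=dict)  # inner IP -> dedicated public IP (1:1 static NAT)
    esp_passthrough: bool = False  # "IPsec passthrough": remember which inner host talks ESP to a peer
    next_port: int = 40000
    udp_in: dict = field(default_factory=dict)     # public port -> (inner IP, inner port)
    udp_out: dict = field(default_factory=dict)    # (inner IP, inner port) -> public port
    esp_owner: dict = field(default_factory=dict)  # peer IP -> inner IP that owns the ESP session

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.src in self.static_map:
            # 1:1 static NAT: a whole public address belongs to this host, whatever the protocol
            return Packet(pkt.proto, self.static_map[pkt.src], pkt.dst, pkt.sport, pkt.dport)
        if pkt.proto == UDP:
            key = (pkt.src, pkt.sport)
            if key not in self.udp_out:  # allocate a fresh public port per inner (IP, port)
                self.udp_out[key] = self.next_port
                self.udp_in[self.next_port] = key
                self.next_port += 1
            return Packet(UDP, self.public_ip, pkt.dst, self.udp_out[key], pkt.dport)
        if pkt.proto == ESP:
            if self.esp_passthrough:
                # The first inner host to send ESP to this peer owns the return path; there is no
                # port to tell a second host apart, so it silently inherits the first host's mapping.
                self.esp_owner.setdefault(pkt.dst, pkt.src)
            return Packet(ESP, self.public_ip, pkt.dst)
        raise ValueError(f"unsupported protocol {pkt.proto}")

    def inbound(self, pkt: Packet) -> Optional[str]:
        """Return the inner host a reply is delivered to, or None if the NAT has no mapping for it."""
        for inner, public in self.static_map.items():
            if pkt.dst == public:
                return inner
        if pkt.proto == UDP and pkt.dport in self.udp_in:
            return self.udp_in[pkt.dport][0]
        if pkt.proto == ESP and self.esp_passthrough:
            return self.esp_owner.get(pkt.src)
        return None  # plain PAT: unsolicited inbound ESP (or an unmapped port) is dropped


def round_trip(nat: NatDevice, client: str, use_nat_t: bool) -> Optional[str]:
    """Client sends one encrypted packet to HEADEND and HEADEND answers; who receives the answer?"""
    if use_nat_t:
        out = nat.outbound(Packet(UDP, client, HEADEND, NAT_T_PORT, NAT_T_PORT))
        reply = Packet(UDP, HEADEND, out.src, out.dport, out.sport)
    else:
        out = nat.outbound(Packet(ESP, client, HEADEND))
        reply = Packet(ESP, HEADEND, out.src)
    return nat.inbound(reply)


def two_clients(nat: NatDevice, use_nat_t: bool) -> dict:
    """PC1 connects first, then PC2; map each client to the host that actually received its reply."""
    return {pc: round_trip(nat, pc, use_nat_t) for pc in (PC1, PC2)}


if __name__ == "__main__":
    print("plain PAT, ESP:        ", two_clients(NatDevice("203.0.113.5"), use_nat_t=False))
    print("IPsec passthrough, ESP:", two_clients(NatDevice("203.0.113.5", esp_passthrough=True), False))
    print("1:1 static NAT for PC1:", two_clients(NatDevice("203.0.113.5", static_map={PC1: "203.0.113.6"}), False))
    print("NAT-T (UDP 4500):      ", two_clients(NatDevice("203.0.113.5"), use_nat_t=True))
```

ESP is IP protocol 50 and carries no port numbers, so a many-to-one (PAT) router has nothing to key a return mapping on: plain PAT drops the headend's ESP, a passthrough feature or a one-to-one translation can carry exactly one inner host per peer, and only NAT-T's UDP 4500 encapsulation gives each client its own translated port. That is consistent with a single flat-network client in Case 1 working without NAT-T behind a router that does static NAT or passthrough, and with mcat84's PC 2 failing until NAT-T is enabled.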

dleduc
Level 1

Just a thought: are the VPN clients getting an IP address from an IP pool on the PIX? If so, do the additional routers behind the NAT router with the public IP know how to route the address from the IP pool back to the client? It could be a routing issue.