12-28-2013 11:21 PM
Hi ALL,
I have the below setup:
Internal hosts --> ISA server --> Edge router <<----- Internet ----->> Remote router --> remote server
Our ISA is doing PAT and hiding all the internal clients behind the IP "192.168.0.1". I need to initiate a VPN tunnel between two hosts behind the ISA, which are 10.0.0.221/32 and 10.0.0.224/32, that need to communicate with a remote server on the other side with IP 10.128.241.50/32.
I was able to get the VPN up and ping from the left side (host that resides behind the ISA) to the remote server 10.128.241.50. But the ping from the other side is not working. I know it's because we have a PAT device in front of our internal servers on the left, and to get a two-sided VPN tunnel I need to create static NAT entries on the ISA for the two servers 10.0.0.221 and 10.0.0.224, but unfortunately that's not doable in the meantime since these servers are participating in other VPN connections.
My question: Is there any workaround to be applied here without the need of creating static NAT entries and keeping the ISA doing PAT as expected?
Appreciated.
01-03-2014 04:20 AM
You have to enable the nat-transparency feature so the traffic would be encapsulated in UDP 4500 (NAT-T) and overcome the PAT issue with ESP.
It must be enabled by default on both routers, so you need to check; do the following:
crypto ipsec nat-transparency udp-encapsulation
regards,
Tariq
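Tariq's answer relies on NAT-T carrying both IKE and ESP inside UDP port 4500 so that a PAT device only ever sees UDP. As an added example (not part of this thread; the function and sample datagrams are constructed for illustration), this Python decoder shows how a receiver tells apart the three things RFC 3948 allows on that port: IKE behind the four-byte non-ESP marker, UDP-encapsulated ESP (whose SPI comes first and is never zero), and the one-byte NAT keepalive that refreshes the PAT mapping so the peer can keep sending ESP back through it.

```python
import struct

NAT_T_PORT = 4500                      # UDP port shared by IKE and ESP under NAT-T
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: prefix that marks IKE inside UDP 4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948: one-byte datagram that keeps the NAT mapping alive
IKE_HEADER_LEN = 28                    # fixed ISAKMP/IKE header size


def classify_nat_t_payload(payload: bytes) -> dict:
    """Classify the payload of a UDP/4500 datagram as IKE, ESP, keepalive or unknown."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "keepalive"}
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            return {"kind": "unknown"}
        # Initiator SPI, Responder SPI, next payload, version, exchange type, flags, msg id, length
        init_spi, resp_spi, _np, version, exch, flags, msg_id, length = struct.unpack(
            "!QQBBBBII", ike[:IKE_HEADER_LEN])
        return {
            "kind": "ike",
            "initiator_spi": init_spi,
            "responder_spi": resp_spi,
            "ike_version": version >> 4,   # major version sits in the high nibble
            "exchange_type": exch,
            "flags": flags,
            "message_id": msg_id,
            "length": length,
        }
    if len(payload) >= 8:
        # UDP-encapsulated ESP: SPI (non-zero) followed by the sequence number
        spi, seq = struct.unpack("!II", payload[:8])
        if spi != 0:
            return {"kind": "esp", "spi": spi, "seq": seq}
    return {"kind": "unknown"}


# Constructed sample datagrams (not captured traffic):
# IKEv2 IKE_SA_INIT request header: initiator SPI set, responder SPI 0, exchange type 34, flags 0x08
SAMPLE_IKE = NON_ESP_MARKER + struct.pack(
    "!QQBBBBII", 0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0, IKE_HEADER_LEN)
# ESP-in-UDP: SPI 0xC0FFEE01, sequence 1, followed by opaque ciphertext bytes
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 1) + b"\xde\xad\xbe\xef" * 4
SAMPLE_KEEPALIVE = NAT_KEEPALIVE

if __name__ == "__main__":
    for name, pkt in (("ike", SAMPLE_IKE), ("esp", SAMPLE_ESP), ("keepalive", SAMPLE_KEEPALIVE)):
        print(name, classify_nat_t_payload(pkt))
```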
01-03-2014 05:12 AM
Thanks Tariq,
So, even if we have devices residing behind the ISA on the 10 subnet, if we enable NAT-T on the edge router (which is our VPN gateway) that would do the job?