Greg,

Sure you can get an IPSEC tunnel to work through a router doing NAT.  The
problem that normally arises is with PAT.  ISAKMP uses UDP port 500 for the
source and destination.  PAT screws this up by translating the source port
from 500 to something else, and this is invalid.  You also have to configure
passing IPSEC, IP protocols 50 and 51, if you are using any access-lists to
restrict traffic or to define the interesting traffic to the NAT process.

I've done this many times in the past, through routers, PIX, Raptor
Firewalls, and Check Point Firewalls.  It's becoming more common that more
organizations are implementing firewalls and require a particular client and
do not allow server to server tunnels for security reasons.

Rodgers Moore
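The mechanism described above (PAT rewriting the ISAKMP source port, and ESP/AH having no ports for a port-overload to key on) is easy to see in a small model. This is an added example, not code from any post in this thread: `Flow`, `StaticNat` and `Pat` are toy models rather than a router's NAT implementation, the PAT model's "keep the source port while it is still free on the outside address, rewrite it otherwise" rule is an assumption of the model, and `parse_nat_translation` assumes the column order of the `show ip nat translations` row quoted further down (inside global, inside local, outside local, outside global).

```python
"""Toy model of why IKE/ISAKMP (UDP 500) and ESP/AH (IP protocols 50/51) break
behind port-overloading NAT (PAT) but survive one-to-one static NAT.

Constructed example; the NAT classes are simplified models, not IOS behaviour.
"""
from dataclasses import dataclass, replace
from typing import Optional

ISAKMP_PORT = 500
ESP_PROTO, AH_PROTO = 50, 51


@dataclass(frozen=True)
class Flow:
    proto: str                      # "udp", "tcp", or "ip" (raw IP protocol, no ports)
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    ip_proto: Optional[int] = None  # only meaningful when proto == "ip"


class StaticNat:
    """One-to-one address translation: ports are never touched."""

    def __init__(self, inside_to_outside: dict):
        self.map = inside_to_outside

    def translate(self, f: Flow) -> Optional[Flow]:
        if f.src_ip not in self.map:
            return None
        return replace(f, src_ip=self.map[f.src_ip])


class Pat:
    """Port address translation: all inside hosts share one outside address.

    Assumed rule: a source port is preserved while it is still free on the
    outside address and rewritten to the next dynamic port otherwise.
    """

    def __init__(self, outside_ip: str, first_dynamic_port: int = 1024):
        self.outside_ip = outside_ip
        self.next_port = first_dynamic_port
        self.in_use = {}  # (proto, outside port) -> (inside ip, inside port)

    def translate(self, f: Flow) -> Optional[Flow]:
        if f.src_port is None:
            # ESP and AH carry no port numbers: a port-based overload has
            # nothing to rewrite, so the flow cannot be multiplexed.
            return None
        key, owner = (f.proto, f.src_port), (f.src_ip, f.src_port)
        if self.in_use.get(key, owner) == owner:
            self.in_use[key] = owner  # port still free (or already ours): keep it
            return replace(f, src_ip=self.outside_ip)
        port = self.next_port         # port taken by another inside host: rewrite
        self.next_port += 1
        self.in_use[(f.proto, port)] = owner
        return replace(f, src_ip=self.outside_ip, src_port=port)


def isakmp_survives(translated: Optional[Flow]) -> bool:
    """An IKEv1 peer expects UDP 500 as both source and destination port."""
    return (translated is not None and translated.proto == "udp"
            and translated.src_port == ISAKMP_PORT
            and translated.dst_port == ISAKMP_PORT)


def acl_missing_for_ipsec(permits: set) -> set:
    """Return which IPsec components an access-list still fails to permit.

    `permits` holds tuples such as ("udp", 500), ("ip", 50), ("ip", 51).
    """
    needed = {("udp", ISAKMP_PORT), ("ip", ESP_PROTO), ("ip", AH_PROTO)}
    return needed - permits


def parse_nat_translation(line: str) -> dict:
    """Parse one row of `show ip nat translations` (assumed IOS column order)."""
    proto, ig, il, ol, og = line.split()

    def endpoint(ep: str):
        ip, port = ep.rsplit(":", 1)
        return ip, int(port)

    return {"proto": proto, "inside_global": endpoint(ig), "inside_local": endpoint(il),
            "outside_local": endpoint(ol), "outside_global": endpoint(og)}


def demo() -> dict:
    """Two inside hosts start IKE to the same peer through PAT vs. static NAT."""
    ike1 = Flow("udp", "10.1.1.10", "1.1.1.1", 500, 500)   # constructed addresses
    ike2 = Flow("udp", "10.1.1.11", "1.1.1.1", 500, 500)
    esp = Flow("ip", "10.1.1.10", "1.1.1.1", ip_proto=ESP_PROTO)
    pat = Pat("3.3.3.3")
    static = StaticNat({"10.1.1.10": "3.3.3.10", "10.1.1.11": "3.3.3.11"})
    return {
        "pat_first_host": isakmp_survives(pat.translate(ike1)),        # port 500 still free
        "pat_second_host": isakmp_survives(pat.translate(ike2)),       # 500 rewritten to 1024
        "pat_esp": pat.translate(esp) is not None,                     # no port to overload
        "static_second_host": isakmp_survives(static.translate(ike2)),  # ports untouched
        "acl_missing": acl_missing_for_ipsec({("udp", 500), ("ip", 50)}),
    }
```

Running `demo()` shows the first inside host's IKE exchange surviving PAT only because its port was still free, the second host's source port being rewritten (which a UDP 500-only peer rejects), ESP having no port for the overload to use, and both hosts surviving static NAT; `acl_missing_for_ipsec` reports AH (protocol 51) as the component the sample access-list forgot.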

"Greg Smythe" <[EMAIL PROTECTED]> wrote in message
news:001701bfca7b$d76398c0$020b010a@ei...
> So I can't make a VPN connection to my NT box over NAT.. Well that sucks.
> Thanks for the info!
>
> Greg
> ----- Original Message -----
> From: "Ric Messier" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, May 30, 2000 2:01 PM
> Subject: Re: VPN through NAT
>
>
> VPNs don't typically work through NAT. The reason is that the packet is
> altered by the router on the way through the network. As a result, the
> signature is altered and the packet is discarded as being corrupt. The
> originating IP is used as part of the authentication mechanism for the
> packets coming through. It's a security feature.
>
> Ric
>
> ----- Original Message -----
> From: "Balharek, Peter" <[EMAIL PROTECTED]>
> To: "Greg Smythe" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Tuesday, May 30, 2000 4:31 PM
> Subject: RE: VPN through NAT
>
>
> > Try a crazy search on CCO.
> >
> > Type in "nat vpn".
> > Select to search in support.
> >
> > Ohhh.
> >
> > Rtfm
> >
> >
> >
> > -----Original Message-----
> > From: Greg Smythe [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, May 30, 2000 12:55 PM
> > To: [EMAIL PROTECTED]
> > Subject: VPN through NAT
> >
> > Hello --
> >
> > Has anyone done this before? I'm trying to get a VPN connection to work
> > over NAT. I see the translation happening, but my PC gets as far as
> > "verifying username/pass" and then it errors out saying the server didn't
> > respond (timeout).
> > show ip nat tra:
> >
> > tcp 3.3.3.3:1056  102.153.102.251:1056 1.1.1.1:1723 1.1.1.1:1723
> >
> > 3.3.3.3 is the IP of my router's internet interface. 102.153.102.251 is
> > the inside IP of my PC. 1.1.1.1 is my VPN server on the internet.
> >
> > If I give my PC an internet IP then it works, so it has something to do
> > with the NAT. No filters are in effect on the interfaces on my router.
> >
> > Thanks!
> >
> >
> > Greg
> >
> > ___________________________________
> > UPDATED Posting Guidelines:
> > http://www.groupstudy.com/list/guide.html
> > FAQ, list archives, and subscription info:
> > http://www.groupstudy.com
> > Report misconduct and Nondisclosure violations to
> > [EMAIL PROTECTED]
> >
> >
>

