Two scenarios:

1)   End point --- NAT --- IPSec --- IPSec --- Endpoint
2)   End point --- IPSec --- NAT --- IPSec --- Endpoint

Ignoring fancy tricks, scenario 1 will work whereas 2 will fail.  

IPSec encapsulates the IP address within the encrypted packet, so if there
is a NAT device in the IPSec path the IPSec tunnel will fail.

Cisco have a number of documents regarding the options of dealing with
NAT/IPSec combinations at TAC, so I recommend starting there.

Ross


Fly Ers wrote:
> 
> Dennis,
> I am not referring to vpn client, but having a lan-lan vpn setup where
> networks on both sides of the endpoints are configured with overlapping
> address space.  one side of the tunnel is a hiding (nat on a non-cisco
> device) behind one address.  there is a vpn3000 on the other end that can
> not perform the translation and route it over the IPsec tunnel.
> thanks.
> 
> 
> >From: "Dennis H" 
> >Reply-To: "Dennis H" 
> >To: [EMAIL PROTECTED]
> >Subject: Re: ipsec and nat [7:12825]
> >Date: Wed, 18 Jul 2001 12:23:48 -0400
> >
> >I believe you mean ipsec over nat, as opposed to nat over ipsec... the vpn
> >concentrators can do it using udp port forwarding but this only works if
> >you're using Cisco's vpn client.
> >
> >
> >"Fly Ers" wrote in message
> >news:[EMAIL PROTECTED]...
> > > Anyone confirm whether pix, concentrator or ipsec router has the ability to
> > > nat over ipsec?  i know that I can nat everything on a router behind one of
> > > these devices.
> > >
> > > Thanks.
> > >
> > >
> 
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12924&t=12825
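
A simplified model of the two scenarios in Ross's reply, added here as an illustration and not part of the original thread. It assumes AH-style protection, where the integrity check value (ICV) covers the source and destination addresses; the key, addresses and function names are constructed for the example.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed shared key standing in for the SA

def _covered_bytes(packet):
    # Assumption: the ICV covers both addresses plus the payload (AH-style).
    return f'{packet["src"]}|{packet["dst"]}|'.encode() + packet["payload"]

def ipsec_protect(packet, key=KEY):
    """Sending IPSec peer: attach an ICV computed over addresses + payload."""
    icv = hmac.new(key, _covered_bytes(packet), hashlib.sha256).digest()
    return dict(packet, icv=icv)

def ipsec_verify(packet, key=KEY):
    """Receiving IPSec peer: recompute the ICV from the packet as received."""
    expected = hmac.new(key, _covered_bytes(packet), hashlib.sha256).digest()
    return hmac.compare_digest(packet.get("icv", b""), expected)

def nat(packet, new_src):
    """Source NAT: rewrite the source address, touch nothing else."""
    return dict(packet, src=new_src)

def sample_packet():
    # Constructed addresses (RFC 1918 and documentation ranges).
    return {"src": "10.1.1.10", "dst": "192.0.2.20", "payload": b"hello"}

def scenario_1():
    """End point --- NAT --- IPSec --- IPSec --- Endpoint"""
    pkt = nat(sample_packet(), "198.51.100.1")  # translated before protection
    pkt = ipsec_protect(pkt)                    # ICV covers the translated address
    return ipsec_verify(pkt)

def scenario_2():
    """End point --- IPSec --- NAT --- IPSec --- Endpoint"""
    pkt = ipsec_protect(sample_packet())        # ICV covers the original address
    pkt = nat(pkt, "198.51.100.1")              # rewritten between the two peers
    return ipsec_verify(pkt)

if __name__ == "__main__":
    print("scenario 1 verifies:", scenario_1())
    print("scenario 2 verifies:", scenario_2())
```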