Elijah,

Thanks for your answer. Here is also a little more info for anyone
interested that I found during my research.


Here's why 1-to-1 static NAT should work with IPSEC VPN...

To be compliant as an IPSec VPN, a product needs to support two things: IKE
(Internet Key Exchange, which runs on UDP/500) and IPSec (AH and/or ESP),
which do NOT run on TCP or UDP at all. IPSec is its own protocol number,
like ICMP, TCP, RIP, etc.
The reason that many-to-one NAT breaks most IPSec implementations is that it
changes the TCP/UDP port numbers so that it can map the connections to a
single IP. This breaks IKE because IKE has to run on UDP/500 and it cannot
be changed. It also does not work for IPSec, because IPSec does not use UDP
or TCP port numbers (although original user packets which are TCP/UDP based
are often tunneled inside of IPSec packets).

IPSec can be made to work when 1-to-1 NAT is used. IKE will not be broken
because no port mapping occurs. IPSec can be made to function as long as AH
(which computes a checksum signature which includes the original IP address)
is turned off. ESP also computes a checksum signature, but does not use the
original IP as part of it, so therefore a NATted packet works in this
environment.

IPSec does support "TCP based" VPNs however, as tunnel-mode IPSec carries
TCP sessions through the IPSec session.

Here is why PAT will work when using the VPN client...

Encapsulating Security Payload
Protocol 50 (Encapsulating Security Payload [ESP]) handles the
encrypted/encapsulated packets of IPSec. Most PAT devices don't work with
ESP since they have been programmed to work only with Transmission Control
Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message
Protocol (ICMP). In addition, PAT devices are unable to map multiple
security parameter indexes (SPIs). The NAT transparent mode in the VPN 3000
Client solves this problem by encapsulating ESP within UDP and sending it to
a negotiated port. The name of the attribute to activate on the VPN 3000
Concentrator is IPSec through NAT.

How Does NAT Transparent Mode Work?
Activating IPSec transparent mode on the VPN Concentrator creates
non-visible filter rules and applies them to the public filter. The
configured port number is then passed to the VPN Client transparently when
the VPN Client connects. On the inbound side, UDP inbound traffic from that
port passes directly to IPSec for processing. Traffic is decrypted and
decapsulated, and then routed normally. On the outbound side, IPSec
encrypts, encapsulates and then applies a UDP header (if so configured). The
runtime filter rules are deactivated and deleted from the appropriate filter
under three conditions: when IPSec over UDP is disabled for a group, when
the group is deleted, or when the last active IPSec over UDP SA on that port
is deleted. Keepalives are sent to prevent a NAT device from closing the
port mapping due to inactivity.

But even though the remote PIX is acting as a VPN client ("easyvpn client"),
it still can't use PAT because it's not able to negotiate with the VPN
concentrator to encapsulate its packets in UDP, and according to the TAC
engineer that I asked, they have no plans of making that possible.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56615&t=56615
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
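As an added illustration (not part of the post above and not code from any Cisco product), the following Python model shows the four cases the post describes: AH failing after 1-to-1 NAT because its integrity check covers the original source address, ESP surviving 1-to-1 NAT because its check does not, ESP being dropped by a PAT device that only knows how to map TCP/UDP/ICMP ports, and ESP wrapped in UDP passing PAT because the rewritten UDP port lies outside the ESP integrity check. The packet layout, the HMAC-SHA256 check, the addresses and the key are constructed simplifications; real AH and ESP use their own wire formats and the algorithms negotiated by IKE, and standard NAT-T (RFC 3948) uses UDP/4500 where the VPN 3000 used a negotiated port.

```python
"""
Toy model of IPsec integrity checks under 1:1 NAT, PAT and UDP encapsulation.
Constructed example: HMAC-SHA256 over a simplified packet record stands in for
the real AH/ESP ICV computation; addresses, ports and key are made up.
"""
import hmac
import hashlib
from dataclasses import dataclass, replace
from typing import Optional

KEY = b"constructed-demo-key"      # in practice negotiated by IKE, never static
PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51


@dataclass(frozen=True)
class Packet:
    src: str                         # outer IP source address
    dst: str                         # outer IP destination address
    proto: int                       # IP protocol number
    body: bytes                      # AH/ESP payload (already encrypted for ESP)
    icv: bytes = b""                 # integrity check value
    sport: Optional[int] = None      # UDP ports exist only when proto == 17
    dport: Optional[int] = None


def _mac(*parts: bytes) -> bytes:
    return hmac.new(KEY, b"".join(parts), hashlib.sha256).digest()


# AH: the ICV covers the immutable IP header fields (src/dst) plus the payload.
def ah_protect(p: Packet) -> Packet:
    return replace(p, proto=PROTO_AH,
                   icv=_mac(p.src.encode(), p.dst.encode(), p.body))


def ah_verify(p: Packet) -> bool:
    expected = _mac(p.src.encode(), p.dst.encode(), p.body)
    return p.proto == PROTO_AH and hmac.compare_digest(p.icv, expected)


# ESP: the ICV covers only the ESP header (SPI, sequence) and the ciphertext.
def esp_protect(p: Packet, spi: int = 0x1000, seq: int = 1) -> Packet:
    hdr = spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
    return replace(p, proto=PROTO_ESP, body=hdr + p.body, icv=_mac(hdr + p.body))


def esp_verify(p: Packet) -> bool:
    return p.proto == PROTO_ESP and hmac.compare_digest(p.icv, _mac(p.body))


def static_nat(p: Packet, inside: str, outside: str) -> Packet:
    """1:1 NAT: rewrites the source address only; no port translation."""
    return replace(p, src=outside) if p.src == inside else p


def pat(p: Packet, outside: str, new_port: int) -> Optional[Packet]:
    """Many-to-one NAT: must rewrite the source port to multiplex hosts.
    Returns None (drop) for protocols that carry no port field, as the post
    says PAT devices do with ESP."""
    if p.sport is None:
        return None
    return replace(p, src=outside, sport=new_port)


def udp_encap(p: Packet, port: int = 4500) -> Packet:
    """Wrap an ESP packet in UDP so a PAT device has a port to map.
    The original protocol number is kept as the first body byte so that
    udp_decap can restore it; the ICV is untouched."""
    return replace(p, proto=PROTO_UDP, sport=port, dport=port,
                   body=bytes([p.proto]) + p.body)


def udp_decap(p: Packet) -> Packet:
    return replace(p, proto=p.body[0], body=p.body[1:], sport=None, dport=None)


def run_scenarios() -> dict:
    """Returns whether the receiving gateway accepts the packet in each case."""
    inside, outside, peer = "10.0.0.5", "203.0.113.7", "198.51.100.9"   # constructed
    plain = Packet(src=inside, dst=peer, proto=6, body=b"ciphertext-of-a-tcp-segment")
    out = {}
    # AH through 1:1 NAT: the ICV was computed over the inside address -> rejected
    out["ah_after_static_nat"] = ah_verify(static_nat(ah_protect(plain), inside, outside))
    # ESP through 1:1 NAT: outer IP header is not covered -> accepted
    out["esp_after_static_nat"] = esp_verify(static_nat(esp_protect(plain), inside, outside))
    # ESP through PAT: protocol 50 has no port to translate -> dropped at the PAT device
    out["esp_after_pat"] = pat(esp_protect(plain), outside, 40001) is not None
    # ESP in UDP through PAT: port rewrite happens outside the ICV -> accepted
    translated = pat(udp_encap(esp_protect(plain)), outside, 40001)
    out["esp_in_udp_after_pat"] = translated is not None and esp_verify(udp_decap(translated))
    return out


if __name__ == "__main__":
    for case, accepted in run_scenarios().items():
        print(f"{case:24s} {'accepted' if accepted else 'rejected/dropped'}")
```

Running the script prints one line per case; only `ah_after_static_nat` and `esp_after_pat` fail, which matches the post's two claims: AH must be off behind 1-to-1 NAT, and ESP needs the UDP wrapper before a PAT device can carry it.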
