I think you will find that AH cannot be used with NAT. AH does a hash on the entire packet, including IP SRC and DST, and NAT would modify this, thus invalidating the packet! For VPNs that are behind a NAT device, be it a firewall, router or whatever, the transport mechanism would be ESP, or indeed encapsulate it in UDP or TCP.
Look at http://www.cisco.com/en/US/about/ac123/ac147/ac174/ac182/about_cisco_ipj_archive_article09186a00800c83ec.html and do a search for AH .. there is a whole section on NAT with AH and ESP.

BJ Rice wrote:
>
> AH does work fine behind NAT, otherwise no one could ever run
> VPNs behind a firewall. I can run a VPN from behind my PIX
> with the following ACLs:
>
> access-list VPN permit ah any any
> access-list VPN permit esp any any
> access-list VPN permit udp any any eq isakmp
>
> Still, my question remains, is there any way to have port
> redirected statics evaluate before a generic static?

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63737&t=63638
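The integrity check discussed in this thread, as an added example that is not part of the original posts: it computes an AH-style ICV (HMAC-SHA1-96) over an IPv4 header with the mutable fields zeroed, then shows that a TTL decrement leaves it valid while a NAT source rewrite does not, and that an ESP-style ICV never covered the outer header. The key, addresses, SPI and payload are constructed sample values, and the AH header's own fields are left out of the hash for brevity.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"  # constructed sample key, an assumption for this example

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header; checksum left 0 (AH zeroes it before hashing anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def icv(data):
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]  # HMAC-SHA1-96

def ah_icv(hdr, payload):
    """AH hashes the IP header with mutable fields zeroed (TOS, flags/fragment
    offset, TTL, checksum) plus the payload. SRC and DST stay in the hash."""
    b = bytearray(hdr)
    b[1] = 0
    b[6:8] = b"\x00\x00"
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return icv(bytes(b) + payload)

def esp_icv(esp_packet):
    """ESP authenticates SPI, sequence number and payload, not the outer IP header."""
    return icv(esp_packet)

def rewrite(hdr, src=None, ttl_delta=0):
    """Model the path: a router decrements TTL, a NAT device rewrites SRC."""
    b = bytearray(hdr)
    b[8] -= ttl_delta
    if src:
        b[12:16] = socket.inet_aton(src)
    return bytes(b)

def demo():
    payload = b"constructed payload"
    esp_packet = struct.pack("!II", 0x1000, 1) + payload  # SPI, sequence, payload
    ah_hdr = ipv4_header("192.168.1.10", "203.0.113.5", 51, len(payload))  # proto 51 = AH
    sent_ah, sent_esp = ah_icv(ah_hdr, payload), esp_icv(esp_packet)
    routed = rewrite(ah_hdr, ttl_delta=1)
    natted = rewrite(ah_hdr, src="198.51.100.1", ttl_delta=1)
    return {
        "ah_after_routing": hmac.compare_digest(sent_ah, ah_icv(routed, payload)),
        "ah_after_nat": hmac.compare_digest(sent_ah, ah_icv(natted, payload)),
        # NAT touches only the outer header, so the ESP bytes arrive unchanged
        "esp_after_nat": hmac.compare_digest(sent_esp, esp_icv(esp_packet)),
    }

if __name__ == "__main__":
    print(demo())
```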