Re: Using Cisco VPN over a SBS 2003 network



You'll have to examine the VPN client & server configuration, but the defaults for both are to use "native" IPSec, which does not
tolerate NAT.
If possible, configure both to use NAT-T, which only requires outgoing traffic on UDP:500 and UDP:4500.
You should note that some Cisco VPN servers don't abide by RFC 3715 (ftp://ftp.rfc-editor.org/in-notes/rfc3715.txt), which allows
IPSec NAT-T to change the source port (normally UDP:500).
<quote>
2.1. Intrinsic NA(P)T Issues
....
d) Incompatibility between fixed IKE source ports and NAPT. Where
multiple hosts behind the NAPT initiate IKE SAs to the same
responder, a mechanism is needed to allow the NAPT to demultiplex
the incoming IKE packets from the responder. This is typically
accomplished by translating the IKE UDP source port on outbound
packets from the initiator. Thus responders must be able to
accept IKE traffic from a UDP source port other than 500, and must
reply to that port. Care must be taken to avoid unpredictable
behavior during re-keys. If the floated source port is not used
as the destination port for the re-key, the NAT may not be able to
send the re-key packets to the correct destination.
....
</quote>

--
Jim Harrison [ISA SE]
Read the help, books and articles!

This posting is provided "AS IS" with no warranties, and confers no rights.

"Phillip Avelar" <PhillipAvelar@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:FDFB1ED0-E593-4FB8-9F86-C54A49CA573D@xxxxxxxxxxxxxxxx
I looked for a possible solution but maybe someone has already dealt with
this. We remotely connect to some of our clients to work on their systems
using their VPN client. We have not had any problems using the Nortel client
but we have not been able to get a Cisco VPN client to connect over our
network. We know it has something to do with the NAT translation but have
tried opening ports without success.

Has anyone dealt with and resolved this? We are not using ISA server.
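As an added illustration, not part of either post, of the RFC 3715 section 2.1 (d) point quoted above: a small Python model of two hosts behind one NAPT that both initiate IKE from UDP source port 500 to the same responder. It models only the UDP header fields a NAPT acts on, not IKE itself and not the UDP 4500 ESP encapsulation; the hosts, addresses (RFC 5737 documentation ranges), the NAPT's port-allocation policy and the two responder behaviours are constructed assumptions for the example.

```python
"""Model of the IKE source-port problem from RFC 3715, section 2.1 (d).

Two initiators behind one NAPT both send IKE from UDP source port 500 to the
same responder.  The NAPT must rewrite the source port of at least one of them
so it can tell the replies apart.  Whether the exchange works then depends on
the responder replying to the (floated) port it actually received the packet
from, rather than always to UDP 500.

Constructed example: hosts, addresses and the NAPT's allocation policy are
assumptions for illustration, not details taken from the thread.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

IKE_PORT = 500


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str


class NAPT:
    """Minimal port-translating NAT: outbound keyed on the 4-tuple, replies
    matched on external destination port only."""

    def __init__(self, public_ip: str, preserve_ports: bool = False) -> None:
        self.public_ip = public_ip
        self.preserve_ports = preserve_ports   # keep inside port if still free
        self.next_port = 1024
        self.out: Dict[Tuple[str, int, str, int], int] = {}  # 4-tuple -> ext port
        self.back: Dict[int, Tuple[str, int]] = {}           # ext port -> inside

    def _alloc(self, wanted: int) -> int:
        if self.preserve_ports and wanted not in self.back:
            return wanted
        while self.next_port in self.back:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext = self.out.get(key)
        if ext is None:
            ext = self._alloc(pkt.src_port)
            self.out[key] = ext
            self.back[ext] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, ext, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a reply back to the inside host, or drop it (None)."""
        mapping = self.back.get(pkt.dst_port)
        if mapping is None:
            return None
        ip, port = mapping
        return Packet(pkt.src_ip, pkt.src_port, ip, port, pkt.payload)


Responder = Callable[[Packet, str], Packet]


def compliant_responder(req: Packet, my_ip: str) -> Packet:
    """RFC 3715-friendly: reply to whatever source port the request came from."""
    return Packet(my_ip, IKE_PORT, req.src_ip, req.src_port, "IKE reply")


def fixed_port_responder(req: Packet, my_ip: str) -> Packet:
    """Assumes IKE peers always listen on 500 and replies there regardless."""
    return Packet(my_ip, IKE_PORT, req.src_ip, IKE_PORT, "IKE reply")


def run(responder: Responder, preserve_ports: bool = False) -> Dict[str, Optional[str]]:
    """Per inside host, the inside IP its IKE reply was delivered to (None = dropped)."""
    napt = NAPT("203.0.113.1", preserve_ports)
    responder_ip = "198.51.100.10"
    delivered: Dict[str, Optional[str]] = {}
    for host in ("10.0.0.11", "10.0.0.12"):
        req = Packet(host, IKE_PORT, responder_ip, IKE_PORT, "IKE request")
        reply = responder(napt.outbound(req), responder_ip)
        back = napt.inbound(reply)
        delivered[host] = back.dst_ip if back else None
    return delivered


if __name__ == "__main__":
    for name, resp in (("compliant", compliant_responder),
                       ("fixed-port", fixed_port_responder)):
        for preserve in (False, True):
            print(f"{name:10s} preserve_ports={preserve!s:5s} -> {run(resp, preserve)}")
```

With the compliant responder both hosts get their replies whether or not the NAPT preserves ports. With the fixed-port responder the replies are either dropped (no mapping for external port 500) or, when the NAPT happened to preserve port 500 for the first host, the second host's reply is delivered to the first host. The rekey caveat in the quoted RFC text is the same mapping problem later in the SA's life: if the rekey is sent to port 500 instead of the floated port, the NAPT has no entry to route it by.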




