[c-nsp] IPSEC behind NAT device problem

Mihai Tanasescu mihai at duras.ro
Thu Oct 18 16:14:12 EDT 2007


J. Oquendo wrote:
> Church, Charles wrote:
>> Are you using AH? That doesn't work with NAT, at least it didn't last
>> time I did a lot of VPN stuff.
>>
>> Chuck
>
> norandomseq is your friend
>
Hello,


Can you help a bit here with some details regarding my schematic?


I have been digging for a while on Cisco's website and only found 
examples of using static (inside,outside) with the norandomseq 
parameter, but that was for the case Router 1 --- PIX NAT --- Router 2 
(to make a NAT exception for Router 1 to Router 2 traffic).

They also showed this example (for BGP not IPSEC):

!--- No NAT translation, to allow Router11 on the inside to initiate a 
BGP session
!--- to Router12 on the outside of PIX.
! for the case Router 11 - eBGP multihop --- PIX ---  eBGP endpoint -- 
Router 12

static (inside,outside) 172.16.11.1 172.16.11.1 netmask 255.255.255.255

In my case the IPSEC tunnel is initiated by the PIX to the public IP 
address of the Linux machine that statically destination NATs all ESP 
and UDP port 500 traffic to the C3660 router (ipsec end point).


I can't figure this one out, unfortunately... can you lend me a hand please?
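The thread describes a Linux box that statically destination-NATs ESP and UDP/500 toward the C3660. As an added illustration (this is not part of the original post, nor a Cisco or PIX configuration), the script below emits the netfilter rules such a Linux NAT box needs for one IPsec peer mapped to one inside endpoint. It goes slightly beyond the setup in the message by also forwarding UDP/4500, so it works whether or not the peers negotiate NAT-T. The interface name (eth0) and the two addresses are assumptions; AH is left out on purpose, for the reason Chuck gives.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the netfilter rules a Linux box
# needs to pass one IPsec peer through static destination NAT to a single
# inside endpoint (the C3660 in the thread). Interface name and addresses
# are assumptions (documentation space outside, RFC 1918 inside).
#
# Three flows have to reach the inside router:
#   UDP/500      ISAKMP (IKE phase 1 and 2)
#   UDP/4500     NAT-T encapsulated ESP, if the peers negotiate it
#   IP proto 50  raw ESP when NAT-T is not in use
# AH (IP proto 51) is deliberately absent: its integrity check covers the
# outer IP header, so rewriting the address at the NAT box breaks it.

ipsec_dnat_rules() {
    # $1 = public interface, $2 = public IP, $3 = inside IPsec endpoint
    pub_if=$1
    pub_ip=$2
    inside=$3
    cat <<EOF
# inbound: translate the peer's traffic to the inside endpoint
iptables -t nat -A PREROUTING -i $pub_if -d $pub_ip -p udp --dport 500  -j DNAT --to-destination $inside
iptables -t nat -A PREROUTING -i $pub_if -d $pub_ip -p udp --dport 4500 -j DNAT --to-destination $inside
iptables -t nat -A PREROUTING -i $pub_if -d $pub_ip -p esp               -j DNAT --to-destination $inside
# let the translated packets through the forward path
iptables -A FORWARD -i $pub_if -d $inside -p udp --dport 500  -j ACCEPT
iptables -A FORWARD -i $pub_if -d $inside -p udp --dport 4500 -j ACCEPT
iptables -A FORWARD -i $pub_if -d $inside -p esp               -j ACCEPT
# outbound: replies, and tunnels the inside router initiates, leave with the public IP
iptables -A FORWARD -s $inside -o $pub_if -j ACCEPT
iptables -t nat -A POSTROUTING -s $inside -o $pub_if -j SNAT --to-source $pub_ip
EOF
}

# Sanity checks on the generated set. The usual omission is forwarding IKE
# but forgetting ESP itself, which leaves phase 1 working and no data flow.
count_dnat_rules() {
    ipsec_dnat_rules "$@" | grep -c -- '-j DNAT'
}

esp_is_forwarded() {
    ipsec_dnat_rules "$@" | grep -q -- '-p esp.*-j DNAT'
}

# Print the rule set for review; pipe the output into "sh" on the NAT box to apply it.
ipsec_dnat_rules eth0 203.0.113.10 192.168.10.1
```

Because the PIX initiates the tunnel, conntrack creates the reverse mapping for the inside router's ESP replies from the DNAT entries alone; the POSTROUTING SNAT rule matters only if the inside router ever initiates toward the peer.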