You should be OK as long as you do static NAT (1 to 1 mapping) and don't use AH (protocol 51, I think). AH takes an MD5 snapshot of the packet, so when the packet gets its IP changed (from NAT) it fails the crypto checksum test. Also, you will need to pass UDP 500 and protocol 50 (ESP (not port 50)) to and from both VPN peers.

> -----Original Message-----
> From: James Drake [mailto:[EMAIL PROTECTED]]
> Sent: Monday, April 08, 2002 10:03
> To: [EMAIL PROTECTED]
> Subject: VPN and NAT
>
> I've been told that I cannot have NAT running on the router before the
> firewall if I want VPN functionality. Is there anyone who might be able
> to explain the reason for this?
>
> Thanks,
>
> James
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
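
A simplified model of the AH versus ESP behaviour described in the reply above, as an added example that is not part of the original thread: it computes an HMAC-MD5-96 check value over what each protocol authenticates, applies a 1-to-1 source NAT, and re-verifies. The key, addresses and payload are constructed, and the AH header itself and the IP header checksum are left out of the model.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"   # constructed; stands in for the SA's authentication key
AH, ESP = 51, 50                # IP protocol numbers (not ports)

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left at 0 in this simplified model."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def icv(proto, ip_header, body):
    """HMAC-MD5-96 integrity check value over what each protocol authenticates."""
    if proto == AH:
        hdr = bytearray(ip_header)
        hdr[1] = 0                   # TOS may change in transit, so it is zeroed
        hdr[6:8] = b"\x00\x00"       # flags / fragment offset
        hdr[8] = 0                   # TTL
        hdr[10:12] = b"\x00\x00"     # header checksum
        covered = bytes(hdr) + body  # addresses stay in: AH authenticates them
    else:
        covered = body               # ESP: the outer IP header is not covered
    return hmac.new(KEY, covered, hashlib.md5).digest()[:12]

def static_nat(ip_header, new_src):
    """1-to-1 NAT: rewrite the source address field (bytes 12-15)."""
    return ip_header[:12] + socket.inet_aton(new_src) + ip_header[16:]

def verifies_after_nat(proto):
    """Sender computes the ICV, NAT rewrites the source, receiver re-checks it."""
    body = struct.pack("!II", 0x1001, 1) + b"constructed payload"  # SPI, sequence, data
    sent = ipv4_header("10.0.0.5", "198.51.100.20", proto, len(body))
    sent_icv = icv(proto, sent, body)
    received = static_nat(sent, "203.0.113.7")
    return hmac.compare_digest(sent_icv, icv(proto, received, body))

if __name__ == "__main__":
    print("AH  (protocol 51) verifies after NAT:", verifies_after_nat(AH))
    print("ESP (protocol 50) verifies after NAT:", verifies_after_nat(ESP))
```

A TTL decrement alone does not break the AH check in this model, because mutable fields are zeroed before hashing; the address rewrite does.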