Yes, I don't see why straight-up NAT-T would not work, like others have said. That is exactly what it is designed to do. The ESP will be encapsulated in UDP 4500 datagrams after phase 1 determines there is NAT and negotiates NAT-T.

Sent from my iPhone

On Nov 22, 2012, at 1:13 PM, Adrian Campos <[email protected]> wrote:

Just translate UDP 500 and 4500. Phase 1 will detect the VPN server behind NAT and won't use plain ESP for phase 2; it will encapsulate it in UDP 4500. Make sure UDP 500/4500 are open on the edge router.

Regards,
Adrian

------------------------------
Date: Fri, 23 Nov 2012 01:55:46 +1100
From: [email protected]
To: [email protected]; [email protected]
CC: [email protected]
Subject: Re: [OSL | CCIE_Security] Configuring NAT for IKE and ESP traffic

Thanks for the input guys. I am running this up in GNS at the moment and will let you know what results I get.

On Fri, Nov 23, 2012 at 1:43 AM, Jay McMickle <[email protected]> wrote:

Interesting scenario; let me see if I can dig up something.

Regards,
Jay McMickle, CCIE #35355 (RS)

Sent from my iPhone 5

On Nov 22, 2012, at 1:42 AM, Ben Shaw <[email protected]> wrote:

> Hi All
>
> Can anyone provide input on this challenge?
>
> I have a small client with a single Internet connection and just the one public IP. I use static PAT on the edge router to translate inbound connections to different servers based on port (25, 443, 80, etc.).
>
> I would like to place a router on the inside of this edge router to terminate VPN tunnels. I do not wish to terminate VPN tunnels on this edge router. Having still only one public IP, I can obviously translate UDP 500 to the outside interface of this VPN router, but what about the ESP traffic? I don't believe I will be able to use PAT to translate the ESP packets to the same outside interface of the VPN router. For that I presume it would have to be a static NAT translation at layer 3.
>
> So considering all current translations are in the form of static PAT on the router, if I add to this a static PAT for UDP 500 and a static NAT for the WAN interface of the edge router to the outside interface of the VPN router, should this work?
>
> The resultant configuration will be along the following lines:
>
> WAN IP:TCP25 -> Internal_Mail_Server:25
> WAN IP:TCP443 -> Internal_Web_Server1:443
> WAN IP:TCP80 -> Internal_Web_Server2:80
> WAN IP:UDP500 -> VPN_Router:500 (new)
> WAN IP -> VPN_Router (new)
>
> There is currently no static NAT configured on the edge router, only static PAT.
>
> Thanks
> Ben
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
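As an added configuration example (not code from the thread or from any of its participants), this is what the edge router's NAT could look like on Cisco IOS once the advice in the replies is applied: keep the existing port-based static PAT entries, add UDP 500 and UDP 4500 for the inside VPN router, and add nothing for ESP. Interface names, addresses (10.0.0.0/24 inside, 198.51.100.10 as the single public IP) and server placement are assumptions for the example.

```cisco
! Edge router. Interface names and addresses are assumed for this example.
interface FastEthernet0/0
 description WAN - the single public IP
 ip address 198.51.100.10 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 description LAN
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
! Existing static PAT entries, one per inbound service (as in Ben's table)
ip nat inside source static tcp 10.0.0.25 25  interface FastEthernet0/0 25
ip nat inside source static tcp 10.0.0.43 443 interface FastEthernet0/0 443
ip nat inside source static tcp 10.0.0.80 80  interface FastEthernet0/0 80
!
! New entries for the inside VPN router (assumed 10.0.0.2): IKE on UDP 500
! and NAT-T on UDP 4500. No entry for ESP (IP protocol 50) is needed, and
! no whole-address static NAT either: once phase 1 detects the NAT, the
! peers carry ESP inside UDP 4500, which this PAT entry already covers.
ip nat inside source static udp 10.0.0.2 500  interface FastEthernet0/0 500
ip nat inside source static udp 10.0.0.2 4500 interface FastEthernet0/0 4500
!
! Ordinary outbound PAT for the rest of the LAN
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 1 permit 10.0.0.0 0.0.0.255
!
! If an inbound ACL is applied to the WAN interface it must pass both ports.
! Inbound ACLs are evaluated before outside-to-inside NAT, so the public
! address is matched here, not the VPN router's inside address.
ip access-list extended WAN-IN
 permit udp any host 198.51.100.10 eq isakmp
 permit udp any host 198.51.100.10 eq non500-isakmp
```

NAT-T is enabled by default on IOS (`crypto ipsec nat-transparency udp-encapsulation`), so the inside VPN router only needs that default left in place; remote peers point at the edge router's public IP. To confirm the tunnel really negotiated NAT-T rather than plain ESP, check `show ip nat translations` on the edge router for the UDP 500 and 4500 entries, and on the VPN router `show crypto isakmp sa detail` (capability `N`, NAT-traversal) and `show crypto ipsec sa`, where the SA should show `in use settings ={Tunnel UDP-Encaps, }`. If the edge router also runs a stateful firewall or inspection, the UDP 4500 flow must be allowed to stay open, since the NAT-T keepalives are what keep the PAT entry alive for the return traffic.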
