Cisco has 2 versions of NAT transparency, one is used with the 30xx series boxes they bought from Altiga, the other is used with the 5000 series they bought from Compatible systems. They perform NAT transparency differently.
For the 30xx series:

"IPSEC NAT Transparency (UDP) 10000 (default) 10000 (default) The Network Address Translation (NAT) Transparency port is configurable to any value in the 4001-49151 range"

For the 5000 series:

"If you are using NAT transparency, allow packets to the device with a destination TCP port of 80, and from the device with a source TCP port of 80 (by default). If you change the TCP port using the General section NATTransport keyword, set the port number appropriately"

If users on Comcast could not connect to your 30xx series box, the only way that they could have been blocking this traffic would have been either blocking packets with your VPN box as the dst IP (unlikely), or blocking some or all of the UDP port numbers in use. Obviously, with the 5000 this would not be possible since they wouldn't be able to block users from using port 80.

NAT transparency _can_ solve the issue of an ISP blocking IPSec traffic, but it depends on how the feature is implemented and to what lengths you're willing to go to work around your ISP. I can see no reason why it wouldn't work; you just need the right src/dst port combo. From the ISP's perspective, it's just a UDP or TCP payload; all they can see are the port numbers being used, and that's all they would be able to filter on.

Regards,
Kent

---------------------------------------------------------------------------

Our Cisco 30xx *did* NAT transparency. Our users behind NAT had no trouble connecting to it. Our user on ComCast could not establish a connection to it. Their AUP said their users couldn't use VPNs, and they configured their network to try to prevent it -- successfully, in the case of our NAT-transparent unit.

Your description of how NAT-transparency works doesn't sound right. Your claim that it solves *this* issue is WRONG.

DG

On 27 Nov 2001, at 8:16, Daniel Ashley wrote:

> By using NAT transparency it shoves it out port 80 instead of 1723 & 500.
> So using NAT transparency as a work-around is relevant to them blocking
> useful ports.
>
> Daniel
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> [EMAIL PROTECTED]
> Sent: Monday, November 26, 2001 10:55 PM
> To: [EMAIL PROTECTED]
> Subject: Re: ISPs that don't allow IPSEC protocol thru
>
> I believe it was actually ComCast, a reseller of @home cable
> service. I believe they block GRE and perhaps also ports used by
> IKE; this has nothing to do with NAT.
> They also clearly include VPN usage as prohibited by their AUP,
> along with bandwidth reselling and other commercial uses. So their
> network policy of blocking this traffic is enforcement of a written
> policy by which users are (allegedly) already bound.
>
> DG

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
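The disagreement in the thread comes down to what a header-only filter at the ISP edge can actually key on. The script below is an added illustration, not code from the list or from Cisco: it builds minimal IPv4 packets for each encapsulation named above (IKE on UDP/500, native ESP, GRE, PPTP control on TCP/1723, NAT-T on UDP/10000 as on the 30xx, NAT-T on TCP/80 as on the 5000) and runs them through two hypothetical access lists that, like an ISP's filter, see only IP protocol and port numbers. The two policies, the addresses and the payload bytes are constructed for the example; the port numbers are the ones the thread quotes. It shows both Kent's point (a protocol/port filter on GRE and IKE lets UDP- or TCP-encapsulated tunnels through) and DG's observation (a filter that also drops the default NAT-T UDP port stops the 30xx while leaving TCP/80 indistinguishable from ordinary web traffic).

```python
"""Header-only view of the VPN encapsulations discussed in the thread.

Constructed example (not from the mailing list or from Cisco). It assembles
IPv4 packets with a few bytes of dummy payload and evaluates them against
access lists that can only match on IP protocol and L4 port numbers.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 6, 17, 47, 50


@dataclass(frozen=True)
class Flow:
    """What a port/protocol filter can see of one packet."""
    proto: int
    sport: Optional[int]   # None for protocols without ports (ESP, GRE)
    dport: Optional[int]
    payload_len: int       # the filter sees the length, never the content


def build_ipv4(proto: int, payload: bytes,
               src: str = "198.51.100.10", dst: str = "203.0.113.1") -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) plus payload."""
    def ip2b(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      ip2b(src), ip2b(dst))
    return hdr + payload


def udp_segment(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def tcp_segment(sport: int, dport: int, data: bytes) -> bytes:
    # 20-byte TCP header: seq/ack zero, data offset 5, SYN set, window, csum, urg
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0) + data


def parse(packet: bytes) -> Flow:
    """Extract exactly the fields an edge filter has available."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    l4 = packet[ihl:]
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", l4[:4])
        return Flow(proto, sport, dport, len(l4) - 8)
    if proto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", l4[:4])
        data_off = (l4[12] >> 4) * 4
        return Flow(proto, sport, dport, len(l4) - data_off)
    return Flow(proto, None, None, len(l4))   # ESP and GRE carry no port numbers


Rule = Tuple[str, Optional[int], Optional[int]]   # (action, ip proto, dst port); None = any


def evaluate(flow: Flow, acl: List[Rule]) -> str:
    """First matching rule wins; implicit permit at the end."""
    for action, proto, dport in acl:
        if proto is not None and proto != flow.proto:
            continue
        if dport is not None and dport != flow.dport:
            continue
        return action
    return "permit"


# Hypothetical policy 1: what DG believed the ISP did (block GRE and IKE), plus ESP/PPTP.
BLOCK_NATIVE_VPN: List[Rule] = [
    ("deny", IPPROTO_GRE, None),
    ("deny", IPPROTO_ESP, None),
    ("deny", IPPROTO_UDP, 500),
    ("deny", IPPROTO_TCP, 1723),
]
# Hypothetical policy 2: the same, plus the 30xx default NAT-T port.
BLOCK_NATIVE_AND_UDP_NATT: List[Rule] = BLOCK_NATIVE_VPN + [("deny", IPPROTO_UDP, 10000)]

# Constructed sample packets; payload bytes are dummies, not real protocol data.
SAMPLES = {
    "ike":        build_ipv4(IPPROTO_UDP, udp_segment(500, 500, b"\x00" * 28)),
    "esp":        build_ipv4(IPPROTO_ESP, b"\x00\x00\x10\x01" + b"\x00" * 40),
    "gre":        build_ipv4(IPPROTO_GRE, b"\x30\x01\x88\x0b" + b"\x00" * 20),
    "pptp_ctrl":  build_ipv4(IPPROTO_TCP, tcp_segment(40001, 1723, b"")),
    "natt_udp":   build_ipv4(IPPROTO_UDP, udp_segment(10000, 10000, b"\x00" * 40)),
    "natt_tcp80": build_ipv4(IPPROTO_TCP, tcp_segment(40002, 80, b"\x00" * 40)),
    "web":        build_ipv4(IPPROTO_TCP, tcp_segment(40003, 80, b"GET / HTTP/1.0\r\n\r\n")),
}


def run(acl: List[Rule]) -> dict:
    """Map each sample name to the filter's verdict under the given policy."""
    return {name: evaluate(parse(pkt), acl) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("block native VPN", BLOCK_NATIVE_VPN),
                       ("plus UDP/10000", BLOCK_NATIVE_AND_UDP_NATT)):
        print(f"--- {label} ---")
        for name, verdict in run(acl).items():
            f = parse(SAMPLES[name])
            print(f"{name:10s} proto={f.proto:2d} dport={f.dport} -> {verdict}")
```

Note that `natt_tcp80` and `web` produce the same `Flow` apart from payload length; a rule set of this kind has no field on which to tell them apart, which is the whole of the 5000-series argument in the thread.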
