igorz 2004-04-22, 12:25 am
Hello all,
Cisco support didn't know how to answer me, but I am sure there is some kind of workaround.
This is how our network is set up:
PIX 506E ==> Cisco 801 ISDN Router -------- (internet) ----- Netgear
The PIX is behind NAT on the 801 ISDN router.
I have created a site-to-site VPN between the Cisco PIX 506E and a Netgear FVS318 firewall.
On debugging I can see that the IKE and SAs are all getting successfully initiated and the VPN link status is working. That is because IKE is using UDP port 500.
However, no traffic can pass through the tunnel. I cannot ping or do anything else.
I have noticed that the problem lies in the following:
Apparently the VPN is not going to work behind NAT because you can't really NAT protocols other than TCP or UDP, and we do need to pass through the ESP and GRE protocols.
Here are the questions:
1. Is it possible to set up the Cisco 801 to pass through the ESP and AH protocols, whether by means of NAT or something else?
2. If not, is it possible to set up the Cisco 801 as a bridge and have the PIX controlling ISDN? (I doubt that.)
3. Will NAT traversal work well in this situation to encapsulate everything in port 4500? (I haven't tried because I only have PIX 6.2.)
4. If I do use NAT traversal, can it only be used between PIX and PIX with both using port 4500, or can I use NAT traversal between the PIX and the Netgear firewall with the settings I already have (it doesn't support NAT traversal)?
Thank you so much!
It'd be great to hear if anyone has achieved something similar to this.
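As an added illustration (not part of igorz's post), a toy model of why the IKE exchange on UDP/500 passes the 801's port address translation while raw ESP (IP protocol 50) does not, and what RFC 3948 NAT-T changes by wrapping the same ESP payload in UDP/4500. The Packet and Pat classes are constructed for this example and are not real packet formats or Cisco code.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional

IP_PROTO_UDP, IP_PROTO_ESP = 17, 50
IKE_PORT, NAT_T_PORT = 500, 4500  # IKE on UDP/500; NAT-T moves IKE and ESP to UDP/4500


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # TCP/UDP only; ESP, AH and GRE have no ports
    dport: Optional[int] = None
    payload: bytes = b""


@dataclass
class Pat:
    """Toy port address translation: inside hosts share one public address,
    keyed on (protocol, inside address, inside port), as the 801's NAT does."""
    public_ip: str
    next_port: int = 1024
    table: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.sport is None:
            return None  # nothing to key the translation on: raw ESP is dropped here
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return Packet(pkt.proto, self.public_ip, pkt.dst,
                      self.table[key], pkt.dport, pkt.payload)


def esp_packet(src: str, dst: str, spi: int, seq: int, data: bytes) -> Packet:
    """Raw ESP (IP protocol 50): 32-bit SPI, 32-bit sequence number, ciphertext."""
    return Packet(IP_PROTO_ESP, src, dst, payload=struct.pack("!II", spi, seq) + data)


def nat_t_encapsulate(esp: Packet) -> Packet:
    """RFC 3948 UDP encapsulation: the unchanged ESP payload inside UDP 4500->4500.
    The SPI is never zero, which is how the peer tells ESP apart from NAT-T IKE,
    whose UDP/4500 packets begin with a four-byte zero non-ESP marker."""
    assert esp.proto == IP_PROTO_ESP and esp.payload[:4] != b"\0\0\0\0"
    return Packet(IP_PROTO_UDP, esp.src, esp.dst, NAT_T_PORT, NAT_T_PORT, esp.payload)
```

NAT-T is negotiated between the two IKE peers during phase 1, so the encapsulation only helps when both ends support it; with a peer that does not, the alternatives are an ESP passthrough on the NAT device or a public address on the PIX.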