Re: Do we need to enable NAT -T on Local and Remote Firewalls

From: Akber Ali Mirza (akberali.cisco@gmail.com)
Date: Mon Dec 01 2008 - 17:47:03 ARST


Hi Jian,

This is a client-to-site VPN to a Nortel VPN box. Do we really need NAT-T in the
client-to-site VPN (C2S) case, as the VPN is only located at the remote end and
from our end we have used PAT through the ISP for reaching the destination?

Do we need to enable NAT-T for devices which are using NAT/PAT, as my
external PIX is using PAT?

We are not convinced about this recommendation provided by the vendor for
this issue, hence we request your further advice.

Current issue: my users who use the C2S VPN to access the remote end face
intermittent disconnection, 10 out of 30 users on a daily basis for 5 minutes. After
flushing all the connections on my external PIX firewall, all 30 users
are able to log in.

I am looking for the Root cause.

Thanks and Regards,
Akber Mirza.

On Tue, Dec 2, 2008 at 12:03 AM, Jian Gu <guxiaojian@gmail.com> wrote:

> What do you mean by turning on NAT-T between the internal firewall and the remote VPN?
> Your internal firewall does not terminate IPsec; your IPsec VPN is between the
> PIX515E and the Nortel VPN client. Besides, NAT-T is a one-line global
> configuration; you don't specify which IPsec peer uses NAT-T. Once
> enabled, IPsec will automatically detect NAT.
>
> On Mon, Dec 1, 2008 at 5:19 AM, Akber Ali Mirza <
> akberali.cisco@gmail.com> wrote:
>
>> Hi Experts,
>>
>> Could you please answer the query below.
>>
>> (I know this forum is not meant for anything other than the CCIE lab; I apologise for
>> it.)
>>
>> Best Regards,
>> Akber Mirza.
>>
>> On Mon, Dec 1, 2008 at 2:04 PM, Akber Ali Mirza <akberali.cisco@gmail.com
>> >wrote:
>>
>> > Hi,
>> >
>> > I have IPsec configured between the local end (a Cisco PIX 515E) and the remote end
>> > device (a Nortel VPN box). Users from the local end use the VPN
>> >
>> > to access remote end applications. But I am facing issues like VPN
>> > disconnections (10 users out of 30) intermittently. After I clear
>> > all the sessions from the Cisco PIX firewall, the users who are facing the problem
>> > are able to connect back to the VPN without any issues.
>> >
>> > My network:
>> >
>> > user PC ----> Core switch --> Netscreen internal firewall ----> Cisco PIX
>> > external firewall (OS ver 6.2) ----> ISP provider -------> Remote end Nortel
>> > VPN.
>> >
>> > When we checked with our vendor Cisco, they are suggesting that we enable
>> > NAT-T between our internal firewall & the remote VPN to overcome this issue.
>> >
>> > Please let us know whether we need to enable this option. Also let me know
>> > other possibilities for causing this issue.
>> >
>> >
>> > Thanks and Regards,
>> > Akber Mirza.
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
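As an added example, not part of this thread or of any vendor's code, the NAT detection Jian refers to ("once enabled, IPsec will automatically detect NAT") is the RFC 3947 NAT-D payload check, shown here with SHA-1 assumed as the negotiated hash and with constructed cookies and addresses:

```python
import hashlib
import socket
import struct

# RFC 3947 NAT-D: each IKE peer sends HASH(CKY-I | CKY-R | IP | Port) for the
# address/port it believes it is using. The receiver recomputes the hash over
# the source address/port actually seen in the IP/UDP headers; a mismatch means
# a NAT or PAT device rewrote them, and IPsec switches to UDP/4500 encapsulation.


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port). SHA-1 assumed here."""
    ip_bytes = socket.inet_aton(ip)           # 4 octets for IPv4
    port_bytes = struct.pack("!H", port)      # 2 octets, network byte order
    return hashlib.sha1(cky_i + cky_r + ip_bytes + port_bytes).digest()


def nat_detected(cky_i, cky_r, claimed_ip, claimed_port, seen_ip, seen_port) -> bool:
    """Responder-side check: compare the sender's own NAT-D hash with the hash
    of the source address/port the responder actually observed on the wire."""
    sent = nat_d_hash(cky_i, cky_r, claimed_ip, claimed_port)
    observed = nat_d_hash(cky_i, cky_r, seen_ip, seen_port)
    return sent != observed


# Constructed sample cookies (made up for this demo, not captured values).
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")


def demo() -> dict:
    """Two clients on private addresses behind one PAT address, plus one peer
    with a public address and no translation in the path."""
    # inside address -> (public address after PAT, source port after PAT); constructed
    pat_clients = {
        "10.1.1.10": ("203.0.113.5", 1025),
        "10.1.1.11": ("203.0.113.5", 1026),
    }
    results = {}
    for inside_ip, (pat_ip, pat_port) in pat_clients.items():
        # The client sends its own hash over 10.1.1.x:500; the responder sees 203.0.113.5:10xx.
        results[inside_ip] = nat_detected(CKY_I, CKY_R, inside_ip, 500, pat_ip, pat_port)
    results["198.51.100.7"] = nat_detected(CKY_I, CKY_R, "198.51.100.7", 500, "198.51.100.7", 500)
    return results


if __name__ == "__main__":
    for peer, behind_nat in demo().items():
        print(f"{peer}: NAT detected = {behind_nat}")
```

This shows only how the peers discover that PAT sits between them; it does not by itself establish what caused the disconnections described in the thread.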


This archive was generated by hypermail 2.1.4 : Thu Jan 01 2009 - 12:53:07 ARST