DN,
You will need to configure this using a client/server relationship. The 3G
device will need to be configured as an EZVPN client with the public device
acting as an EZVPN server. You cannot establish an L2L when you don't control
what is happening with NAT. It could change at any time. Plus I would
presume they are doing PAT and not NAT.
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: tscott_at_ipexpert.com
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of DN817
Sent: Saturday, July 31, 2010 8:13 AM
To: Cisco certification
Subject: Re: IPSEC with NAT
Thanks, Nish.
Do we need IPSec Passthrough on the device doing NAT or on the end CE
routers?
Unfortunately NAT is done by service provider and we don't have control on
those devices.
Regards,
DN
On Sat, Jul 31, 2010 at 1:03 PM, Nish Vamadevan <ipnish_at_gmail.com> wrote:
> Should be able to as long as IPSec Passthrough is enabled on both devices
> and Protocol 50/50 and Port 500 isn't blocked... Then, you should be able
> to form tunnels...
>
> Regards,
> Nish
>
> On Sat, Jul 31, 2010 at 12:53 PM, DN817 <ndheeraj.ccie_at_googlemail.com> wrote:
>
>> Hi Experts,
>>
>> I am trying to run IPSEC between an Internet router (with public IP address)
>> and another router which got access to internet over a 3G mobile network.
>> The 3G provider only assigns private address but is static NATed to a public
>> IP address within their cloud.
>>
>> Please advise whether it is possible to run IPSEC between these 2 routers
>> over the internet.
>>
>> R1(IP=80.x.x.x) == INTERNET == 3G Network (where IP 10.1.1.1 is NATed to
>> 90.x.x.x) == 3G Device with WAN IP - 10.1.1.1
>>
>> Thanks,
>> DN
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
Received on Sat Jul 31 2010 - 14:42:55 ART
This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 19:19:15 ART