Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


VPN on Cisco PIX with NAT - what is my options to make it work?

Posted on 2002-05-23
Medium Priority
Last Modified: 2010-04-11
hi guys,

What options do I have if I want to run a VPN using Cisco PIX behing my NAT device (which is separate from the Cisco)? If possible, I would like to run IPSEC but the NAT device as I understand does not support IPSEC. BUT I read that while NAT & IPSEC do not go well together,
IP ESP[tunnel] IP TCP payload may work.

Can anybody advice me on the options I have and what would I recommend to configure on the Cisco PIX and whether the above option (NAT+IPSEC ESP) will work?? Some detailed explanation would be great!


Question by:Haho
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +4
LVL 63

Expert Comment

ID: 7029596
It probably depends on exactly what NAT device you have and what it supports.

Please provide more details.

See Firewall and security for home and offices
Test firewall ports  and port blocking
Protect DSL or boradband connection. ICF, ICS firewall security
Home PC Firewall Guide - 

Many inexpensive routers have a VPN "feature" that
 allows multiple client pass-thru sessions, but only one VPN   session per VPN tunnel "terminator".  This means that you  can't connect multiple VPN clients simultaneously to the same  VPN server, but can connect only one client per VPN server. 
$595 ? Cisco PIX® 501 Firewall VPN help routers

I hope this helps !

LVL 23

Expert Comment

by:Tim Holman
ID: 7031575
What's your NAT device & what sort of NAT is it doing ?
This sort of thing generally works with static one-to-one NAT, but NOT port address translation.

Expert Comment

ID: 7053018
You need to "Allow IPSec over UDP (or TCP)" on your client.
This will encapsulate the packet with a UDP header and "unconfuse" some firewalls.  (Mainly the PIX here)
Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.


Expert Comment

ID: 7053020
Yes it will work, as I have it running now on a PIX 520.

Expert Comment

ID: 7053022
Ack, disreguard all of my previous posts.  I reread your question.

Expert Comment

ID: 7053026
Use a separate IP address for the VPN on your NAT device.

Author Comment

ID: 7069562
I read up a bit.. pls correct me if i am wrong.

what about NAT traversal in IPSEC ESP Tunnel mode? I understand that because because UDP checksums are not (usually) used, changing the IP headers (as done by NAT) will not destroy the "integrity" of the packets.

This is opposed to using TCP which has a mandatory checksum that includes the IP header which of course is broken if the IP headers are changed by NAT.

Also because the outermost IP and UDP header is not in the encrypted payload, the NAT can safetly change the UDP source ports and IP headers without breaking the ESP what-you-might-call-it. :)

In fact, I read the NAT traversal is the cure for all NAT deployments to run IPSEC, assuming both VPN ends support NAT Traversal.

My info is gleaned theorically, can anybody fill me in on the practical side with Cisco PIX?


Expert Comment

ID: 7074184
Hi Haho:
It may help me to describe things better if I understand more clearly just what you are working with and what type of VPN implementation you are attempting to create. Just a few questions if you don't mind?
1)Can I ask is your "NAT device" a router, ADSL modem or what?
2)What are you attempting to connect to with the PIX, are you doing a site to site VPN (from another LAN), or a Remote-User VPN from some device running Cisco client software?
3)Will you be coming from a static IP addressed source to the PIX or will you be coming from some dynamically addressed source to the PIX (ie a dial-up)?

I will watch for more details and then try to answer your question, thanks, Chriskohn

Author Comment

ID: 7074736
hi chris,

Here are the answers:
(1) a router (not cisco or ibm)
(2) A remote-user VPN
(3) dynamic (i.e. dial-up)

What do u think? Thanks for your help.

Expert Comment

ID: 7076520
Okay Haho:
See your answers. It appears are you planning to connect to your PIX through your router, from the Internet when you are at some other place, and you are going to have a dynamic IP address because you are dialing into the Internet from that site? Is this correct? If so, version of Cisco VPN client are you planning to use??? When you answer this, I will be able to direct you, Chriskohn

Expert Comment

ID: 7088733
It will be very difficult to make VPN over IPSEC with NAT device between. The Best easy solution is to make a VPN for remote client (Microsoft Client only) with MPPE 40 and not IPSEC. It is GENERALY Ok For Proxy or other Nat devices.

For the PIX : (may be I forgot something but I don't think so)
name resint (for exmple Internal Network)
name resvpn (ip addresses for the vpn )
ip local pool pptp-pool
sysopt connection permit-pptp
access-list 101 permit ip resint resvpn
nat (inside) 0 access-list 101
(no nat between internal addresses and vpn clients)
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host AuthHost keyAAA
timeout 10
(if applicable for a W2K OR NT Server WITH IAS Server Installed, RADIUS Server or other method : only PIX password)
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns HostDns
vpdn group 1 client authentication aaa AuthInbound
(if applicable or only Pix Auth for the Clients)
vpdn group 1 pptp echo 60
vpdn enable outside

For The client :
Windows NT, 2000, XP, it's in the OS (Dialup and Network Connections). Define a VPN Connection IP Adress: External Ip Adress of The Pix. In Advanced Parameters Take  Require Crypt and MSCHAP (not MSCHAP V2).
Then Take The internet Connection and then the VPN connection. (IN 2000 XP the VPN connection can run first the Internet Connection not with W95 and W98)
Windows 95 : you need to download the update client from Microsoft ( Search for VPN Client)
Windows 98 : You need WINDOWS 98 SE (Second Edition): (for the install you need to install first then desinstall drivers  and reinstall because there is a bug in the VPN CLIENT OF 95 AND 98 )

NOTE : with MPPE 40 Client YOU CAN NOT When you are connected to the pix (VPN Tunnel active) go to the INTERNET (through the pix) or go to a other card of the Pix (eg :DMZ) . YOU CAN ONLY JOIN THE INTERNAL NETWORK. The command
'sysopt ipsec pl-compatible' has no equivalent in MPPE .


Accepted Solution

matt_t1 earned 400 total points
ID: 7155650
I have numerous IPSec VPNs running in the wild at the moment, and most of them are subject to NAT at some point between the endpoints.  While they are not running on PIX, I can vouch for the fact that IPSec and NAT work fine together.  Basic conditions are as follows:

Permit UDP port 500 as you are likely to need IKE negotiations to establish the tunnel.  These packets can safely be NATted.

Use IPSec ESP mode rather than just AH.  This runs as IP Protocol number 50, and encrypts the whole tunneled packet including the headers, so these can't be touched by intermediate NAT devices.

I'm sure somebody else here can provide you with the PIX config to make this happen, but just don't get too hung up about the NAT causing problems.  Just be careful about the IP routing, and dealing with any RFC1918 addresses you have at either end.

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.
Considering cloud tradeoffs and determining the right mix for your organization.
Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question