VPN on Cisco PIX with NAT - what is my options to make it work?

Posted on 2002-05-23
Last Modified: 2010-04-11
hi guys,

What options do I have if I want to run a VPN using Cisco PIX behing my NAT device (which is separate from the Cisco)? If possible, I would like to run IPSEC but the NAT device as I understand does not support IPSEC. BUT I read that while NAT & IPSEC do not go well together,
IP ESP[tunnel] IP TCP payload may work.

Can anybody advice me on the options I have and what would I recommend to configure on the Cisco PIX and whether the above option (NAT+IPSEC ESP) will work?? Some detailed explanation would be great!


Question by:Haho
  • 4
  • 2
  • 2
  • +4
LVL 63

Expert Comment

ID: 7029596
It probably depends on exactly what NAT device you have and what it supports.

Please provide more details.

See Firewall and security for home and offices
Test firewall ports  and port blocking
Protect DSL or boradband connection. ICF, ICS firewall security
Home PC Firewall Guide - 

Many inexpensive routers have a VPN "feature" that
 allows multiple client pass-thru sessions, but only one VPN   session per VPN tunnel "terminator".  This means that you  can't connect multiple VPN clients simultaneously to the same  VPN server, but can connect only one client per VPN server. 
$595 ? Cisco PIX® 501 Firewall VPN help routers

I hope this helps !

LVL 23

Expert Comment

by:Tim Holman
ID: 7031575
What's your NAT device & what sort of NAT is it doing ?
This sort of thing generally works with static one-to-one NAT, but NOT port address translation.

Expert Comment

ID: 7053018
You need to "Allow IPSec over UDP (or TCP)" on your client.
This will encapsulate the packet with a UDP header and "unconfuse" some firewalls.  (Mainly the PIX here)
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.


Expert Comment

ID: 7053020
Yes it will work, as I have it running now on a PIX 520.

Expert Comment

ID: 7053022
Ack, disreguard all of my previous posts.  I reread your question.

Expert Comment

ID: 7053026
Use a separate IP address for the VPN on your NAT device.

Author Comment

ID: 7069562
I read up a bit.. pls correct me if i am wrong.

what about NAT traversal in IPSEC ESP Tunnel mode? I understand that because because UDP checksums are not (usually) used, changing the IP headers (as done by NAT) will not destroy the "integrity" of the packets.

This is opposed to using TCP which has a mandatory checksum that includes the IP header which of course is broken if the IP headers are changed by NAT.

Also because the outermost IP and UDP header is not in the encrypted payload, the NAT can safetly change the UDP source ports and IP headers without breaking the ESP what-you-might-call-it. :)

In fact, I read the NAT traversal is the cure for all NAT deployments to run IPSEC, assuming both VPN ends support NAT Traversal.

My info is gleaned theorically, can anybody fill me in on the practical side with Cisco PIX?


Expert Comment

ID: 7074184
Hi Haho:
It may help me to describe things better if I understand more clearly just what you are working with and what type of VPN implementation you are attempting to create. Just a few questions if you don't mind?
1)Can I ask is your "NAT device" a router, ADSL modem or what?
2)What are you attempting to connect to with the PIX, are you doing a site to site VPN (from another LAN), or a Remote-User VPN from some device running Cisco client software?
3)Will you be coming from a static IP addressed source to the PIX or will you be coming from some dynamically addressed source to the PIX (ie a dial-up)?

I will watch for more details and then try to answer your question, thanks, Chriskohn

Author Comment

ID: 7074736
hi chris,

Here are the answers:
(1) a router (not cisco or ibm)
(2) A remote-user VPN
(3) dynamic (i.e. dial-up)

What do u think? Thanks for your help.

Expert Comment

ID: 7076520
Okay Haho:
See your answers. It appears are you planning to connect to your PIX through your router, from the Internet when you are at some other place, and you are going to have a dynamic IP address because you are dialing into the Internet from that site? Is this correct? If so, version of Cisco VPN client are you planning to use??? When you answer this, I will be able to direct you, Chriskohn

Expert Comment

ID: 7088733
It will be very difficult to make VPN over IPSEC with NAT device between. The Best easy solution is to make a VPN for remote client (Microsoft Client only) with MPPE 40 and not IPSEC. It is GENERALY Ok For Proxy or other Nat devices.

For the PIX : (may be I forgot something but I don't think so)
name resint (for exmple Internal Network)
name resvpn (ip addresses for the vpn )
ip local pool pptp-pool
sysopt connection permit-pptp
access-list 101 permit ip resint resvpn
nat (inside) 0 access-list 101
(no nat between internal addresses and vpn clients)
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host AuthHost keyAAA
timeout 10
(if applicable for a W2K OR NT Server WITH IAS Server Installed, RADIUS Server or other method : only PIX password)
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns HostDns
vpdn group 1 client authentication aaa AuthInbound
(if applicable or only Pix Auth for the Clients)
vpdn group 1 pptp echo 60
vpdn enable outside

For The client :
Windows NT, 2000, XP, it's in the OS (Dialup and Network Connections). Define a VPN Connection IP Adress: External Ip Adress of The Pix. In Advanced Parameters Take  Require Crypt and MSCHAP (not MSCHAP V2).
Then Take The internet Connection and then the VPN connection. (IN 2000 XP the VPN connection can run first the Internet Connection not with W95 and W98)
Windows 95 : you need to download the update client from Microsoft ( Search for VPN Client)
Windows 98 : You need WINDOWS 98 SE (Second Edition): (for the install you need to install first then desinstall drivers  and reinstall because there is a bug in the VPN CLIENT OF 95 AND 98 )

NOTE : with MPPE 40 Client YOU CAN NOT When you are connected to the pix (VPN Tunnel active) go to the INTERNET (through the pix) or go to a other card of the Pix (eg :DMZ) . YOU CAN ONLY JOIN THE INTERNAL NETWORK. The command
'sysopt ipsec pl-compatible' has no equivalent in MPPE .


Accepted Solution

matt_t1 earned 100 total points
ID: 7155650
I have numerous IPSec VPNs running in the wild at the moment, and most of them are subject to NAT at some point between the endpoints.  While they are not running on PIX, I can vouch for the fact that IPSec and NAT work fine together.  Basic conditions are as follows:

Permit UDP port 500 as you are likely to need IKE negotiations to establish the tunnel.  These packets can safely be NATted.

Use IPSec ESP mode rather than just AH.  This runs as IP Protocol number 50, and encrypts the whole tunneled packet including the headers, so these can't be touched by intermediate NAT devices.

I'm sure somebody else here can provide you with the PIX config to make this happen, but just don't get too hung up about the NAT causing problems.  Just be careful about the IP routing, and dealing with any RFC1918 addresses you have at either end.

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are looking at this article, you have most likely been hit by some version of ransomware and are trying to find out if there is anything you can do, or what way you should react - READ ON!
Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question