On Fri, May 17, 2002 at 01:56:07PM -0500, Austad, Jay wrote:
> > Yes, the Cisco 675 does NAT. I've had to punch holes for my
> > SSH, SMTP, and IPSec. (I really should get around to trying the IPSec
> > sometime...)
>
> IPSec does not work through NAT. Both your client and server must support
> NAT Traversal (NAT-T) for this to work. I believe the Cisco VPN client will
> do this, and I know for a fact the Netscreen client does it. But, the other
> endpoint must support it also.
>
> The reason is that NAT changes the source address, and the checksum in AH
> will no longer match. Search for NAT traversal and ipsec on google, and
> you'll find out more of the reasons it won't work without NAT-T.

Which is why I punched holes - I know what ports my IPSec client claims to
use, and I'M NOT DOING NAT ON THOSE PORTS! Therefore, the IP address stays
constant. That's what 'punching holes' means - at least, that's the term
that I've seen and heard from multiple sources.

-- 
Scott Raun
sraun at fireopal.org
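The AH failure Jay describes in the quoted message, simulated in code as an added example that is not part of this thread: the AH integrity check value (ICV) covers the immutable fields of the outer IP header, including the source address, so a NAT that rewrites that address invalidates the ICV and cannot recompute it because it does not hold the SA key. ESP encapsulated in UDP/4500 (NAT-T, RFC 3948) authenticates only the ESP header and payload, so the same rewrite leaves it verifiable. Headers are simplified (no IP header checksum, no ESP encryption or trailer), and the key, SPIs and addresses are constructed values.

```python
"""Simulated IPsec AH vs. NAT-T ESP under a source-address rewrite.

Added example, not code from the mailing list thread. Packet layouts are
simplified to the fields that matter for the integrity check.
"""
import hashlib
import hmac
import socket
import struct

ICV_LEN = 12                      # HMAC-SHA1-96: 160-bit MAC truncated to 96 bits (RFC 2404)
PROTO_ESP, PROTO_AH, PROTO_UDP = 50, 51, 17
NATT_PORT = 4500                  # UDP port used for ESP encapsulation (RFC 3948)

# Constructed demo key. A real SA key is negotiated by IKE; the NAT box never has it.
SA_KEY = b"constructed-demo-sa-key"


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header, no options; header checksum left as 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def ah_icv_input(ip_hdr, ah_fixed, payload):
    """Bytes AH authenticates (RFC 4302 3.3.3.1): the IP header with mutable fields
    zeroed (ToS, flags/fragment offset, TTL, checksum), the fixed AH header, a
    zeroed ICV field, then the payload. Source/destination addresses are immutable
    and therefore remain covered by the MAC."""
    h = bytearray(ip_hdr)
    h[1] = 0                     # ToS
    h[6:8] = b"\x00\x00"         # flags + fragment offset
    h[8] = 0                     # TTL
    h[10:12] = b"\x00\x00"       # header checksum
    return bytes(h) + ah_fixed + bytes(ICV_LEN) + payload


def build_ah_packet(src, dst, payload, spi=0x1001, seq=1):
    """IP | AH(next=UDP, len, reserved, SPI, seq, ICV) | payload."""
    ah_fixed = struct.pack("!BBHII", PROTO_UDP, 4, 0, spi, seq)   # len field: (24/4) - 2
    ip_hdr = ipv4_header(src, dst, PROTO_AH, 20 + 12 + ICV_LEN + len(payload))
    icv = hmac.new(SA_KEY, ah_icv_input(ip_hdr, ah_fixed, payload), hashlib.sha1).digest()[:ICV_LEN]
    return ip_hdr + ah_fixed + icv + payload


def verify_ah(pkt):
    """Receiver-side AH check: recompute the ICV over the packet as it arrived."""
    ip_hdr, ah_fixed, icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    expected = hmac.new(SA_KEY, ah_icv_input(ip_hdr, ah_fixed, payload), hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def nat_rewrite_src(pkt, new_src):
    """What a NAT does to an outbound packet: replace the source address (bytes 12-16).
    It has no SA key, so it cannot fix up any ICV that covered that address."""
    return pkt[:12] + socket.inet_aton(new_src) + pkt[16:]


def build_natt_esp_packet(src, dst, payload, spi=0x2002, seq=1):
    """IP | UDP/4500 | ESP(SPI, seq) | payload | ICV. The ESP ICV covers only the ESP
    header and payload, never the outer IP or UDP header."""
    esp_hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(SA_KEY, esp_hdr + payload, hashlib.sha1).digest()[:ICV_LEN]
    esp = esp_hdr + payload + icv
    udp = struct.pack("!HHHH", NATT_PORT, NATT_PORT, 8 + len(esp), 0)
    return ipv4_header(src, dst, PROTO_UDP, 20 + 8 + len(esp)) + udp + esp


def verify_natt_esp(pkt):
    """Receiver-side check for UDP-encapsulated ESP: skip IP (20) and UDP (8) headers."""
    esp = pkt[28:]
    esp_hdr, body, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(SA_KEY, esp_hdr + body, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


if __name__ == "__main__":
    inner, public, peer = "192.168.1.10", "198.51.100.7", "203.0.113.5"   # constructed addresses
    ah = build_ah_packet(inner, peer, b"hello")
    print("AH before NAT verifies:", verify_ah(ah))                       # True
    print("AH after NAT verifies: ", verify_ah(nat_rewrite_src(ah, public)))   # False
    natt = build_natt_esp_packet(inner, peer, b"hello")
    print("NAT-T ESP after NAT verifies:", verify_natt_esp(nat_rewrite_src(natt, public)))  # True
```

Port forwarding on the NAT device ("punching holes") changes which inbound packets reach the inner host, but the outbound source address is still rewritten to the public one, which is exactly the field the AH ICV covers; the simulation is why a NAT-T capable peer, rather than a forwarding rule, is what the quoted message recommends.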