Cannot Communicate Through NAT Traversal

  [KB4994]


Summary:

Users are unable to communicate through NAT Traversal (NAT-T). NAT-T only works when both IKE gateways are configured correctly for it; this article lists the settings to verify.

This article applies to ScreenOS 4.0 and later.

Symptoms:

Symptoms experienced by users:

  • NAT device is in front of NetScreen
  • NetScreen behind NAT device sees phase 2 completing
  • Cannot communicate through NAT traversal
  • Cannot ping through VPN tunnel with NAT traversal
Cause:

Solution:

Image of example

NAT Traversal (NAT-T) must be configured correctly on both peers to function. If problems occur while operating in this mode, confirm the following settings:

  • On the NetScreen device that is not behind a NAT device, the IKE Gateway Type should be Dynamic IP, and its Peer ID must match the Local ID configured on the remote NetScreen device (the one behind the NAT device).
  • The VPN should be initiated with traffic from the NetScreen behind the NAT device.
  • When using preshared secrets, both gateways must be configured for aggressive mode. Main Mode can only be used with certificates.

For more information on configuring a LAN-to-LAN VPN using NAT Traversal, go to Configuring Your NetScreen Devices for a Route Based LAN to LAN VPN Using NAT Traversal.
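The three checks above are easy to get wrong independently on each side, so it helps to review both gateways together. The following is an added example, not part of this article and not ScreenOS code: it models the two IKE gateways with plain Python fields (the field names such as `gateway_type`, `mode` and `auth` are this example's own, not ScreenOS keywords) and reports which of the KB4994 conditions a pair violates. The sample values (`hub.example.net`, `spoke.example.net`) are constructed.

```python
"""Review a NAT-T LAN-to-LAN VPN gateway pair against the settings listed in this article.

Added example: models the two IKE gateways as plain data and flags the
conditions the article says must hold. Field names are this example's own
and are not ScreenOS configuration keywords.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IkeGateway:
    name: str
    behind_nat: bool              # True for the NetScreen sitting behind the NAT device
    gateway_type: str             # "static" or "dynamic" (Dynamic IP peer)
    mode: str                     # "aggressive" or "main"
    auth: str                     # "preshared" or "certificate"
    local_id: Optional[str] = None  # Local ID this gateway presents in IKE
    peer_id: Optional[str] = None   # Peer ID it expects from the remote gateway


def check_nat_t_pair(a: IkeGateway, b: IkeGateway, initiator: str) -> List[str]:
    """Return a list of findings; an empty list means the pair satisfies the article's settings.

    `initiator` names the gateway whose traffic brings the tunnel up.
    """
    findings: List[str] = []
    if a.behind_nat == b.behind_nat:
        # The article's scenario has exactly one peer behind a NAT device.
        return ["exactly one of the two gateways should be marked behind_nat"]

    nat_side = a if a.behind_nat else b
    open_side = b if a.behind_nat else a

    # 1. The peer not behind NAT must treat the remote as a Dynamic IP gateway
    #    and expect the NAT-side gateway's Local ID as its Peer ID.
    if open_side.gateway_type != "dynamic":
        findings.append(f"{open_side.name}: IKE Gateway Type should be Dynamic IP")
    if open_side.peer_id != nat_side.local_id:
        findings.append(
            f"{open_side.name}: Peer ID {open_side.peer_id!r} does not match "
            f"{nat_side.name} Local ID {nat_side.local_id!r}"
        )

    # 2. The tunnel must be initiated from behind the NAT device.
    if initiator != nat_side.name:
        findings.append(f"VPN should be initiated from {nat_side.name} (behind NAT), not {initiator}")

    # 3. Preshared secrets require aggressive mode on both sides; main mode only with certificates.
    for gw in (a, b):
        if gw.auth == "preshared" and gw.mode != "aggressive":
            findings.append(f"{gw.name}: preshared secret requires aggressive mode")
        elif gw.mode == "main" and gw.auth != "certificate":
            findings.append(f"{gw.name}: main mode can only be used with certificates")

    return findings


def misconfigured_pair() -> List[str]:
    """Constructed example of a pair that breaks every check in this article."""
    hub = IkeGateway("hub", behind_nat=False, gateway_type="static", mode="main",
                     auth="preshared", local_id="hub.example.net", peer_id="some-other-id")
    spoke = IkeGateway("spoke", behind_nat=True, gateway_type="static", mode="aggressive",
                       auth="preshared", local_id="spoke.example.net", peer_id="hub.example.net")
    return check_nat_t_pair(hub, spoke, initiator="hub")


def corrected_pair() -> List[str]:
    """The same pair with the article's settings applied."""
    hub = IkeGateway("hub", behind_nat=False, gateway_type="dynamic", mode="aggressive",
                     auth="preshared", local_id="hub.example.net", peer_id="spoke.example.net")
    spoke = IkeGateway("spoke", behind_nat=True, gateway_type="static", mode="aggressive",
                       auth="preshared", local_id="spoke.example.net", peer_id="hub.example.net")
    return check_nat_t_pair(hub, spoke, initiator="spoke")


if __name__ == "__main__":
    for finding in misconfigured_pair():
        print("FINDING:", finding)
    print("corrected pair findings:", corrected_pair())
```

Running the script prints four findings for the misconfigured pair (wrong gateway type, mismatched Peer ID, wrong initiator, and main mode with a preshared secret on the hub) and none for the corrected pair, which mirrors the order in which a practitioner would walk the settings in the list above.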
