What's the deal with NAT?

Mullen, Matt Matt.Mullen at TEAMGDM.COM
Fri Apr 28 09:55:55 EDT 2000


Hello list,

I have been trying to connect several VPN clients to their respective VPN
servers across the Internet without any success and I was wondering if
anyone might be able to tell me the answer to this question:  if any device
is running NAT that is between two VPN endpoints,  will the connection
between the two VPN endpoints fail?

For example,  I have a Nortel Extranet Access client on the LAN that is
trying to connect to a VPN server on the Internet.  Between the client and
the server is a Checkpoint FW-1 firewall running NAT.  The client is unable
to connect.  That same client has no problem connecting if using a dialup
via modem to an ISP, so I have ruled out any config problem on the client.
Even if I open the firewall to allow any traffic on any port inbound and
outbound, the client is still unable to connect.  In my network traces,  I
see traffic on port 500 (ISAKMP) coming back from the VPN server to the
firewall and to the client.

I have had the same problems with other VPN clients,  such as CiscoSecure
VPN client and even PPTP.  None of them are able to connect when the
firewall running NAT is in between the client and the host they are trying
to reach.  I haven't tested thoroughly but I have another client with a
different firewall (Cisco PIX) and it seems to be the same problems there as
well.  I have heard that NAT causes problems with IPSec,  but could anyone
describe what the limitations are,  i.e.  what can and what can't you do
with VPNs and NAT?


Thanks in advance,

Matt Mullen
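
Added example (not part of the original post): a small Python check for the kind of network trace described above. It reports, for each VPN-related protocol, whether packets were seen in both directions between client and server. The packet records, addresses and function names are constructed for illustration.

```python
# Added example: per-protocol direction summary for a VPN connection attempt.
# SAMPLE below is constructed data, not a real capture from the post.
from collections import defaultdict

# IANA IP protocol numbers and well-known ports for the VPN types mentioned.
IP_PROTOS = {50: "ESP", 51: "AH", 47: "GRE (PPTP data)"}
PORTS = {(17, 500): "ISAKMP/IKE", (6, 1723): "PPTP control"}
LABELS = {frozenset(): "none",
          frozenset({"out"}): "outbound only",
          frozenset({"in"}): "inbound only",
          frozenset({"out", "in"}): "both"}

def classify(pkt):
    """Return the VPN protocol name for one packet record, or None."""
    proto = pkt["proto"]
    if proto in IP_PROTOS:
        return IP_PROTOS[proto]
    for port in (pkt.get("sport"), pkt.get("dport")):
        name = PORTS.get((proto, port))
        if name:
            return name
    return None

def summarize(packets, client_ip):
    """Map each VPN protocol to 'both', 'outbound only', 'inbound only' or 'none'."""
    seen = defaultdict(set)
    for pkt in packets:
        name = classify(pkt)
        if name is not None:
            # Direction is relative to the client on the inside of the firewall.
            seen[name].add("out" if pkt["src"] == client_ip else "in")
    names = list(PORTS.values()) + list(IP_PROTOS.values())
    return {n: LABELS[frozenset(seen.get(n, ()))] for n in names}

# Constructed trace taken on the client's LAN segment (hypothetical addresses).
CLIENT, SERVER = "10.0.0.5", "192.0.2.10"
SAMPLE = [
    {"src": CLIENT, "dst": SERVER, "proto": 17, "sport": 500, "dport": 500},
    {"src": SERVER, "dst": CLIENT, "proto": 17, "sport": 500, "dport": 500},
    {"src": CLIENT, "dst": SERVER, "proto": 50},                # ESP leaving
    {"src": CLIENT, "dst": "192.0.2.53", "proto": 17, "sport": 1030, "dport": 53},
]

if __name__ == "__main__":
    for name, status in summarize(SAMPLE, CLIENT).items():
        print(f"{name:18} {status}")
```

Comparing this summary for a trace taken inside the firewall with one taken outside it shows which protocol stops crossing the NAT device.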

VPN is sponsored by SecurityFocus.COM



