IPSec port forwarding w/ NAT traversal

[xyyz]

here's a quick diagram:

*internet* ------ [cisco 831] ------ (pix) ------- *private network*

i've done the ipsec vpn setup on the pix, and i tested it on the network between the 831 and the pix; it works.

can someone tell me what ports/protocols/etc i need to forward on the 831 to the pix?

i know how to port forward, but i don't know if you can forward protocols right? i think i'll just need to let the router accept those protocols?

also, since the traffic is passing through a NAT to get to the pix, do i need to do enter any commands to prevent disruption?

finally, please please please stick on topic. i didn't ask if this was the best way to do it, or ask for another way to do it. i just want to know how to handle this particular situation.

 

[spidey07]

If you just do straight NAT, meaning IP address to IP address, not PAT (port numbers) it should work on the 831. The PIX has more intelligence to deal with IPsec but it's easy in IOS. Search cisco.com for "ipsec NAT configuration".

It will depend somewhat on the VPN endpoints on what ports/protocols you need to be doing. If you're doing NAT traversal the actual tunnel traffic will be wrapped in a udp or tcp header (udp is the preferred wrapper) depending on configuration of ipsec.

-edit-
normal ipsec uses UDP port 500 for the initial phase/negotiation. Even if you just search cisco.com for "ipsec nat configuration" you'll get a TON of info.