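In today's Internet environment, more and more remote access VPN clients need to establish a VPN with the PIX from behind NAT...
In that case, the NAT Traversal feature must be configured on the PIX...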
isakmp nat-traversal
Network Address Translation (NAT), including Port Address Translation (PAT), is used in many networks where IPSec is also used, but there are a number of incompatibilities that prevent IPSec packets from successfully traversing NAT devices. NAT traversal enables ESP packets to pass through one or more NAT devices.
The firewall supports NAT traversal as described by Version 2 and Version 3 of the IETF "UDP Encapsulation of IPSec Packets" draft, and NAT traversal is supported for both dynamic and static crypto maps.
NAT traversal is disabled by default on the firewall.
To enable NAT traversal, check that ISAKMP is enabled (you can enable it with the isakmp enable if_name command) and then use the isakmp nat-traversal [natkeepalive] command.
Valid values for natkeepalive are from 10 to 3600 seconds. The default value is 20 seconds. If needed, the show isakmp sa detail command assists in debugging NAT traversal.
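As an added example (not part of the original post or of Cisco's documentation), this Python script audits a saved PIX configuration for the settings described above: ISAKMP enabled on an interface, isakmp nat-traversal present, and natkeepalive within 10 to 3600 seconds. The function name and sample configurations are constructed, and it assumes the saved configuration shows these commands in the same form as they are typed.

```python
import re

# Keepalive bounds and default as stated on this page (seconds).
KA_MIN, KA_MAX, KA_DEFAULT = 10, 3600, 20

def audit_nat_traversal(config_text):
    """Check a saved PIX 6.x config for the NAT-T prerequisites above."""
    interfaces, keepalive, natt_seen, findings = [], None, False, []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"isakmp enable (\S+)", line)
        if m:
            interfaces.append(m.group(1))
            continue
        # A "no isakmp nat-traversal" line does not match and is ignored.
        m = re.fullmatch(r"isakmp nat-traversal(?:\s+(\S+))?", line)
        if m:
            natt_seen = True
            arg = m.group(1)
            if arg is None:
                keepalive = KA_DEFAULT  # no argument: default applies
            elif arg.isdigit() and KA_MIN <= int(arg) <= KA_MAX:
                keepalive = int(arg)
            else:
                findings.append(f"natkeepalive {arg!r} outside {KA_MIN}-{KA_MAX} s")
    if not interfaces:
        findings.append("ISAKMP not enabled on any interface")
    if not natt_seen:
        findings.append("isakmp nat-traversal missing (disabled by default)")
    return {"ok": not findings, "interfaces": interfaces,
            "keepalive": keepalive, "findings": findings}

# Constructed sample configurations (not taken from a real device).
SAMPLES = {
    "explicit": "isakmp enable outside\nisakmp nat-traversal 30\n",
    "default": "isakmp enable outside\nisakmp nat-traversal\n",
    "too_low": "isakmp enable outside\nisakmp nat-traversal 5\n",
    "not_enabled": "isakmp enable outside\nno isakmp nat-traversal\n",
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        print(name, audit_nat_traversal(cfg))
```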
- Jan 08 Mon 2007 16:25
Configure NAT-Traversal support on Cisco PIX 6.x