Chapter 4 Configuring Connection Entries

Transport Parameters

Enable Transparent Tunneling

Transparent tunneling allows secure transmission between the VPN Client and a secure gateway through a router serving as a firewall. The router might also be configured for Network Address Translation (NAT) or Port Address Translation (PAT).

Transparent tunneling encapsulates ESP (IP protocol 50) traffic in UDP packets or, in TCP mode, encapsulates both IKE (UDP 500) and ESP in TCP packets, before the traffic is sent through NAT or PAT devices and firewalls. The most common use is behind a home router performing PAT: a PAT device translates on port numbers, and raw ESP carries none.

Not all NAT/PAT devices support multiple simultaneous VPN connections behind them; some cannot map additional sessions to unique source ports. Check with your device's vendor to find out whether it has this limitation. Some vendors support PAT for Protocol 50 (ESP) itself, which might let you connect without enabling transparent tunneling.

To use transparent tunneling, the IPSec group in the Cisco VPN device must be configured to support it.

Transparent Tunneling is enabled by default. To disable this parameter, clear the check box. We recommend that you keep this parameter enabled.
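The paragraphs above describe why raw ESP collides behind a PAT device and how UDP encapsulation or vendor ESP-aware PAT avoids it. The following toy PAT router is an added example written for this page, not Cisco's code: it models a plain PAT device, the optional vendor "ESP PAT" feature (keyed on the ESP SPI, a simplification), and two inside hosts starting sessions with raw ESP or with UDP-encapsulated ESP. All addresses, ports and SPI values are constructed.

```python
"""Toy PAT router: why two inside hosts sending raw ESP (IP protocol 50)
collide behind ordinary PAT, while UDP-encapsulated ESP (transparent
tunneling) or ESP-aware PAT lets both connect. Added example, not Cisco
code; every address, port and SPI below is constructed."""
from dataclasses import dataclass, field
from typing import Optional

ESP = 50            # IP protocol number for ESP: its header has no ports
UDP = 17
IKE_PORT = 500      # IKE runs over UDP 500
ENCAP_PORT = 10000  # constructed UDP port for the encapsulated ESP stream
GATEWAY = "198.51.100.5"   # constructed central-site VPN device address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # None for ESP, which carries no ports
    dport: Optional[int] = None
    spi: Optional[int] = None     # ESP security parameter index


class PatCollision(Exception):
    """A second inside host could not get its own outside mapping."""


@dataclass
class PatDevice:
    public_ip: str
    esp_pat: bool = False   # vendor feature: track raw ESP per outbound SPI
    next_port: int = 40000  # next free outside source port
    # outside key (proto, port or SPI) -> inside (host, port or SPI)
    table: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside-to-outside packet, recording the mapping."""
        if pkt.proto == ESP:
            # Plain PAT has no port to rewrite, so all inside ESP senders
            # compete for one (proto 50) slot; ESP-aware PAT keys on the SPI.
            key = (ESP, pkt.spi if self.esp_pat else None)
            owner = self.table.get(key)
            if owner is not None and owner[0] != pkt.src:
                raise PatCollision(
                    f"{pkt.src}: protocol 50 already mapped for {owner[0]}")
            self.table[key] = (pkt.src, pkt.spi)
            return Packet(self.public_ip, pkt.dst, ESP, spi=pkt.spi)

        # UDP (IKE, or ESP encapsulated in UDP): reuse or allocate a unique
        # outside source port for this inside (host, port) pair.
        for key, inside in self.table.items():
            if key[0] == UDP and inside == (pkt.src, pkt.sport):
                outside_port = key[1]
                break
        else:
            outside_port = self.next_port
            self.next_port += 1
            self.table[(UDP, outside_port)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pkt.dst, UDP, outside_port, pkt.dport)


def start_session(pat: PatDevice, host: str, spi: int, transparent: bool) -> None:
    """IKE first, then the first ESP packet, raw or UDP-encapsulated."""
    pat.outbound(Packet(host, GATEWAY, UDP, IKE_PORT, IKE_PORT))
    if transparent:
        pat.outbound(Packet(host, GATEWAY, UDP, ENCAP_PORT, ENCAP_PORT, spi=spi))
    else:
        pat.outbound(Packet(host, GATEWAY, ESP, spi=spi))


def hosts_that_connect(transparent: bool, esp_pat: bool = False) -> list:
    """Try two inside hosts behind one PAT device; return those that mapped."""
    pat = PatDevice("203.0.113.1", esp_pat=esp_pat)   # constructed public IP
    connected = []
    for host, spi in (("192.168.1.10", 0x1001), ("192.168.1.11", 0x2002)):
        try:
            start_session(pat, host, spi, transparent)
            connected.append(host)
        except PatCollision:
            pass
    return connected


if __name__ == "__main__":
    print("raw ESP, plain PAT:     ", hosts_that_connect(False))
    print("raw ESP, ESP-aware PAT: ", hosts_that_connect(False, esp_pat=True))
    print("transparent tunneling:  ", hosts_that_connect(True))
```

With plain PAT only the first host's raw ESP session is mapped; with transparent tunneling each host's encapsulated stream receives its own outside UDP port, and with ESP-aware PAT the device distinguishes the two hosts by SPI, which is the vendor case the text says may let you leave transparent tunneling disabled.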

Transparent Tunneling Mode

The transparent tunneling mode you select must match the mode used by the VPN device providing your connection to the private network.

If you select IPSec over UDP (NAT/PAT), the default mode, the port number is negotiated.

If you select TCP, you must enter the port number for TCP in the TCP port field. This port number must match the port number configured on the VPN device. The default port number is 10000.

Note Either mode operates properly through a PAT device. Multiple simultaneous connections might work better with TCP, and TCP mode is preferable in an extranet environment. UDP mode does not operate through stateful firewalls; use TCP mode in that configuration.

Allow Local LAN Access

The Allow Local LAN Access parameter gives you access to resources on your local LAN while you are connected through a secure gateway to a central-site VPN device.

When this parameter is enabled:

You can access local resources (printer, fax, shared files, other systems) while connected.

You can access up to 10 networks. A network administrator at the central site configures the list of networks that the VPN Client may reach on the local LAN.

While you are connected to the central site, all traffic from your system goes through the IPSec tunnel except traffic to the networks in that list, which is sent directly on the local LAN.

If enabled on the VPN Client and permitted on the central-site VPN device, you can see a list of the local LANs that are available by choosing Statistics from the Status menu and clicking the Route Details tab. For more information, see the “Route Details” section on page 7-10.
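The route decision described in this section, as an added example written for this page rather than code from the VPN Client: a destination bypasses the IPSec tunnel only when the client-side parameter is enabled and the address falls inside one of the networks (at most 10) that the central-site administrator permits. The prefixes and addresses are constructed.

```python
"""Route decision for the Allow Local LAN Access parameter. Added example,
not Cisco's code; network prefixes and addresses are constructed. Traffic
to a permitted local network bypasses the tunnel only when both the client
checkbox is enabled and the central site has pushed that network."""
import ipaddress
from typing import Dict, Iterable, List

MAX_LOCAL_LAN_NETWORKS = 10   # limit stated on the page


def validate_network_list(networks: Iterable[str]) -> bool:
    """True if every entry is a valid prefix and the list fits the limit."""
    try:
        parsed = [ipaddress.ip_network(n, strict=False) for n in networks]
    except ValueError:
        return False
    return len(parsed) <= MAX_LOCAL_LAN_NETWORKS


class LocalLanPolicy:
    def __init__(self, allow_local_lan: bool, permitted_networks: List[str]):
        if not validate_network_list(permitted_networks):
            raise ValueError("invalid network list or more than 10 networks")
        self.enabled = allow_local_lan          # client-side check box
        self.networks = [ipaddress.ip_network(n, strict=False)
                         for n in permitted_networks]   # pushed by central site

    def route_for(self, dst: str) -> str:
        """'local' if dst is reached on the LAN, 'tunnel' if through IPSec."""
        if not self.enabled:
            return "tunnel"
        addr = ipaddress.ip_address(dst)
        if any(addr in net for net in self.networks):
            return "local"
        return "tunnel"

    def route_table(self, dsts: Iterable[str]) -> Dict[str, str]:
        """Decision for each destination, like the Route Details view."""
        return {dst: self.route_for(dst) for dst in dsts}


if __name__ == "__main__":
    policy = LocalLanPolicy(True, ["192.168.1.0/24", "10.50.0.0/16"])
    for dst, route in policy.route_table(
            ["192.168.1.20", "10.50.3.7", "203.0.113.40"]).items():
        print(dst, "->", route)
    # Central site permits nothing: the check box alone does not open the LAN
    print(LocalLanPolicy(True, []).route_for("192.168.1.20"))
```

The exclusion is by destination network only: packets to a listed network leave the host unencrypted on the local LAN, so the central-site list should contain only networks the site is willing to expose in clear.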

VPN Client User Guide for Mac OS X, OL-5490-01, page 4-7
