Ah, here we go:

Quote:
NAT-T and Firewall Rules
Because the new NAT-T code is designed around the IETF RFC 3193 and draft-02 of the IETF NAT-T specification, for these services to run through a firewall, you may have to open the following ports and protocols in the firewall rules:
• L2TP - User Datagram Protocol (UDP) 500, UDP 1701
• NAT-T - UDP 4500
• ESP - Internet Protocol (IP) protocol 50

Supported Scenarios Using NAT-T
The following scenarios will successfully allow L2TP/IPSec NAT-T connections. In these scenarios, Client is a client that is running Windows 2000 and that has the 818043 update installed or is a Windows XP-based computer with SP2 installed. Server is an L2TP/IPSec server that is running Windows Server 2003 and that is using Routing and Remote Access. In the first scenario, for example, Client is behind a NAT router; the connection goes through the Internet and connects to Server. In the second scenario, Server is behind another NAT router.
Client----> NAT ----Internet---->Server
Client---->Internet---- NAT ---->Server
Client----> NAT ----Internet----> NAT ----> Server
In these scenarios, where an L2TP/RRAS server is behind a NAT router, the NAT router must open the required ports and protocols for L2TP/IPSec NAT-T connections. The L2TP/IPSec server may also be a third-party gateway product that supports NAT-T connections.

Note If you apply the 818043 update to a Windows 2000-based server that is using Routing and Remote Access, the server cannot function as an L2TP/IPSec server in these scenarios. It cannot allow connections from L2TP/IPSec clients when one or more NAT routers is involved. This update is a client-side update only. Server-side NAT-T functionality is a new feature in Windows Server 2003 Routing and Remote Access only. NAT-T server-side support will not be added to Windows 2000 Routing and Remote Access.


So I wonder how insecure things will be if I pinhole those ports?
_________________________
Tony Fabris
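As an added illustration (not from the post or the quoted KB article), the following models the pinholes listed above from two vantage points. A perimeter firewall in front of the server only ever sees IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50), because the L2TP traffic on UDP 1701 is still inside IPsec; only the server's own filter sees UDP 1701, after decapsulation. Requiring the `ipsec_decapsulated` flag for 1701 is a hardening choice assumed here, not something the KB text states.

```python
"""Model of the L2TP/IPsec NAT-T pinholes from the quoted KB text (added example).

Vantage points:
  - perimeter: a firewall in front of the server; sees only IKE, NAT-T and ESP,
    because the L2TP payload is still encrypted at this point.
  - host: the server's own packet filter; also sees UDP 1701, but only after
    its IPsec stack has stripped the ESP/UDP-4500 encapsulation.
"""
from dataclasses import dataclass
from typing import Optional

IKE_PORT, NAT_T_PORT, L2TP_PORT = 500, 4500, 1701   # from the KB list above
PROTO_UDP, PROTO_ESP = 17, 50                        # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    proto: int                        # IP protocol number
    dport: Optional[int] = None       # UDP destination port, None for ESP
    ipsec_decapsulated: bool = False  # True once the host's IPsec stack removed ESP


def perimeter_allows(pkt: Packet) -> bool:
    """Rules for a firewall in front of the server (pre-decapsulation view)."""
    if pkt.proto == PROTO_ESP:
        return True
    if pkt.proto == PROTO_UDP and pkt.dport in (IKE_PORT, NAT_T_PORT):
        return True
    # UDP 1701 never appears in the clear here, so no pinhole is needed for it.
    return False


def host_allows(pkt: Packet) -> bool:
    """Host filter: the same pinholes, plus L2TP only once IPsec has protected it.

    Accepting bare UDP 1701 would expose the L2TP service without IPsec; the
    assumed policy here only admits 1701 traffic that came out of an IPsec SA.
    """
    if perimeter_allows(pkt):
        return True
    if pkt.proto == PROTO_UDP and pkt.dport == L2TP_PORT:
        return pkt.ipsec_decapsulated
    return False


if __name__ == "__main__":
    # Constructed sample traffic as seen by each vantage point.
    for pkt in (Packet(PROTO_UDP, 500), Packet(PROTO_UDP, 4500), Packet(PROTO_ESP),
                Packet(PROTO_UDP, 1701), Packet(PROTO_UDP, 1701, True)):
        print(pkt, "perimeter:", perimeter_allows(pkt), "host:", host_allows(pkt))
```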