NAT-T is for IPSec VPNs only, unfortunately.
If you are NATing these sessions through the firewall there is no way to overcome this. GRE is portless; the firewall can't build separate sessions if more than one internal IP connects to the same external IP (the session on the outside would look like this: fw-ext-ip:proto-47 -> server-ip:proto-47). Since you are NATing, every session would look like this, so there is no way to distinguish between the sessions.
You're right, other devices can distinguish between the sessions even if you NAT. You say iptables can; a Snapgear can also do this. I don't know exactly how they do it, but I'm guessing they might keep a table of the key in the GRE header (the key should be unique between sessions). Since a firewall doesn't manipulate this key, if it has the ability to keep a table of the keys it could distinguish the sessions.
I would say the reason the firewall doesn't do this is that it doesn't do "everything." This is simply something it doesn't do; it wasn't written into the code.
You can request any features/modifications to the firewall you'd like at this URL:
Choose 'McAfee Firewall Enterprise' in the drop-down box. Be sure to specify your version in the description field also.
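To make the point above concrete, here is an added example (not code from the post, and not how McAfee Firewall Enterprise, iptables or a Snapgear actually implement it): a toy port-less NAT session table that either keys sessions on (external IP, server IP, protocol) only, as the poster describes, or additionally on the GRE Key field. The GRE header layout follows RFC 2890 (flags, protocol type, optional checksum, optional key); the addresses, key values and the `NatTable` model are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass

GRE_PROTO = 47           # IP protocol number for GRE
GRE_FLAG_CHECKSUM = 0x8000
GRE_FLAG_KEY = 0x2000
PPP_ETHERTYPE = 0x880B   # protocol type carried by PPTP's GRE tunnels


def parse_gre_key(payload: bytes):
    """Return the 32-bit Key field of a GRE header (RFC 2890), or None if absent.

    Layout: 16-bit flags/version, 16-bit protocol type, then, in order and
    only when flagged, a 4-byte checksum+reserved block and a 4-byte key.
    """
    if len(payload) < 4:
        raise ValueError("truncated GRE header")
    flags, _proto = struct.unpack("!HH", payload[:4])
    if not flags & GRE_FLAG_KEY:
        return None
    off = 4 + (4 if flags & GRE_FLAG_CHECKSUM else 0)
    if len(payload) < off + 4:
        raise ValueError("truncated GRE header")
    return struct.unpack("!I", payload[off:off + 4])[0]


def build_gre(key=None, checksum=False, proto=PPP_ETHERTYPE) -> bytes:
    """Build a minimal GRE header for the demo (constructed packets, no real tunnel)."""
    flags = 0
    if checksum:
        flags |= GRE_FLAG_CHECKSUM
    if key is not None:
        flags |= GRE_FLAG_KEY
    hdr = struct.pack("!HH", flags, proto)
    if checksum:
        hdr += b"\x00\x00\x00\x00"  # checksum + reserved; zero is fine for a toy
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    payload: bytes


class NatTable:
    """Toy port-less NAT session table (hypothetical model, not a vendor's code).

    track_gre_key=False: sessions keyed on (external-ip, server-ip, protocol),
    which is all a firewall sees once every internal host is hidden behind
    one external address. track_gre_key=True: the GRE Key is part of the
    session tuple, so two tunnels to the same server stay separable.
    """

    def __init__(self, ext_ip: str, track_gre_key: bool):
        self.ext_ip = ext_ip
        self.track_gre_key = track_gre_key
        self.sessions = {}  # outside tuple -> internal source IP that owns it

    def outbound(self, pkt: Packet):
        """Return (outside tuple, ok). ok is False when the tuple is already
        owned by a different internal host, i.e. the sessions collide."""
        outside = (self.ext_ip, pkt.dst, pkt.proto)
        if self.track_gre_key and pkt.proto == GRE_PROTO:
            outside += (parse_gre_key(pkt.payload),)
        owner = self.sessions.setdefault(outside, pkt.src)
        return outside, owner == pkt.src


def demo():
    """Two internal hosts open GRE tunnels to the same server through one NAT."""
    server = "203.0.113.10"  # constructed sample address (TEST-NET-3)
    host_a = Packet("192.168.1.10", server, GRE_PROTO, build_gre(key=0x00010001))
    host_b = Packet("192.168.1.11", server, GRE_PROTO, build_gre(key=0x00020002))
    plain = NatTable("198.51.100.1", track_gre_key=False)
    keyed = NatTable("198.51.100.1", track_gre_key=True)
    return {
        "plain": [plain.outbound(host_a)[1], plain.outbound(host_b)[1]],
        "keyed": [keyed.outbound(host_a)[1], keyed.outbound(host_b)[1]],
    }


if __name__ == "__main__":
    print(demo())  # {'plain': [True, False], 'keyed': [True, True]}
```

In the `plain` table the second host's packets map onto exactly the same outside tuple as the first host's, so the firewall has nothing left to tell them apart; in the `keyed` table the Key field (which the NAT leaves untouched) makes each tunnel its own session. This is the GRE-key table the poster guesses other devices maintain.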