Inbound NAT at concentrator

Unanswered Question
Mar 7th, 2007

Has anybody tried inbound NAT on the concentrator side? It is documented and also described in TAC Case K31070531, but I have had no success implementing it.

Regards

Christoph

kaachary Thu, 03/08/2007 - 01:51

Hi,

Sounds Interesting. You said its documented, can you point us to that document.

-Kanishka

c.ohliger Thu, 03/08/2007 - 03:02

Hi,

it's in the concentrator documentation, but with my poor English ... I may have misunderstood that. But the TAC description is clear, I think.

Regards

Christoph

K31070531

To configure inbound NAT on the Cisco VPN 3000 Concentrator, perform these steps:

1. Log in to the Concentrator through HTTP or HTTPS.

2. Go to Configuration > Policy Management > Traffic Management > NAT > Enable.

3. Select LAN-LAN NAT Rules. Click Apply.

4. Go to Configuration > Policy Management > Traffic Management > NAT > LAN-LAN NAT Rules.

5. Click Add.

6. Select Static. Configure the source address, translated address and the destination address with correct relevant wildcard masks.

7. Click Add.

Note: The source address is the remote address. The destination address is the local address behind the Concentrator. The translated address is the one into which the remote address should be translated.

For example, the remote network is 1.1.1.0 255.255.255.0. If the network behind the Concentrator is 2.2.2.0 255.255.255.0, and you want the remote network to be visible as 3.3.3.0 255.255.255.0, it would look like this:

Source : 1.1.1.0

Wildcard Mask : 0.0.0.255

Translated : 3.3.3.0

Wildcard Mask : 0.0.0.255

Destination : 2.2.2.0

Wildcard Mask : 0.0.0.255

For additional information, refer to the Configuration | Policy Management | Traffic Management | NAT section of Policy Management.

kaachary Thu, 03/08/2007 - 04:41

Hi,

Are you not able to implement this? What issues are you facing?

-Kanishka

c.ohliger Thu, 03/08/2007 - 04:52

Hi,

my issue is that the communication from the remote side will not be NATed. In the firewall log (the firewall is behind the concentrator on the internal side) I see the un-NATed IP address and therefore a deny.

Christoph

kaachary Thu, 03/08/2007 - 15:27

This should work. Can you post your nat rules here, so that we can take a look.

-Kanishka

c.ohliger Fri, 03/09/2007 - 01:12

Here is the architecture:

Remote Client -> PIX -> Tunnel -> Concentrator -> Firewall -> Internal

The client is in network 172.22.0.0/16, trying to connect to host 172.26.130.25/32, which is also a NATed address. The client has the IP 172.22.1.2.

Here are the two NAT statements for the local host and the remote network:

[natrules 4.2]
rowstatus=1
name=
srcIp=10.60.1.3
srcMsk=255.255.255.255
dstIp=172.26.130.25
dstMsk=255.255.255.255
RemoteIp=0.0.0.0
RemoteMask=0.0.0.0
action=31
portmin=49152
portmax=65535
direct=2
protocol=255
tunneled=2
type=1

[natrules 4.8]
rowstatus=1
name=
srcIp=172.22.0.0
srcMsk=255.255.0.0
dstIp=10.61.0.0
dstMsk=255.255.0.0
RemoteIp=0.0.0.0
RemoteMask=0.0.0.0
action=31
portmin=49152
portmax=65535
direct=2
protocol=255
tunneled=2
type=1

Here is the output from the internal firewall log:

Mar 6 13:12:19 10.2.1.115 FWSM %FWSM-3-106010: Deny inbound icmp src dmz-vpn:172.22.1.2 dst inside:10.60.1.3 (type 8, code 0)

This looks as if the outbound host NAT is done but the inbound NAT for the remote network is not (same log entries for TCP).

Regards

Christoph Ohliger
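As an added example (not part of Christoph's post and not a Cisco tool), the following Python script parses the two [natrules] stanzas and the FWSM 106010 line quoted above and reports whether the logged source address is still inside a rule's srcIp range or already inside its dstIp range. It assumes, from the post, that for rule 4.8 srcIp/srcMsk is the untranslated remote network and dstIp/dstMsk the translated one, and that a static network translation keeps the host bits and swaps the network part, as in the TAC example where 1.1.1.x becomes 3.3.3.x. The input is constructed from the thread and embedded inline.

```python
import ipaddress
import re

# Constructed input: the two [natrules] stanzas and the FWSM line quoted in
# the post above, with the blank lines removed.
NATRULES = """\
[natrules 4.2]
rowstatus=1
name=
srcIp=10.60.1.3
srcMsk=255.255.255.255
dstIp=172.26.130.25
dstMsk=255.255.255.255
RemoteIp=0.0.0.0
RemoteMask=0.0.0.0
[natrules 4.8]
rowstatus=1
name=
srcIp=172.22.0.0
srcMsk=255.255.0.0
dstIp=10.61.0.0
dstMsk=255.255.0.0
RemoteIp=0.0.0.0
RemoteMask=0.0.0.0
"""

FWSM_LOG = ("Mar 6 13:12:19 10.2.1.115 FWSM %FWSM-3-106010: Deny inbound icmp "
            "src dmz-vpn:172.22.1.2 dst inside:10.60.1.3 (type 8, code 0)")

STANZA_RE = re.compile(r"^\[(natrules [\d.]+)\]$")
LOG_RE = re.compile(
    r"%FWSM-\d-106010: Deny inbound (\w+) "
    r"src (\S+?):(\d+\.\d+\.\d+\.\d+) dst (\S+?):(\d+\.\d+\.\d+\.\d+)")


def parse_natrules(text):
    """Parse the [natrules N] stanzas into {stanza name: {key: value}}."""
    rules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            rules[current] = {}
        elif current and "=" in line:
            key, value = line.split("=", 1)
            rules[current][key] = value
    return rules


def rule_networks(rule):
    """srcIp/srcMsk and dstIp/dstMsk as networks (masks are dotted subnet masks)."""
    src = ipaddress.ip_network(f"{rule['srcIp']}/{rule['srcMsk']}", strict=False)
    dst = ipaddress.ip_network(f"{rule['dstIp']}/{rule['dstMsk']}", strict=False)
    return src, dst


def parse_106010(line):
    """Pull protocol, interfaces and addresses out of a %FWSM-3-106010 deny."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto, src_if, src, dst_if, dst = m.groups()
    return {"proto": proto, "src_if": src_if, "src": ipaddress.ip_address(src),
            "dst_if": dst_if, "dst": ipaddress.ip_address(dst)}


def translate(addr, from_net, to_net):
    """Static network NAT as in the TAC example: keep the host bits and swap
    the network part (assumed behaviour; both networks must be the same size)."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("source and translated networks differ in size")
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + offset)


def check_inbound_nat(rules, rule_name, event):
    """Was the logged source translated by this rule?  Returns
    (True, addr) if it is already in the translated (dstIp) range,
    (False, expected_addr) if it is still in the untranslated (srcIp) range,
    (None, None) if the rule does not cover this address at all."""
    src_net, dst_net = rule_networks(rules[rule_name])
    if event["src"] in dst_net:
        return True, event["src"]
    if event["src"] in src_net:
        return False, translate(event["src"], src_net, dst_net)
    return None, None


if __name__ == "__main__":
    rules = parse_natrules(NATRULES)
    event = parse_106010(FWSM_LOG)
    done, expected = check_inbound_nat(rules, "natrules 4.8", event)
    print(f"{event['src_if']}:{event['src']} -> {event['dst_if']}:{event['dst']}: "
          f"translated={done}, firewall should have seen src {expected}")
```

Run against the quoted log line, the script reports that 172.22.1.2 is still inside 172.22.0.0/16 and that the internal firewall should have seen 10.61.1.2 if rule 4.8 had been applied, which is the symptom described in the post.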

ggilbert Fri, 03/09/2007 - 08:32

Christoph,

Section 1:

Inbound NAT on the concentrator for LAN-to-LAN tunnels is not possible.

Section 2:

Having said the above, if you are getting packets on the tunnel from the remote network, let's say 172.18.124.x, to the network 10.10.10.x on the internal side of the concentrator, and you want the 172.18.124.x network to be translated to 20.20.20.x by the concentrator, it is not going to happen.

Packets should already be translated by the time they reach the concentrator and hit the encryption domain processing.

Section 3:

I see you have a PIX firewall on the remote side. In my example it would be 172.18.124.x network. You can translate that network to 20.20.20.x before going through the encryption process on the PIX firewall itself.

E.g.:

Internal segment on the PIX 172.18.124.x

If traffic going to 10.10.10.x network translate to 20.20.20.x network

access-list 100 permit ip 172.18.124.0 255.255.255.0 10.10.10.0 255.255.255.0
static (inside,outside) 20.20.20.0 access-list 100 netmask 255.255.255.0

Your encryption ACL on the PIX should be:

access-list 101 permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0

Section 4:

If they can't do that on the PIX, then there is no way you can get it to work on the concentrator, because of the answer provided in Section 1.

Hope this helps

Cheers

Gilbert
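To make the order of operations in Section 3 concrete, here is an added Python model (not Gilbert's code and not a Cisco tool) that parses the two PIX command forms shown above (access-list ... permit ip and static ... access-list ... netmask), applies the policy NAT, and then evaluates the crypto ACL against the post-NAT addresses, which is the behaviour the post relies on when it says the encryption ACL must name 20.20.20.0. It runs the same packet against a config whose crypto ACL is written on the translated network and against one written on the untranslated network. The sample addresses 172.18.124.5 and 10.10.10.9 are constructed; only those two command forms are parsed.

```python
import ipaddress
import re

# Constructed PIX snippets.  PIX_GOOD is the example from the post: policy NAT
# of 172.18.124.0/24 to 20.20.20.0/24 for traffic to 10.10.10.0/24, with the
# crypto ACL written against the translated network.  PIX_BAD keeps the
# crypto ACL on the untranslated network, the mistake the post warns against.
PIX_GOOD = """\
access-list 100 permit ip 172.18.124.0 255.255.255.0 10.10.10.0 255.255.255.0
static (inside,outside) 20.20.20.0 access-list 100 netmask 255.255.255.0
access-list 101 permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
"""
PIX_BAD = """\
access-list 100 permit ip 172.18.124.0 255.255.255.0 10.10.10.0 255.255.255.0
static (inside,outside) 20.20.20.0 access-list 100 netmask 255.255.255.0
access-list 101 permit ip 172.18.124.0 255.255.255.0 10.10.10.0 255.255.255.0
"""

# Only the two command forms used above are understood by this parser.
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
STATIC_RE = re.compile(
    r"^static \((\S+),(\S+)\) (\S+) access-list (\S+) netmask (\S+)$")


def net(ip, mask):
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def parse_pix(text):
    """Return ({acl name: [(src_net, dst_net), ...]}, [static policy-NAT rules])."""
    acls, statics = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append((net(s, sm), net(d, dm)))
            continue
        m = STATIC_RE.match(line)
        if m:
            inside, outside, global_ip, acl, mask = m.groups()
            statics.append({"from": inside, "to": outside,
                            "global": net(global_ip, mask), "acl": acl})
    return acls, statics


def acl_permits(entries, src, dst):
    return any(src in s and dst in d for s, d in entries)


def policy_nat(src, dst, acls, statics):
    """Apply the first static rule whose ACL permits (src, dst): the host bits
    are kept and the network part is replaced by the rule's global network."""
    for st in statics:
        for s_net, d_net in acls.get(st["acl"], []):
            if src in s_net and dst in d_net:
                offset = int(src) - int(s_net.network_address)
                return ipaddress.ip_address(int(st["global"].network_address) + offset)
    return src


def outbound(src, dst, config_text, crypto_acl="101"):
    """Model of the outbound path the post describes (assumption): the packet
    is translated first, then the crypto ACL is matched on the post-NAT
    addresses.  Returns (source address after NAT, encrypted or not)."""
    acls, statics = parse_pix(config_text)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    nat_src = policy_nat(src, dst, acls, statics)
    return str(nat_src), acl_permits(acls.get(crypto_acl, []), nat_src, dst)


if __name__ == "__main__":
    for label, cfg in (("crypto ACL on 20.20.20.0", PIX_GOOD),
                       ("crypto ACL on 172.18.124.0", PIX_BAD)):
        print(label, outbound("172.18.124.5", "10.10.10.9", cfg))
```

With the crypto ACL on 20.20.20.0 the packet leaves as 20.20.20.5 and is encrypted; with the ACL still on 172.18.124.0 the same packet is translated but never matches the crypto ACL, so it is not sent through the tunnel. Traffic to a destination outside 10.10.10.0/24 is left untranslated by the policy NAT and likewise misses the crypto ACL.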

c.ohliger Sat, 03/10/2007 - 02:16

Hi Gilbert,

Section 1 is what I wanted to know, thanks for that information!

It's in conflict with the TAC case ... but maybe it's a wrong description: K31070531

To configure inbound NAT on the Cisco VPN 3000 Concentrator

Solution

Doing NAT on the PIX on the remote side is not wanted. What I want to try in the next step is to do the outbound NAT on the concentrator and the inbound NAT on the internal firewall.

Thanks for your help

Christoph

ggilbert Mon, 03/12/2007 - 07:30

Christoph -

Good luck on your next adventure. :)

Rate the post, if it helped.

Gilbert
