NAT question

Unanswered Question
Jul 16th, 2007

We have many users that connect to a remote VPN. They use a local client on Windows XP, but the only way we can get them to connect is by giving each user a public external IP address and NATing it to their private internal address and using the GRE IP protocol; we have no more public addresses left now. Is there a way we can allow all users to just use one external IP, or a pool of IPs, to NAT? We only have one or two users (max) that connect to this VPN.


mattiaseriksson Mon, 07/16/2007 - 07:09

If I understand you correctly, you want to let outbound PPTP traffic pass through your firewall without using 1:1 NAT as you are currently doing, but rather use a single public IP (PAT)?

It really depends on what firewall you are using, but if you have a PIX firewall running OS 6.3 or later, you can use the command 'fixup protocol pptp 1723'.

This will let PPTP traffic traverse the PIX when configured for PAT, performing stateful PPTP packet inspection in the process.

whiteford Mon, 07/16/2007 - 07:42

It's a PIX with that version. How can I do this in the ASDM?

mattiaseriksson Mon, 07/16/2007 - 07:50

Try Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab and enable PPTP inspection.

whiteford Mon, 07/16/2007 - 07:51

That's it? I wish I knew about this earlier :) So what public address will all users use? Plus, any downtime on the PIX when I enable this?

mattiaseriksson Mon, 07/16/2007 - 07:58

What address they will use depends on your NAT/PAT configurations. You can let them use the outside interface address with PAT if you want.

There should not be any downtime (unless you also change NAT configuration and clear the translation table).

whiteford Mon, 07/16/2007 - 13:32

OK, once I tick that "PPTP" box, what should I do for the NAT/PAT config? Explained in an idiot's guide, please :) as this is new to me.

Many thanks in advance for your help.

mattiaseriksson Mon, 07/16/2007 - 13:52

You said you are using static NAT for computers that connect through VPN, and I guess that other computers are accessing the internet through the same firewall using dynamic NAT?

Then you only have to remove the statics, and all computers should have the same NAT policy applied.

To configure dynamic NAT the easiest way is to use the interface address:

global (outside) 1 interface

nat (inside) 1 0 0

Replace with whatever network you are using internally.

This will translate all internal source addresses to the outside interface address.

Have a look here for some ideas of how to control NAT with ASDM:

whiteford Mon, 07/16/2007 - 23:15

Would I have to still create a security policy for example allow on PPTP and GRE?

mattiaseriksson Tue, 07/17/2007 - 00:32

If you have an outbound ACL you should make sure that PPTP control traffic is allowed out (TCP port 1723). The inspection engine dynamically creates the GRE connections and translations necessary to permit PPTP traffic.

whiteford Tue, 07/17/2007 - 02:41

I noticed that there are no NAT rules on the Outside interface. Do I need to do this for all our VLANs/subnets, or leave this all blank?

mattiaseriksson Tue, 07/17/2007 - 02:52

The source network is on your inside interface, and you can specify every subnet that you use, or just use a mask to translate every subnet.

Then you need to add a dynamic pool on the outside interface. It can be a range of addresses or the outside interface address.

Easiest way to do it is, of course, to just enter these two lines:

global (outside) 1 interface

nat (inside) 1 0 0
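The pieces from this thread (remove the per-user statics, enable PPTP inspection, PAT everything to the outside interface, permit the PPTP control channel outbound), collected into one PIX 6.3 configuration fragment as an added example; it is not from the original thread, and the interface names, the ACL name inside_out and all addresses are placeholders.

```cisco
! Added example: PIX 6.3, single public address (PAT) for outbound PPTP clients.
! Interface names, addresses and the ACL name are placeholders, not from the thread.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 198.51.100.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
!
! 1. Remove the 1:1 statics that were consuming one public address per VPN user
!    (placeholder addresses; repeat for each existing static).
no static (inside,outside) 198.51.100.10 10.1.1.10 netmask 255.255.255.255
!
! 2. Stateful PPTP inspection: the PIX tracks the TCP/1723 control channel and
!    creates the GRE connections and translations for each call on its own.
fixup protocol pptp 1723
!
! 3. Dynamic PAT: every inside source address is translated to the outside
!    interface address ("0 0" is shorthand for 0.0.0.0 0.0.0.0, i.e. all subnets).
global (outside) 1 interface
nat (inside) 1 0 0
!
! 4. Only if an outbound ACL is applied on the inside interface: permit the PPTP
!    control channel. Add this to the existing ACL rather than replacing it, since
!    an applied ACL denies everything it does not list. No GRE entry is needed
!    here; the inspection engine opens GRE dynamically.
access-list inside_out permit tcp any any eq 1723
access-group inside_out in interface inside
```

After changing the NAT configuration, existing translations may need to be cleared (clear xlate), which is the one step in this procedure that interrupts established sessions.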
