NAT question

whiteford
Level 1

We have many users that connect to a remote VPN. They use a local client on Windows XP, but the only way we can get them to connect is by giving each user a public external IP address, NATing it to their private internal address and using the GRE IP protocol. We have no more public addresses left now. Is there a way we can allow all users to just use one external IP or a pool of IPs to NAT? We only have one or two users (max) that connect to this VPN?

Thanks

13 Replies

mattiaseriksson
Level 3

If I understand you correctly, you want to let outbound PPTP traffic pass through your firewall without using 1:1 NAT as you are currently doing, but rather use a single public IP (PAT)?

It really depends on what firewall you are using, but if you have a PIX firewall running OS 6.3 or later, you can use the command 'fixup protocol pptp 1723'.

This will let PPTP traffic traverse the PIX when configured for PAT, performing stateful PPTP packet inspection in the process.

It's a PIX with that version, how can I do this in the ASDM?

Try Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab and enable PPTP inspection.

That's it? I wish I knew about this earlier :) So what public address will all users use? Plus any downtime on the PIX when I enable this?

What address they will use depends on your NAT/PAT configurations. You can let them use the outside interface address with PAT if you want.

There should not be any downtime (unless you also change NAT configuration and clear the translation table).

OK, once I tick that "PPTP" box what should I do for the NAT/PAT config, explained in an idiot's guide please :) as this is new to me.

Many thanks in advance for your help

You said you are using static NAT for computers that connect through VPN, and I guess that other computers are accessing the internet through the same firewall using dynamic NAT?

Then you only have to remove the statics, and all computers should have the same NAT policy applied.

To configure dynamic NAT the easiest way is to use the interface address:

global (outside) 1 interface

nat (inside) 1 10.0.0.0 255.0.0.0 0 0

Replace 10.0.0.0 with whatever network you are using internally.

This will translate all internal source addresses to the outside interface address.

Have a look here for some ideas of how to control NAT with ASDM:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f31a.shtml

Would I have to still create a security policy for example allow 10.0.0.0 255.0.0.0 on PPTP and GRE?

If you have an outbound ACL you should make sure that PPTP control traffic is allowed out (TCP port 1723). The inspection engine dynamically creates the GRE connections and translations necessary to permit PPTP traffic.

I noticed that there are no NAT rules on the Outside interface. Do I need to do this for all our VLANs/subnets, or leave this all blank?

The source network is on your inside interface, and you can specify every subnet that you use, or just use 0.0.0.0 mask 0.0.0.0 to translate every subnet.

Then you need to add a dynamic pool on the outside interface. It can be a range of addresses or the outside interface address.

Easiest way to do it is, of course, to just enter these two lines:

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
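Putting the thread's advice together as one worked PIX 6.3 configuration (an added example, not the original poster's or the forum's own config): the per-user 1:1 static entries are replaced by PAT on the outside interface, PPTP inspection is enabled so the GRE data channel is tracked from the TCP 1723 control channel, and an outbound ACL only needs to permit TCP 1723. The 10.1.1.0/24 and 203.0.113.0/24 addresses and the ACL name `inside_out` are constructed placeholders.

```cisco
! Before: one public address burned per PPTP user (1:1 static NAT).
! 203.0.113.x and 10.1.1.x are constructed placeholder addresses.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.11 10.1.1.11 netmask 255.255.255.255 0 0

! After: remove the per-user statics...
no static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 0 0
no static (inside,outside) 203.0.113.11 10.1.1.11 netmask 255.255.255.255 0 0

! ...and translate every inside source to the outside interface address (PAT).
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

! PPTP inspection: the PIX watches the TCP 1723 control channel and
! creates the matching GRE translation per call, so GRE (which has no
! ports for PAT to rewrite) still works behind a single address.
fixup protocol pptp 1723

! If an outbound ACL is applied on inside, only the control channel
! needs an explicit permit; GRE is opened dynamically by the fixup.
! inside_out is a constructed ACL name.
access-list inside_out permit tcp 10.1.1.0 255.255.255.0 any eq 1723
access-group inside_out in interface inside

! Translations built under the old statics stay until they expire or
! are cleared; clearing drops active sessions, so do it in a window.
clear xlate
```

The `clear xlate` step is what causes the brief interruption the thread mentions; without it, hosts keep their old static translations until those time out. Afterwards, `show xlate` and `show conn` should list the PPTP users as PAT entries on the outside interface address, with a GRE connection per active call.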

Will there be any downtime when I apply this?

It depends on your existing NAT configuration. Can you attach the configuration?
