Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
448
Views
0
Helpful
1
Replies

PAT with CSS Switch has a problem with me.

willyseo
Level 1
Level 1

‎01-13-2003 06:33 PM

Dear all,

Yesterday, I configed PAT in CSS Switch and there were some problem of VPN connection.

The reason of this problem is that CSS Switch didn't change port number when it used Port Address Translation for VPN connection. When the reply packet arrived to CSS, it couldn't translate to Internal IP address.

But other service like DNS worked well.

Please show me the solution!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

You can see the debugging result below.

#########################################################

JAN 13 21:35:23 5/1 3742 FLOWMGR-4: UDP in 192.1.1.171:500->211.1.1.1:500

JAN 13 21:35:23 5/1 3743 FLOWMGR-4: UDP out 211.2.2.253:500->211.1.1.1:500

JAN 13 21:35:23 5/1 3744 FLOWMGR-4: UDP in 211.1.1.1:500->211.2.2.253:500

JAN 13 21:35:38 5/1 3745 FLOWMGR-4: UDP in 211.1.1.1:500->211.2.2.253:500

JAN 13 21:35:53 5/1 3746 FLOWMGR-4: UDP in 211.1.1.1:500->211.2.2.253:500

CSSIN_Master(debug)#

CSSIN_Master(debug)# flow trace-ip 211.1.1.11

CSSIN_Master(debug)#

JAN 13 21:38:24 5/1 3747 FLOWMGR-4: UDP in 192.1.1.171:2694->211.1.1.11:53

JAN 13 21:38:24 5/1 3748 FLOWMGR-4: UDP out 211.2.2.253:42471->211.1.1.11:53

JAN 13 21:38:25 5/1 3749 FLOWMGR-4: UDP in 211.1.1.11:53->211.2.2.253:42471

JAN 13 21:38:25 5/1 3750 FLOWMGR-4: UDP out 211.1.1.11:53->192.1.1.171:2694

#########################################################

Best Regards,

Willy Seo

Labels:
0 Helpful
1 Reply 1

Gilles Dufour
Cisco Employee
Cisco Employee

‎01-15-2003 05:22 AM

Willy,

first, let me say that it is not an issue if the port is not changed.

Then, looking at the data, we can see the packet is sent to UDP port 500.

This port is used by ISAKMP which is the protocol that negotiates all the parameters for IPSEC/VPN.

This ISAKMP does not work over NAT because it uses the source and destination ip addresses in the payload.

The only way to have VPN working over NAT is to use the UDP only VPN solution.

Cisco has this solution available with the cisco VPN3000 device and its associated client software.

So, in your case, the CSS is working fine.

This is just that your VPN solution does not work with NAT/PAT.

Regards,

Gilles.

0 Helpful
Customers Also Viewed These Support Documents