Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
365
Views
0
Helpful
3
Replies

Static NAT VPN Problem

mgriffin
Level 1
Level 1

‎01-26-2007 07:06 AM - edited ‎03-05-2019 02:00 PM

Greetings,

I am having an issue with my NAT configuration. I am fairly knowledable on Cisco routers, but by no means an expert.

Configuration:

Cisco 2611 with two Ethernet ports.

E0/0 (WAN) - DHCP address (69.x.x.228) connected to a Time Warner Cable Modem

E0/1 (LAN) - 10.0.0.1 / 24

E0/0 is configured for NAT outside

E0/1 is configured for NAT inside

ip nat inside source list 115 interface E0/0 overload

10.x.x.x. clients have no issue access the internet and everything thing seems to work fine.

However, I have one client on 10.0.0.51 that is used to connect to a remote VPN site. I cannot connect using VPN. If I add the following statement:

ip nat inside source static 10.0.0.51 interface E0/0

Then VPN works just fine? however you can see that it breaks several other things.

I have tried to put in a static NAT with a specific port mapping for this address but that does not work either. Since I only have one "WAN" address I'm not sure how to get around this.

Any help would be appreciated.

Tnx,

MJG

Labels:
0 Helpful
3 Replies 3

Jon Marshall
Hall of Fame
Hall of Fame

‎01-26-2007 08:33 AM

Hi

What is happening is that the PAT on your wan interface is changing the source ports from the VPN client. This is breaking the IKE/IPSEC negotiation.

What you probably need to do is use NAT-T which add a UDP header to the IPSEC packets. I've attached a link that explains what it is and how to enable it on a Cisco client (don't know if thats what you are using but all vpn clients should support it ).

http://www.cisco.com/warp/public/471/cvpn_3k_nat.html#conf_client

You will need to talk to the people who control the remote site VPN device as that device has to have NAT-T enabled as well.

HTH

Jon

0 Helpful

mgriffin
Level 1
Level 1
In response to Jon Marshall

‎01-26-2007 08:54 AM

Jon,

Thanks for the info. I looked at the document and it refers to a PIX setup.

I also checked with our remote location and they do not support NAT-T nor does the client I am using.

Any other throughs on how to get this working?

Tnx again.

0 Helpful

mgriffin
Level 1
Level 1
In response to mgriffin

‎01-26-2007 11:57 AM

Jon,

I solved my own problem!!! ...although I dont quite understand how/why.

In the end I changed this statement:

ip nat inside source list 1 interface e0/0 overload

to:

ip nat inside source list 115 interface e0/0 overload.

ACL 1 was: permit 10.0.0.0 0.0.0.255

New ACL 115 is: permit ip 10.0.0.0 0.0.0.255 any

I'm not sure why using an extended ACL works when a standard one does not... but it works fine now and I can VPN outbound and all other services still work.

Tnx,

MJG

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card