01-26-2007 07:06 AM - edited 03-05-2019 02:00 PM
Greetings,
I am having an issue with my NAT configuration. I am fairly knowledgeable on Cisco routers, but by no means an expert.
Configuration:
Cisco 2611 with two Ethernet ports.
E0/0 (WAN) - DHCP address (69.x.x.228) connected to a Time Warner Cable Modem
E0/1 (LAN) - 10.0.0.1 / 24
E0/0 is configured for NAT outside
E0/1 is configured for NAT inside
ip nat inside source list 115 interface E0/0 overload
10.x.x.x clients have no issue accessing the internet and everything seems to work fine.
However, I have one client on 10.0.0.51 that is used to connect to a remote VPN site. I cannot connect using VPN. If I add the following statement:
ip nat inside source static 10.0.0.51 interface E0/0
Then VPN works just fine; however, you can see that it breaks several other things.
I have tried to put in a static NAT with a specific port mapping for this address but that does not work either. Since I only have one "WAN" address I'm not sure how to get around this.
Any help would be appreciated.
Tnx,
MJG
01-26-2007 08:33 AM
Hi
What is happening is that the PAT on your wan interface is changing the source ports from the VPN client. This is breaking the IKE/IPSEC negotiation.
What you probably need to do is use NAT-T, which adds a UDP header to the IPSEC packets. I've attached a link that explains what it is and how to enable it on a Cisco client (don't know if that's what you are using, but all VPN clients should support it).
http://www.cisco.com/warp/public/471/cvpn_3k_nat.html#conf_client
You will need to talk to the people who control the remote site VPN device as that device has to have NAT-T enabled as well.
HTH
Jon
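To make Jon's point concrete, here is an added example that is not part of the thread: a small Python model of an overload (PAT) table like the one on E0/0. It shows that IKE on UDP/500 leaves the router with a rewritten source port, that native ESP (IP protocol 50) carries no ports for a port-keyed table to overload on, and that NAT-T's UDP/4500 encapsulation gives PAT something to translate and map back. The outside address 198.51.100.228 and peer 203.0.113.9 are constructed placeholders (the thread's real WAN address is elided), and the model always picks a fresh port, where IOS would try to keep the original one when free; it also omits IOS's own ESP handling.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# IP protocol numbers and ports used by IKE/IPsec
UDP = 17
ESP = 50
IKE_PORT = 500
NAT_T_PORT = 4500        # RFC 3948 UDP encapsulation of ESP

# Constructed addresses: the thread's real WAN address is elided (69.x.x.228)
OUTSIDE_IP = "198.51.100.228"
PEER_IP = "203.0.113.9"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: Optional[int] = None   # None: no transport header (ESP)
    dst_port: Optional[int] = None


class Pat:
    """Toy overload (PAT) table keyed on protocol and port (constructed model).

    Every outbound flow is rewritten to the outside address plus a fresh port,
    which is the effect Jon describes on the WAN interface. IOS tries to keep
    the original port when it is free; this model always rewrites so the
    effect is visible.
    """

    def __init__(self, outside_ip: str, first_port: int = 1024) -> None:
        self.outside_ip = outside_ip
        self.next_port = first_port
        # (inside ip, proto, inside port) -> outside port
        self.out: Dict[Tuple[str, int, int], int] = {}
        # (proto, outside port) -> (inside ip, inside port)
        self.back: Dict[Tuple[int, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an inside->outside packet, or None if PAT cannot carry it."""
        if pkt.src_port is None:
            # ESP has SPIs but no ports: a port-keyed table has nothing to
            # overload on, so this model drops the flow.
            return None
        key = (pkt.src_ip, pkt.proto, pkt.src_port)
        if key not in self.out:
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.outside_ip, pkt.dst_ip, pkt.proto,
                      self.out[key], pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply back to the inside host that opened the flow."""
        entry = self.back.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None          # unsolicited inbound: no entry, dropped
        inside_ip, inside_port = entry
        return Packet(pkt.src_ip, inside_ip, pkt.proto, pkt.src_port, inside_port)


def nat_t_encapsulate(esp: Packet) -> Packet:
    """Wrap an ESP packet in UDP/4500 the way NAT-T does, giving PAT a port."""
    assert esp.proto == ESP and esp.src_port is None
    return Packet(esp.src_ip, esp.dst_ip, UDP, NAT_T_PORT, NAT_T_PORT)


def run_scenario(client_ip: str = "10.0.0.51") -> dict:
    """Push the VPN client's IKE, ESP and NAT-T traffic through the PAT model."""
    pat = Pat(OUTSIDE_IP)
    ike_out = pat.outbound(Packet(client_ip, PEER_IP, UDP, IKE_PORT, IKE_PORT))
    esp = Packet(client_ip, PEER_IP, ESP)
    esp_out = pat.outbound(esp)
    natt_out = pat.outbound(nat_t_encapsulate(esp))
    # Peer answers the translated NAT-T flow; PAT must find the inside host.
    reply = Packet(PEER_IP, OUTSIDE_IP, UDP, NAT_T_PORT, natt_out.src_port)
    reply_in = pat.inbound(reply)
    return {
        "ike_src_port_seen_by_peer": ike_out.src_port,      # 500 became 1024
        "plain_esp_translated": esp_out is not None,         # False
        "natt_src_port_seen_by_peer": natt_out.src_port,     # 1025
        "natt_reply_reaches": (reply_in.dst_ip, reply_in.dst_port),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The model is deliberately narrow: it reproduces only the part of the problem Jon names (source ports rewritten on the WAN side, and ESP having no port to rewrite), which is why NAT-T has to be supported on both the client and the remote device before it helps.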
01-26-2007 08:54 AM
Jon,
Thanks for the info. I looked at the document and it refers to a PIX setup.
I also checked with our remote location and they do not support NAT-T nor does the client I am using.
Any other thoughts on how to get this working?
Tnx again.
01-26-2007 11:57 AM
Jon,
I solved my own problem!!! ...although I don't quite understand how/why.
In the end I changed this statement:
ip nat inside source list 1 interface e0/0 overload
to:
ip nat inside source list 115 interface e0/0 overload.
ACL 1 was: permit 10.0.0.0 0.0.0.255
New ACL 115 is: permit ip 10.0.0.0 0.0.0.255 any
I'm not sure why using an extended ACL works when a standard one does not... but it works fine now and I can VPN outbound and all other services still work.
Tnx,
MJG
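For reference, the following is an added consolidation of the configuration statements posted in this thread, not a config taken from MJG's router: the two interfaces, the original standard ACL 1, the extended ACL 115 that worked, and the broad static mapping that was tried. Interface names are written out in the form IOS expands them to, and the description lines and show commands are assumptions added here for readability and verification.

```ios
! Interfaces as described in the thread
interface Ethernet0/0
 description WAN - Time Warner cable modem (DHCP address)
 ip address dhcp
 ip nat outside
!
interface Ethernet0/1
 description LAN
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
! Original rule: standard ACL, the VPN client on 10.0.0.51 could not connect
access-list 1 permit 10.0.0.0 0.0.0.255
! ip nat inside source list 1 interface Ethernet0/0 overload
!
! Rule that worked: extended ACL with the same source range
access-list 115 permit ip 10.0.0.0 0.0.0.255 any
ip nat inside source list 115 interface Ethernet0/0 overload
!
! Tried and rejected: maps the whole WAN address to one host, so every
! unsolicited inbound packet not owned by the router lands on 10.0.0.51
! ip nat inside source static 10.0.0.51 interface Ethernet0/0
!
! Verification after the change (run from enable mode):
! show access-lists 115
! show ip nat translations
! show ip nat statistics
```

When swapping the overload rule on a live router, IOS may refuse to remove the old `ip nat inside source list 1 ...` line while translations built from it are active; `clear ip nat translation *` first, then remove the old rule and add the new one. The static mapping is worth keeping commented out rather than deleted, since it documents a configuration that exposes the inside host to all inbound traffic and should not be reintroduced by accident.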