pat and router vpn tunnel conflict - design question
Not sure if I'm just stating the obvious, but here goes...
I've discovered that port address translation (pat) can create problems when trying to connect to inside hosts over a vpn tunnel. I've distilled the problem down to the lab setup and startup-config below. It's actually completely independent of vpn.
1. tftp from client 172.16.0.2 to server address 192.168.0.2 - session established as expected (all traffic destined to 172.16.0.0/24 is explicitly not nat'd)
2. ftp from client 172.16.0.2 to router address 172.16.0.1 - session established as expected (pat static route to 192.168.0.2:21)
3. ftp from client 172.16.0.2 to server address 192.168.0.2 - session not established due to interference from pat
The failure of the session to establish is because the client 172.16.0.2 resets the connection when it receives the SYN/ACK part of the handshake whose source address has been changed by the router. More simply stated, the client 172.16.0.2 sends a connection request to server address 192.168.0.2; upon receiving an acknowledgement from an address other than the original ftp server, the client drops the connection - as it should.
Comments and questions:
We understand what's happening and why it's happening, but should it be happening? It's possible to assign acl's to dynamic nat, but it doesn't seem possible to create exclusions for static nat routes. Shouldn't there be a mechanism to apply acl's to static nat/pat routes?
ip address 172.16.0.2/24
IOS (C806-K9OSY6-M), Version 12.3(1a)
ip address 172.16.0.1/24 (e1)
ip address 192.168.0.1/24 (e0)
ftp (pat) and tftp (no pat) server
ip address 192.168.0.2/24
Cisco 806 router config:
no service pad
! <nat config>
ip nat inside source list 110 interface e1 overload
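As an added illustration (not part of the original post or its router config), the following Python model walks the three lab scenarios through a minimal inside-source NAT table. Addresses and ports are the post's; the static entry is assumed to be a tcp/21 mapping from 192.168.0.2 to 172.16.0.1, and the client's source port is a constructed value.

```python
# Added example: models the lab's PAT behaviour to show why scenario 3 fails.
# Inside = e0 (192.168.0.0/24, server); outside = e1 (172.16.0.0/24, client).
CLIENT, ROUTER_E1, SERVER = "172.16.0.2", "172.16.0.1", "192.168.0.2"

# Assumed static PAT entry (an "ip nat inside source static tcp ..." style
# mapping; the poster's exact line is not shown): inside 192.168.0.2:21 <-> 172.16.0.1:21
STATIC_PAT = {("tcp", SERVER, 21): (ROUTER_E1, 21)}

def exempt_from_dynamic_nat(dst_ip):
    # The post says traffic to 172.16.0.0/24 is explicitly not NAT'd by list 110.
    return dst_ip.startswith("172.16.0.")

def router_forward_inbound(pkt):
    """Outside->inside: rewrite destination if it hits a static global address:port."""
    for (proto, inside_ip, inside_port), (glob_ip, glob_port) in STATIC_PAT.items():
        if pkt["proto"] == proto and (pkt["dst"], pkt["dport"]) == (glob_ip, glob_port):
            return {**pkt, "dst": inside_ip, "dport": inside_port}
    return pkt

def router_forward_outbound(pkt):
    """Inside->outside: a static entry rewrites the source unconditionally;
    the ACL only gates the dynamic overload translation."""
    key = (pkt["proto"], pkt["src"], pkt["sport"])
    if key in STATIC_PAT:
        glob_ip, glob_port = STATIC_PAT[key]
        return {**pkt, "src": glob_ip, "sport": glob_port}
    if not exempt_from_dynamic_nat(pkt["dst"]):
        return {**pkt, "src": ROUTER_E1}  # dynamic overload (port unchanged here)
    return pkt

def client_connect(proto, dst_ip, dport):
    """Client opens proto to dst_ip:dport; True if the reply comes back from that tuple."""
    syn = {"proto": proto, "src": CLIENT, "sport": 40000, "dst": dst_ip, "dport": dport}
    at_server = router_forward_inbound(syn)
    reply = {"proto": proto, "src": at_server["dst"], "sport": at_server["dport"],
             "dst": at_server["src"], "dport": at_server["sport"]}
    at_client = router_forward_outbound(reply)
    # A host only accepts a SYN/ACK (or UDP reply) from the endpoint it addressed;
    # a mismatch is what makes the client reset the connection in scenario 3.
    return (at_client["src"], at_client["sport"]) == (dst_ip, dport)

if __name__ == "__main__":
    for label, args in [("1. tftp -> server", ("udp", SERVER, 69)),
                        ("2. ftp -> router e1", ("tcp", ROUTER_E1, 21)),
                        ("3. ftp -> server", ("tcp", SERVER, 21))]:
        print(label, "established" if client_connect(*args) else "reset by client")
```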
Re: pat and router vpn tunnel conflict - design question
Here is my 2 cents on IPSec over PAT. It's not that IPSec and PAT never go together. However, to make them work you need to be careful about a couple of things. As an example, some PAT devices use the UDP source port 500 for all IKE sessions. The first session is allowed just fine, but as soon as the second connection is brought up, the first is torn down. The way to get around this is to use a PAT device that uses a unique UDP source port for each additional session.