Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN 3002 with PAT address on Public Interface

I installed a 3002 hardware client at a customer site and the address on the public interface gets natted/patted at their firewall (they say they can't give me a one-to-one translation for some reason). The systems behind the 3002 work and can get to the servers behind a 3020 but performance seems sluggish and inconsistent. Is it ok to have a patted address on the public interface? I'm wondering if that's what's causing the performance issues. If it is ok are there any configuration parameters I need to be aware of with this setup? Thanks in advance.

Cisco Employee

Re: VPN 3002 with PAT address on Public Interface

Hello -

3002 getting a non-routable IP address on the public interface should not cause any performance impact unless the ISP is doing something out of the ordinary.

Having tried to change the MTU on the public interface private interface of the 3002 to a lower level - 1100 or so and see if that makes any difference.

Did you insert a sniffer trace to see what might be causing the sluggish/inconsistent performance.

Also, a ping test with a different size of packet to the server on the 3020 side would reveal any issues with packet size of DF bit.

Hope these tips helps!!



New Member

Re: VPN 3002 with PAT address on Public Interface

Hi and thanks for your reply, I appreciate it. It's not the non-routable address part I was concerned about, but the fact that the address is PATted and the public address is shared with many other systems. Since I wrote that post I was able to make some adjustments to the config on both the 3002 and 3020 which helped considerably.

The 3002 was at a different site for a while where it worked fine in network extension mode, and was configured to connect via tcp port 443 for reasons I won't bore you with. It didn't work well at all at the new site, and I'm guessing it's because you can't do that with a PATted address because you need UDP in that scenario.

One thing I'm not sure about is if I should have PAT enabled on the 3002 under Traffic Management. My understanding is that if it isn't enabled then the unit is in network extension mode and I don't know if that's ok with a PAT address. However when I configure the PAT option it doesn't work any more and all connectivity is lost, but I could be doing something wrong. In any case it seems ok as it is but perhaps it could be more efficient.

I will probably try adjusting the MTU as you mentioned to see if it helps, thanks for the suggestion.

Cisco Employee

Re: VPN 3002 with PAT address on Public Interface

Hi Jad,

With the PAT enabled, it should get an IP address from the concentrator. If PAT is not enabled, then it should use Network Extension Mode (NEM).

If you have an application that doesnt work well under PAT like an IP phone, etc...then NEM is THE option.



Rate this post, if it helps!