Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

NAT Problems on a Cisco 3000 Concentrator

Hi All,

We have a number of Cisco 3000 Concentrators which are doing VPN beautifully. But at a couple sites we want to enable NAT for the PCs inside.

I've tried everything to get NAT working out and the best i can get is to ping out. No surfing and no ftp access.

I've added three rules as per the docs but I still cant' get it to work:


You can configure a maximum of 10 NAT rules. A typical system might have three rules:

• Provide FTP Proxy services for all private network addresses.

• Map TCP/UDP ports in packets to and from all private network addresses.

• Translate IP addresses for protocols that do not use ports (No Port Mapping).


I've tried adding them in different orders but doesn't seem to take effect. Where am I going wrong??

I'm sure i've got my subnet mask and stuff OK because when i enable the 'No Port mapping' ping suddendly starts to work. I'm baffled as to why the other two don't.

Any ideas or pointers to something i can read to understand what's going on?



Cisco Employee

Re: NAT Problems on a Cisco 3000 Concentrator

Mathew, a couple words about NAT on the VPN 3000.

1) Prior to version 3.6 Rel of the VPN 3000, it supports NAT , called Interface NAT (actually many-to-one PAT). This allows private network addresses to be PATed with the public IP address of the VPN 3000 for traffic destined for the "public network". This NAT type is not used for traffic across a LAN-to-LAN tunnel.

You must still explicitly allow "portless/ICMP", FTP and UDP on the NAT interface by assigning these rules to the public interface filter. Ping worked for you because ICMP/IN and ICMP/Out rules are assigned to the public interface by default. Add the FTP and UDP rules and this should work.

2) IWith Rel 3.6 , besides Interface NAT, we also added "NAT over LAN-to-LAN". This is used when you have overlapping or same IP networks at multiple sites.

Hope ths helps.


New Member

Re: NAT Problems on a Cisco 3000 Concentrator

1) I *think* i have already tried this. here are my rules: on Ethernet 2 (Public) (no port mapping) on Ethernet 2 (Public) (map TCP/UDP) on Ethernet 2 (Public) (FTP Proxy)

i've also tried having the TCP and the UDP in separate rules. Do these rules need to be in any order?

We have a number of VPNs setup on this already all on the 10.x.x.x range. i just want to enable NAT out to the internet so internal machines can surf out. (I have DNS etc etc all working fine becuase i have our real firewall here to try it out). I'm actually trying to get this going for a small office of our company who will just have this Cisco Plugged in for both VPN to head office and for surfing/firewall etc etc... which is why we want to NAT to the internet (or pat or whatever it is). ideas?

2) is rel 3.6 just a firmware update that i can apply to my cisco? will this erase all my customizations for existing VPNs etc? i have about 7 VPNs going like a bought one.

Thanks a pile for the response.