Cisco Support Community
New Member

VPN client NAT not connected

Hello,

I'm using a Cisco 1721 router to connect to the internet with one public IP address.

Between the LAN and the router is a Cisco PIX 515. On the PIX I use private addresses (inside and outside).

I configured the PIX with the VPN wizard for remote access.

The VPN connection is working fine if I have a direct connection to the internet on my client site (no NAT enabled on the VPN client).

I have configured the 1721 for IPsec passthrough (ESP, UDP).

When I'm connecting from a site behind a firewall, I cannot connect when I enable NAT on the VPN client. If I disable NAT I can connect, but I cannot ping or connect to a server on the remote site.

I've configured NAT traversal on the PIX.

Does anyone have suggestions for me?

11 REPLIES
Silver

Re: VPN client NAT not connected

I'm not clear about your topology and what you are trying to do. If you are trying to configure VPN client to PIX VPN, with a NAT device in between, you should enable IPsec over UDP. Also, if the tunnel setup is fine but there are problems browsing local resources, you should see http://www.cisco.com/warp/customer/471/vpn-net-hood.html

New Member

Re: VPN client NAT not connected

The problem is that when NAT is enabled on the VPN client I cannot establish a VPN session to the PIX.

In between is a Cisco 1721 router with IPsec passthrough.

New Member

Re: VPN client NAT not connected

Hi

From the problem description it looks like this is the topology you are trying to resolve:

VPNclient------Internet-----1721router-----PIX----LAN.

If this is the topology, is the router doing any kind of PAT?

Let me know if you have any queries, and please provide more information.

Deepali

New Member

Re: VPN client NAT not connected

Hi

Yes the following is in the configuration of the router:

ip nat inside source list 101 interface Dialer0 overload

ip nat inside source static udp x.x.x.x 500 interface Dialer0 500

ip nat inside source static esp x.x.x.x interface Dialer0

Kind regards,

Edwin

Gold

Re: VPN client NAT not connected

Hi,

You may find the following post from the 'Ask the Expert' with Glenn Fullager useful reading:

Nov 4, 2003, 3:27pm PST

Since the PIX is a layer 3 device, you now have the problem of creating another subnet between the router and the PIX. Basically you have to decide where you're going to NAT now, probably best on the router.

So let's turn off NAT in the PIX with:

clear nat

clear global

nat (inside) 0 access-list nonat

access-list nonat permit ip 192.168.1.0 255.255.255.0 any

clear xlate

We need to create a small two-host network in between the router and the PIX now, so on the PIX do:

ip address outside 10.1.1.1 255.255.255.252

route outside 0.0.0.0 0.0.0.0 10.1.1.2

You can then clear your statics out, because the "nat 0" will replace that:

clear static

and since the router is now going to be doing the NAT, we need to change your access-list:

no access-list 101

access-list 101 permit tcp any host 192.168.1.102 eq www

access-list 101 permit tcp any host 192.168.1.102 eq smtp

access-list 101 permit tcp any host 192.168.1.102 eq ftp

access-list 101 permit tcp any host 192.168.1.102 eq 8080

access-list 101 permit tcp any host 192.168.1.102 eq pop3

access-group 101 in interface outside

On the router now, we change the inside interface address and add a route to the 192.168.1.0 network with:

interface faste0

ip address 10.1.1.2 255.255.255.252

ip route 192.168.1.0 255.255.255.0 10.1.1.1

Now on the router set up the NAT'ing:

ip nat inside source static tcp 192.168.1.102 80 interface dialer1 80

ip nat inside source static tcp 192.168.1.102 8080 interface dialer1 8080

ip nat inside source static tcp 192.168.1.102 25 interface dialer1 25

ip nat inside source static tcp 192.168.1.102 ftp interface dialer1 ftp

ip nat inside source static tcp 192.168.1.102 pop3 interface dialer1 pop3

Allow any others through that you need, making sure you add a corresponding ACL on the PIX for it.

That should be pretty close to what you want. You may need to tweak it a bit and I haven't tested this, but I have set it up a few times before. Basically the router does the NAT'ing now, and NATs everything to the 192.168.1.102 address as before. This then gets sent through to the PIX across the 10.1.1.0/30 subnet and the PIX just allows it through based on its access-list and "nat 0" statement.

Hope it helps a little...

New Member

Re: VPN client NAT not connected

Sorry,

But I already have NAT on the router and no NAT on the PIX.

So this is not my problem. The problem is that the VPN client cannot connect to the PIX when I am using NAT.

New Member

Re: VPN client NAT not connected

Hi

Thanks for the information. Since your clients are behind the router and they are connecting to a PIX, it is a NAT-T issue.

What NAT-T is when you are using IPsec:

IPsec over TCP/UDP (NAT Transparency) was created to get over the need to have one-to-one translation. What it does is encapsulate the ESP packet inside TCP or UDP. Since TCP and UDP have no problems going through PAT (because they have ports), this allows ESP to go through PAT too, since ESP will be riding inside TCP/UDP. However, the other side of the VPN tunnel needs to understand that it should be expecting ESP traffic encapsulated inside something else or this won't work. So whatever device you are connecting to at the remote end will need to understand IPsec over TCP/UDP.

Cisco router code 12.2(13)T allows IPsec over UDP but not TCP. The PIX OS 6.3 and higher supports IPsec over UDP.

Cisco VPN Client 3.6 and higher supports NAT-T.

NAT-T can also be resolved by doing one-to-one static translation.

Let me know if you have any queries.

Deepali

New Member

Re: VPN client NAT not connected

Hi,

I am using the following code on the router:

flash:c1700-k8sy7-mz.122-15.T9.bin

The PIX is using 6.3 code.

So I think it's not an IOS issue.

Gold

Re: VPN client NAT not connected

There are 3 protocols/ports to be opened:

esp

udp 50

udp 4500
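The thread turns on which IPsec flows the edge router forwards to the PIX and which of them survive PAT on the client side. The checker below is an added example, not code from the thread or from Cisco: it parses IOS `ip nat inside source static` lines of the kind Edwin posted, reports which of the three flows (IKE on UDP/500, RFC 3947/3948 NAT-T on UDP/4500, ESP as IP protocol 50) reach the PIX, and explains the two failure modes a remote client hits depending on whether it uses NAT-T. The sample configurations are constructed: the PIX outside address (x.x.x.x in the thread) is replaced by a made-up 10.1.1.1, and the "fixed" variant adds a UDP/4500 static that the thread never shows. It assumes the PIX is doing standards NAT-T on UDP/4500 (`isakmp nat-traversal`), not the Cisco proprietary IPsec-over-UDP on port 10000.

```python
import re
from typing import List, Optional, Set, Tuple

# The three flows an IPsec remote-access client needs through the edge router.
# IKE/ISAKMP is UDP/500, RFC 3947/3948 NAT-T is UDP/4500, ESP is IP protocol 50
# (no ports, so PAT devices cannot track it).
FLOWS = {
    "ike":   ("udp", 500),
    "nat-t": ("udp", 4500),
    "esp":   ("esp", None),
}

# Matches IOS static inside NAT lines, with or without ports:
#   ip nat inside source static udp 10.1.1.1 500 interface Dialer0 500
#   ip nat inside source static esp 10.1.1.1 interface Dialer0
_STATIC = re.compile(
    r"^\s*ip nat inside source static\s+(?P<proto>tcp|udp|esp)\s+(?P<inside>\S+)"
    r"(?:\s+(?P<iport>\d+))?\s+interface\s+(?P<intf>\S+)(?:\s+(?P<oport>\d+))?\s*$"
)


def parse_static_nat(config: str) -> List[Tuple[str, str, Optional[int]]]:
    """Return (protocol, inside_host, outside_port) for each static NAT line."""
    entries = []
    for line in config.splitlines():
        m = _STATIC.match(line)
        if m:
            oport = int(m.group("oport")) if m.group("oport") else None
            entries.append((m.group("proto"), m.group("inside"), oport))
    return entries


def forwarded_flows(config: str, pix_outside: str) -> Set[str]:
    """Names of the IPsec flows the router statically forwards to the PIX."""
    present = set()
    for proto, inside, oport in parse_static_nat(config):
        if inside != pix_outside:
            continue
        for name, (fproto, fport) in FLOWS.items():
            if proto == fproto and oport == fport:
                present.add(name)
    return present


def diagnose(config: str, pix_outside: str,
             client_nat_t: bool, client_behind_pat: bool) -> List[str]:
    """Explain why a remote client would fail, given the router statics and the client's setup."""
    have = forwarded_flows(config, pix_outside)
    problems = []
    if "ike" not in have:
        problems.append("UDP/500 is not forwarded to the PIX: IKE phase 1 cannot start.")
    if client_nat_t:
        # Once the peers detect a NAT in the path, IKE moves from UDP/500 to
        # UDP/4500 and ESP is carried inside UDP/4500 from then on.
        if "nat-t" not in have:
            problems.append("UDP/4500 is not forwarded to the PIX: after NAT detection the client "
                            "switches to UDP/4500, the router drops it, and the tunnel never comes up.")
    else:
        if "esp" not in have:
            problems.append("ESP (IP protocol 50) is not forwarded to the PIX: phase 2 traffic is dropped.")
        if client_behind_pat:
            problems.append("Client sits behind PAT but sends raw ESP: ESP has no ports for the PAT "
                            "device to track, so IKE may complete while no data ever flows.")
    return problems


# Constructed sample: Edwin's three lines with the PIX outside address made up as 10.1.1.1.
PIX_OUTSIDE = "10.1.1.1"
EDWIN_CONFIG = """\
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static udp 10.1.1.1 500 interface Dialer0 500
ip nat inside source static esp 10.1.1.1 interface Dialer0
"""
# Constructed variant that also forwards the NAT-T port (not shown in the thread).
FIXED_CONFIG = EDWIN_CONFIG + "ip nat inside source static udp 10.1.1.1 4500 interface Dialer0 4500\n"

if __name__ == "__main__":
    cases = [
        ("client NAT-T on, behind PAT, original router config", EDWIN_CONFIG, True, True),
        ("client NAT-T off, behind PAT, original router config", EDWIN_CONFIG, False, True),
        ("client NAT-T on, behind PAT, router also forwards 4500", FIXED_CONFIG, True, True),
    ]
    for label, cfg, nat_t, behind in cases:
        print(label, "->", sorted(forwarded_flows(cfg, PIX_OUTSIDE)))
        for p in diagnose(cfg, PIX_OUTSIDE, nat_t, behind) or ["no problems found"]:
            print("  ", p)
```

The two constructed cases on Edwin's config reproduce the thread's symptoms: with NAT-T enabled the router has nowhere to send UDP/4500 and phase 1 stalls; with it disabled IKE succeeds on UDP/500 but raw ESP dies in the client-side PAT device.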
