Is there a way to force IOS, when configured for NAT overload, to overload to a specific range of port numbers (or not overload to specific numbers) rather than the default of 0-511, 512-1023, 1024+?
I have NAT configured on a 2801 so all inside addresses matching a certain list are NAT'ed to a certain external IP address with overloading enabled.
This is causing problems with outbound client VPN sessions which use NAT traversal (directed to a Nortel Extranet switch).
The first outbound VPN session always works fine. The inside local source port for one of the UDP streams is 500 and the inside global source port is 500.
If a second or subsequent VPN session is opened from inside the network however, the inside local source port is 500 but the inside global source port is in the range 0-511 (often around 20). This is expected.
All VPN sessions other than the first fail to connect. I strongly suspect this is due to the VPN concentrator (or a firewall in front of it) dropping UDP packets from some or all low source port numbers. When we route outbound traffic via another router/firewall box (Linux-based, which uses high port numbers > 48000) we don't have the issue.
We don't have control of the remote VPN concentrator and I'd rather not waste public addresses by using multiple NAT pools (or hack the NAT client so it uses another source port which might be free when translated) - but I suspect I may not have a choice.
I suspect your problem is that the concentrator on the far end is not supporting NAT traversal (NAT-T). It is almost impossible to get 2 IPSEC sessions over a NAT connection because they expect only certain port numbers.
This was the reason that NAT-T came about. Many times this is a client option. The concentrators may accept both types of connection.
The only way to get around this would be to use a pooled NAT without overload for these sessions and overload everything else into a single IP. It depends on how many public IPs you have and how many sessions you run. Your pool of IPs would need to be a little bigger than your peak load of user sessions.
I only have one address in the pool. I know the remote concentrator supports NAT-T because the client logs show it is in use. And I know multiple sessions can work, because they do through our Linux-based firewall (which I suspect is because its PAT function rewrites the source port of UDP 500 to UDP > 40000) - I've had up to 4 simultaneous outbound sessions to the same concentrator, with NAT/PAT translating to a single external address.
I will create a dedicated multi-address pool for the VPN sessions if I have to - I'd just rather not blow the address space on this if there's a way to force the router to map the outbound session's source ports to different numbers or number ranges.
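To make the port-allocation behaviour discussed in this thread concrete, here is an added Python model (not Cisco code, not from the poster). It reproduces the IOS overload rule as described above (keep the inside local port if it is free, otherwise take another port from the same bucket: 0-511, 512-1023, 1024+) beside a "high port" allocator modelled on the Linux box, and shows why the second and later IKE (UDP/500) sessions land on low ports. The lowest-free-port choice inside a bucket and the 40000 threshold are assumptions, not documented IOS or Linux behaviour.

```python
from dataclasses import dataclass, field

# Port buckets as stated in the question; the real bucket boundaries on a
# given IOS release may differ, this is the model from the thread.
BUCKETS = [(0, 511), (512, 1023), (1024, 65535)]


def bucket_for(port: int) -> tuple[int, int]:
    """Return the (low, high) bucket that a source port belongs to."""
    for low, high in BUCKETS:
        if low <= port <= high:
            return (low, high)
    raise ValueError(f"port out of range: {port}")


@dataclass
class PatTable:
    """PAT translation table for one inside global address and one protocol."""
    policy: str = "ios"          # "ios" (bucket-preserving) or "highport"
    high_base: int = 40000       # assumption: models the '> 40000' Linux box
    in_use: set = field(default_factory=set)
    entries: list = field(default_factory=list)  # (inside_local, local_port, global_port)

    def translate(self, inside_local: str, local_port: int) -> int:
        if self.policy == "highport":
            # Linux-style: always rewrite into the high range, never reuse 500.
            candidates = range(self.high_base, 65536)
        else:
            low, high = bucket_for(local_port)
            # IOS-style: try to preserve the original port, then fall back to
            # the rest of the same bucket. Port 0 is never a usable source port.
            rest = [p for p in range(max(low, 1), high + 1) if p != local_port]
            candidates = [local_port] + rest
        for port in candidates:
            if port not in self.in_use:
                self.in_use.add(port)
                self.entries.append((inside_local, local_port, port))
                return port
        raise RuntimeError("port bucket exhausted on this inside global address")


def simulate(policy: str, clients: int) -> list[int]:
    """Open one IKE session (UDP source port 500) from each of `clients` hosts
    behind a single overloaded address and return the inside global ports."""
    table = PatTable(policy=policy)
    return [table.translate(f"10.0.0.{i}", 500) for i in range(1, clients + 1)]


def sessions_below(ports: list[int], threshold: int = 1024) -> list[int]:
    """Translated ports a remote filter would see as 'low' source ports."""
    return [p for p in ports if p < threshold]
```

With four simultaneous clients the IOS model yields 500 for the first session and 1, 2, 3 for the rest (all in the 0-511 bucket), while the high-port model yields 40000 through 40003; `sessions_below` isolates the translations the poster suspects the far-end filter drops.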