Cisco Support Community

NAT Question inbound traffic

I have a router (public address) and a PIX behind it (private addresses). When the PIX creates the IPsec VPN to another PIX over the router it sets up NAT. I see UDP 500 and 4500.

If I were to want the remote PIX to bring up the connection would I need to put static nat to redirect this traffic to the outside of the PIX?

If I do something like this it breaks outbound VPN:

ip nat inside source static udp 192.100.150.1 500 1.2.3.4 500 extendable

I think maybe it is the wrong way?

I attach a simple diagram of what I'm doing.

7 REPLIES

Re: NAT Question inbound traffic

There is a link on CCO describing how a router should be setup for this:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094ecd.shtml#diag

You may need a CCO account for this so I must also say that the document ID is: 23820

You may also find useful info on:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110bca.html

Regards,

Leo


Re: NAT Question inbound traffic

That's basically what I set up. I have two external interfaces with 4500 and 500 mapped to the PIX with static NAT. I have reliable static routes which switch should the primary go down. Web traffic fails over perfectly. I also have multiple peers enabled on the PIXs for each interface. Problem is when I use static NAT the PIXs keep trying to use the link that's down.

If I remove the static maps, and allow the PIX behind the router it all works much better and faster. Problem is that outside PIX can't bring up the tunnel (as no statics to direct traffic).

I enable keepalives on the PIX and have a relatively short ISAKMP policy - 10 mins.

This is the behaviour on the router:

No static NAT on the router.

Able to switch between primary and backup interface easily with 10 pings

Unable to initiate the tunnel from outside the "local" network

Not really ideal because people outside may need to initiate this connection

Static NAT maps for both outside interfaces on UDP 4500 and UDP 500 redirected to PIXs "outside" address.

Able to connect out over primary link.

Switch to failover, tunnels never come back up - I see lots of statics mapping to the link that's down.

udp 195.172.169.99:500 192.100.151.1:500 217.207.48.226:500 217.207.48.99:500

I don't know if the NAT-T Keepalives are causing this.

If I connect to a remote site I CAN bring the tunnel up, but it only stays up as long as the remote end is pinging. This is also not acceptable because we cannot bring the tunnel up from our local net.
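The "lots of statics mapping to the link that's down" symptom above can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it parses `show ip nat translations` output in the column layout of the line quoted in the post (Pro, Inside global, Inside local, Outside local, Outside global), picks out the extended entries whose inside global address belongs to the failed WAN link, and emits a clear command for each. The sample table is constructed from that one quoted line plus made-up rows (1.2.3.4 stands in for the backup link's address, as in the opening post); the static configuration rows with `---` in the outside columns are skipped because they are configuration, not state. The `clear ip nat translation` argument order is reproduced from IOS documentation as an assumption and should be verified on the target release.

```python
"""Find extended NAT translations that still point at a failed WAN link.

Added example, not from the thread. Sample table is constructed; the
clear-command syntax is an assumption to be checked against the IOS release.
"""
from typing import List, NamedTuple, Set, Tuple


class NatEntry(NamedTuple):
    proto: str
    inside_global: str   # router WAN address:port (which link the entry is bound to)
    inside_local: str    # PIX "outside" (private) address:port
    outside_local: str   # remote peer as seen from inside
    outside_global: str  # remote peer on the wire


# Constructed sample: row 1 is the static config entry for the primary link
# (no outside columns), row 2 is the line quoted in the post, rows 3-4 are
# made-up entries for UDP 4500 and for the backup link at 1.2.3.4.
SAMPLE_TABLE = """\
Pro Inside global         Inside local          Outside local         Outside global
udp 195.172.169.99:500    192.100.151.1:500     ---                   ---
udp 195.172.169.99:500    192.100.151.1:500     217.207.48.226:500    217.207.48.99:500
udp 195.172.169.99:4500   192.100.151.1:4500    217.207.48.226:4500   217.207.48.99:4500
udp 1.2.3.4:500           192.100.151.1:500     217.207.48.226:500    217.207.48.99:500
"""


def parse_translations(text: str) -> List[NatEntry]:
    """Parse the five-column `show ip nat translations` layout; skip the header."""
    entries: List[NatEntry] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        entries.append(NatEntry(*parts))
    return entries


def split_addr(addr: str) -> Tuple[str, str]:
    """'a.b.c.d:port' -> ('a.b.c.d', 'port'); '---' -> ('---', '')."""
    ip, _, port = addr.rpartition(":")
    return (ip, port) if ip else (addr, "")


def stale_entries(entries: List[NatEntry], down_link_ips: Set[str]) -> List[NatEntry]:
    """Extended (per-flow) entries bound to a down link. Static config rows,
    recognisable by '---' in the outside columns, are not state and are left alone."""
    return [
        e for e in entries
        if split_addr(e.inside_global)[0] in down_link_ips and e.outside_global != "---"
    ]


def clear_command(e: NatEntry) -> str:
    """Build the per-entry clear command (argument order assumed from IOS docs)."""
    ig, igp = split_addr(e.inside_global)
    il, ilp = split_addr(e.inside_local)
    ol, olp = split_addr(e.outside_local)
    og, ogp = split_addr(e.outside_global)
    return (f"clear ip nat translation {e.proto} inside {ig} {igp} {il} {ilp} "
            f"outside {ol} {olp} {og} {ogp}")


def commands_for_down_link(text: str, down_link_ips: Set[str]) -> List[str]:
    """Full pipeline: table text -> clear commands for entries on the down link."""
    return [clear_command(e) for e in stale_entries(parse_translations(text), down_link_ips)]


if __name__ == "__main__":
    for cmd in commands_for_down_link(SAMPLE_TABLE, {"195.172.169.99"}):
        print(cmd)
```

Run against a pasted table with the failed link's address; the two extended rows bound to 195.172.169.99 are reported, the static row and the backup-link row are not. Clearing the stale entries only helps if the static mapping itself is no longer pulling new flows onto the down address, which is the part the thread is still working out.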


Re: NAT Question inbound traffic

Is it possible to create dynamic static entries, i.e. when the main link is up it adds "source 4500 dest 4500" to the PIX, and when the failover kicks in it adds the new static map and removes the original?

Is this possible using PBR and static NAT?

Re: NAT Question inbound traffic

I have successfully applied the config as posted in the example to sites that had only one public IP available; that is what it is basically meant for. Probably the additional requirement for failover is a bit too much to ask.

Regards,

Leo


Re: NAT Question inbound traffic

I wonder if I changed the PIX identity in Phase 1 to something other than the "ip address" it may work better. Reading your article it suggests a hash mismatch and I have seen something similar in the PIX debug.

I guess the source address according to the PIX is the "outside" but private address.

Does this sound feasible?
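The "hash mismatch" the poster mentions is the NAT discovery mechanism of IKE NAT traversal (RFC 3947 for IKEv1), and it is the reason both UDP 500 and UDP 4500 show up at the router. Each side sends NAT-D payloads containing HASH(CKY-I | CKY-R | IP | Port) over the address and port it believes it is using. The PIX computes this over its private "outside" address; the router rewrites the packet's source to its public address, so the remote PIX recomputes over what it saw and gets a different value. That mismatch is not an error: it is how the peers learn that one of them is behind NAT and move the exchange to UDP 4500. The block below is an added example, not code from the thread or from Cisco, modelling that check. It reuses the addresses from the opening post (192.100.150.1 for the PIX outside interface, 1.2.3.4 for the router's public address); the remote peer 203.0.113.10 and the ISAKMP cookies are constructed values, and SHA-1 is assumed as the negotiated hash.

```python
"""Model RFC 3947 NAT-D hashing to show why a PIX behind a NAT router is
detected as NAT'd and why the exchange moves to UDP 4500.

Added example, not from the thread. 192.100.150.1 and 1.2.3.4 come from the
opening post; 203.0.113.10 (RFC 5737 range), the cookies and the choice of
SHA-1 are constructed assumptions.
"""
import hashlib
import socket
import struct
from typing import Dict, Optional

PIX_OUTSIDE = "192.100.150.1"   # PIX outside interface, private (from the post)
ROUTER_PUBLIC = "1.2.3.4"       # router public address (from the post)
REMOTE_PEER = "203.0.113.10"    # constructed remote PIX address
IKE_PORT = 500
NAT_T_PORT = 4500

# Constructed 8-byte ISAKMP cookies for the modelled exchange.
CKY_I = bytes.fromhex("1122334455667788")
CKY_R = bytes.fromhex("99aabbccddeeff00")


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: str = "sha1") -> bytes:
    """NAT-D payload body, RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port).

    IP and port are in network byte order; the hash is the Phase 1 hash
    algorithm (SHA-1 assumed here).
    """
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()


def peer_behind_nat(received_hash: bytes, seen_ip: str, seen_port: int,
                    cky_i: bytes, cky_r: bytes, algo: str = "sha1") -> bool:
    """Receiver-side check: recompute over the source address and port actually
    seen on the wire. A mismatch means a NAT rewrote them (RFC 3947 section 3.2)."""
    return received_hash != nat_d_hash(cky_i, cky_r, seen_ip, seen_port, algo)


def simulate(initiator_ip: str, router_nat_ip: Optional[str], router_nat_port: int,
             responder_ip: str) -> Dict[str, object]:
    """Model one Phase 1 exchange between a local PIX (initiator) and a remote
    PIX (responder). If router_nat_ip is set, the router rewrites the source
    address to it and the source port to router_nat_port; the responder is
    assumed not to be behind NAT."""
    # Initiator hashes the address it believes it has (pre-NAT).
    sent = nat_d_hash(CKY_I, CKY_R, initiator_ip, IKE_PORT)
    # Responder recomputes over the post-NAT source it actually received.
    seen_ip = router_nat_ip if router_nat_ip else initiator_ip
    seen_port = router_nat_port if router_nat_ip else IKE_PORT
    initiator_natted = peer_behind_nat(sent, seen_ip, seen_port, CKY_I, CKY_R)

    # Responder's NAT-D checked by the initiator; no NAT in front of it here.
    resp_sent = nat_d_hash(CKY_I, CKY_R, responder_ip, IKE_PORT)
    responder_natted = peer_behind_nat(resp_sent, responder_ip, IKE_PORT, CKY_I, CKY_R)

    # Any NAT detected on either side moves IKE and ESP-in-UDP to 4500 (section 4).
    data_port = NAT_T_PORT if (initiator_natted or responder_natted) else IKE_PORT
    return {
        "initiator_behind_nat": initiator_natted,
        "responder_behind_nat": responder_natted,
        "data_port": data_port,
    }


if __name__ == "__main__":
    # Static NAT keeps the port (500 -> 500); only the address changes.
    print(simulate(PIX_OUTSIDE, ROUTER_PUBLIC, IKE_PORT, REMOTE_PEER))
    # Same PIX with a public address directly on its outside interface.
    print(simulate(ROUTER_PUBLIC, None, IKE_PORT, REMOTE_PEER))
```

With the PIX on 192.100.150.1 behind the router, the responder flags the initiator as behind NAT and traffic moves to 4500, which is why the inbound statics for both UDP 500 and UDP 4500 are needed for a remote-initiated tunnel. The third scenario in the test shows that a port rewrite alone (PAT to a different source port) trips detection as well, so a router mapping that does not preserve port 500 would still produce the mismatch.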
