topic Re: Static NAT VPN Problem in Switching

Static NAT VPN Problem

mgriffin — Tue, 05 Mar 2019 22:00:50 GMT

Greetings,

I am having an issue with my NAT configuration. I am fairly knowledable on Cisco routers, but by no means an expert.

Configuration:

Cisco 2611 with two Ethernet ports.

E0/0 (WAN) - DHCP address (69.x.x.228) connected to a Time Warner Cable Modem

E0/1 (LAN) - 10.0.0.1 / 24

E0/0 is configured for NAT outside

E0/1 is configured for NAT inside

ip nat inside source list 115 interface E0/0 overload

10.x.x.x. clients have no issue access the internet and everything thing seems to work fine.

However, I have one client on 10.0.0.51 that is used to connect to a remote VPN site. I cannot connect using VPN. If I add the following statement:

ip nat inside source static 10.0.0.51 interface E0/0

Then VPN works just fine? however you can see that it breaks several other things.

I have tried to put in a static NAT with a specific port mapping for this address but that does not work either. Since I only have one "WAN" address I'm not sure how to get around this.

Any help would be appreciated.

Tnx,

MJG

Re: Static NAT VPN Problem

Jon Marshall — Fri, 26 Jan 2007 16:33:22 GMT

What is happening is that the PAT on your wan interface is changing the source ports from the VPN client. This is breaking the IKE/IPSEC negotiation.

What you probably need to do is use NAT-T which add a UDP header to the IPSEC packets. I've attached a link that explains what it is and how to enable it on a Cisco client (don't know if thats what you are using but all vpn clients should support it ).

http://www.cisco.com/warp/public/471/cvpn_3k_nat.html#conf_client

You will need to talk to the people who control the remote site VPN device as that device has to have NAT-T enabled as well.

HTH

Jon

Re: Static NAT VPN Problem

mgriffin — Fri, 26 Jan 2007 16:54:50 GMT

Jon,

Thanks for the info. I looked at the document and it refers to a PIX setup.

I also checked with our remote location and they do not support NAT-T nor does the client I am using.

Any other throughs on how to get this working?

Tnx again.

Re: Static NAT VPN Problem

mgriffin — Fri, 26 Jan 2007 19:57:40 GMT

Jon,

I solved my own problem!!! ...although I dont quite understand how/why.

In the end I changed this statement:

ip nat inside source list 1 interface e0/0 overload

to:

ip nat inside source list 115 interface e0/0 overload.

ACL 1 was: permit 10.0.0.0 0.0.0.255

New ACL 115 is: permit ip 10.0.0.0 0.0.0.255 any

I'm not sure why using an extended ACL works when a standard one does not... but it works fine now and I can VPN outbound and all other services still work.

Tnx,

MJG