8.3 object-oriented NAT/PAT and address pool use

thingywhatnot
Level 1

Hi,

Since moving to the new object-oriented NAT syntax, I have encountered problems with using port address translation from many to many.

With many thousands of users behind a firewall all passing traffic from inside to outside, I am required to resort to using a pool of external IP addresses, so as not to run out of sockets.

Bit Torrent and other similar apps can cause a world of mess.

While I can configure port address translation as follows:

object network PRIMARY_OUT
 range x.x.x.x x.x.x.x
object-group network INSIDE
 network-object 0.0.0.0 0.0.0.0
nat (any,Primary) source static INSIDE PRIMARY_OUT

While this works, there is a single glaring problem that I cannot overcome, irrespective of adding it to the fixup protocol inspection.

When PATing to multiple IP addresses on the outside, PPTP VPNs cease to work.

The only way to overcome this is to PAT to a single overloaded IP address or interface.

Am I doing something wrong? This all worked fine with the old school nat (inside) global (outside) style configuration.

Any help or tips would be warmly received.

4 Replies

Hi,

You might try to exempt the VPN from being NATed:

object-group network VPN
 network-object x.x.x.x x.x.x.x
nat (inside,outside) 1 source static INSIDE INSIDE destination static VPN VPN

Dan

I might be being dim, and I also might have failed to relay my question correctly.

The problem is with users behind the firewall, who are NAT'd getting out to the internet and who need to use a PPTP VPN to remote sites beyond our firewalls.

Would your recommendation overcome this issue?

Many thanks.

The only way to overcome this might be to carve out some addresses from that NAT range and set up statics for those internal users who require PPTP outbound access.

Check the xlate table and see if the PPTP users are opening multiple sockets when connecting to their VPN peers.

Thanks Colin; unfortunately I don't think that this is going to be a scalable solution given the nature of the network and userbase.

Is a PAT pool singularly incompatible with PPTP passthrough because of the dynamic nature of source/dest port allocation? Also why is this possible when overloading to a single IP address, rather than a pool?

Many thanks for your help.
