Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1673
Views
0
Helpful
2
Replies

NAT Problems on a Cisco 3000 Concentrator

mwestern
Level 1
Level 1

‎10-09-2002 06:39 PM - edited ‎02-20-2020 10:17 PM

Hi All,

We have a number of Cisco 3000 Concentrators which are doing VPN beautifully. But at a couple sites we want to enable NAT for the PCs inside.

I've tried everything to get NAT working out and the best i can get is to ping out. No surfing and no ftp access.

I've added three rules as per the docs but I still cant' get it to work:

---------------------------

You can configure a maximum of 10 NAT rules. A typical system might have three rules:

• Provide FTP Proxy services for all private network addresses.

• Map TCP/UDP ports in packets to and from all private network addresses.

• Translate IP addresses for protocols that do not use ports (No Port Mapping).

-----------------------

I've tried adding them in different orders but doesn't seem to take effect. Where am I going wrong??

I'm sure i've got my subnet mask and stuff OK because when i enable the 'No Port mapping' ping suddendly starts to work. I'm baffled as to why the other two don't.

Any ideas or pointers to something i can read to understand what's going on?

Thanks

Matthew

0 Helpful
2 Replies 2

Nelson Rodrigues
Cisco Employee
Cisco Employee

‎10-09-2002 08:33 PM

Mathew, a couple words about NAT on the VPN 3000.

1) Prior to version 3.6 Rel of the VPN 3000, it supports NAT , called Interface NAT (actually many-to-one PAT). This allows private network addresses to be PATed with the public IP address of the VPN 3000 for traffic destined for the "public network". This NAT type is not used for traffic across a LAN-to-LAN tunnel.

You must still explicitly allow "portless/ICMP", FTP and UDP on the NAT interface by assigning these rules to the public interface filter. Ping worked for you because ICMP/IN and ICMP/Out rules are assigned to the public interface by default. Add the FTP and UDP rules and this should work.

2) IWith Rel 3.6 , besides Interface NAT, we also added "NAT over LAN-to-LAN". This is used when you have overlapping or same IP networks at multiple sites.

Hope ths helps.

Nelson

0 Helpful

mwestern
Level 1
Level 1
In response to Nelson Rodrigues

‎10-09-2002 08:41 PM

1) I *think* i have already tried this. here are my rules:

10.1.64.0/21 on Ethernet 2 (Public) (no port mapping)

10.1.64.0/21 on Ethernet 2 (Public) (map TCP/UDP)

10.1.64.0/21 on Ethernet 2 (Public) (FTP Proxy)

i've also tried having the TCP and the UDP in separate rules. Do these rules need to be in any order?

We have a number of VPNs setup on this already all on the 10.x.x.x range. i just want to enable NAT out to the internet so internal machines can surf out. (I have DNS etc etc all working fine becuase i have our real firewall here to try it out). I'm actually trying to get this going for a small office of our company who will just have this Cisco Plugged in for both VPN to head office and for surfing/firewall etc etc... which is why we want to NAT to the internet (or pat or whatever it is). ideas?

2) is rel 3.6 just a firmware update that i can apply to my cisco? will this erase all my customizations for existing VPNs etc? i have about 7 VPNs going like a bought one.

Thanks a pile for the response.

Matthew

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card