
NAT Problems on a Cisco 3000 Concentrator

mwestern
Level 1

Hi All,

We have a number of Cisco 3000 Concentrators which are doing VPN beautifully. But at a couple sites we want to enable NAT for the PCs inside.

I've tried everything to get NAT working out and the best I can get is to ping out. No surfing and no FTP access.

I've added three rules as per the docs but I still can't get it to work:

---------------------------

You can configure a maximum of 10 NAT rules. A typical system might have three rules:

• Provide FTP Proxy services for all private network addresses.

• Map TCP/UDP ports in packets to and from all private network addresses.

• Translate IP addresses for protocols that do not use ports (No Port Mapping).

-----------------------

I've tried adding them in different orders but it doesn't seem to take effect. Where am I going wrong??

I'm sure I've got my subnet mask and stuff OK because when I enable the 'No Port mapping' ping suddenly starts to work. I'm baffled as to why the other two don't.

Any ideas or pointers to something I can read to understand what's going on?

Thanks

Matthew

2 Replies

Nelson Rodrigues
Cisco Employee

Matthew, a couple words about NAT on the VPN 3000.

1) Prior to version 3.6 Rel of the VPN 3000, it supports NAT, called Interface NAT (actually many-to-one PAT). This allows private network addresses to be PATed with the public IP address of the VPN 3000 for traffic destined for the "public network". This NAT type is not used for traffic across a LAN-to-LAN tunnel.

You must still explicitly allow "portless/ICMP", FTP and UDP on the NAT interface by assigning these