C1111X-8P site to site VPN and PAT

rmakos
Level 1

We are upgrading from a c1811 to a c1111X-8P at a site with a single static IP. With the 1811 we were able to have both a site to site VPN and PAT for inbound VPN connections to a RAS server using ports UDP 500 and 4500 by creating a route-map. This does not seem to work in IOS XE. When you try to add the config, the following error occurs: Port 500 is being used by system. Can anyone advise if there is a way to get this working in IOS XE? Here is the old config that worked in the 1811:

! static PAT for IKE (UDP 500) and NAT-T (UDP 4500) to the RAS server,
! applied only where route-map BlockRT permits
ip nat inside source static udp x.x.x.x 500 x.x.x.x 500 route-map BlockRT reversible extendable
ip nat inside source static udp x.x.x.x 4500 x.x.x.x 4500 route-map BlockRT reversible extendable

! a deny in the ACL means the route-map does not match, so traffic to this
! host (the site-to-site peer) is left untranslated for the IPsec tunnel
access-list 110 deny ip any host x.x.x.x

route-map BlockRT permit 10
 match ip address 110

12 Replies

Hello,

XE has NAT transparency enabled by default, not sure if this might cause your problem. Try and turn it off, and check if the error is still there:

C1111X(config)#no crypto ipsec nat-transparency udp-encapsulation

Thanks, but that did not work. Still getting %Port 500 is being used by system. Any other ideas?

Hello,

what other NAT statements do you have configured? Are you overloading any interface or IP address? If so, try and remove all NAT statements and enter the static NAT entries (those that generate the errors) first. Add all other NAT configuration you need after that.

I tried removing all NAT statements and reloading. Still does not work, it is only ports UDP 500 and 4500 that error - I can add others. Has anyone successfully used one static IP for a site to site VPN and NAT to a RAS server in IOS XE?

Hello,

try and remove all VPN configuration as well first, so that the static NAT is in there BEFORE any VPN and other NAT stuff. I remember there to be a bug in XE that could cause this behavior.

I remember reading about the XE bug with NAT overloading and I don't think this is the case here; I can add other NAT translations without a problem. If I remove the crypto map from the interface, it does allow me to add the NAT entries, but after adding the crypto map back the site to site VPN connection will not establish until I remove those entries for ports 500 and 4500.

Hello,

what is the output of:

sh ip nat portblock dynamic global detail

tcp:
5062 - 6085 (config) rfcnt 1
545 - 617 (config) rfcnt 1

udp:
5062 - 6085 (config) rfcnt 1
512 - 584 (config) rfcnt 1

Hello,

so it looks like NAT is not the culprit. Which XE version are you actually running?

Cisco IOS XE Software, Version 16.09.02

w/ securityk9

Hello,

for the sake of testing, change the public IP address of the static NAT translations that produce the error to a different address than the one that is configured on the interface. If that works, you possibly actually do need a second public IP address...

Changing the outside IP does work, and I wound up getting another static as a solution. But we have another single static site and I'm wondering why it worked with route-maps in IOS 12.4 and won't in XE?
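The outcome of this thread (static PAT for UDP 500/4500 is rejected when its global address is the address of an interface that also carries a crypto map, and accepted once it uses a different public address) can be turned into a pre-change lint for a running config. This is an added example, not code from the thread or from Cisco; the interface name, addresses and crypto map name in the sample are constructed placeholders.

```python
import re

# Constructed sample config mirroring the thread: one public address on the outside
# interface, a crypto map bound to it, and static PAT entries for IKE (UDP 500) and
# NAT-T (UDP 4500) that reuse that same global address. The last entry uses a second
# public address, which is the arrangement the thread found to work.
SAMPLE_CONFIG = """
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
 crypto map SITE2SITE
!
ip nat inside source static udp 10.0.0.5 500 203.0.113.10 500 route-map BlockRT reversible extendable
ip nat inside source static udp 10.0.0.5 4500 203.0.113.10 4500 route-map BlockRT reversible extendable
ip nat inside source static tcp 10.0.0.5 443 203.0.113.10 443 extendable
ip nat inside source static udp 10.0.0.5 500 203.0.113.11 500 route-map BlockRT reversible extendable
"""

# UDP ports the router's own IKE/NAT-T listener occupies once a crypto map is bound.
SYSTEM_UDP_PORTS = {500, 4500}

NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")

def crypto_map_addresses(config):
    """Return the set of IP addresses configured on interfaces that carry a crypto map."""
    addrs, addr, has_map = set(), None, False
    for line in config.splitlines() + ["!"]:   # sentinel closes the final interface block
        if not line.startswith(" "):           # any top-level line ends an interface block
            if has_map and addr:
                addrs.add(addr)
            addr, has_map = None, False
            continue
        m = re.match(r"\s+ip address (\S+) \S+", line)
        if m:
            addr = m.group(1)
        elif re.match(r"\s+crypto map \S+", line):
            has_map = True
    return addrs

def conflicting_nat_entries(config):
    """Return static NAT lines that map UDP 500/4500 onto an address that also terminates IPsec."""
    vpn_addrs = crypto_map_addresses(config)
    hits = []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if m:
            proto, _, _, gaddr, gport = m.groups()
            if proto == "udp" and int(gport) in SYSTEM_UDP_PORTS and gaddr in vpn_addrs:
                hits.append(line)
    return hits
```

Run against a saved `show running-config`, the two flagged lines are exactly the ones that would trigger "Port 500 is being used by system"; the TCP 443 entry and the entry on the second address pass.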
