Force NAT overload ports?

b.henshaw
Level 1

Is there a way to force IOS, when configured for NAT overload, to overload to a specific range of port numbers (or not overload to specific numbers) rather than the default of 0-511, 512-1023, 1024+?

I have NAT configured on a 2801 so all inside addresses matching a certain list are NAT'ed to a certain external IP address with overloading enabled.

This is causing problems with outbound client VPN sessions which use NAT traversal (directed to a Nortel Extranet switch).

The first outbound VPN session always works fine. The inside local source port for one of the UDP streams is 500 and the inside global source port is 500.

If a second or subsequent VPN session is opened from inside the network however, the inside local source port is 500 but the inside global source port is in the range 0-511 (often around 20). This is expected.

All VPN sessions other than the first fail to connect. I strongly suspect this is due to the VPN concentrator (or a firewall in front of it) dropping UDP packets from some or all low source port numbers. When we route outbound traffic via another router/firewall box (Linux-based, which uses high port numbers > 48000) we don't have the issue.

We don't have control of the remote VPN concentrator and I'd rather not waste public addresses by using multiple NAT pools (or hack the NAT client so it uses another source port which might be free when translated) - but I suspect I may not have a choice.

Any advice would be appreciated.

3 Replies

bbaley
Level 3

Are you assigning more than one ip address to a pool?

I suspect your problem is that the concentrator on the far end is not supporting NAT traversal (NAT-T). It is almost impossible to get 2 IPSEC sessions over a NAT connection because they expect only certain port numbers.

This was the reason that NAT-T came about. Many times this is a client option. The concentrators may accept both types of connection.

The only way to get around this would be to use a pooled NAT without overload for these sessions and overload everything else into a single IP. It depends on how many public IPs you have and how many sessions you run. Your pool of IPs would need to be a little bigger than your peak load of user sessions.

Thanks for the responses.

I only have one address in the pool. I know the remote concentrator supports NAT-T because the client logs show it is in use. And I know multiple sessions can work, because they do through our Linux-based firewall (which I suspect is because its PAT function rewrites the source port of UDP 500 to UDP > 40000) - I've had up to 4 simultaneous outbound sessions to the same concentrator, with NAT/PAT translating to a single external address.

I will create a dedicated multi-address pool for the VPN sessions if I have to - I'd just rather not blow the address space on this if there's a way to force the router to map the outbound session's source ports to different numbers or number ranges.
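The thread describes three ways a NAT device can handle several inside clients that all send IKE from UDP source port 500: the IOS-style overload that keeps the translated port inside the same band (0-511, 512-1023, 1024+), a PAT that rewrites every source port into a high range (the Linux firewall in the thread), and the dedicated non-overloaded pool proposed in the replies. The simulation below is an added example written for this page, not code or configuration from Cisco or from any of the posters; its port-selection rules and the "drop low source ports" filter on the remote side are simplified models assumed for illustration, and the addresses are constructed sample values. It shows why only the first session survives with in-band overload, why all sessions survive with high-port rewriting, and how many sessions a pool of N addresses can carry without rewriting port 500 at all.

```python
"""Model of three NAT source-port strategies for IKE/NAT-T clients.

Added illustration for the thread above; not vendor code. Port-selection
rules are deliberately simplified:
  ios_overload        keep the original port if free, otherwise the lowest
                      free port in the same band (0-511, 512-1023, 1024+)
  high_port_overload  rewrite every translated port into a high range
  pool_no_overload    one public address per inside host, port preserved
"""
from dataclasses import dataclass

IKE_PORT = 500            # ISAKMP; NAT-T then moves the SA to UDP/4500
LOW_PORT_CEILING = 1024   # assumed remote filter: drop UDP from ports < 1024


def band(port):
    """Return the (low, high) port band IOS-style overload stays within."""
    if port < 512:
        return (1, 511)       # port 0 is never allocated in this model
    if port < 1024:
        return (512, 1023)
    return (1024, 65535)


@dataclass
class Translation:
    inside_addr: str
    inside_port: int
    global_addr: str
    global_port: int


class Translator:
    def __init__(self, mode, global_addrs, high_start=40000):
        self.mode = mode
        self.global_addrs = list(global_addrs)
        self.used = set()      # (global_addr, global_port) pairs already handed out
        self.pool_map = {}     # inside_addr -> global_addr (pool mode only)
        self.next_high = high_start

    def translate(self, inside_addr, inside_port):
        """Return a Translation, or None when the pool is exhausted."""
        if self.mode == "pool_no_overload":
            if inside_addr not in self.pool_map:
                taken = set(self.pool_map.values())
                free = [a for a in self.global_addrs if a not in taken]
                if not free:
                    return None
                self.pool_map[inside_addr] = free[0]
            g = self.pool_map[inside_addr]
            return Translation(inside_addr, inside_port, g, inside_port)

        g = self.global_addrs[0]   # overload: every inside host shares one address
        if self.mode == "ios_overload":
            lo, hi = band(inside_port)
            candidates = [inside_port] + [p for p in range(lo, hi + 1) if p != inside_port]
            for p in candidates:
                if (g, p) not in self.used:
                    self.used.add((g, p))
                    return Translation(inside_addr, inside_port, g, p)
            return None
        if self.mode == "high_port_overload":
            while (g, self.next_high) in self.used:
                self.next_high += 1
            p = self.next_high
            self.used.add((g, p))
            return Translation(inside_addr, inside_port, g, p)
        raise ValueError(f"unknown mode {self.mode!r}")


def remote_accepts(t, min_port=LOW_PORT_CEILING):
    """Assumed behaviour of the remote concentrator/firewall: IKE from source
    port 500 is fine, anything else below the ceiling is dropped."""
    return t.global_port == IKE_PORT or t.global_port >= min_port


def run_scenario(mode, n_clients, global_addrs=("203.0.113.1",)):
    """Open one IKE session per inside client; return (global_addr, global_port, accepted)."""
    nat = Translator(mode, global_addrs)
    results = []
    for i in range(n_clients):
        t = nat.translate(f"10.0.0.{i + 1}", IKE_PORT)   # constructed inside hosts
        if t is None:
            results.append((None, None, False))
        else:
            results.append((t.global_addr, t.global_port, remote_accepts(t)))
    return results


if __name__ == "__main__":
    for mode in ("ios_overload", "high_port_overload"):
        print(mode, run_scenario(mode, 3))
    pool = ("203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.4")
    print("pool_no_overload", run_scenario("pool_no_overload", 5, pool))
```

With in-band overload the first client keeps 500 and every later client lands on a port in 1-511, which the modelled filter rejects; with high-port rewriting all three are accepted; with a four-address pool the fifth client simply gets no translation, which is the sizing point made in the reply about keeping the pool a little larger than the peak session count.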