This document describes an issue where user using VPN client can not connect to internal network.
What is NAT & PAT?
NAT may be defined as the process in which translation of an IP address within one network to a different IP address.
NAT helps in ensuring security since each outgoing or incoming request should pass through the translation process.
NAT can be difined statically or can be made to use IP's from a pool dynamically. Cisco's version of NAT enable the administrator to create tables that could map:
A local IP to one global IP address statically
A local IP address to a rotating pool of global IP
A local IP with a defined TCP port to a global IP or to anyone IP from the pool
A global IP to any local IP from a pool with the help of round-robin basis
Port address translation (PAT) can be defined as a process with which multiple users within a local network to make minimum use of IP addresses. Its primary function is that PAT share only 1 IP public between multiple users who are using internet.
An example of PAT is mentioned below:
A user is working in home network which is connected to the Internet.The router which is used by the user is given a discrete IP address by ISP. Multiple users are accessing the Internet with same router, and each user is assigned a port number.
There is a Network Address Translation (NAT) or Port Address Translation (PAT) device in the middle which might not be translating Phase II Encapsulating Security Payload (ESP) traffic. ESP does not work with PAT. The Phase I Internet Key Exchange (IKE) session would establish since it uses User Datagram Protocol (UDP) port 500.
The VPN Client connecting to the VPN 3000 Concentrator has two options.
IPsec tunnel through UDP
Enable the IPsec/NAT feature on the VPN Client and VPN Concentrator.
For the VPN Client, select Options > Properties, and then check the Allow IPSec through NAT check box.
On the VPN Concentrator, select Configuration > User Management > Groups > Modify, and then check the Mode Config check box. Then go to the Mode Config tab and select IPSec over UDP. You can specify the UDP port.
IPsec tunnel through TCP
This procedure applies to VPN 3000 Software versions 3.5 and later.
For the VPN Client, select the Use IPSec over TCP radio button. When using TCP, enter the port number for TCP in the TCP port field. This port number must match the port number configured on the secure gateway. The default port number is 10000.
For the VPN Concentrator, select Configuration > System > Tunneling Protocols > IPSec > IPSec over TCP, and check Enabled. You can specify multiple ports.
Refer to NAT Support for IPSec ESP - Phase II for details on how to allow multiple concurrent IPsec Encapsulating Security Payload (ESP) tunnels or connections through a Cisco IOS® Network Address Translation (NAT) device configured in overload or Port Address Translation (PAT) mode.
I have 2 new FPR-1010 According to the documentation, on the first boot, I should get a EULA prompt and then a "Manage the device locally? (yes/no) [yes]: no"https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fp1010/firepower-1010-g...
We have two Data Centers, East and West. The West is considered our DR site (separate, but identical Hw). If the EDC data center craters, we would like to spin up the WDC using the EDC's Master System config.Currently we are using a tool to pu...
Hello, In our customer environment, the Node status of the secondary ISE node is showing up as "Replication Stopped".By logging into the CLI, we checked the ntp server configuration of both primary and secondary nodes they are the same. We tried...
First off a nod to ChiefSec-SF & Orlith for their contributions.Objective: Use PowerShell to create a new Event Stream. Define Authentication Credentials$Credentials = GET-CREDENTIAL –Credential (Get-Credential)
Hello. Hoping someone out there may be able to help us figure out a nagging issue with our ISE deployment. We are running ISE 2.4 along with 802.1x/MAB authentication for our Win 10 machines and Shoretel phones. We run 2960 switches at the acces...