Introduction:
This document describes an issue where a user of the VPN Client cannot connect to the internal network.
What is NAT & PAT?
- NAT may be defined as the process of translating an IP address within one network to a different IP address.
- NAT contributes to security because every outgoing or incoming request must pass through the translation process.
- NAT can be defined statically or can be made to use IP addresses from a pool dynamically. Cisco's version of NAT enables the administrator to create tables that map:
  - A local IP address to one global IP address statically
  - A local IP address to a rotating pool of global IP addresses
  - A local IP address with a defined TCP port to a global IP address or to any one IP address from the pool
  - A global IP address to any local IP address from a pool on a round-robin basis
PAT:
Port Address Translation (PAT) can be defined as a process that lets multiple users within a local network make minimal use of public IP addresses. Its primary function is to share a single public IP address among multiple users who are accessing the Internet.
An example of PAT is given below:
A user is working in a home network that is connected to the Internet. The router used by the user is assigned a single IP address by the ISP. Multiple users access the Internet through the same router, and each user is assigned a port number.
Core issue
There is a Network Address Translation (NAT) or Port Address Translation (PAT) device in the middle which might not be translating Phase II Encapsulating Security Payload (ESP) traffic. ESP does not work with PAT, because ESP packets carry no TCP or UDP port numbers for the PAT device to rewrite and track. The Phase I Internet Key Exchange (IKE) session does establish, since it uses User Datagram Protocol (UDP) port 500.
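To make the core issue concrete, the following is an added Python model (not from the original document and not Cisco's code) of a port-only PAT device in front of VPN Clients: IKE on UDP/500 is translated per client, while the peer's ESP reply, which carries no port, cannot be mapped back to an inside host once more than one tunnel exists. All addresses are constructed placeholders, and the model deliberately has no SPI tracking; it shows the failure, not the fix.

```python
from dataclasses import dataclass
from typing import Optional

PROTO_UDP, PROTO_ESP = 17, 50
PUBLIC_IP = "203.0.113.1"  # constructed: the PAT device's single public address

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: Optional[int] = None  # None for ESP: it carries no transport ports
    dst_port: Optional[int] = None

class PortOnlyPat:
    """PAT whose translation table is keyed on port numbers only (no SPI tracking)."""
    def __init__(self) -> None:
        self.next_port = 1024
        self.udp = {}     # (inside_ip, inside_port) -> public_port, and the reverse
        self.esp_in = {}  # peer_ip -> inside hosts that have sent ESP to that peer

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto == PROTO_UDP:  # IKE: a port exists, so it can be rewritten and tracked
            key = (pkt.src_ip, pkt.src_port)
            if key not in self.udp:
                self.udp[key], self.udp[self.next_port] = self.next_port, key
                self.next_port += 1
            return Packet(PUBLIC_IP, pkt.dst_ip, PROTO_UDP, self.udp[key], pkt.dst_port)
        # ESP: only the source address can be rewritten; no port distinguishes the flow
        self.esp_in.setdefault(pkt.dst_ip, set()).add(pkt.src_ip)
        return Packet(PUBLIC_IP, pkt.dst_ip, PROTO_ESP)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        # Deliver a packet from the peer to an inside host, or drop it (None)
        if pkt.proto == PROTO_UDP:
            hit = self.udp.get(pkt.dst_port)
            return None if hit is None else Packet(pkt.src_ip, hit[0], PROTO_UDP, pkt.src_port, hit[1])
        hosts = self.esp_in.get(pkt.src_ip, set())
        if len(hosts) != 1:  # zero or several inside hosts: cannot demultiplex, so drop
            return None
        return Packet(pkt.src_ip, next(iter(hosts)), PROTO_ESP)

def simulate(clients, peer):
    """Each client runs IKE (UDP/500), then brings up ESP; does the peer's ESP reply get home?"""
    pat, ike_ok = PortOnlyPat(), {}
    for c in clients:
        out = pat.outbound(Packet(c, peer, PROTO_UDP, 500, 500))
        back = pat.inbound(Packet(peer, PUBLIC_IP, PROTO_UDP, 500, out.src_port))
        ike_ok[c] = back is not None and back.dst_ip == c
        pat.outbound(Packet(c, peer, PROTO_ESP))  # Phase II SA is up, ESP starts flowing
    reply = pat.inbound(Packet(peer, PUBLIC_IP, PROTO_ESP))  # the peer's ESP reply
    return ike_ok, None if reply is None else reply.dst_ip
```

With a single client the reply is delivered; with two clients behind the same PAT every IKE exchange still succeeds but the ESP reply is dropped, which is exactly the symptom the core issue describes.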
Resolution
The VPN Client connecting to the VPN 3000 Concentrator has two options.
Refer to NAT Support for IPSec ESP - Phase II for details on how to allow multiple concurrent IPsec Encapsulating Security Payload (ESP) tunnels or connections through a Cisco IOS® Network Address Translation (NAT) device configured in overload or Port Address Translation (PAT) mode.