Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
3373
Views
0
Helpful
0
Comments

VPN Client cannot connect to internal network - NAT/PAT device is not translating Phase II traffic

TCC_2
Level 10
Level 10

‎06-22-2009 03:36 PM - edited ‎08-23-2017 09:53 PM

 

Introduction:

This document describes an issue where user using VPN client can not connect to internal network.

 

What is NAT & PAT?

 

  • NAT may be defined as the process in which translation of an IP address within one network to a different IP address.
  • NAT helps in ensuring security since each outgoing or incoming request should pass through the translation process.
  • NAT can be difined statically or can be made to use IP's from a pool dynamically. Cisco's version of NAT enable the  administrator to create tables that could map:

                  A local IP  to one global IP address statically

   A local IP address to a rotating pool of global IP 

   A local IP with a defined TCP port to a global IP or to anyone IP from the pool

   A global IP to any local IP from a pool with the help of round-robin basis

 

PAT:

 

Port address translation (PAT) can be defined as a process with which multiple users within a local network to make minimum use of IP addresses. Its primary function is that PAT share only 1 IP public between multiple users who are using internet. 

 

An example of PAT is mentioned below:

A user is working in home network which is connected to the Internet.The  router which is used by the user is given a discrete IP address by ISP. Multiple users are accessing the Internet with same router, and each user is assigned a port number.

Core issue

 

There is a Network Address Translation (NAT) or Port Address Translation (PAT) device in the middle which might not be translating Phase II Encapsulating Security Payload (ESP) traffic. ESP does not work with PAT. The Phase I Internet Key Exchange (IKE) session would establish since it uses User Datagram Protocol (UDP) port 500.

 

Resolution

 

The VPN Client connecting to the VPN 3000 Concentrator has two options.

 

    • IPsec tunnel through UDP


      Enable the IPsec/NAT feature on the VPN Client and VPN Concentrator.

       

      • For the VPN Client, select Options > Properties, and then check the Allow IPSec through NAT check box.

         

      • On the VPN Concentrator, select Configuration > User Management > Groups > Modify, and then check the Mode Config check box. Then go to the Mode Config tab and select IPSec over UDP. You can specify the UDP port.

 

  • IPsec tunnel through TCP


    This procedure applies to VPN 3000 Software versions 3.5 and later.

     

    • For the VPN Client, select the Use IPSec over TCP radio button. When using TCP, enter the port number for TCP in the TCP port field. This port number must match the port number configured on the secure gateway. The default port number is 10000.

       

    • For the VPN Concentrator, select Configuration > System > Tunneling Protocols > IPSec > IPSec over TCP, and check Enabled. You can specify multiple ports.

 

Refer to NAT Support for IPSec ESP - Phase II for  details on how to allow multiple concurrent IPsec Encapsulating Security Payload (ESP) tunnels or connections through a Cisco IOS® Network Address Translation (NAT) device configured in overload or Port Address Translation (PAT) mode.

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents