Allowing NAT isakmp port 500

liamr44
Level 1

Hi All

Hoping you can help with an issue we have with Catalyst 9300

I am trying to SNAT traffic from our inside interface to our outside interface GigabitEthernet1/0/10

ip nat inside source list 1 interface GigabitEthernet1/0/10 overload

ip access-list standard 1
10 permit (source address)x.x.x.x log

When looking at ip nat translations I can see NAT is working for TCP and UDP traffic, but not for ISAKMP port 500 or 4500.

Nothing is appearing in the logs.

Would we need additional commands to allow NAT to work on port 500 or 4500?

I have also tried 

ip nat inside source static udp x.x.x.x 500 x.x.x.x 500 extendable

and

ip nat inside source static udp x.x.x.x 4500 x.x.x.x 4500 extendable

Note: we are not terminating any IPsec connection on the device, just passing it through.

Many Thanks

Liam

3 Replies

You add static PAT,

Do you check

Show ip nat translation

Do you see UDP 500 and UDP 4500?

Hi Thanks for the reply

We have tried adding a static nat

ip nat inside source static x.x.x.x(source address) x.x.x.x(global address)

I can see the following in ip nat translations, and NAT is working for TCP packets, ICMP and UDP when testing with ncat, but it still won't NAT port 500 or 4500.

Pro Inside global                          Inside local                     Outside local         Outside global
--- x.x.x.x(global address)          x.x.x.x(local address)          ---                   ---
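Added example, not part of the thread or any Cisco tooling: a small Python checker that parses constructed `show ip nat translations` output in the column layout shown above and reports whether UDP 500 (ISAKMP/IKE) and UDP 4500 (NAT-T) translations exist for an inside host. The sample table uses RFC 5737 documentation addresses rather than the poster's, and the function names are my own; the parser assumes the IPv4 table layout and skips header and summary lines.

```python
import re

# Ports an IPsec session needs translated when it passes through a NAT device:
# UDP 500 carries ISAKMP/IKE, UDP 4500 carries NAT-T encapsulated IKE and ESP.
IPSEC_UDP_PORTS = frozenset({500, 4500})

# One row of "show ip nat translations": protocol column, then four endpoint columns.
# An endpoint is "addr", "addr:port", or "---" (outside columns of a static entry).
ENDPOINT = r"(?:\d{1,3}(?:\.\d{1,3}){3}(?::\d{1,5})?|---)"
ROW_RE = re.compile(
    rf"^(?P<proto>[a-z-]+)\s+(?P<ig>{ENDPOINT})\s+(?P<il>{ENDPOINT})\s+"
    rf"(?P<ol>{ENDPOINT})\s+(?P<og>{ENDPOINT})\s*$"
)

# Constructed sample mirroring the symptom in the thread: a static entry plus
# tcp/udp/icmp translations, but no udp 500 or udp 4500 rows (RFC 5737 addresses).
SAMPLE_NO_IPSEC = """\
Pro Inside global         Inside local          Outside local         Outside global
--- 203.0.113.10          192.0.2.5             ---                   ---
tcp 203.0.113.10:443      192.0.2.5:50123       198.51.100.20:443     198.51.100.20:443
udp 203.0.113.10:53       192.0.2.5:49300       198.51.100.53:53      198.51.100.53:53
icmp 203.0.113.10:1       192.0.2.5:1           198.51.100.20:1       198.51.100.20:1
Total number of translations: 4
"""

# Constructed sample of a working pass-through: both the IKE and the NAT-T rows are present.
SAMPLE_WITH_IPSEC = """\
Pro Inside global         Inside local          Outside local         Outside global
--- 203.0.113.10          192.0.2.5             ---                   ---
tcp 203.0.113.10:443      192.0.2.5:50123       198.51.100.20:443     198.51.100.20:443
udp 203.0.113.10:53       192.0.2.5:49300       198.51.100.53:53      198.51.100.53:53
icmp 203.0.113.10:1       192.0.2.5:1           198.51.100.20:1       198.51.100.20:1
udp 203.0.113.10:500      192.0.2.5:500         198.51.100.7:500      198.51.100.7:500
udp 203.0.113.10:4500     192.0.2.5:4500        198.51.100.7:4500     198.51.100.7:4500
Total number of translations: 6
"""


def split_endpoint(value):
    """'203.0.113.10:500' -> ('203.0.113.10', 500); '---' or a bare address -> (value, None)."""
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return value, None


def parse_translations(text):
    """Parse table rows into dicts; the header, blank lines and the summary line are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ig, ig_port = split_endpoint(m.group("ig"))
        il, il_port = split_endpoint(m.group("il"))
        rows.append({
            "proto": m.group("proto").lower(),
            "inside_global": ig, "inside_global_port": ig_port,
            "inside_local": il, "inside_local_port": il_port,
            "outside_local": m.group("ol"), "outside_global": m.group("og"),
        })
    return rows


def ipsec_ports_translated(rows, inside_local=None):
    """Return the IPsec UDP ports that have an active translation, optionally for one inside host."""
    found = set()
    for r in rows:
        if r["proto"] != "udp" or r["inside_local_port"] not in IPSEC_UDP_PORTS:
            continue
        if inside_local is None or r["inside_local"] == inside_local:
            found.add(r["inside_local_port"])
    return found


def missing_ipsec_ports(rows, inside_local=None):
    """Ports from IPSEC_UDP_PORTS with no translation; {500, 4500} reproduces the thread's symptom."""
    return set(IPSEC_UDP_PORTS) - ipsec_ports_translated(rows, inside_local)


if __name__ == "__main__":
    for label, sample in (("no ipsec", SAMPLE_NO_IPSEC), ("with ipsec", SAMPLE_WITH_IPSEC)):
        rows = parse_translations(sample)
        missing = missing_ipsec_ports(rows, "192.0.2.5")
        print(f"{label}: {len(rows)} translations, missing IPsec ports: {sorted(missing) or 'none'}")
```

Running it against the first sample reports both 500 and 4500 missing for 192.0.2.5, which is the state Liam's table shows: the static entry and ordinary tcp/udp/icmp translations exist, yet no IKE or NAT-T rows appear. The second sample shows what the table looks like when the pass-through works.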

I think the IPsec config is wrong and that is why the NAT does not work.
Can I see the IPsec config of both sides?