05-31-2011 06:03 AM - edited 03-06-2019 05:16 PM
I have an 1841 router with a VPN to the internet ISP.
From the outside world I can get to the mail server's Outlook Web Access IP of xxx.xx.xx.140.
I have set up a guest access wireless LAN using the 192.168.196.0 network addresses, which is able to access IP addresses on the internet.
I need this outbound guest access from VLAN 196 to come back in to also access the OWA server.
I do not want this VLAN to be accessing addresses on the local LAN.
I believe this is a NAT Traversal problem, but what config changes do I need to make on the 1841 router?
Do I simply need a crypto isakmp nat-traversal config entry?
I have attached part of the configuration.
Thanks in advance
Richard
05-31-2011 08:07 AM
I think some type of drawing would help me understand a bit more. Can you put together a quick visio drawing?
05-31-2011 08:38 AM
05-31-2011 09:14 AM
crypto isakmp nat-traversal
This command is actually an ASA CLI command, and is overall not required in this scenario. Per Cisco documentation:
"NAT Traversal is a feature that is auto detected by VPN devices. There are no configuration steps for a router running Cisco IOS Release 12.2(13)T. If both VPN devices are NAT-T capable, NAT Traversal is auto detected and auto negotiated."
For more info on NAT Traversal and how it works in IOS, look here:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftipsnat.html#wp1027186
There is also good info on NAT transparency options available to you.
Please rate if helpful.
05-31-2011 10:04 AM
This is not a NAT Traversal issue but more of a NAT hairpinning issue. This problem can be solved easily on ASA/PIX, but in the case of an IOS router you have a couple of choices:
1> Use DNS doctoring, which will change the DNS reply packet from the public IP to the private one. (But since you do not want private VLAN access from that guest wireless network, this isn't a solution for you.)
2> You can have the same public IP on the server as a secondary IP and then make use of route maps on the router to set up a different next hop for traffic originating from the guest wireless subnet and destined for that public IP. This is a tricky solution and you have to research how to implement it in your case.
Manish
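As an added illustration of option 2 above (this is example configuration written for this thread, not Manish's or Cisco's own config): policy-based routing on the guest VLAN sends traffic for the OWA public address straight to the server's private address on the local LAN, while an inbound ACL keeps the guest VLAN off every other local address. The thread does not give the router's interface names, the local LAN subnet, the server's private address or the full public address, so the values below are placeholders: the guest VLAN is assumed to be interface Vlan196 with 192.168.196.1/24, the local LAN 192.168.1.0/24, the OWA server 192.168.1.10, and the public address xxx.xx.xx.140 is written as 203.0.113.140 (documentation range). OWA is assumed to be served on TCP 443 only.

```cisco
! Added example for option 2 (secondary public IP on the server + route map).
! Placeholders (not from the thread): Vlan196, 192.168.1.0/24 local LAN,
! 192.168.1.10 OWA private address, 203.0.113.140 standing in for xxx.xx.xx.140.
! The server must already carry 203.0.113.140 as a secondary address on its NIC.
!
! 1. Match guest traffic bound for the OWA public address.
access-list 196 permit ip 192.168.196.0 0.0.0.255 host 203.0.113.140
!
! 2. Policy-route that traffic to the server's private address on the local LAN
!    instead of out the ISP interface, where it would be NATed and hairpinned.
route-map GUEST-TO-OWA permit 10
 match ip address 196
 set ip next-hop 192.168.1.10
!
! 3. Guest segmentation: allow only OWA on the public address, deny the whole
!    private LAN (including the server's private address), allow the internet.
ip access-list extended GUEST-IN
 permit tcp 192.168.196.0 0.0.0.255 host 203.0.113.140 eq 443
 deny   ip  192.168.196.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip  192.168.196.0 0.0.0.255 any
!
! 4. Apply both to the guest VLAN interface. The inbound ACL is evaluated
!    before policy routing, so the deny line above still wins for LAN addresses.
interface Vlan196
 ip address 192.168.196.1 255.255.255.0
 ip access-group GUEST-IN in
 ip policy route-map GUEST-TO-OWA
```

Two things to check after applying it: the server's reply (source 203.0.113.140, destination 192.168.196.x) returns through the router's LAN interface and is routed to Vlan196 without translation, so `show ip nat translations` should show no entries for guest-to-OWA flows; and if guests get DNS or DHCP from a server on the private LAN, those services need their own permit lines above the deny, since the ACL as written blocks them.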