3207 Views | 0 Helpful | 4 Replies

Is this a NAT traversal problem?

richard.dimond
Level 1

I have a 1841 router with vpn to the internet ISP.

From the outside world I can get to the mail server's outlook web access ip of xxx.xx.xx.140.

I have set up a guest access wireless LAN using the 192.168.196.0 network addresses which is able to access IP addresses on the internet.

I need this outbound guest access from vlan 196 to come back in to also access the owa server.

I do not want this vlan to be accessing addresses on the local lan.

I believe this is a NAT Traversal problem, but what config changes do I need to make on the 1841 router?

Do I simply need a crypto isakmp nat-traversal config entry?

I have attached part of the configuration.

Thanks in advance

Richard

4 Replies

Antonio Knox
Level 7

I think some type of drawing would help me understand a bit more.  Can you put together a quick visio drawing?

Hope this helps

Antonio Knox
Level 7

crypto isakmp nat-traversal

This command is actually an ASA CLI command, and is overall not required in this scenario. Per Cisco documentation:

"NAT Traversal is a feature that is auto detected by VPN devices. There are no configuration steps for a router running Cisco IOS Release 12.2(13)T. If both VPN devices are NAT-T capable, NAT Traversal is auto detected and auto negotiated."

For more info on NAT Traversal and how it works in IOS, look here:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftipsnat.html#wp1027186

There is also good info on NAT transparency options available to you.

Please rate if helpful.

This is not a NAT Traversal issue but is more of a NAT HAIRPINNING issue. This problem can be solved easily on ASA/PIX, but in case of an IOS router you have a couple of choices:

1> Use DNS doctoring that will change the DNS reply packet from public IP to private (but since you do not want the private VLAN access from that guest wireless network, this isn't a solution for you).

2> You can have the same public IP on the server as a secondary IP and then make use of route maps on the router to set up a different next hop for traffic originating from the guest wireless subnet and destined for that public IP. This is a tricky solution and you have to research on how to implement it in your case.

Manish
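One concrete way to lay out Manish's second option on an IOS router, as an added example that is not part of the thread and not a configuration anyone posted here. The interface name, the OWA server's private address 192.168.1.10 and the public address 203.0.113.140 (standing in for the xxx.xx.xx.140 in the question) are assumptions.

```cisco
! Added example, not from the thread. Assumed: guest VLAN 196 is a dot1Q
! subinterface, the OWA server sits on the inside LAN at 192.168.1.10 and
! already has the public address 203.0.113.140 configured as a secondary
! address on its NIC (so it accepts packets addressed to the public IP).
!
interface FastEthernet0/1.196
 description Guest wireless (VLAN 196)
 encapsulation dot1Q 196
 ip address 192.168.196.1 255.255.255.0
 ip access-group GUEST-IN in
 ip policy route-map GUEST-TO-OWA
 ip nat inside
!
! Guests may reach the internet but not the private LAN ranges.
! The OWA public address is outside private space, so it passes this ACL
! while every directly addressed internal host is denied.
ip access-list extended GUEST-IN
 deny   ip 192.168.196.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.196.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.168.196.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.196.0 0.0.0.255 any
!
! Only HTTPS from the guest subnet to the OWA public address is policy-routed.
ip access-list extended GUEST-OWA
 permit tcp 192.168.196.0 0.0.0.255 host 203.0.113.140 eq 443
!
! Hand that traffic to the server's private address on the inside segment
! instead of sending it out to the ISP and relying on the NAT to hairpin it.
! Because the packet leaves through an "ip nat inside" interface, no
! translation is applied; the server sees the guest's 192.168.196.x address
! and replies through its default gateway (this router) back to VLAN 196.
route-map GUEST-TO-OWA permit 10
 match ip address GUEST-OWA
 set ip next-hop 192.168.1.10
```

Verify with `show route-map GUEST-TO-OWA` (policy-routing match counters) and `show access-lists GUEST-IN` after a guest browses to the OWA address; the counters should increment on the route-map entry and the ACL's final permit, not on the deny lines.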
