cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
268
Views
0
Helpful
3
Replies

Static NAT VPN Problem

mgriffin
Beginner
Beginner

Greetings,

I am having an issue with my NAT configuration. I am fairly knowledable on Cisco routers, but by no means an expert.

Configuration:

Cisco 2611 with two Ethernet ports.

E0/0 (WAN) - DHCP address (69.x.x.228) connected to a Time Warner Cable Modem

E0/1 (LAN) - 10.0.0.1 / 24

E0/0 is configured for NAT outside

E0/1 is configured for NAT inside

ip nat inside source list 115 interface E0/0 overload

10.x.x.x. clients have no issue access the internet and everything thing seems to work fine.

However, I have one client on 10.0.0.51 that is used to connect to a remote VPN site. I cannot connect using VPN. If I add the following statement:

ip nat inside source static 10.0.0.51 interface E0/0

Then VPN works just fine? however you can see that it breaks several other things.

I have tried to put in a static NAT with a specific port mapping for this address but that does not work either. Since I only have one "WAN" address I'm not sure how to get around this.

Any help would be appreciated.

Tnx,

MJG

3 Replies 3

Jon Marshall
VIP Community Legend VIP Community Legend
VIP Community Legend

Hi

What is happening is that the PAT on your wan interface is changing the source ports from the VPN client. This is breaking the IKE/IPSEC negotiation.

What you probably need to do is use NAT-T which add a UDP header to the IPSEC packets. I've attached a link that explains what it is and how to enable it on a Cisco client (don't know if thats what you are using but all vpn clients should support it ).

http://www.cisco.com/warp/public/471/cvpn_3k_nat.html#conf_client

You will need to talk to the people who control the remote site VPN device as that device has to have NAT-T enabled as well.

HTH

Jon

Jon,

Thanks for the info. I looked at the document and it refers to a PIX setup.

I also checked with our remote location and they do not support NAT-T nor does the client I am using.

Any other throughs on how to get this working?

Tnx again.

Jon,

I solved my own problem!!! ...although I dont quite understand how/why.

In the end I changed this statement:

ip nat inside source list 1 interface e0/0 overload

to:

ip nat inside source list 115 interface e0/0 overload.

ACL 1 was: permit 10.0.0.0 0.0.0.255

New ACL 115 is: permit ip 10.0.0.0 0.0.0.255 any

I'm not sure why using an extended ACL works when a standard one does not... but it works fine now and I can VPN outbound and all other services still work.

Tnx,

MJG

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers