748 Views, 0 Helpful, 5 Replies

VPN over Dynamic NAT

vjokhoo
Level 1

Hi folks,

I have this problem. I built out a LAN for a customer using private IP addressing. On the WAN side I'm using a pool of public IP addresses to provide NAT. The LAN works for most Internet applications, including voice, but I have an issue with users who want to connect to VPNs. When the user launches their client, the VPN takes a very long time to connect and then no traffic passes in the tunnel, so the VPN is unusable at that point. If I set up a 1:1 static NAT for a user, then they can successfully use their VPN.

Could it be that because I'm using a pool of addresses for NAT, the public address could be changing? Any way to get around this?

This happens whether they are using Cisco, Nortel or any other VPN.

5 Replies

acomiskey
Level 10

This is an issue with NAT traversal. It's not an issue with your device; NAT-T needs to be enabled on the far end if they want users to be able to connect from behind PAT.

Well the thing is, I am having the same problem when trying to connect to my VPN and I know for a fact that NAT Traversal is enabled on my VPN router.

If I use a 1:1 static NAT I can successfully connect. How about instead of using a pool of public addresses I use just one public address for NAT instead. The total number of users on the network will not cross 80-100 or so.

Hi,

What is the code on the VPN router?

-Kanishka

The VPN router is a Nortel VPN router. NAT traversal is enabled on it. But I discovered something today: I can use my Cisco VPN. The Cisco VPN router is actually a 7401 router with VPN IOS installed on it.

johnnykman
Level 1

When the Nortel VPN client can't connect, are you using PAT? I have a 506e with 6.3(5) and was not able to connect to a Nortel Contivity 5000 with NAT-T set to always encapsulate in UDP 10001. After checking with a sniffer, I noticed that the source port of the PATed ISAKMP packets from the client was 0. The connection table showed a port translation of udp 500 to udp 500 on the PIX. Turns out, the sniffer was right. We were blocking the lower source ports to our VPN on our Internet router. With those lower ports open, the Nortel VPN client works perfectly.
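As an added illustration of the two points raised in this thread (acomiskey's: clients behind PAT need NAT-T on the far end, and johnnykman's: a preserved udp 500 to udp 500 translation gets dropped by an upstream filter on low source ports), here is a small Python model of a PAT gateway. It is not code from the thread, from Cisco or from Nortel; the inside addresses, the public address, the VPN peer and the "keep the original source port if free, otherwise allocate from 1024 upward" policy are all constructed for the example. It shows why plain ESP (IP protocol 50, no ports) from two inside hosts to the same gateway cannot be demultiplexed on the way back, while UDP 4500 encapsulation gives each host its own translated port.

```python
"""Toy PAT (NAT overload) gateway: ESP vs NAT-T (UDP 4500) behind one public IP.
Added example; all addresses and the port-allocation policy are constructed."""
from dataclasses import dataclass
from typing import Optional

ESP, UDP = 50, 17
IKE_PORT, NAT_T_PORT = 500, 4500

CLIENTS = ["10.0.0.10", "10.0.0.20"]   # constructed inside hosts sharing one public IP
PEER = "203.0.113.1"                   # constructed remote VPN gateway
PUBLIC = "198.51.100.7"                # constructed public address used for PAT


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for ESP: it carries no ports at all
    dport: Optional[int] = None


class PatGateway:
    """One public address shared by every inside host."""

    def __init__(self, public_ip: str, first_dynamic_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_dynamic_port
        self.in_to_out = {}   # (proto, in_ip, in_port, peer, dport) -> translated sport
        self.out_to_in = {}   # (proto, peer, translated sport, dport) -> (in_ip, in_port)

    def _pick_port(self, proto: int, peer: str, dport: int, wanted: int) -> int:
        # Keep the client's own source port when nobody else holds it: this is the
        # "udp 500 to udp 500" entry johnnykman saw in the PIX connection table.
        if (proto, peer, wanted, dport) not in self.out_to_in:
            return wanted
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto == ESP:
            # No ports to rewrite, so the only possible key is the peer address.
            # The most recent inside host to talk to that peer owns the return path.
            self.out_to_in[(ESP, pkt.dst, None, None)] = (pkt.src, None)
            return Packet(ESP, self.public_ip, pkt.dst)
        in_key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        sport = self.in_to_out.get(in_key)
        if sport is None:
            sport = self._pick_port(pkt.proto, pkt.dst, pkt.dport, pkt.sport)
            self.in_to_out[in_key] = sport
            self.out_to_in[(pkt.proto, pkt.dst, sport, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.public_ip, pkt.dst, sport, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from the Internet; None means no entry, dropped."""
        if pkt.proto == ESP:
            key = (ESP, pkt.src, None, None)
        else:
            key = (pkt.proto, pkt.src, pkt.dport, pkt.sport)
        owner = self.out_to_in.get(key)
        if owner is None:
            return None
        in_ip, in_port = owner
        return Packet(pkt.proto, pkt.src, in_ip, pkt.sport, in_port)


def blocked_by_low_port_filter(pkt: Packet, floor: int = 1024) -> bool:
    """Model the VPN-side Internet router from johnnykman's post: it dropped UDP
    with a source port below `floor`, which eats a preserved 500 -> 500 IKE packet."""
    return pkt.proto == UDP and pkt.sport is not None and pkt.sport < floor


def deliver_return_traffic(use_nat_t: bool) -> dict:
    """Return {inside host: inside host that actually received its reply}."""
    gw = PatGateway(PUBLIC)
    translated, result = {}, {}
    for c in CLIENTS:
        gw.outbound(Packet(UDP, c, PEER, IKE_PORT, IKE_PORT))          # IKE phase 1
        if use_nat_t:
            translated[c] = gw.outbound(Packet(UDP, c, PEER, NAT_T_PORT, NAT_T_PORT))
        else:
            translated[c] = gw.outbound(Packet(ESP, c, PEER))          # raw ESP
    for c, out in translated.items():
        # The remote gateway answers exactly what it saw on the wire.
        reply = Packet(out.proto, PEER, PUBLIC, out.dport, out.sport)
        back = gw.inbound(reply)
        result[c] = back.dst if back else None
    return result


if __name__ == "__main__":
    print("raw ESP  :", deliver_return_traffic(False))   # both replies land on one host
    print("NAT-T    :", deliver_return_traffic(True))    # each host gets its own reply
```

Run it and the raw-ESP case shows the first client's return traffic being handed to the second client, which matches the symptom in the original post (tunnel comes up slowly, then nothing passes); with NAT-T each client gets a distinct translated UDP port and its replies come back to the right host. A 1:1 static NAT avoids the problem for the same reason: there is only one inside host per public address, so the peer address alone is enough of a key.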