PIX 515E and static NAT

Discussion in 'Cisco' started by m21att1@gmail.com, Jun 9, 2006.

  1. Guest

    Hi all:

    I am using a PIX 515E to do static NAT so that some of our clients can
    connect to an outside VPN connection that requires 1-to-1 NAT. So I have
    assigned static IPs to those users and then NATted their addresses to
    public IPs, which allows them to connect to the VPN. The problem is
    that these users have problems accessing our internal LAN when I give
    them the static addresses. At first I thought it was only when they
    are connected to the VPN, but as soon as I assign them a static IP
    (that is NATted to a public one) they have intermittent connectivity to
    LAN shares, printers etc. Any help is greatly appreciated.
    , Jun 9, 2006
    #1

  2. You must configure NAT Transparency on the PIX.

    The IPSec NAT Transparency feature introduces support for IPSec traffic
    to travel through NAT or Port Address Translation ( PAT ) points in
    the network by addressing many known incompatibilities between NAT and
    IPSec.

    NAT Transparency uses User Datagram Protocol ( UDP ) port 4500 to
    encapsulate IPSec packets.

    By default, PIX drops all inbound connections coming from the outside.
    You must open this port for NAT Transparency to work.

    Issue this command:

    Pix#config t
    Pix(config)#isakmp nat-traversal

    IPSec NAT Transparency:

    http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110bca.html

    NAT Traversal is a feature that is auto-detected by VPN devices.

    There are no configuration steps for a router that runs Cisco IOS®
    Software Release 12.2(13)T and later.

    If both VPN devices are NAT Transparency capable, NAT Traversal is
    auto-detected and auto-negotiated.

    ----------------------------------------------------

    Hope this helps.

    Brad Reese
    BradReese.Com - Cisco Network Engineer Directory
    http://www.bradreese.com/network-engineer-directory.htm
    1293 Hendersonville Road, Suite 17
    Asheville, North Carolina USA 28803
    USA & Canada: 877-549-2680
    International: 828-277-7272
    Fax: 775-254-3558
    AIM: R2MGrant
    Website: http://www.bradreese.com/contact-us.htm
    BradReese.Com® - Leverage Your Cisco Network, Jun 10, 2006
    #2
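The "auto-detected and auto-negotiated" behaviour described above rests on two RFCs: RFC 3947 (the peers exchange a vendor ID, then NAT-D hashes over the address and port each peer believes it is using) and RFC 3948 (once a NAT is found, IKE and ESP move to UDP/4500, with a four-byte non-ESP marker telling IKE apart from ESP and a one-byte 0xFF keepalive holding the NAT binding open). On a PIX, `isakmp nat-traversal [natkeepalive]` turns that on for IKE negotiations the PIX itself takes part in; the optional argument is the keepalive interval in seconds. The Python below is an added example, not Cisco code and not from the thread: it models the detection and the UDP/4500 framing for a constructed scenario in which an inside host 192.168.1.10 is statically translated to 203.0.113.10, so the NAT-D hash the client sends (computed over its private address) does not match what the remote gateway computes over the address it actually sees. SHA-1 is assumed as the negotiated IKE hash, and the cookies are made up.

```python
import hashlib
import ipaddress
import struct

# Vendor ID a NAT-T capable IKEv1 peer sends in its first message: MD5("RFC 3947").
# Both sides must announce it before NAT detection proceeds (the "auto-negotiation").
NAT_T_VENDOR_ID = hashlib.md5(b"RFC 3947").digest()

# ISAKMP header: I-cookie, R-cookie, next payload, version, exchange type, flags, msgid, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: marks IKE (not ESP) inside UDP/4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948: one-byte keepalive to hold the NAT binding


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 is assumed here as the negotiated IKE hash algorithm."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def nat_between_peers(cky_i: bytes, cky_r: bytes, peer_nat_d: bytes,
                      seen_ip: str, seen_port: int) -> bool:
    """The peer hashed the address it believes it has; we hash the address we
    actually received the packet from. A mismatch means a NAT rewrote it."""
    return nat_d_hash(cky_i, cky_r, seen_ip, seen_port) != peer_nat_d


def classify_udp4500(payload: bytes) -> str:
    """Classify one UDP/4500 datagram body according to RFC 3948 framing."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if payload.startswith(NON_ESP_MARKER) and len(payload) >= 4 + ISAKMP_HDR.size:
        return "ike"
    if len(payload) >= 8 and payload[:4] != NON_ESP_MARKER:
        return "esp"   # ESP SPI 0 is reserved, so any other leading 4 bytes is an ESP SPI
    return "malformed"


def ike_exchange_type(payload: bytes) -> int:
    """Exchange type of an IKE datagram carried on UDP/4500 (after the non-ESP marker)."""
    if classify_udp4500(payload) != "ike":
        raise ValueError("not an IKE datagram")
    return ISAKMP_HDR.unpack_from(payload, 4)[4]


def worked_example() -> dict:
    """Constructed scenario: inside host 192.168.1.10 is statically translated
    to 203.0.113.10 by the PIX; the remote VPN gateway sees the public address."""
    cky_i = bytes.fromhex("0011223344556677")   # constructed cookies
    cky_r = bytes.fromhex("8899aabbccddeeff")
    client_nat_d = nat_d_hash(cky_i, cky_r, "192.168.1.10", 500)
    nat_seen = nat_between_peers(cky_i, cky_r, client_nat_d, "203.0.113.10", 500)
    # After detection both peers move to UDP/4500; an IKE message there carries the marker.
    hdr = ISAKMP_HDR.pack(cky_i, cky_r, 8, 0x10, 5, 0, 0, ISAKMP_HDR.size)  # Informational
    return {
        "nat_detected": nat_seen,
        "vendor_id": NAT_T_VENDOR_ID.hex(),
        "ike_frame": classify_udp4500(NON_ESP_MARKER + hdr),
        "esp_frame": classify_udp4500(bytes.fromhex("0000abcd") + bytes(4)),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

The practical check this gives you: if the remote gateway's logs show NAT-D mismatch and the session stays on UDP/500 with ESP never arriving, the firewall in between is dropping UDP/4500 or ESP rather than anything being wrong with the IKE policy.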

  3. Guest

    BradReese.Com® - Leverage Your Cisco Network wrote:
    > You must configure NAT Transparency on the PIX.
    >
    > The IPSec NAT Transparency feature introduces support for IPSec traffic
    > to travel through NAT or Port Address Translation ( PAT ) points in
    > the network by addressing many known incompatibilities between NAT and
    > IPSec.
    >
    > NAT Transparency uses User Datagram Protocol ( UDP ) port 4500 to
    > encapsulate IPSec packets.
    >
    > By default, PIX drops all inbound connections coming from the outside.
    > You must open this port for NAT Transparency to work.
    >
    > Issue this command:
    >
    > Pix#config t
    > Pix(config)#isakmp nat-traversal
    >
    > IPSec NAT Transparency:
    >
    > http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110bca.html
    >
    > NAT Traversal is a feature that is auto-detected by VPN devices.
    >
    > There are no configuration steps for a router that runs Cisco IOS®
    > Software Release 12.2(13)T and later.
    >
    > If both VPN devices are NAT Transparency capable, NAT Traversal is
    > auto-detected and auto-negotiated.


    Thanks Brad, this has definitely fixed the issue. Thanks so much.

    Matt
    , Jun 14, 2006
    #3
  4. keshav

    For information, IPsec over TCP is not yet supported in PIX releases prior to version 7.0, although it is supported on the VPN Concentrator, which explains why the Cisco VPN Client has an option to configure IPsec over TCP.
    keshav, Jun 25, 2006
    #4
