
Setting Up VPN Connections With NAT


mesagreg

Programmer
Mar 3, 2001
Hi All,

I have both static and dynamic overload NAT translations set up on a router connecting us to the Internet. On the Ethernet port to which my LAN is connected, I have ip NAT inside set up to allow hosts to reach the Internet. On the serial port that connects to our ISP, I have ip NAT outside to allow outside hosts to reach our web servers.

I have received a request for five hosts on our LAN that have addresses in the 192.168.10.xx range to be able to use PPTP to connect to remote servers across the Internet. I have tried connecting with a host that is part of the dynamic overload pool, as well as with it statically mapped to a single IP address. Neither seems to work.

Can anyone point me in the right direction on how to make this work?

Thanks in advance,

Greg
 
How many static IPs do you have? You can direct an internal LAN IP address to a specific WAN IP.

ip nat inside source static 10.1.1.10 140.16.1.254
ip nat outside source static 10.1.1.10 192.168.1.254
ip nat pool iga 140.16.1.1 140.16.1.253 netmask 255.255.255.0
ip nat pool ola 192.168.1.1 192.168.1.253 netmask 255.255.255.0
ip nat inside source list 1 pool iga
ip nat outside source list 2 pool ola

access-list 1 permit 10.2.17.0 0.0.0.255
! Translate all traffic from 10.2.17 internal hosts (IOS access lists take a wildcard mask, not a subnet mask)

access-list 2 permit 10.0.0.0 0.255.255.255
! Translate all externally originated traffic


Q. What is Port Address Translation (PAT), or "NAT overloading"?

A. Port Address Translation (PAT), or Overloading, is a feature of Cisco IOS NAT and can be used to translate "internal" (inside local) private addresses to one or more "outside" (inside global—usually registered) IP addresses. Unique source port numbers on each translation are used to distinguish between the conversations.

With NAT Overload, a translation table entry containing full address and source port information is created.

Q. When configuring for PAT or Overloading, what is the maximum number of translations that can be made per inside global IP address?

A. PAT (Overloading) divides the available ports per global IP address into 3 ranges: "0-511, 512-1023, and 1024-65535". PAT (Overloading) assigns a unique source port for each UDP or TCP session. It will attempt to assign the same port value as the original request, but if the original source port has already been used it will start scanning from the beginning of the particular port range to find the first available port and assign it to the conversation.

Q. How does PAT work?

A. PAT with 1 IP address:

1. NAT/PAT inspects traffic and matches it to a translation rule.

2. The rule matches a PAT config.

3. Does PAT know about the traffic type, and does that traffic type have "a specific port, a set of specific ports, or ports it negotiates" that it will use? If so, set them aside and do not allocate them as unique identifiers.

4. A session with no special port requirements attempts to connect out; PAT translates the IP source address and checks availability of the originating source port, e.g. 433.

Groups are 1-511, 512-1023, 1024-65535.

Note: For TCP and UDP, groups are 1-511, 512-1023, 1024-65535. For ICMP the first group starts at 0.

5. If the requested source port is available, it assigns the source port and the session continues.

6. If the requested source port is not available, NAT starts searching from the beginning of the relevant group, in this example starting at 1 for TCP or UDP applications and 0 for ICMP.

7. If a port is available it is assigned and the session continues.

8. If no ports are available, the packet is dropped.

Jeter@LasVegas.com
J.Fisher CCNA
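The source-port allocation steps above, as an added Python model that is not code from this post or from Cisco IOS: the class name, table layout and sample hosts are assumptions, and the port groups are taken from the note in the answer (ICMP's first group starting at 0).

```python
"""Model of Cisco IOS PAT (NAT overload) source-port allocation (added example).

Implements the rule described in the answer above: try the session's original
source port; if it is already in use, scan from the start of that port's group
(1-511, 512-1023, 1024-65535; for ICMP the first group starts at 0) for the
first free port; if the group is exhausted, the packet is dropped.
"""
from typing import Dict, Optional, Set, Tuple

# Port groups per inside global address, as stated in the answer's note.
TCP_UDP_GROUPS = [(1, 511), (512, 1023), (1024, 65535)]
ICMP_GROUPS = [(0, 511), (512, 1023), (1024, 65535)]

# A conversation is identified by (protocol, inside local address, inside local port).
Key = Tuple[str, str, int]


class PatTable:
    """Translation table for one inside global address (name is an assumption)."""

    def __init__(self, inside_global: str) -> None:
        self.inside_global = inside_global
        self.entries: Dict[Key, int] = {}            # conversation -> global port
        self.used: Dict[str, Set[int]] = {"tcp": set(), "udp": set(), "icmp": set()}

    @staticmethod
    def group_for(proto: str, port: int) -> Tuple[int, int]:
        """Return the (low, high) group that the requested port falls into."""
        groups = ICMP_GROUPS if proto == "icmp" else TCP_UDP_GROUPS
        for lo, hi in groups:
            if lo <= port <= hi:
                return lo, hi
        raise ValueError(f"port {port} has no PAT group for {proto}")

    def translate(self, proto: str, local_addr: str, local_port: int) -> Optional[int]:
        """Return the inside global port for this conversation, or None if dropped."""
        key = (proto, local_addr, local_port)
        if key in self.entries:                      # existing conversation keeps its port
            return self.entries[key]
        used = self.used[proto]
        lo, hi = self.group_for(proto, local_port)
        chosen: Optional[int] = None
        if local_port not in used:                   # step 5: original port is free
            chosen = local_port
        else:                                        # step 6: scan the group from its start
            chosen = next((p for p in range(lo, hi + 1) if p not in used), None)
        if chosen is None:                           # step 8: group exhausted, drop packet
            return None
        used.add(chosen)
        self.entries[key] = chosen
        return chosen
```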
 
Jeter,

Thanks for your response. I think I'm pretty clear on the basics of static NAT and PAT. I'm just not sure why my internal hosts, which I am statically assigning a global inside IP address, cannot successfully log on to the VPN server at the other network. I assume it is a NAT-related issue, since I have other hosts on my DMZ that have global IP addresses, and they can log on successfully.

I have found several posts in this forum that appear to state that you must use a mapping between the internal hosts that need remote (dial-out) access and a global IP, i.e., you can't use PAT on those hosts. But even when I assign them a static IP address in my NAT table, I can't successfully connect. I have removed all access lists, and still no luck.
 