PIX 515E and static NAT

Hi all:

I am using a PIX 515E to do static NAT so that some of our clients can connect to an outside VPN connection that requires 1-1 NAT. So I have assigned static IPs to those users and then natted their addresses to public IPs, which allows them to connect to the VPN. The problem is that these users have problems accessing our internal LAN when I give them the static addresses. At first I thought it was only when they are connected to the VPN, but as soon as I assign them a static IP (that is natted to a public one) they have intermittent connectivity to LAN shares, printers, etc. Any help is greatly appreciated.

m21att1

You must configure NAT Transparency on the PIX.

The IPSec NAT Transparency feature introduces support for IPSec traffic to travel through NAT or Point Address Translation (PAT) points in the network by addressing many known incompatibilities between NAT and IPSec.

NAT Transparency uses User Datagram Protocol (UDP) port 4500 to encapsulate IPSec packets.

By default, PIX drops all inbound connections coming from the outside. You must open this port for NAT Transparency to work.

Issue this command:

Pix#config t
Pix(config)#isakmp nat-traversal

IPSec NAT Transparency:

NAT Traversal is a feature that is auto-detected by VPN devices.

There are no configuration steps for a router that runs Cisco IOS® Software Release 12.2(13)T and later.

If both VPN devices are NAT Transparency capable, NAT Traversal is auto-detected and auto-negotiated.

----------------------------------------------------

Hope this helps.

Brad Reese BradReese.Com - Cisco Network Engineer Directory

Hendersonville Road, Suite 17 Asheville, North Carolina USA 28803 USA & Canada: 877-549-2680 International: 828-277-7272 Fax: 775-254-3558 AIM: R2MGrant

BradReese.Com
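
The reply above says NAT Transparency carries IPSec inside UDP port 4500. As an added example (not part of the original post), this Python sketch shows how a capture or firewall log reviewer can tell what a UDP/4500 payload holds, using the RFC 3948 framing; the function name and the sample bytes are constructed for illustration.

```python
import struct

NAT_T_PORT = 4500      # UDP port named in the reply above
IKE_HEADER_LEN = 28    # fixed ISAKMP/IKE header size in bytes

def classify_natt_payload(payload: bytes) -> dict:
    """Classify one UDP payload seen on port 4500 (RFC 3948 framing)."""
    if payload == b"\xff":
        # Single 0xFF octet: NAT keepalive that holds the NAT mapping open.
        return {"kind": "nat-keepalive"}
    if len(payload) < 4:
        return {"kind": "malformed", "reason": "shorter than SPI/marker"}
    (first_word,) = struct.unpack("!I", payload[:4])
    if first_word == 0:
        # Four zero bytes are the non-ESP marker: an IKE message follows.
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            return {"kind": "malformed", "reason": "truncated IKE header"}
        (_i_spi, _r_spi, _next, version, exchange, _flags,
         _msg_id, length) = struct.unpack("!8s8sBBBBII", ike[:IKE_HEADER_LEN])
        return {"kind": "ike",
                "version": f"{version >> 4}.{version & 0x0F}",
                "exchange_type": exchange,
                "length_ok": length == len(ike)}
    # Otherwise the first word is a non-zero ESP SPI, then a sequence number.
    if len(payload) < 8:
        return {"kind": "malformed", "reason": "truncated ESP header"}
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq}

# Constructed sample payloads (not taken from a real capture).
SAMPLE_KEEPALIVE = b"\xff"
SAMPLE_IKE = (b"\x00" * 4
              + struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8,
                            5, 0x10, 2, 0x01, 0, 36)
              + b"\xaa" * 8)
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + b"\xbb" * 32

def summarize(payloads):
    """Return the kind of each payload, in order."""
    return [classify_natt_payload(p)["kind"] for p in payloads]

if __name__ == "__main__":
    for p in (SAMPLE_KEEPALIVE, SAMPLE_IKE, SAMPLE_ESP, b"\x00\x00"):
        print(classify_natt_payload(p))
```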

Thanks Brad, this has definitely fixed the issue. Thanks so much.

Matt

m21att1
