Thread: VPN needs 1 to 1 NAT connection [CISCO 2620]

  1. #1

    Anyone know how to configure a Cisco 2620 router for a 1 to 1 NAT connection? Trying to set up a Verizon VPN connection. Was told that I need to hard code the local IPs statically, and set up a 1 to 1 NAT connection to the external location. Problem is, I've never so much as even heard of a "NAT" connection. I have NO idea how to do this. I've set up a HyperTerminal session, and have connectivity to the router right now, but I don't know the first thing about doing this...

    Any ideas???

  2. #2
    Join Date
    Nov 2003
    Posts
    399
    Well, I'm a "certified Cisco firewall specialist" and have set up several hundred VPNs, but I'm not sure what you are saying. Are you setting up a site to site VPN between two routers? If so, then you only have to do a 1-1 NAT if you have overlapping IP address schemes at both sites. For instance, if you have 2 sites that both have 192.168.1.0/24 networks and computers on each side have the same IP addresses, you can do a 1-1 NAT so they see each other by a different address. Is this what you are doing? Otherwise, if you have a site with 192.168.1.0/24 and a site with 192.168.2.0/24, then you configure the VPN and use ACLs to define interesting traffic to go through the tunnel.

  3. #3
    Join Date
    Apr 2002
    Location
    NC
    Posts
    2,384
    The idea is simple enough. Here is how it works.
    Assume you have a working router connected via DSL to the internet and have been assigned an extra IP from your ISP - like 204.27.11.14.

    On the router:
    You take the valid internet address, 204.27.11.14, and you want VPN traffic to travel to that IP and then have it translated via NAT into an internal statically assigned IP, let's say 192.168.1.140. You assign this 192.168.x.x IP to your computer that will be the end point for the VPN. When the traffic comes into the Cisco 2600 you also need to tell it what port. Let's assume PPTP and port 1723. You could do this:
    ena
    conf t
    ip nat inside source static tcp 192.168.11.14 1723 204.27.11.14 1723 extendable
    ! the LAN-side interface (use whatever your interface is)
    int eth 0
    ip nat inside
    ! NAT only translates between an "inside" and an "outside" interface,
    ! so the interface facing the ISP also needs this (interface name assumed)
    int serial 0
    ip nat outside

    This applies the static mapping to the interfaces.

    What this says is: traffic coming to 204.27.11.14 on port 1723 is mapped to 192.168.11.14 on port 1723.

    You will want to set up an ACL as well, but the basics of adding a NAT public --> private mapping are above. This can work for any port.

    Look here for more detailed help.
    http://vpn.shmoo.com/vpn/vpn-howto.html

  4. #4
    Join Date
    Nov 2003
    Posts
    399
    OK, let's play nice this time. I see what you are saying, and it is what I explained in the other VPN post, but they had a single public address and NAT-T would be used; the command you used was a port forwarding command, not NAT 1-1. I know it sounds stupid, but it is a big difference here. Let's see if I can explain, because this is really important to understand. If I had a router set up with a public address that was set for PAT (overload), allowing all the computers inside my LAN to use that single address to talk to the internet, and then put your port forwarding command with a second public address, the server would actually respond out the PAT public address like it always did before. So basically it would receive on the second IP address and send out the first address, which would be bad; with a NAT 1:1 it will send and receive using the second NAT address. Remember, NAT is a one-to-one translation: only the IP address gets translated. With PAT it is a many-to-one translation, so the port and the IP get translated, which is why they use NAT-T on the clients. (I actually put a sniffer in and watched this happen when studying for my advanced PIX firewall test, doing a site to site VPN between an IOS firewall router and a PIX. Very cool.)

    So the command would be:

    ip nat inside source static 192.168.11.14 204.27.11.14

    with an ACL to only allow the VPN through:

    ip access-list extended VPNACL
     permit tcp any host 204.27.11.14 eq 1723
     deny ip any any

    This way all ports to and from the server are translated as a one to one with the public secondary address.

    There are a lot of scenarios this could be. I am assuming the router will be the VPN end point and they need to either NAT all the internal clients or tell it not to PAT them through the tunnel. But I really need a better description of what they are trying to do.

    > Was told that I need to hard code the local IPs statically, and set up a 1 to 1 NAT connection to the external location.

    PAT is also referred to as NAPT (network address port translation).
    Last edited by juniper; 10-20-2005 at 10:58 PM.
    Everything I write is just my opinion so dont hold me liable.
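A complete configuration that puts the two answers together (a 1:1 static NAT for the VPN host, PAT for the rest of the LAN, and the inbound filter), as an added example that is not from either poster. It assumes FastEthernet0/0 is the LAN side, Serial0/0 is the DSL/ISP side, the LAN is 192.168.11.0/24, the ISP routes the extra public address 204.27.11.14 to this router, and the VPN end point is a PPTP server at 192.168.11.14; the router's own WAN address 204.27.11.2 is a made-up value. The stateful inspection at the end needs the IOS Firewall feature set.

```cisco
! Added example (not from the thread). Interface names, the LAN subnet and
! the router's WAN address are assumptions; 192.168.11.14 and 204.27.11.14
! are the addresses used in the thread.
!
interface FastEthernet0/0
 description LAN side (inside)
 ip address 192.168.11.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 description ISP side (outside) - address is a made-up example value
 ip address 204.27.11.2 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect LAN-OUT out
!
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
! One-to-one NAT: every protocol and port of 192.168.11.14 is translated to
! 204.27.11.14 in both directions, so the server also SENDS from 204.27.11.14.
! The port-specific form "ip nat inside source static tcp ... 1723 ... 1723"
! would cover only tcp/1723 and leave GRE and everything else to the PAT rule.
ip nat inside source static 192.168.11.14 204.27.11.14
!
! Everyone else shares the router's own WAN address (PAT / overload).
! The VPN host is excluded so none of its traffic falls through to the overload.
ip access-list standard PAT-HOSTS
 deny   host 192.168.11.14
 permit 192.168.11.0 0.0.0.255
ip nat inside source list PAT-HOSTS interface Serial0/0 overload
!
! Inbound filter on the outside interface: only PPTP control (tcp/1723) and
! its GRE data channel may reach the VPN host's public address; everything
! else is dropped and logged. Replies to the PAT hosts are admitted by the
! stateful inspection below, not by this list.
ip access-list extended OUTSIDE-IN
 remark PPTP control channel
 permit tcp any host 204.27.11.14 eq 1723
 remark PPTP data channel (GRE, IP protocol 47)
 permit gre any host 204.27.11.14
 deny   ip any any log
!
! Stateful inspection (IOS Firewall feature set): outbound tcp/udp sessions
! from the LAN open temporary return entries in OUTSIDE-IN. Without this,
! the final "deny ip any any" would also block replies to the PAT hosts.
ip inspect name LAN-OUT tcp
ip inspect name LAN-OUT udp
```

After applying it, `show ip nat translations` should list the static entry `204.27.11.14 --- 192.168.11.14` permanently and dynamic `204.27.11.2:port` entries only for the other LAN hosts; `show ip inspect sessions` shows the return entries being opened for the PAT hosts. The `log` keyword on the final deny is what lets you see, in the router's syslog, unsolicited traffic aimed at the secondary address.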
