[nsp] Really strange NAT Problem

Adam Debus adam-lists at reachone.com
Fri Feb 13 18:29:32 EST 2004


I've got a really odd NAT problem with a Cisco 3620 running 12.2.10d

In this particular scenario my router is acting as the middleman between the
Internet (and another one of my customers) and a private access network for
another customer.

On the side of my customer, they have a Checkpoint firewall (NGAI) running
on a Win2k box.
On the side of the county, they have a PIX 515 protecting a Cisco 3005 VPN
Concentrator.

I have the aforementioned 3620, at the physical location of the private
access network, with two connections to the outside world: 1 FastEthernet to
a wireless network and 1 T1. I have a second FastEthernet port to the
private network. I'm running routing protocols on the outside ports to
provide high availability. I have a Loopback port set up with a public IP for
the NAT translations.

What is happening is this: Both sides report that the VPN tunnel is being
established. When the customer with the PIX tries to ping via the VPN to the
customer with the Checkpoint, my 3620 gives me the following info from a
"debug ip nat":

Feb 13 14:51:50 PST: NAT: translation failed (A), dropping packet
s=192.168.x.252 d=x.x.232.14

Additionally, when the VPN is not configured on the Checkpoint, I can do a
"ping ip" and ping from the 234.137 address to the 232.14 address. However,
when the VPN is configured on the Checkpoint, I cannot. I can ping from any
other address on the router, and it works fine no matter what.

Here are the relevant portions of my configuration:

interface Loopback0
 ip address x.x.234.137 255.255.255.255
 ip nat outside
!
interface FastEthernet0/0
 ip address x.x.237.18 255.255.255.248
 no ip redirects
 no ip unreachables
 ip nat outside
 ip rip authentication key-chain Wireless
 ip route-cache flow
 duplex auto
 speed auto
!
interface Serial0/0
 ip address x.x.232.22 255.255.255.252
 ip nat outside
 ip route-cache flow
!
interface FastEthernet0/1
 ip address 192.168.x.253 255.255.255.0
 ip nat inside
 ip route-cache flow
 duplex auto
 speed auto

ip nat inside source list 1 interface Loopback0 overload
ip nat inside source static tcp 192.168.x.252 10000 interface Loopback0 10000
ip nat inside source static udp 192.168.x.252 4500 interface Loopback0 4500
ip nat inside source static udp 192.168.x.252 500 interface Loopback0 500
ip nat inside source static tcp 192.168.x.252 500 interface Loopback0 500
ip nat inside source static udp 192.168.x.252 51 interface Loopback0 51
ip nat inside source static tcp 192.168.x.252 51 interface Loopback0 51
ip nat inside source static udp 192.168.x.252 50 interface Loopback0 50
ip nat inside source static tcp 192.168.x.252 50 interface Loopback0 50

access-list 1 permit 192.168.x.0 0.0.0.255
access-list 1 deny   any

Thanks,

Adam Debus
Network Engineer, ReachONE Internet
adam at reachone.com
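The static entries in the posted configuration map TCP/UDP "ports" 50 and 51 to Loopback0, but ESP and AH are IP protocol numbers 50 and 51, not ports, so a port-level static translation can never match an ESP or AH packet. The following linter is an added example, not code from the original post or from Cisco: it scans `ip nat inside source static` lines in the exact `... interface <name> <port>` form used above and flags mappings that confuse the IPsec protocol numbers with ports. The sample configuration embedded in it is constructed for the example (the inside host 192.168.1.252 and the line layout are assumptions that mirror the post's structure, not its real addresses), and the `extendable` keyword and the `<local> <port> <global-ip> <port>` form are deliberately not handled.

```python
"""Lint Cisco IOS static NAT entries for common IPsec pass-through mistakes.

Added example; it is not part of the original mailing-list post.
It only understands the 'ip nat inside source static {tcp|udp} <local> <lport>
interface <iface> <gport>' form that appears in the post.
"""
import re
from dataclasses import dataclass
from typing import List

# IP protocol numbers used by IPsec. These are NOT TCP/UDP port numbers:
# ESP and AH packets carry no port fields at all.
IP_PROTO_ESP = 50
IP_PROTO_AH = 51

# UDP ports used by IKE and by NAT-Traversal (ESP encapsulated in UDP).
UDP_PORT_IKE = 500
UDP_PORT_NATT = 4500

STATIC_PORT_RE = re.compile(
    r"^\s*ip nat inside source static (?P<proto>tcp|udp) (?P<local>\S+) "
    r"(?P<lport>\d+) interface (?P<iface>\S+) (?P<gport>\d+)\s*$"
)


@dataclass
class Finding:
    severity: str   # "error" or "info"
    lineno: int     # 1-based line number within the supplied config text
    text: str       # the offending config line, stripped
    message: str


def lint_nat_config(config: str) -> List[Finding]:
    """Return findings for static NAT lines that mishandle IPsec traffic."""
    findings: List[Finding] = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = STATIC_PORT_RE.match(line)
        if not m:
            continue
        proto = m["proto"]
        lport, gport = int(m["lport"]), int(m["gport"])
        ipsec_protos = {IP_PROTO_ESP: "ESP", IP_PROTO_AH: "AH"}
        hit = next((p for p in (lport, gport) if p in ipsec_protos), None)
        if hit is not None:
            # A tcp/udp port numbered 50 or 51 has nothing to do with ESP/AH.
            findings.append(Finding(
                "error", lineno, line.strip(),
                f"{proto} port {hit} is not IP protocol {hit} ({ipsec_protos[hit]}); "
                "ESP/AH have no ports, so this entry never matches IPsec traffic. "
                "Use a one-to-one 'ip nat inside source static <local> <global>' "
                "for the VPN endpoint, or rely on NAT-T (UDP 4500) to carry ESP in UDP.",
            ))
        elif proto == "tcp" and lport in (UDP_PORT_IKE, UDP_PORT_NATT):
            # IKE and NAT-T run over UDP; a tcp mapping on these ports is dead weight.
            findings.append(Finding(
                "info", lineno, line.strip(),
                f"IKE/NAT-T use UDP {lport}; a tcp mapping on this port is unnecessary.",
            ))
    return findings


def udp_ipsec_ports_mapped(config: str, local_host: str) -> bool:
    """True if both UDP 500 (IKE) and UDP 4500 (NAT-T) are statically mapped
    to local_host with the same port on the outside."""
    needed = {UDP_PORT_IKE, UDP_PORT_NATT}
    seen = set()
    for line in config.splitlines():
        m = STATIC_PORT_RE.match(line)
        if m and m["proto"] == "udp" and m["local"] == local_host \
                and m["lport"] == m["gport"]:
            seen.add(int(m["lport"]))
    return needed <= seen


# Constructed sample modelled on the post's layout; addresses are made up.
SAMPLE_CONFIG = """\
ip nat inside source list 1 interface Loopback0 overload
ip nat inside source static tcp 192.168.1.252 10000 interface Loopback0 10000
ip nat inside source static udp 192.168.1.252 4500 interface Loopback0 4500
ip nat inside source static udp 192.168.1.252 500 interface Loopback0 500
ip nat inside source static tcp 192.168.1.252 500 interface Loopback0 500
ip nat inside source static udp 192.168.1.252 51 interface Loopback0 51
ip nat inside source static tcp 192.168.1.252 51 interface Loopback0 51
ip nat inside source static udp 192.168.1.252 50 interface Loopback0 50
ip nat inside source static tcp 192.168.1.252 50 interface Loopback0 50
"""

if __name__ == "__main__":
    for f in lint_nat_config(SAMPLE_CONFIG):
        print(f"[{f.severity}] line {f.lineno}: {f.text}\n    {f.message}")
    print("IKE + NAT-T mapped:", udp_ipsec_ports_mapped(SAMPLE_CONFIG, "192.168.1.252"))
```

Run against the constructed sample it reports the four `tcp`/`udp` 50 and 51 entries as errors and the `tcp 500` entry as informational; the two UDP mappings the VPN actually needs (500 and 4500) pass. Whether the overload PAT on the same Loopback0 interacts with the remaining static entries is outside what this check looks at.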



More information about the cisco-nsp mailing list