NAT server and NAT static

Latest reply: Oct 14, 2019 03:11:14

NAT server and NAT static are two commonly used techniques.

For access from the public network to the private network, the NAT server and NAT static modes behave the same. For access from the private network to the public network, the NAT server mode translates only the IP address, while the NAT static mode translates both the IP address and the port. The two are easy to confuse. Let me share a related case with you.

Problem Description

Topology: device --- Tunnel ---AR1220----

The AR1220 establishes an IPsec tunnel with the peer device. After the tunnel is established, the internal IP addresses of the two ends can ping each other. However, the internal network gateway of the AR1220 ( cannot telnet to the internal network gateway of the peer device.

Handling Procedure

1. Check the encrypted data flow and the IPsec SA tunnel information at both ends. The information is normal. The related information is as follows:

dis ipsec sa
Interface: GigabitEthernet0/0/0
Path MTU: 1500
  IPSec policy name: "center_vpn"
  Sequence number  : 1
  Acl group        : 0
  Acl rule         : 0
  Mode             : Template
    Connection ID     : 1481
    Encapsulation mode: Tunnel
    Tunnel local      : 172.x.20.10
    Tunnel remote     : 172.x.10.10
    Flow source       : 0/0
    Flow destination  : 0/0
    Qos pre-classify  : Disable
    Qos group         : -

    [Outbound ESP SAs]
      SPI: 3354115212 (0xc7ebbc8c)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-MD5
      SA remaining key duration (bytes/sec): 0/2949
      Outpacket count       : 0          
      Outpacket encap count : 0          
      Outpacket drop count  : 0          
      Max sent sequence-number: 0        
      UDP encapsulation used for NAT traversal: N
    [Inbound ESP SAs]                    
      SPI: 1560642734 (0x5d0584ae)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-MD5
      SA remaining key duration (bytes/sec): 0/2949
      Inpacket count        : 0
      Inpacket decap count  : 0
      Inpacket drop count   : 0
      Max received sequence-number: 0
      Anti-replay window size: 32
      UDP encapsulation used for NAT traversal: N
dis ike sa
    Conn-ID  Peer            VPN   Flag(s)                Phase 
     1481    172.x.10.10   0     RD                     2    
     1478    172.x.10.10   0     RD                     1    

2. Run display ipsec statistics esp. No packet statistics are collected during the telnet test, while packet statistics are collected during the ping test.

dis ipsec statistics esp
Inpacket count            : 0
Inpacket auth count       : 0
Inpacket decap count      : 0
Outpacket count           : 0
Outpacket auth count      : 0
Outpacket encap count     : 0
Inpacket drop count       : 0
Outpacket drop count      : 0
BadAuthLen count          : 0
AuthFail count            : 0
InSAAclCheckFail count    : 0
PktDuplicateDrop count    : 0
PktSeqNoTooSmallDrop count: 0
PktInSAMissDrop count     : 0

3. The captured packets and traffic statistics show that the AR1220 does send Telnet packets.

Interface: Vlanif1
Traffic policy inbound: a
Rule number: 1
Current status: OK!
Item                    Sum(Packets/Bytes)               Rate(pps/bps)
Matched                           1/90                          1/96          
   Passed                          1/90                          1/96          
   Dropped                         0/0                           0/0           
     Filter                        0/0                           0/0           
     CAR                           0/0                           0/0           
   Queue Matched                   0/0                           0/0           
     Enqueued                      0/0                           0/0           
     Discarded                     0/0                           0/0           
   CAR                             0/0                           0/0           
     Green packets                 0/0                           0/0           
     Yellow packets                0/0                           0/0           
     Red packets                   0/0                           0/0      

The preceding information indicates that the AR1220 sends telnet packets from 192.168.9.253 but does not forward them through IPsec encryption. It is suspected that the device performs IPsec encryption for ICMP packets and uses other forwarding processes for non-ICMP packets.

4. Check the configuration on the interface. It is found that nat server is configured for the address so that the external network can access the intranet address and its port number.

interface GigabitEthernet0/0/0
 description to_Internet
 tcp adjust-mss 1200
 ip address 172.XX.20.10
 nat server protocol tcp global current-interface 8080 inside 8080
 nat outbound 3000
 ipsec policy center_vpn

Check the NAT session of the address. It is found that the data packets are translated to the public network when the accesses the peer address.


5. After nat server is changed to nat static, telnet works normally.

nat static protocol tcp global current-interface 8080 inside 8080

Root Cause

nat server is configured on the outbound interface of the public network. As a result, NAT is performed on all the TCP packets sent from the Therefore, the translated packets cannot enter the IPsec tunnel. After the configuration is changed to nat static protocol tcp global current-interface 8080 inside 8080, services are normal. With nat static, NAT is performed only when the source address is and the TCP port number is 8080. Therefore, the communication is normal after nat server is changed to nat static.

MVE Created Oct 11, 2019 13:24:36
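The forwarding behaviour described in the post above, as an added example that is not part of the original post and not Huawei code: a small Python model in which an outbound packet passes through the interface's NAT rule before the IPsec selector is consulted. It parses the two command forms shown in the post, applies nat server (source IP rewritten for every TCP packet from the inside host, port untouched) or nat static (IP and port rewritten only when the source port is the mapped port 8080), and then checks whether the result still matches a private-to-private tunnel selector. The inside host 192.168.9.253 (the telnet source seen in step 3), the peer subnet 192.168.8.0/24, the unmasked WAN address 172.16.20.10 and the selector itself are assumptions: the post's nat server line has the inside address elided, its IPsec ACL is not shown, and the nat outbound 3000 rule is not modelled.

```python
"""
Model of NAT-before-IPsec forwarding on the AR1220 from the post.
Added example, not code from the post or from Huawei. The translation
semantics follow the post's root-cause analysis; all addresses are assumed.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
import re


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0    # 0 for icmp
    dport: int = 0


@dataclass(frozen=True)
class NatRule:
    kind: str         # "server" or "static"
    proto: str
    global_ip: str
    global_port: int
    inside_ip: str
    inside_port: int


# Matches the two command forms shown in the post (inside address assumed), e.g.
#   nat server protocol tcp global current-interface 8080 inside 192.168.9.253 8080
#   nat static protocol tcp global current-interface 8080 inside 192.168.9.253 8080
_RULE_RE = re.compile(
    r"nat (server|static) protocol (\w+) global (\S+) (\d+) inside (\S+) (\d+)$")


def parse_nat_rule(line: str, interface_ip: str) -> NatRule:
    """Parse one 'nat server'/'nat static' line; 'current-interface'
    resolves to the address of the interface the rule sits on."""
    m = _RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported nat command: {line!r}")
    kind, proto, gip, gport, iip, iport = m.groups()
    if gip == "current-interface":
        gip = interface_ip
    return NatRule(kind, proto, gip, int(gport), iip, int(iport))


def apply_outbound_nat(pkt: Packet, rule: NatRule) -> Packet:
    """Translate an inside->outside packet as the post describes:
    nat server rewrites the source IP of every packet of the rule's protocol
    sent by the inside host and leaves the port alone; nat static rewrites
    IP and port, but only when the source port is the mapped inside port."""
    if pkt.proto != rule.proto or pkt.src != rule.inside_ip:
        return pkt
    if rule.kind == "server":
        return replace(pkt, src=rule.global_ip)
    if rule.kind == "static" and pkt.sport == rule.inside_port:
        return replace(pkt, src=rule.global_ip, sport=rule.global_port)
    return pkt


# Assumed interesting-traffic selector of the site-to-site tunnel: the two
# private subnets. The post does not show its ACL, so this is an assumption.
LOCAL_LAN = ip_network("192.168.9.0/24")
PEER_LAN = ip_network("192.168.8.0/24")   # hypothetical peer subnet


def matches_ipsec_selector(pkt: Packet) -> bool:
    return ip_address(pkt.src) in LOCAL_LAN and ip_address(pkt.dst) in PEER_LAN


def forward(pkt: Packet, rule: NatRule) -> str:
    """Return 'ipsec' if the packet enters the tunnel after NAT, else 'plain'.
    NAT runs before the IPsec selector is consulted, so a translated source
    address falls out of the tunnel and is forwarded in clear text."""
    translated = apply_outbound_nat(pkt, rule)
    return "ipsec" if matches_ipsec_selector(translated) else "plain"


WAN_IP = "172.16.20.10"   # stand-in for the post's masked 172.x.20.10
INSIDE = "192.168.9.253"  # telnet source seen in step 3 of the post
PEER_GW = "192.168.8.1"   # hypothetical peer internal gateway

SERVER_RULE = parse_nat_rule(
    f"nat server protocol tcp global current-interface 8080 inside {INSIDE} 8080", WAN_IP)
STATIC_RULE = parse_nat_rule(
    f"nat static protocol tcp global current-interface 8080 inside {INSIDE} 8080", WAN_IP)

# Constructed test traffic: the ping that worked and the telnet that failed.
PING = Packet("icmp", INSIDE, PEER_GW)
TELNET = Packet("tcp", INSIDE, PEER_GW, sport=51234, dport=23)

if __name__ == "__main__":
    for name, rule in (("nat server", SERVER_RULE), ("nat static", STATIC_RULE)):
        print(f"{name}: ping -> {forward(PING, rule)}, telnet -> {forward(TELNET, rule)}")
```

With the nat server rule the telnet packet leaves with the WAN address as its source and no longer matches the selector, while ICMP is untouched by a protocol tcp rule, which reproduces ping working and telnet failing. With nat static the telnet packet, whose ephemeral source port is not 8080, is left alone and enters the tunnel; only replies from the published port 8080 are translated.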

Admin Created Oct 14, 2019 03:11:14

We often mix them up.