Concentrator NAT and PAT

When connecting the VPN 3000 Concentrator to other networks, it might be necessary to translate the IP addresses of packets that pass through the concentrator. This is especially true when the remote networks to which you connect use the same IP subnets that reside behind the concentrator, so that the address ranges overlap. By using NAT and PAT, you can translate internal IP addresses into a single outside address or into several. In these cases, you define NAT rules in the VPN Concentrator that specify which networks are to be translated into the outside IP address(es). The NAT rules you create can be applied either to interfaces or to LAN-to-LAN tunnels (discussed in the "IPSec LAN-to-LAN NAT" section).

In the Configuration | Policy Management | Traffic Management | NAT | Interface Rules | Add or Modify screen, you can define the parameters necessary to perform PAT on an interface. As shown in Figure 6.15, the NAT Interface Rules screen presents you with a choice of interfaces on which the NAT rule is to be applied. The Private Address fields determine the IP address or IP network that is to be translated with PAT. In the check boxes that follow, specify whether you want portless protocols (non-TCP and non-UDP) to be translated. By default, the concentrator has the TCP and UDP port mappings checked, so outgoing TCP and UDP traffic from the private network is translated to the public interface's address and mapped to corresponding ports on that interface. In addition, when TCP port mapping is used, the VPN Concentrator can perform FTP proxy functions to maintain mappings for FTP data connections initiated from the private network. This is necessary because an FTP client requests a specific port for the data transfer when it connects to an FTP server. If a NAT device translates that request to a different port, the host listening on the port it requested never receives the data on that port and therefore does not process it.
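To make concrete why the FTP proxy matters, here is an added Python model of a single PAT interface rule. It is example code written for this page, not code from the book or from the VPN 3000 software. It translates one private network to one public address, exposes the TCP, UDP and portless check boxes and the FTP proxy as options, and runs an active-mode FTP PORT exchange with and without the proxy. The addresses (10.1.1.0/24 private, 198.51.100.1 public, 203.0.113.9 as the FTP server), the sequential public-port allocation and the simplification that only one private host may own portless traffic on the public address are all assumptions made for the example.

```python
"""Toy PAT translator modelling one interface NAT rule (constructed example, not the concentrator's code)."""
import ipaddress
import re
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Hypothetical addresses: 10.1.1.0/24 sits behind the concentrator, 198.51.100.1 is the
# public interface address and 203.0.113.9 is a remote FTP server.
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


@dataclass(frozen=True)
class Flow:
    proto: str        # "tcp", "udp" or a portless protocol such as "icmp"
    src_ip: str
    src_port: int     # 0 for portless protocols
    dst_ip: str
    dst_port: int


class PatRule:
    """One interface NAT rule: many private hosts share one public address, told apart by port."""

    def __init__(self, private_net: str, public_ip: str, tcp: bool = True,
                 udp: bool = True, portless: bool = False, ftp_proxy: bool = True):
        self.private_net = ipaddress.ip_network(private_net)
        self.public_ip = public_ip
        self.enabled = {"tcp": tcp, "udp": udp}
        self.portless = portless
        self.ftp_proxy = ftp_proxy
        self.next_port = 1024                      # assumption: public ports handed out sequentially
        self.fwd = {}                              # (proto, private_ip, private_port) -> public_port
        self.rev = {}                              # (proto, public_port) -> (private_ip, private_port)
        self.portless_owner: Optional[str] = None  # assumption: one private host per public address

    def _map(self, proto: str, ip: str, port: int) -> int:
        key = (proto, ip, port)
        if key not in self.fwd:
            self.fwd[key] = self.next_port
            self.rev[(proto, self.next_port)] = (ip, port)
            self.next_port += 1
        return self.fwd[key]

    def outbound(self, f: Flow, payload: bytes = b"") -> Optional[Tuple[Flow, bytes]]:
        """Translate a packet leaving the private side; None means the rule drops it."""
        if ipaddress.ip_address(f.src_ip) not in self.private_net:
            return f, payload                      # rule does not match, pass unchanged
        if f.proto not in self.enabled:            # portless protocol: nothing to multiplex on
            if not self.portless or self.portless_owner not in (None, f.src_ip):
                return None
            self.portless_owner = f.src_ip
            return replace(f, src_ip=self.public_ip), payload
        if not self.enabled[f.proto]:
            return None
        pub_port = self._map(f.proto, f.src_ip, f.src_port)
        if self.ftp_proxy and f.proto == "tcp" and f.dst_port == 21:
            payload = self._fix_port_command(f.src_ip, payload)
        return replace(f, src_ip=self.public_ip, src_port=pub_port), payload

    def _fix_port_command(self, private_ip: str, payload: bytes) -> bytes:
        """FTP proxy: rewrite an active-mode PORT command and pre-create the data mapping."""
        m = PORT_RE.match(payload)
        if not m:
            return payload
        h = [int(x) for x in m.groups()]
        data_port = h[4] * 256 + h[5]              # port the client will listen on
        pub_port = self._map("tcp", private_ip, data_port)
        octets = self.public_ip.replace(".", ",").encode()
        return b"PORT %s,%d,%d\r\n" % (octets, pub_port // 256, pub_port % 256)

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Translate a packet arriving on the public interface; None means no mapping, dropped."""
        if f.dst_ip != self.public_ip:
            return None
        if f.proto not in self.enabled:
            return replace(f, dst_ip=self.portless_owner) if self.portless_owner else None
        hit = self.rev.get((f.proto, f.dst_port))
        if hit is None:
            return None
        return replace(f, dst_ip=hit[0], dst_port=hit[1])


def ftp_active_mode(ftp_proxy: bool) -> Tuple[bytes, Optional[Flow]]:
    """Client 10.1.1.5 asks for data port 5001; the server then opens the data connection."""
    rule = PatRule("10.1.1.0/24", "198.51.100.1", ftp_proxy=ftp_proxy)
    ctrl = Flow("tcp", "10.1.1.5", 40000, "203.0.113.9", 21)
    _, sent = rule.outbound(ctrl, b"PORT 10,1,1,5,19,137\r\n")   # 19*256+137 = 5001
    # The server connects to whatever address and port the PORT command it received names.
    h = [int(x) for x in PORT_RE.match(sent).groups()]
    data = Flow("tcp", "203.0.113.9", 20, ".".join(map(str, h[:4])), h[4] * 256 + h[5])
    return sent, rule.inbound(data)


if __name__ == "__main__":
    for proxy in (True, False):
        sent, delivered = ftp_active_mode(proxy)
        print(f"ftp_proxy={proxy}: client sent {sent!r}; data connection delivered to {delivered}")
```

With the proxy on, the PORT command leaves the public interface naming 198.51.100.1 and the public port that was pre-mapped to 10.1.1.5:5001, so the server's data connection is translated back to the client. With it off, the command still names the private address and port, which the server cannot reach, and nothing arriving at the public interface matches a mapping.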

Figure 6.15. Concentrator Interface NAT rules.


A necessary final step to complete the NAT rule process is to enable the NAT rules. In the Configuration | Policy Management | Traffic Management | NAT | Enable screen, you are presented with two check boxes (Figure 6.16). Fill the check boxes accordingly to enable the defined NAT rules. It is recommended that you define the NAT rules before you enable them on this screen.

Figure 6.16. NAT rules enable screen.


CCSP CSVPN Exam Cram 2 (Exam Cram 642-511)
ISBN: 078973026X
Year: 2002