02-04-2014 05:23 AM
I'm in the process of troubleshooting a customer's challenge with certain VPN traffic (drops I'm told). I'm going to site tomorrow to see what the traffic looks like (I.e. NAT-T, but possibly something else).
In the meantime, I'm looking at the controller remotely, wondering if it's something to do with NAT limits.
The controller is NAT'ing users, to a single public IP at the moment. There's about 1500 users.
Can anyone suggest a CLI command that accurately shows a summary of the current outbound NAT translations and/or sessions? In terms of maximum possible and current active? Rather than looking through the entire session table which is massive as you'd expect!
02-04-2014 12:03 PM
This isn't necessarily what you looking for but maybe it could help :
(HOME-MASTER-CONTROLLER) #show datapath nat table
Datapath NAT Table Entries
Pool SIP Start SIP End DIP
---- --------------- --------------- ---------------
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
02-05-2014 02:23 AM
I have a suspicion that the VPN traffic type my customer has in question is PPTP. Haven't got to site yet due to transport disruption!
My understanding is that throughout the AOS lifecycle, support for PPTP over NAT was been added and removed at various stages.
The customer is currently on 22.214.171.124.
So, I guess I have 3 questions.
1. Is PPTP supported in this version? If not, does anybody have an authoritative view of what versions do support it?
2. Does anybody know if you can do the equivalent of a static PAT (like you could on a Cisco ASA) within any NAT configuration context or role rule/policy? I.e. don't translate the source port? I've looked and can't see an obvious way?
3. My understanding (which might be wrong), is that half the problem with PPTP, is that it doesn't like source ports being changed. Am I wrong? If this is the case, I can't see that it's worth me looking at implementing an external NAT pool, to increase translation potential over multiple source IPs?