[nsp] PPPoE and NAT on the LNS

Dan Armstrong dan at beanfield.com
Wed Sep 17 17:29:43 EDT 2003


Back in the day when we had only one box acting as an LNS/GW router we did it
like this. Now we have more than one, and we have to use RADIUS to plop each
L2TP user into an MPLS VRF.  The LNS routers are in an MPLS VRF mesh with
special GW routers appointed to do nothing but NAT.


LNS3.tor2#sh run int virtual-template 100
Building configuration...

Current configuration : 158 bytes
!
interface Virtual-Template100
 description Nexxia L2TP GAS
 no ip address
 ip mtu 1492
 no ip route-cache cef
 ip mroute-cache
 ppp authentication pap


Radius profile:

Framed-Protocol  | PPP
Service-Type     | Framed-User
Cisco-AVPair     | lcp:interface-config=ip unnumbered loopback10
Cisco-AVPair     | ip:addr-pool=routedsubnetgasnatpool
Cisco-AVPair     | lcp:interface-config=ip nat inside
Cisco-AVPair     | ip:dns-servers=66.207.192.4
Framed-Filter-ID | 150.in

-int loo10 just has a dummy private IP on it.
-ACL 150 just blocks all traffic --> an RFC1918 subnet so that all the NATed
users cannot see each other.
-Just make sure the subnet(s) involved are in the ACL that controls NAT.

You are good to go!



Dan.




Krzysztof Adamski wrote:

> I'm trying to avoid using a separate box just for NAT since I'm doing
> inbound NAT also.
>
> K
>
> On Wed, 17 Sep 2003, Ralph Doncaster wrote:
>
> > I tried this a long time ago running 12.0(7)T, and recall having
> > difficulties.  Instead I setup a route-map to forward packets from the NAT
> > IPs to a separate NAT box.
> >
> > Ralph Doncaster, IStop.com president
> > 6042147 Canada Inc.
> >
> > On Wed, 17 Sep 2003, Krzysztof Adamski wrote:
> >
> > > Is it possible to NAT users that come to an LNS through PPPoE.
> > > My virtual template contains nat inside:
> > > interface Virtual-Template1
> > >  mtu 1492
> > >  ip address 10.253.254.1 255.255.255.0
> > >  ip nat inside
> > >  peer default ip address pool CMLPOOL
> > >
> > > and #sh ip nat statistics
> > > Total active translations: 15 (12 static, 0 dynamic; 10 extended)
> > > Outside interfaces:
> > >   Ethernet0
> > > Inside interfaces:
> > >   Loopback0, Virtual-Access1, Virtual-Access2, Virtual-Access3
> > >   Virtual-Access4, Virtual-Template1
> > > Hits: 28  Misses: 0
> > > Expired translations: 0
> > > Dynamic mappings:
> > > -- Inside Source
> > > [Id: 1] route-map NONAT interface Ethernet0 refcount 0
> > >
> > > and here are the bits from the NAT config:
> > > ip nat inside source route-map NONAT interface Ethernet0 overload
> > > access-list 131 deny   ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
> > > access-list 131 permit ip 10.0.0.0 0.0.0.255 any
> > > route-map NONAT permit 10
> > >  match ip address 131
> > >
> > > NAT is not working, debugging NAT shows nothing, is this even possible?
> > > I'm running Version 12.2(17a)
> > >
> > > TIA
> > > K
> > >
> > > _______________________________________________
> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > >
> > >
> >
>
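Dan's last point, that the pool subnets must actually be covered by the ACL that controls NAT, can be checked mechanically. The following Python is an added example, not code from the thread: it evaluates the ACL 131 / route-map NONAT quoted above with IOS wildcard-mask semantics. The probe destination 198.51.100.1 and the assumption that CMLPOOL hands out addresses from the Virtual-Template1 subnet 10.253.254.0/24 are constructed for the example.

```python
import ipaddress

# Constructed from the ACL quoted in the thread (IOS extended ACL syntax).
# Each entry: (action, src_addr, src_wildcard, dst_addr, dst_wildcard).
# "any" is written as 0.0.0.0 255.255.255.255 (every bit is "don't care").
ACL_131 = [
    ("deny",   "10.0.0.0", "0.0.0.255", "10.0.0.0", "0.0.0.255"),
    ("permit", "10.0.0.0", "0.0.0.255", "0.0.0.0",  "255.255.255.255"),
]

# Assumed pool range: the Virtual-Template1 address is 10.253.254.1/24.
ASSUMED_POOL = "10.253.254.0/24"
PROBE_DST = "198.51.100.1"  # constructed external destination


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard masks: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def acl_action(acl, src: str, dst: str) -> str:
    """Evaluate an extended ACL top-down; implicit deny at the end."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def will_nat(src: str, dst: str) -> bool:
    """route-map NONAT permit 10 / match ip address 131: a flow is
    translated only when ACL 131 returns permit for it."""
    return acl_action(ACL_131, src, dst) == "permit"


def pool_coverage(pool_cidr: str, acl, probe_dst: str = PROBE_DST) -> int:
    """Count pool hosts whose traffic to an outside address the ACL permits.
    Zero means no subscriber in that pool will ever be translated."""
    net = ipaddress.IPv4Network(pool_cidr)
    return sum(1 for h in net.hosts() if acl_action(acl, str(h), probe_dst) == "permit")


if __name__ == "__main__":
    print("10.0.0.5 -> 10.0.0.9 NATed?", will_nat("10.0.0.5", "10.0.0.9"))
    print("10.0.0.5 -> outside NATed?", will_nat("10.0.0.5", PROBE_DST))
    print(f"hosts of {ASSUMED_POOL} covered by ACL 131:",
          pool_coverage(ASSUMED_POOL, ACL_131))
```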


