[c-nsp] Dial VPN not able to connect when using NAT Pool

Brian Feeny signal at shreve.net
Mon Mar 14 07:45:58 EST 2005


I posted a message earlier about this problem; this message contains 
more information and a link to the complete config, which has been 
changed up just a bit.

Here is a summary of what is happening.  Ignore the VPN and Tunnel 
connectivity for the most part, that is used for internal traffic, and 
is working properly.  The problem I am having is with users using a 
dial VPN client to connect to a site out on the Internet.  That site is 
170.97.79.74.

As you can see in the config, users are NATed behind a single IP when 
going out to the Internet.  They may take the default route going to ISP-A 
or they may take the default route going to ISP-B; either way, that's 
fine, the appropriate NAT wizardry is built in to make sure they get 
NAT'ed behind the proper interface IP regardless of where they are 
going.

However, there is one site in particular where this must change.  They 
have an application that connects them to a dial VPN to 170.97.79.74.  
That site does not want to see multiple people coming from the same IP 
address.  They would rather each dial VPN session come from a unique IP 
address.  I do have an 8 IP pool from ISP-A, but only a single IP from 
ISP-B.  So I set a route to 170.97.79.74 thru ISP-A.  Then I create the 
pool, and a route-map for NAT so that if the users are trying to go to 
170.97.79.74, then they use the pool (without overload).  This way, they 
should be able to establish 8 unique sessions to 170.97.79.74.

With my config in place, when users go to 170.97.79.74, I do see them 
start to use the pool.  When they go other places, they do not use the 
pool.  This is the correct behavior.  But something is not right, 
because the dial VPN never completes its connection.  I am going to 
"try" to get a window so I can run some extensive debugs, but right now 
all I have to go on is my config and an explanation of what's 
happening.

When I pull the pool config out and overload all users behind Serial0, 
they can establish all the dial VPNs they want, without a problem.  
Introducing the NAT pool makes the dial VPNs not work.

The thing is, my "policy/route-map" for using the pool works, I can see 
the translations built, but something is wrong.

It does not make sense to me that a PAT session would work with dial 
VPN but a NAT session should fail.  There must be something in my 
config that is wrong.  If you see anything, let me know.

The config is at http://homepage.mac.com/bfeeny/temp/cisco-nsp.cfg

Thanks for your help.

Brian
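For readers who cannot fetch the linked config, the following is an added illustration of the design the post describes (one non-overloaded pool for the dial-VPN site, PAT behind the ISP interfaces for everything else). It is not the poster's configuration and not vendor sample code; the only address taken from the post is 170.97.79.74. Interface names (Serial0 for ISP-A, Serial1 for ISP-B, FastEthernet0 for the LAN), the 192.168.1.0/24 inside network and the 203.0.113.0/24 and 198.51.100.0/24 provider blocks are constructed placeholders from the RFC 5737 documentation ranges.

```cisco
! Added example, not the original poster's config. Addresses other than
! 170.97.79.74 are constructed placeholders (RFC 5737 documentation ranges).
! Assumed topology: FastEthernet0 = inside LAN, Serial0 = ISP-A, Serial1 = ISP-B.
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0
 description ISP-A (8-address block lives here)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface Serial1
 description ISP-B (single address only)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
! Pin the dial-VPN destination to ISP-A so packets carrying a pool address
! leave on the link whose provider actually routes that block back to us.
ip route 170.97.79.74 255.255.255.255 203.0.113.1
!
! Eight addresses from ISP-A, one per dial-VPN session, no overload:
! the ninth concurrent host gets no translation and its session fails.
ip nat pool VPN-POOL 203.0.113.16 203.0.113.23 prefix-length 29
!
! Only LAN traffic to the dial-VPN site is eligible for the pool.
ip access-list extended NAT-TO-VPNSITE
 permit ip 192.168.1.0 0.0.0.255 host 170.97.79.74
!
! The PAT rules explicitly exclude the VPN site so that rule order can
! never cause a dial-VPN session to be overloaded behind an interface.
ip access-list extended NAT-ISP-A
 deny   ip 192.168.1.0 0.0.0.255 host 170.97.79.74
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended NAT-ISP-B
 deny   ip 192.168.1.0 0.0.0.255 host 170.97.79.74
 permit ip 192.168.1.0 0.0.0.255 any
!
! "match interface" ties each translation to the egress link that the
! routing decision selected, which is what keeps the two ISPs separate.
route-map NAT-VPNSITE permit 10
 match ip address NAT-TO-VPNSITE
 match interface Serial0
!
route-map NAT-PAT-A permit 10
 match ip address NAT-ISP-A
 match interface Serial0
!
route-map NAT-PAT-B permit 10
 match ip address NAT-ISP-B
 match interface Serial1
!
ip nat inside source route-map NAT-VPNSITE pool VPN-POOL
ip nat inside source route-map NAT-PAT-A interface Serial0 overload
ip nat inside source route-map NAT-PAT-B interface Serial1 overload
```

With this in place, `show ip nat translations` should list one pool address per inside host talking to 170.97.79.74 and interface-address entries with port rewriting for everything else, and `show ip nat statistics` shows how many of the eight pool addresses are in use; those two commands are the first thing to compare against a packet capture when a session that does get a pool address still fails to complete, before reaching for `debug ip nat`.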