[c-nsp] PPTP and NAT
Reuben Farrelly
reuben-cisco-nsp at reub.net
Mon Aug 7 05:44:15 EDT 2006
On 7/08/2006 9:08 p.m., Brett Looney wrote:
> At 16:57 7/08/2006, you wrote:
>> I have a customer who wants me to configure his router in order to have port
>> 1723 of one of his public addresses redirected to 192.168.254.5, and IP
>> protocol 47 forwarded to the same private IP.
>>
>> So I guess he wants to have incoming PPTP sessions.
>>
>> How do I do this with NAT? It seems that only UDP and TCP can be processed,
>> not IP protocol 47:
>
> You have to do a NAT on the entire IP address. No way of getting
> around it that I know of. And then you'll need to put in an ACL to
> allow only 1723/TCP and GRE through.
Not so. In very very early versions of IOS you did, but from about 12.1T
onwards you only needed to PAT through port 1723, and do not need a 1:1 static
translation. The GRE is automagically taken care of as long as the PAT rule is
in the config.
See example at
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800949c0.shtml
which shows not only working configs but the contents of the NAT translation
table that show the GRE being mapped through without any router config to
specifically do so.
I have configured several routers with PAT forwarding PPTP and ports through to
more than one device behind the router, and can vouch that it works just fine as
the document above describes.
However, you will of course need to allow GRE through any ACLs on the inbound
interface. But that's a slightly separate matter to the NAT.
Reuben
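The two pieces Reuben describes, a PAT entry for TCP/1723 only and a separate inbound ACL that admits GRE, as an added IOS configuration example that is not part of this thread or of the Cisco document it links. The interface names, the public address 203.0.113.1 (a constructed documentation address) and the inside subnet are assumptions; 192.168.254.5 is the server from the original question.

```cisco
! Added example, not from the thread. Assumed: outside interface
! FastEthernet0/0 with public address 203.0.113.1 (constructed), inside
! interface FastEthernet0/1 on 192.168.254.0/24, PPTP server 192.168.254.5.
!
interface FastEthernet0/0
 description Outside (Internet)
 ip address 203.0.113.1 255.255.255.248
 ip nat outside
 ip access-group 101 in
!
interface FastEthernet0/1
 description Inside (LAN)
 ip address 192.168.254.1 255.255.255.0
 ip nat inside
!
! Ordinary PAT for the LAN out through the public address
access-list 1 permit 192.168.254.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/0 overload
!
! Forward only TCP/1723 to the PPTP server. No 1:1 static for the whole
! host and no line for IP protocol 47: the PPTP-aware NAT adds the GRE
! translation itself once the control session is up.
ip nat inside source static tcp 192.168.254.5 1723 interface FastEthernet0/0 1723
!
! The inbound ACL is the separate matter: it has to admit the GRE tunnel
! traffic as well as the control channel, otherwise the call setup stalls
! right after TCP/1723 completes. Everything not listed is dropped by the
! implicit deny; return traffic for the LAN's own outbound sessions needs
! its own permits (or an inspection feature) and is left out here.
access-list 101 permit tcp any host 203.0.113.1 eq 1723
access-list 101 permit gre any host 203.0.113.1
```

After a client connects, `show ip nat translations` lists a gre entry for 192.168.254.5 alongside the tcp 1723 entry, which is the behaviour the linked Cisco document illustrates.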