[c-nsp] Windows VPN (PPTP) not getting through NAT (NVI) out of VRF

Ísak Jón Benjamínsson isak at nethonnun.is
Mon Nov 13 05:01:06 EST 2006


Hi list,

This is my first post to this list; I've searched the archives for a similar problem but have not been successful. It would be great if anyone could share some insight on my problem.

Scenario:

We run a few managed networks for enterprise customers: we host their internal servers, they connect to us via various methods (mostly ADSL or leased lines) directly to their own "internal network" at our facilities, and in one case (so far) we provide Internet connectivity from this private network of theirs.

For separation of customers, we use VRF lite, with VRFs trunked on VLANs between routers (not all the equipment knows MPLS, just 2 routers and a handful of VRFs).

We also provide customers with VPN access into their network (their VRF) via a Cisco 1841 router (C1841-ADVIPSERVICESK9-M, Version 12.4(8), RELEASE SOFTWARE (fc1)).

For Internet access out of each VRF, we use the same 1841 router and the "ip nat enable" syntax. The problem with this, however, is that computers on the internal network can't seem to connect to a third-party Windows-based VPN service using PPTP.

We've tried connecting to the Windows VPN service from machines behind NAT on cheap SOHO routers; that works fine, but not from behind this NAT-from-VRF solution of ours.

I have configured all ACLs on the way to allow "GRE" and "ip any any".

I'm including the relevant configuration below, any insight would be greatly appreciated.


--
Best regards,
Isak Ben.

!
! - X.Y.Z.35 is the default router on the X.Y.Z.32/28 subnet
!
ip route vrf CUST 0.0.0.0 0.0.0.0 FastEthernet0/1.50 X.Y.Z.35 global
!
ip nat log translations syslog
ip nat translation port-timeout tcp 25 600
ip nat source list nat-CUST interface FastEthernet0/1.50 vrf CUST overload
ip nat source static tcp 172.17.5.32 25 X.Y.Z.34 25 vrf CUST extendable
ip nat source static tcp 172.17.5.100 80 X.Y.Z.34 80 vrf CUST extendable
ip nat source static tcp 172.17.5.100 110 X.Y.Z.34 110 vrf CUST extendable
ip nat source static tcp 172.17.5.100 143 X.Y.Z.34 143 vrf CUST extendable
ip nat source static tcp 172.17.5.100 443 X.Y.Z.34 443 vrf CUST extendable
ip nat source static tcp 172.17.5.100 1812 X.Y.Z.34 1812 vrf CUST extendable
ip nat source static tcp 172.17.5.100 1813 X.Y.Z.34 1813 vrf CUST extendable
ip nat source static tcp 172.17.5.100 3389 X.Y.Z.34 3389 vrf CUST extendable
ip nat source static tcp 172.17.5.100 8080 X.Y.Z.34 8080 vrf CUST extendable
!
ip access-list extended nat-CUST
 permit ip 172.17.5.0 0.0.0.255 any
 permit ip 172.17.6.0 0.0.0.255 any
 permit gre 172.17.5.0 0.0.0.255 any log
 permit icmp 172.17.5.0 0.0.0.255 any
 permit icmp 172.17.6.0 0.0.0.255 any
!
interface FastEthernet0/1.809
 encapsulation dot1Q 809
 ip vrf forwarding CUST
 ip address 10.9.8.2 255.255.255.252
 ip nat enable
!
interface FastEthernet0/1.50
 encapsulation dot1Q 50
 ip address X.Y.Z.33 255.255.255.240
 ip nat enable
!
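Added example, not part of the original post: a small first-match evaluator over the nat-CUST ACL quoted above, showing which entry a PPTP GRE packet from 172.17.5.0/24 actually hits and which entries are shadowed by earlier ones. The ACL lines are copied from the post; the evaluator, the sample packets and the assumption that the destination can be ignored (every entry uses `any`) are my own construction.

```python
import ipaddress

# The nat-CUST ACL as posted (IOS evaluates ACEs top-down; the first match wins).
NAT_CUST_ACL = [
    "permit ip 172.17.5.0 0.0.0.255 any",
    "permit ip 172.17.6.0 0.0.0.255 any",
    "permit gre 172.17.5.0 0.0.0.255 any log",
    "permit icmp 172.17.5.0 0.0.0.255 any",
    "permit icmp 172.17.6.0 0.0.0.255 any",
]


def parse_ace(line):
    """Parse 'permit <proto> <src> <wildcard> any [log]'; destination is ignored (all ACEs use 'any')."""
    parts = line.split()
    action, proto, src, wildcard = parts[:4]
    # An IOS wildcard mask is the inverse of a netmask: 0.0.0.255 -> 255.255.255.0
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    network = ipaddress.IPv4Network(f"{src}/{mask}", strict=False)
    return {"action": action, "proto": proto, "src": network, "log": parts[-1] == "log"}


def first_match(acl, proto, src_ip):
    """Return (index, ace) of the first ACE the packet matches, or (None, None) for the implicit deny."""
    ip = ipaddress.IPv4Address(src_ip)
    for index, ace in enumerate(map(parse_ace, acl)):
        # 'ip' matches every protocol; any other keyword must match the packet's protocol exactly
        if ace["proto"] in ("ip", proto) and ip in ace["src"]:
            return index, ace
    return None, None


def shadowed_entries(acl):
    """Indices of ACEs that can never match because an earlier ACE already covers their traffic."""
    aces = list(map(parse_ace, acl))
    shadowed = []
    for index, ace in enumerate(aces):
        for earlier in aces[:index]:
            if earlier["proto"] in ("ip", ace["proto"]) and ace["src"].subnet_of(earlier["src"]):
                shadowed.append(index)
                break
    return shadowed


if __name__ == "__main__":
    # A GRE packet from a host in 172.17.5.0/24 hits entry 0 (permit ip), never the logged GRE entry.
    index, ace = first_match(NAT_CUST_ACL, "gre", "172.17.5.10")
    print(f"GRE from 172.17.5.10 matches entry {index}: {NAT_CUST_ACL[index]} (log={ace['log']})")
    print("shadowed entries:", [NAT_CUST_ACL[i] for i in shadowed_entries(NAT_CUST_ACL)])
```

Because the `permit gre ... log` entry is unreachable, the absence of GRE log messages says nothing about whether GRE actually reaches the NAT; a capture or the NAT translation table is the more reliable check.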