[c-nsp] C876 - Forced to use NAT Virtual Interface
Gaurav Sabharwal
gaurav at inwire.net
Sun Mar 4 13:58:18 EST 2007
Oli,
I copied and pasted the wrong configuration (interface Virtual-PPP1)
earlier. However, below is the full picture.
We are using client initiated L2TP. We are not doing NAT on the PPPoE
connection. The only outside interface that has NAT enabled is the
Virtual-PPP interface.
There are only two routes pointing to the DSL interface (dialer1). The
two routes are for the firewall (192.168.100.1) and the LNS (172.17.101.1).
The configuration is attached. The result of NAT configuration is the
same irrespective of the outside interface used (Dialer1 or Virtual-PPP1).
Output of show version is below:
c87601# sh ver
Cisco IOS Software, C870 Software (C870-ADVENTERPRISEK9-M), Version
12.4(6)T5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Sat 07-Oct-06 01:08 by kellythw
ROM: System Bootstrap, Version 12.3(8r)YI2, RELEASE SOFTWARE
c87601 uptime is 2 days, 2 hours, 53 minutes
System returned to ROM by reload at 15:55:41 UTC Fri Mar 2 2007
System restarted at 15:56:39 UTC Fri Mar 2 2007
System image file is "flash:c870-adventerprisek9-mz.124-6.T5.bin"
Last reload reason: Reload Command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be
found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export at cisco.com.
Cisco 876W (MPC8272) processor (revision 0x200) with 118784K/12288K
bytes of memory.
Processor board ID FCZ102623WU
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ISDN Basic Rate interface
1 ATM interface
1 802.11 Radio
128K bytes of non-volatile configuration memory.
36864K bytes of processor board System flash (Intel Strataflash)
Configuration register is 0x2102
Thanks,
- Gaurav
on 03/03/2007 08:25 PM Oliver Boehmer (oboehmer) said the following:
> Gaurav,
>
> I'm not entirely sure about the environment. can you show the full
> config and describe what you're trying to achieve? The presence of a
> dialer and a virtual-access interface as NAT outside suggests that
> you're already using NAT for a PPPoX connection, and also want to NAT
> packets going into the L2TP tunnel?
>
> oli
>
> Gaurav Sabharwal <> wrote on Wednesday, February 28, 2007 10:29 AM:
>
>> Have a Cisco 876 router running 12.4(6)T6 IOS release and have noticed
>> that classic NAT translation does not works. Below is the relevant
>> configuration.
>>
>> !
>> interface Virtual-PPP1
>> ip address negotiated
>> ip nat outside
>> ip virtual-reassembly
>> fair-queue
>> no cdp enable
>> ppp authentication chap callin
>> ppp chap hostname testuser
>> ppp chap password 0 testpass
>> ppp direction callout
>> pseudowire 172.17.101.1 10 pw-class pwclass1
>> !
>> interface Vlan1
>> ip address 192.168.10.1 255.255.255.128
>> ip nat inside
>> ip virtual-reassembly
>> !
>> ip nat source static 192.168.10.1 10.10.0.17
>> ip nat source static 192.168.10.2 10.10.0.18
>> ip nat source static 192.168.10.3 10.10.0.19
>> ip nat source static 192.168.10.4 10.10.0.20
>> !
>>
>> show classic NAT statistics
>>
>> rtr# sh ip nat stat
>> Total active translations: 0 (0 static, 0 dynamic; 0 extended)
>> Outside interfaces:
>> Dialer1, Virtual-Access1
>>
>> Inside interfaces:
>> Vlan1
>> Hits: 0 Misses: 0
>> CEF Translated packets: 0, CEF Punted packets: 0
>> Expired translations: 0
>> Dynamic mappings:
>>
>> Queued Packets: 0
>>
>> rtr# show ip nat stat
>> Total active translations: 0 (0 static, 0 dynamic; 0 extended)
>> Outside interfaces:
>> Dialer1, Virtual-Access1
>> Inside interfaces:
>> Vlan1
>>
>> Hits: 0 Misses: 0
>> CEF Translated packets: 0, CEF Punted packets: 0
>> Expired translations: 0
>> Dynamic mappings:
>> Queued Packets: 0
>>
>> show stats for NVI
>>
>> rtr# sh ip nat nvi stat
>> Total active translations: 4 (4 static, 0 dynamic; 0 extended)
>> NAT Enabled interfaces:
>>
>> Hits: 0 Misses: 0
>> CEF Translated packets: 0, CEF Punted packets: 0
>> Expired translations: 0
>> Dynamic mappings:
>>
>>
>> rtr# show ip nat nvi trans
>> Pro Source global Source local Destin local Destin
>> global
>> --- 10.10.0.17 192.168.10.1 --- ---
>> --- 10.10.0.18 192.168.10.2 --- ---
>> --- 10.10.0.19 192.168.10.3 --- ---
>> --- 10.10.0.20 192.168.10.4 --- ---
>>
>> Reading the documents, my understanding is that the NVI interface will
>> be triggered when "ip nat enable" command is used on the interfaces.
>> Anybody seen this issue or point the obvious thing that I am missing
>> in the configuration?
>>
>> Thanks,
>> - Gaurav
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: c876.txt
Url: https://puck.nether.net/pipermail/cisco-nsp/attachments/20070304/e7377fb4/attachment.txt
More information about the cisco-nsp
mailing list