[c-nsp] C876 - Forced to use NAT Virtual Interface

Gaurav Sabharwal gaurav at inwire.net
Sun Mar 4 13:58:18 EST 2007


Oli,

I copied and pasted the wrong configuration (interface Virtual-PPP1) 
earlier. However, below is the full picture.

We are using client initiated L2TP. We are not doing NAT on the PPPoE 
connection. The only outside interface that has NAT enabled is the 
Virtual-PPP interface.

There are only two routes pointing to the DSL interface (dialer1). The 
two routes are for the firewall (192.168.100.1) and the LNS (172.17.101.1).

The configuration is attached. The result of NAT configuration is the 
same irrespective of the outside interface used (Dialer1 or Virtual-PPP1).

Output of show version is below:

c87601# sh ver
Cisco IOS Software, C870 Software (C870-ADVENTERPRISEK9-M), Version 12.4(6)T5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Sat 07-Oct-06 01:08 by kellythw

ROM: System Bootstrap, Version 12.3(8r)YI2, RELEASE SOFTWARE

c87601 uptime is 2 days, 2 hours, 53 minutes
System returned to ROM by reload at 15:55:41 UTC Fri Mar 2 2007
System restarted at 15:56:39 UTC Fri Mar 2 2007
System image file is "flash:c870-adventerprisek9-mz.124-6.T5.bin"
Last reload reason: Reload Command

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export at cisco.com.

Cisco 876W (MPC8272) processor (revision 0x200) with 118784K/12288K bytes of memory.
Processor board ID FCZ102623WU
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ISDN Basic Rate interface
1 ATM interface
1 802.11 Radio
128K bytes of non-volatile configuration memory.
36864K bytes of processor board System flash (Intel Strataflash)

Configuration register is 0x2102

Thanks,
- Gaurav
on 03/03/2007 08:25 PM Oliver Boehmer (oboehmer) said the following:
> Gaurav,
> 
> I'm not entirely sure about the environment. Can you show the full
> config and describe what you're trying to achieve? The presence of a
> dialer and a virtual-access interface as NAT outside suggests that
> you're already using NAT for a PPPoX connection, and also want to NAT
> packets going into the L2TP tunnel?
> 
> 	oli
> 
> Gaurav Sabharwal <> wrote on Wednesday, February 28, 2007 10:29 AM:
> 
>> Have a Cisco 876 router running 12.4(6)T6 IOS release and have noticed
>> that classic NAT translation does not work. Below is the relevant
>> configuration.
>>
>> !
>> interface Virtual-PPP1
>>   ip address negotiated
>>   ip nat outside
>>   ip virtual-reassembly
>>   fair-queue
>>   no cdp enable
>>   ppp authentication chap callin
>>   ppp chap hostname testuser
>>   ppp chap password 0 testpass
>>   ppp direction callout
>>   pseudowire 172.17.101.1 10 pw-class pwclass1
>> !
>> interface Vlan1
>>   ip address 192.168.10.1 255.255.255.128
>>   ip nat inside
>>   ip virtual-reassembly
>> !
>> ip nat source static 192.168.10.1 10.10.0.17
>> ip nat source static 192.168.10.2 10.10.0.18
>> ip nat source static 192.168.10.3 10.10.0.19
>> ip nat source static 192.168.10.4 10.10.0.20
>> !
>>
>> show classic NAT statistics
>>
>> rtr# sh ip nat stat
>> Total active translations: 0 (0 static, 0 dynamic; 0 extended)
>> Outside interfaces:
>>    Dialer1, Virtual-Access1
>>
>> Inside interfaces:
>>    Vlan1
>> Hits: 0  Misses: 0
>> CEF Translated packets: 0, CEF Punted packets: 0
>> Expired translations: 0
>> Dynamic mappings:
>>
>> Queued Packets: 0
>>
>> rtr# show ip nat stat
>> Total active translations: 0 (0 static, 0 dynamic; 0 extended)
>> Outside interfaces:
>>    Dialer1, Virtual-Access1
>> Inside interfaces:
>>    Vlan1
>>
>> Hits: 0  Misses: 0
>> CEF Translated packets: 0, CEF Punted packets: 0
>> Expired translations: 0
>> Dynamic mappings:
>> Queued Packets: 0
>>
>> show stats for NVI
>>
>> rtr# sh ip nat nvi stat
>> Total active translations: 4 (4 static, 0 dynamic; 0 extended)
>> NAT Enabled interfaces:
>>
>> Hits: 0  Misses: 0
>> CEF Translated packets: 0, CEF Punted packets: 0
>> Expired translations: 0
>> Dynamic mappings:
>>
>>
>> rtr# show ip nat nvi trans
>> Pro Source global      Source local       Destin  local      Destin  global
>> --- 10.10.0.17         192.168.10.1       ---                ---
>> --- 10.10.0.18         192.168.10.2       ---                ---
>> --- 10.10.0.19         192.168.10.3       ---                ---
>> --- 10.10.0.20         192.168.10.4       ---                ---
>>
>> Reading the documents, my understanding is that the NVI interface will
>> be triggered when the "ip nat enable" command is used on the interfaces.
>> Has anybody seen this issue, or can anybody point out the obvious thing
>> that I am missing in the configuration?
>>
>> Thanks,
>> - Gaurav
> 

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: c876.txt
Url: https://puck.nether.net/pipermail/cisco-nsp/attachments/20070304/e7377fb4/attachment.txt 
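
The outputs quoted in this thread show four static entries under NVI with no NAT-enabled interfaces, while classic NAT lists inside/outside interfaces and zero translations. The following is an added example, not part of the original post or the attached configuration: a small check that reports when a config's NAT rules and its interface NAT commands belong to different styles. The function name `audit_nat_style` and the sample text are constructed; it assumes the classic rule form `ip nat inside|outside source ...` and the NVI forms `ip nat source ...` and `ip nat enable`.

```python
import re

# Constructed sample built from the configuration lines quoted in the thread.
SAMPLE_CONFIG = """\
interface Virtual-PPP1
 ip address negotiated
 ip nat outside
!
interface Vlan1
 ip address 192.168.10.1 255.255.255.128
 ip nat inside
!
ip nat source static 192.168.10.1 10.10.0.17
ip nat source static 192.168.10.2 10.10.0.18
"""

def audit_nat_style(config):
    """Return (interface_modes, rule_counts, findings) for IOS config text."""
    modes, rules, current = {}, {"classic": 0, "nvi": 0}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = line.split(None, 1)[1]
        elif raw[:1] in (" ", "\t") and current:
            # Interface sub-command: inside/outside is classic, enable is NVI.
            m = re.fullmatch(r"ip nat (inside|outside|enable)", line)
            if m:
                modes[current] = "nvi" if m.group(1) == "enable" else "classic"
        else:
            current = None  # back at global configuration level
            if re.match(r"ip nat (inside|outside) source ", line):
                rules["classic"] += 1
            elif re.match(r"ip nat source ", line):
                rules["nvi"] += 1
    findings = []
    for style in ("classic", "nvi"):
        ifaces = sorted(i for i, s in modes.items() if s == style)
        if rules[style] and not ifaces:
            findings.append(f"{rules[style]} {style} rule(s) but no {style} interface")
        if ifaces and not rules[style]:
            findings.append(f"{style} interface(s) {', '.join(ifaces)} but no {style} rule")
    return modes, rules, findings

if __name__ == "__main__":
    for finding in audit_nat_style(SAMPLE_CONFIG)[2]:
        print(finding)
```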

