[c-nsp] C876 - Forced to use NAT Virtual Interface
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Mon Mar 5 00:07:51 EST 2007
Hi,
I haven't really worked with NAT Virtual interface, but your config
seems to include both legacy-NAT (ip nat inside/outside) as well as NVI
syntax (ip nat source static <src> <dst>). Can you try a legacy
configuration using "ip nat inside source static <src> <dst>" instead
and see if it works?
oli
Gaurav Sabharwal <mailto:gaurav at inwire.net> wrote on Sunday, March 04,
2007 7:58 PM:
> Oli,
>
> I copied and pasted the wrong configuration (interface Virtual-PPP1)
> earlier. However, below is the full picture.
>
> We are using client initiated L2TP. We are not doing NAT on the PPPoE
> connection. The only outside interface that has NAT enabled is the
> Virtual-PPP interface.
>
> There are only two routes pointing to the DSL interface (dialer1). The
> two routes are for the firewall (192.168.100.1) and the LNS
> (172.17.101.1).
>
> The configuration is attached. The result of NAT configuration is the
> same irrespective of the outside interface used (Dialer1 or
> Virtual-PPP1).
>
> Output of show version is below:
>
> c87601# sh ver
> Cisco IOS Software, C870 Software (C870-ADVENTERPRISEK9-M), Version
> 12.4(6)T5, RELEASE SOFTWARE (fc1)
> Technical Support: http://www.cisco.com/techsupport
> Copyright (c) 1986-2006 by Cisco Systems, Inc.
> Compiled Sat 07-Oct-06 01:08 by kellythw
>
> ROM: System Bootstrap, Version 12.3(8r)YI2, RELEASE SOFTWARE
>
> c87601 uptime is 2 days, 2 hours, 53 minutes
> System returned to ROM by reload at 15:55:41 UTC Fri Mar 2 2007
> System restarted at 15:56:39 UTC Fri Mar 2 2007
> System image file is "flash:c870-adventerprisek9-mz.124-6.T5.bin"
> Last reload reason: Reload Command
>
> This product contains cryptographic features and is subject to United
> States and local country laws governing import, export, transfer and
> use. Delivery of Cisco cryptographic products does not imply
> third-party authority to import, export, distribute or use encryption.
> Importers, exporters, distributors and users are responsible for
> compliance with U.S. and local country laws. By using this product you
> agree to comply with applicable laws and regulations. If you are unable
> to comply with U.S. and local laws, return this product immediately.
>
> A summary of U.S. laws governing Cisco cryptographic products may be
> found at:
> http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
>
> If you require further assistance please contact us by sending email
> to export at cisco.com.
>
> Cisco 876W (MPC8272) processor (revision 0x200) with 118784K/12288K
> bytes of memory.
> Processor board ID FCZ102623WU
> MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
> 4 FastEthernet interfaces
> 1 ISDN Basic Rate interface
> 1 ATM interface
> 1 802.11 Radio
> 128K bytes of non-volatile configuration memory.
> 36864K bytes of processor board System flash (Intel Strataflash)
>
> Configuration register is 0x2102
>
> Thanks,
> - Gaurav
> on 03/03/2007 08:25 PM Oliver Boehmer (oboehmer) said the following:
>> Gaurav,
>>
>> I'm not entirely sure about the environment. Can you show the full
>> config and describe what you're trying to achieve? The presence of a
>> dialer and a virtual-access interface as NAT outside suggests that
>> you're already using NAT for a PPPoX connection, and also want to NAT
>> packets going into the L2TP tunnel?
>>
>> oli
>>
>> Gaurav Sabharwal <> wrote on Wednesday, February 28, 2007 10:29 AM:
>>
>>> Have a Cisco 876 router running 12.4(6)T6 IOS release and have
>>> noticed that classic NAT translation does not work. Below is the
>>> relevant configuration.
>>>
>>> !
>>> interface Virtual-PPP1
>>> ip address negotiated
>>> ip nat outside
>>> ip virtual-reassembly
>>> fair-queue
>>> no cdp enable
>>> ppp authentication chap callin
>>> ppp chap hostname testuser
>>> ppp chap password 0 testpass
>>> ppp direction callout
>>> pseudowire 172.17.101.1 10 pw-class pwclass1
>>> !
>>> interface Vlan1
>>> ip address 192.168.10.1 255.255.255.128
>>> ip nat inside
>>> ip virtual-reassembly
>>> !
>>> ip nat source static 192.168.10.1 10.10.0.17
>>> ip nat source static 192.168.10.2 10.10.0.18
>>> ip nat source static 192.168.10.3 10.10.0.19
>>> ip nat source static 192.168.10.4 10.10.0.20
>>> !
>>>
>>> show classic NAT statistics
>>>
>>> rtr# sh ip nat stat
>>> Total active translations: 0 (0 static, 0 dynamic; 0 extended)
>>> Outside interfaces: Dialer1, Virtual-Access1
>>>
>>> Inside interfaces:
>>> Vlan1
>>> Hits: 0 Misses: 0
>>> CEF Translated packets: 0, CEF Punted packets: 0
>>> Expired translations: 0
>>> Dynamic mappings:
>>>
>>> Queued Packets: 0
>>>
>>> rtr# show ip nat stat
>>> Total active translations: 0 (0 static, 0 dynamic; 0 extended)
>>> Outside interfaces: Dialer1, Virtual-Access1
>>> Inside interfaces:
>>> Vlan1
>>>
>>> Hits: 0 Misses: 0
>>> CEF Translated packets: 0, CEF Punted packets: 0
>>> Expired translations: 0
>>> Dynamic mappings:
>>> Queued Packets: 0
>>>
>>> show stats for NVI
>>>
>>> rtr# sh ip nat nvi stat
>>> Total active translations: 4 (4 static, 0 dynamic; 0 extended)
>>> NAT Enabled interfaces:
>>>
>>> Hits: 0 Misses: 0
>>> CEF Translated packets: 0, CEF Punted packets: 0
>>> Expired translations: 0
>>> Dynamic mappings:
>>>
>>>
>>> rtr# show ip nat nvi trans
>>> Pro Source global Source local Destin local Destin global
>>> --- 10.10.0.17 192.168.10.1 --- ---
>>> --- 10.10.0.18 192.168.10.2 --- ---
>>> --- 10.10.0.19 192.168.10.3 --- ---
>>> --- 10.10.0.20 192.168.10.4 --- ---
>>>
>>> Reading the documents, my understanding is that the NVI interface
>>> will be triggered when "ip nat enable" command is used on the
>>> interfaces. Anybody seen this issue or point the obvious thing that
>>> I am missing in the configuration?
>>>
>>> Thanks,
>>> - Gaurav
>>> _______________________________________________
>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
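
The mismatch pointed out in the reply at the top of this thread (interfaces marked with legacy `ip nat inside`/`ip nat outside` while the static rules use the NVI form `ip nat source static`) can be checked mechanically. The following is an added example, not code from the thread or from Cisco; the function name `audit_nat_styles` and the sample text are constructed for illustration from the lines quoted above.

```python
import re

# Constructed sample: the NAT-relevant lines quoted in the thread above.
SAMPLE_CONFIG = """\
interface Virtual-PPP1
 ip address negotiated
 ip nat outside
!
interface Vlan1
 ip address 192.168.10.1 255.255.255.128
 ip nat inside
!
ip nat source static 192.168.10.1 10.10.0.17
ip nat source static 192.168.10.2 10.10.0.18
"""

def audit_nat_styles(config):
    """Classify NAT statements as legacy or NVI and report mismatches."""
    s = {"legacy_ifaces": [], "nvi_ifaces": [], "legacy_rules": 0, "nvi_rules": 0}
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif line == "!":
            iface = None  # "!" separates blocks in a saved configuration
        elif iface and re.fullmatch(r"ip nat (inside|outside)", line):
            s["legacy_ifaces"].append(iface)      # legacy interface marking
        elif iface and line == "ip nat enable":
            s["nvi_ifaces"].append(iface)         # NVI interface marking
        elif re.match(r"ip nat (inside|outside) source ", line):
            s["legacy_rules"] += 1                # legacy translation rule
        elif line.startswith("ip nat source "):
            s["nvi_rules"] += 1                   # NVI translation rule
    findings = []
    if s["nvi_rules"] and not s["nvi_ifaces"]:
        findings.append("NVI rules present but no interface has 'ip nat enable'")
    if s["legacy_ifaces"] and not s["legacy_rules"]:
        findings.append("inside/outside interfaces but no legacy 'ip nat inside|outside source' rule")
    if s["legacy_rules"] and not s["legacy_ifaces"]:
        findings.append("legacy rules present but no interface is marked inside/outside")
    if s["nvi_ifaces"] and not s["nvi_rules"]:
        findings.append("'ip nat enable' interfaces but no NVI 'ip nat source' rule")
    return s, findings

if __name__ == "__main__":
    summary, findings = audit_nat_styles(SAMPLE_CONFIG)
    print(summary)
    for f in findings:
        print("WARN:", f)
```

On the sample it reports both halves of the mismatch, which lines up with the quoted output: four static entries under `show ip nat nvi`, an empty "NAT Enabled interfaces" list, and zero translations under `show ip nat stat`.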