[c-nsp] C876 - Forced to use NAT Virtual Interface

Gaurav Sabharwal gaurav at inwire.net
Mon Mar 5 03:24:46 EST 2007


Oli,

Thanks for pointing it out. That was exactly the problem. Still can't 
believe I was missing that in my configuration.

Regards,
- Gaurav
on 03/05/2007 06:07 AM Oliver Boehmer (oboehmer) said the following:
> Hi,
> 
> I haven't really worked with NAT Virtual interface, but your config
> seems to include both legacy-NAT (ip nat inside/outside) as well as NVI
> syntax (ip nat source static <src> <dst>). Can you try a legacy
> configuration using "ip nat inside source static <src> <dst>" instead
> and see if it works?
> 
> 	oli
> 
> Gaurav Sabharwal <mailto:gaurav at inwire.net> wrote on Sunday, March 04,
> 2007 7:58 PM:
> 
>> Oli,
>>
>> I copied and pasted the wrong configuration (interface Virtual-PPP1)
>> earlier. However, below is the full picture.
>>
>> We are using client initiated L2TP. We are not doing NAT on the PPPoE
>> connection. The only outside interface that has NAT enabled is the
>> Virtual-PPP interface.
>>
>> There are only two routes pointing to the DSL interface (dialer1). The
>> two routes are for the firewall (192.168.100.1) and the LNS
>> (172.17.101.1). 
>>
>> The configuration is attached. The result of NAT configuration is the
>> same irrespective of the outside interface used (Dialer1 or
>> Virtual-PPP1). 
>>
>> Output of show version is below:
>>
>> c87601# sh ver
>> Cisco IOS Software, C870 Software (C870-ADVENTERPRISEK9-M), Version
>> 12.4(6)T5, RELEASE SOFTWARE (fc1)
>> Technical Support: http://www.cisco.com/techsupport
>> Copyright (c) 1986-2006 by Cisco Systems, Inc.
>> Compiled Sat 07-Oct-06 01:08 by kellythw
>>
>> ROM: System Bootstrap, Version 12.3(8r)YI2, RELEASE SOFTWARE
>>
>> c87601 uptime is 2 days, 2 hours, 53 minutes
>> System returned to ROM by reload at 15:55:41 UTC Fri Mar 2 2007
>> System restarted at 15:56:39 UTC Fri Mar 2 2007
>> System image file is "flash:c870-adventerprisek9-mz.124-6.T5.bin"
>> Last reload reason: Reload Command
>>
>> This product contains cryptographic features and is subject to United
>> States and local country laws governing import, export, transfer and
>> use. Delivery of Cisco cryptographic products does not imply
>> third-party authority to import, export, distribute or use encryption.
>> Importers, exporters, distributors and users are responsible for
>> compliance with U.S. and local country laws. By using this product you
>> agree to comply with applicable laws and regulations. If you are
>> unable 
>> to comply with U.S. and local laws, return this product immediately.
>>
>> A summary of U.S. laws governing Cisco cryptographic products may be
>> found at:
>> http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
>>
>> If you require further assistance please contact us by sending email
>> to export at cisco.com.
>>
>> Cisco 876W (MPC8272) processor (revision 0x200) with 118784K/12288K
>> bytes of memory.
>> Processor board ID FCZ102623WU
>> MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
>> 4 FastEthernet interfaces
>> 1 ISDN Basic Rate interface
>> 1 ATM interface
>> 1 802.11 Radio
>> 128K bytes of non-volatile configuration memory.
>> 36864K bytes of processor board System flash (Intel Strataflash)
>>
>> Configuration register is 0x2102
>>
>> Thanks,
>> - Gaurav
>> on 03/03/2007 08:25 PM Oliver Boehmer (oboehmer) said the following:
>>> Gaurav,
>>>
>>> I'm not entirely sure about the environment. Can you show the full
>>> config and describe what you're trying to achieve? The presence of a
>>> dialer and a virtual-access interface as NAT outside suggests that
>>> you're already using NAT for a PPPoX connection, and also want to NAT
>>> packets going into the L2TP tunnel?
>>>
>>> 	oli
>>>
>>> Gaurav Sabharwal <> wrote on Wednesday, February 28, 2007 10:29 AM:
>>>
>>>> Have a Cisco 876 router running 12.4(6)T6 IOS release and have
>>>> noticed that classic NAT translation does not work. Below is the
>>>> relevant configuration. 
>>>>
>>>> !
>>>> interface Virtual-PPP1
>>>>   ip address negotiated
>>>>   ip nat outside
>>>>   ip virtual-reassembly
>>>>   fair-queue
>>>>   no cdp enable
>>>>   ppp authentication chap callin
>>>>   ppp chap hostname testuser
>>>>   ppp chap password 0 testpass
>>>>   ppp direction callout
>>>>   pseudowire 172.17.101.1 10 pw-class pwclass1
>>>> !
>>>> interface Vlan1
>>>>   ip address 192.168.10.1 255.255.255.128
>>>>   ip nat inside
>>>>   ip virtual-reassembly
>>>> !
>>>> ip nat source static 192.168.10.1 10.10.0.17
>>>> ip nat source static 192.168.10.2 10.10.0.18
>>>> ip nat source static 192.168.10.3 10.10.0.19
>>>> ip nat source static 192.168.10.4 10.10.0.20
>>>> !
>>>>
>>>> show classic NAT statistics
>>>>
>>>> rtr# sh ip nat stat
>>>> Total active translations: 0 (0 static, 0 dynamic; 0 extended)
>>>>    Outside interfaces: Dialer1, Virtual-Access1
>>>>
>>>> Inside interfaces:
>>>>    Vlan1
>>>> Hits: 0  Misses: 0
>>>> CEF Translated packets: 0, CEF Punted packets: 0
>>>> Expired translations: 0
>>>> Dynamic mappings:
>>>>
>>>> Queued Packets: 0
>>>>
>>>> rtr# show ip nat stat
>>>> Total active translations: 0 (0 static, 0 dynamic; 0 extended)
>>>>    Outside interfaces: Dialer1, Virtual-Access1
>>>> Inside interfaces:
>>>>    Vlan1
>>>>
>>>> Hits: 0  Misses: 0
>>>> CEF Translated packets: 0, CEF Punted packets: 0
>>>> Expired translations: 0
>>>> Dynamic mappings:
>>>> Queued Packets: 0
>>>>
>>>> show stats for NVI
>>>>
>>>> rtr# sh ip nat nvi stat
>>>> Total active translations: 4 (4 static, 0 dynamic; 0 extended)
>>>> NAT Enabled interfaces:
>>>>
>>>> Hits: 0  Misses: 0
>>>> CEF Translated packets: 0, CEF Punted packets: 0
>>>> Expired translations: 0
>>>> Dynamic mappings:
>>>>
>>>>
>>>> rtr# show ip nat nvi trans
>>>> Pro Source global      Source local       Destin  local      Destin  global
>>>> --- 10.10.0.17         192.168.10.1       ---                ---
>>>> --- 10.10.0.18         192.168.10.2       ---                ---
>>>> --- 10.10.0.19         192.168.10.3       ---                ---
>>>> --- 10.10.0.20         192.168.10.4       ---                ---
>>>>
>>>> Reading the documents, my understanding is that the NVI interface
>>>> will be triggered when "ip nat enable" command is used on the
>>>> interfaces. Has anybody seen this issue, or can anybody point out the
>>>> obvious thing that I am missing in the configuration?
>>>>
>>>> Thanks,
>>>> - Gaurav
> 
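
Added example, not part of the original thread and not Cisco's code: a small Python check for the mismatch identified in this thread, where interfaces are marked with legacy NAT commands but the static rules use NVI syntax. The function names and the sample config are constructed for illustration; the classification assumes legacy NAT pairs `ip nat inside`/`ip nat outside` on interfaces with `ip nat inside source ...` rules, and NVI pairs `ip nat enable` with `ip nat source ...` rules.

```python
import re

# Constructed sample: NAT-relevant lines from the configuration posted in the thread.
SAMPLE_CONFIG = """\
interface Virtual-PPP1
 ip address negotiated
 ip nat outside
!
interface Vlan1
 ip address 192.168.10.1 255.255.255.128
 ip nat inside
!
ip nat source static 192.168.10.1 10.10.0.17
ip nat source static 192.168.10.2 10.10.0.18
"""

def classify_nat(config):
    """Sort NAT lines into legacy/NVI style, split by interface command vs. global rule."""
    found = {"legacy": {"interface": [], "rule": []},
             "nvi": {"interface": [], "rule": []}}
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():
            # Unindented line: start of an interface block, or back to global config.
            m = re.match(r"interface\s+(\S+)", line)
            iface = m.group(1) if m else None
        if iface and re.fullmatch(r"ip nat (inside|outside)", line):
            found["legacy"]["interface"].append(f"{iface}: {line}")
        elif iface and line == "ip nat enable":
            found["nvi"]["interface"].append(f"{iface}: {line}")
        elif re.match(r"ip nat (inside|outside) source\b", line):
            found["legacy"]["rule"].append(line)
        elif re.match(r"ip nat source\b", line):
            found["nvi"]["rule"].append(line)
    return found

def nat_mismatches(config):
    """Report rules with no interface enabled for their style, and the reverse."""
    problems = []
    for style, seen in classify_nat(config).items():
        if seen["rule"] and not seen["interface"]:
            problems += [f"{style} rule, no {style} interface: {r}" for r in seen["rule"]]
        if seen["interface"] and not seen["rule"]:
            problems += [f"{style} interface, no {style} rule: {i}" for i in seen["interface"]]
    return problems

if __name__ == "__main__":
    for p in nat_mismatches(SAMPLE_CONFIG):
        print(p)
```

On the sample it reports the two legacy-marked interfaces that have no legacy rules and the two NVI rules that have no NVI-enabled interface, which matches the empty classic translation table and the empty "NAT Enabled interfaces" list in the posted output.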


