[c-nsp] NAT hairpin on IOS 15

Brett Looney brett at looney.id.au
Sun Aug 1 22:23:49 EDT 2010


Greets,

Running 15.0(1)M2 on a 1941 and have a very simple config:

	ip local pool vpnpool 192.168.8.20 192.168.8.150

	vpdn-group 1
	 accept-dialin
	  protocol pptp
	  virtual-template 1

	interface Virtual-Template1
	 ip unnumbered GigabitEthernet0/0
	 ip nat inside
	 peer default ip address pool vpnpool
	 ppp authentication ms-chap-v2 ms-chap

	interface GigabitEthernet0/0
	 ip address 192.168.0.254 255.255.255.0
	 ip nat inside

	interface GigabitEthernet0/1
	 ip address <external> 255.255.255.252
	 ip nat outside

	ip nat inside source list NAT interface GigabitEthernet0/1 overload

Users coming in via PPTP can connect fine and access local resources but can't access the Internet - NAT hairpin appears to be broken. "debug ip nat" shows nothing from those users. Internal (192.168.0.0/24 and other private networks) work fine.

Doing a "show run virtual-access2.1" shows the "ip nat inside" command cloned across to the interface.

I've changed the config to use the newer NAT NVI stuff (ip nat enable) but the result is the same. Before I go off and download 15.0(1)M3 is there anything else I should be trying?

BTW - yes, I realise there is no "ppp encrypt mppe auto" in the Virtual-Template1 - this is also broken in 15.0 - it should be available with the security feature set but it just doesn't appear as an option to configure - the feature navigator says it is there. Waiting for Cisco to resolve this one too...

B.
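Two things worth checking before chasing a code upgrade are that the virtual-access interfaces really carry the "ip nat inside" role and that the NAT access-list actually matches the VPN pool range (a source that misses the ACL is simply never translated, which is consistent with "debug ip nat" staying silent). The script below is an added example, not part of the original post; it parses the NAT-related lines shown above plus a hypothetical "ip access-list extended NAT" that I constructed, since the post does not show the ACL contents.

```python
import ipaddress
import re

# Constructed sample (not from the post): the poster's NAT-related lines plus a
# hypothetical "ip access-list extended NAT" that only permits the LAN subnet.
SAMPLE_CONFIG = """\
ip local pool vpnpool 192.168.8.20 192.168.8.150
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0
 ip nat inside
interface GigabitEthernet0/0
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 ip nat outside
ip access-list extended NAT
 permit ip 192.168.0.0 0.0.0.255 any
ip nat inside source list NAT interface GigabitEthernet0/1 overload
"""

def nat_roles(cfg):
    """Map each interface to its 'ip nat inside' / 'ip nat outside' role."""
    roles, iface = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            iface = line.split()[1]
        elif iface and line.strip() in ("ip nat inside", "ip nat outside"):
            roles[iface] = line.split()[-1]
    return roles

def acl_source_networks(cfg, name):
    """Source networks permitted by a named extended ACL ('any', 'host', wildcard)."""
    nets, in_acl = [], False
    for line in cfg.splitlines():
        if line.startswith("ip access-list extended "):
            in_acl = line.split()[-1] == name
        elif in_acl and line.strip().startswith("permit "):
            parts = line.split()  # permit <proto> <src> <wildcard|any|host> ...
            if parts[2] == "any":
                nets.append(ipaddress.ip_network("0.0.0.0/0"))
            elif parts[2] == "host":
                nets.append(ipaddress.ip_network(parts[3] + "/32"))
            else:  # contiguous wildcard mask -> prefix length
                prefix = 32 - int(ipaddress.ip_address(parts[3])).bit_length()
                nets.append(ipaddress.ip_network(f"{parts[2]}/{prefix}", strict=False))
    return nets

def pool_addresses_not_matched(cfg, pool, acl):
    """Pool addresses the NAT ACL never matches, i.e. that would never be translated."""
    m = re.search(rf"^ip local pool {pool} (\S+) (\S+)", cfg, re.M)
    first, last = (ipaddress.ip_address(x) for x in m.groups())
    nets = acl_source_networks(cfg, acl)
    return [str(ipaddress.ip_address(i)) for i in range(int(first), int(last) + 1)
            if not any(ipaddress.ip_address(i) in n for n in nets)]

if __name__ == "__main__":
    print(nat_roles(SAMPLE_CONFIG))
    missed = pool_addresses_not_matched(SAMPLE_CONFIG, "vpnpool", "NAT")
    print(f"{len(missed)} pool addresses are not matched by access-list NAT")
```

Feed it the real running-config (including the actual access-list NAT) instead of the constructed sample; an empty result from pool_addresses_not_matched rules the ACL out and points back at the IOS image.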