[c-nsp] NAT hairpin on IOS 15
Brett Looney
brett at looney.id.au
Sun Aug 1 22:23:49 EDT 2010
Greets,
Running 15.0(1)M2 on a 1941 and have a very simple config:
ip local pool vpnpool 192.168.8.20 192.168.8.150

vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1

interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0
 ip nat inside
 peer default ip address pool vpnpool
 ppp authentication ms-chap-v2 ms-chap

interface GigabitEthernet0/0
 ip address 192.168.0.254 255.255.255.0
 ip nat inside

interface GigabitEthernet0/1
 ip address <external> 255.255.255.252
 ip nat outside

ip nat inside source list NAT interface GigabitEthernet0/1 overload

Users coming in via PPTP can connect fine and access local resources but can't access the Internet - NAT hairpin appears to be broken. "debug ip nat" shows nothing from those users. Internal (192.168.0.0/24 and other private networks) work fine.
Doing a "show run virtual-access2.1" shows the "ip nat inside" command cloned across to the interface.
I've changed the config to use the newer NAT NVI stuff (ip nat enable) but the result is the same. Before I go off and download 15.0(1)M3 is there anything else I should be trying?
BTW - yes, I realise there is no "ppp encrypt mppe auto" in the Virtual-Template1 - this is also broken in 15.0 - it should be available with the security feature set but it just doesn't appear as an option to configure - the feature navigator says it is there. Waiting for Cisco to resolve this one too...
B.