[c-nsp] NAT hairpin on IOS 15

Brett Looney brett at looney.id.au
Sun Aug 1 23:35:18 EDT 2010


Never mind - dumb user problem on my part. That'll teach me to do stuff on a
Monday morning.

I was looking at the ACL and it was:

	permit ip 192.168.0.0 0.0.0.255 any

whereas it should have been:

	permit ip 192.168.0.0 0.0.255.255 any

All good now. Thanks for sharing in my embarrassment.

B.



-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brett Looney
Sent: Monday, 2 August 2010 10:24
To: 'cisco_nsp'
Subject: [c-nsp] NAT hairpin on IOS 15

Greets,

Running 15.0(1)M2 on a 1941 and have a very simple config:

	ip local pool vpnpool 192.168.8.20 192.168.8.150

	vpdn-group 1
	accept-dialin
	  protocol pptp
	  virtual-template 1

	interface Virtual-Template1
	 ip unnumbered GigabitEthernet0/0
	 ip nat inside
	 peer default ip address pool vpnpool
	 ppp authentication ms-chap-v2 ms-chap

	interface GigabitEthernet0/0
	 ip address 192.168.0.254 255.255.255.0
	 ip nat inside

	interface GigabitEthernet0/1
	 ip address <external> 255.255.255.252
	 ip nat outside

	ip nat inside source list NAT interface GigabitEthernet0/1 overload

Users coming in via PPTP can connect fine and access local resources but
can't access the Internet - NAT hairpin appears to be broken. "debug ip nat"
shows nothing from those users. Internal (192.168.0.0/24 and other private
networks) work fine.

Doing a "show run virtual-access2.1" shows the "ip nat inside" command
cloned across to the interface.

I've changed the config to use the newer NAT NVI stuff (ip nat enable) but
the result is the same. Before I go off and download 15.0(1)M3 is there
anything else I should be trying?

BTW - yes, I realise there is no "ppp encrypt mppe auto" in the
Virtual-Template1 - this is also broken in 15.0 - it should be available
with the security feature set but it just doesn't appear as an option to
configure - the feature navigator says it is there. Waiting for Cisco to
resolve this one too...

B.


_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
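The root cause in the thread was a wildcard mask on the NAT ACL that covered only 192.168.0.0/24, so the PPTP pool (192.168.8.20-192.168.8.150) was never matched and never translated. The following Python checker is an added example, not code from the thread: it evaluates Cisco wildcard-mask ACL entries with IOS first-match semantics and reports which pool addresses a NAT ACL would leave untranslated, for the original and corrected entries quoted above (the destination address 203.0.113.10 is a constructed TEST-NET-3 value standing in for "any Internet host").

```python
import ipaddress

# Constructed from the thread: the NAT ACL entry as first written, and as corrected.
ACL_WRONG = ["permit ip 192.168.0.0 0.0.0.255 any"]
ACL_FIXED = ["permit ip 192.168.0.0 0.0.255.255 any"]

# The PPTP client pool from the original post ("ip local pool vpnpool ...").
POOL_FIRST = "192.168.8.20"
POOL_LAST = "192.168.8.150"


def _to_int(addr):
    """Dotted string (or IPv4Address) to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def _take_addr(tokens):
    """Consume one address spec from the token list: 'any' or 'ADDR WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    return _to_int(tok), _to_int(tokens.pop(0))


def parse_ace(line):
    """Parse 'permit|deny ip SRC DST' into (action, src, src_wild, dst, dst_wild)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    rest = tokens[2:]
    src, src_wild = _take_addr(rest)
    dst, dst_wild = _take_addr(rest)
    return tokens[0], src, src_wild, dst, dst_wild


def _wild_match(addr, ace_addr, wild):
    # Cisco wildcard semantics: a 1 bit means "don't care", so compare only the 0 bits.
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (ace_addr & care)


def acl_permits(acl_lines, src_ip, dst_ip):
    """First-match evaluation with the implicit deny at the end, as IOS does."""
    for line in acl_lines:
        action, src, sw, dst, dw = parse_ace(line)
        if _wild_match(_to_int(src_ip), src, sw) and _wild_match(_to_int(dst_ip), dst, dw):
            return action == "permit"
    return False


def pool_not_translated(acl_lines, first, last, dst="203.0.113.10"):
    """Pool addresses the NAT ACL does not match, i.e. traffic that is never translated."""
    return [str(ipaddress.IPv4Address(n)) for n in range(_to_int(first), _to_int(last) + 1)
            if not acl_permits(acl_lines, ipaddress.IPv4Address(n), dst)]
```

Running `pool_not_translated(ACL_WRONG, POOL_FIRST, POOL_LAST)` lists all 131 pool addresses, while the corrected entry leaves none untranslated; the same check can be run against every inside pool whenever a NAT ACL is edited.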
