
Cisco 7201: NAT inside VRF and PPTP VPN Passthrough support

Hi everyone,

I have an issue with PPTP tunnels behind a 7201 router which does NAT Overloading for inside LAN hosts via VRF.

Users in LAN are unable to establish outgoing PPTP connections to some outside Internet servers.

I had this network up and running with an older Cisco3745 with c3745-adventerprisek9-mz.124-12.bin

And I didn't have such issues. No specific NAT configuration existed, just an ACL with a NAT overload statement for the outside interface.

Now I have a Cisco 7201 router with the c7200p-advipservicesk9-mz.124-24.T3.bin IOS image.

Currently NAT is running inside VRF instance.

I found a bug case:


CSCec30921

Symptoms: Point-to-Point Tunneling Protocol (PPTP) Network Address Translation (NAT) may fail.

Conditions: This symptom is observed on a Cisco router that has the VRF aware NAT feature enabled when the inside interface is part of a Virtual Private Network (VPN) routing and forwarding (VRF) instance and the outside interface is a global interface.

Workaround: Disable Cisco Express Forwarding (CEF). However, this may not be a viable workaround because the Multiprotocol Label Switching (MPLS) VPN requires CEF to be enabled.

But I think it doesn't apply to my case as I have both "inside" and "outside" interfaces belonging to the VRF, not just "inside" as it is described above.

I've been wondering if the PPTP Passthrough feature is supported in this IOS version\platform\design.

If yes, I would like to know how to enable it, because on the 3745 I didn't make any specific tuning to NAT overloading to have PPTP work.

I have to keep the VRF aware NAT design in my situation (due to some design limitations). So any suggestions are welcome.

Thanks in advance.


Re: Cisco 7201: PPTP VPN Passthrough support


Re: Cisco 7201: NAT inside VRF and PPTP VPN Passthrough support

Does anyone have an idea how to fix this issue? Thanks.

Cisco Employee

Re: Cisco 7201: NAT inside VRF and PPTP VPN Passthrough support

That bugid does not apply to 12.4.


Re: Cisco 7201: NAT inside VRF and PPTP VPN Passthrough support

Hi Phillip,

I do realize it, but this is the only thing I can think of in relation to my situation\issue.

My config looks like this:

interface GigabitEthernet0/0.13
 encapsulation dot1Q 13
 ip vrf forwarding Internet
 ip address y.y.y.1 255.255.255.224 secondary
 ip address y.y.y.2 255.255.255.224 secondary
 ip address x.x.x.x 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/0.17
 encapsulation dot1Q 17
 ip vrf forwarding Internet
 ip address z.z.z.z 255.255.255.0
 ip nat inside
!
ip nat pool POOL_1 y.y.y.1 y.y.y.1 netmask 255.255.255.224
ip nat pool POOL_2 y.y.y.2 y.y.y.2 netmask 255.255.255.224
ip nat inside source list NAT_1 pool POOL_1 vrf Internet overload
ip nat inside source list NAT_2 pool POOL_2 vrf Internet overload

With NAT overload config I have an issue with PPTP tunnels.

If I change NAT config to static 1:1 configuration for some selected LAN hosts - the problem disappears.

Any suggestions are welcome. Thanks.
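
Added example, not part of the thread and not Cisco IOS code: a simplified Python model of why PPTP data traffic (GRE, which has no ports) depends on the NAT device tracking PPTP Call IDs under overload, while a static 1:1 mapping does not. All addresses, Call IDs and class names are constructed for illustration, and the model makes no claim about the cause of the behaviour reported above.

```python
# Simplified model (constructed addresses and Call IDs) of inbound PPTP GRE
# demultiplexing on a NAT device. Illustration only, not Cisco IOS behaviour.
from typing import Optional

PUBLIC_IP = "198.51.100.1"   # constructed shared (overload) address
SERVER = "203.0.113.10"      # constructed outside PPTP server


class StaticNat:
    """1:1 NAT: each public address maps to exactly one inside host."""
    def __init__(self, mapping):
        self.by_public = dict(mapping)

    def inbound_gre(self, src, dst, call_id) -> Optional[str]:
        return self.by_public.get(dst)   # the address alone identifies the host


class OverloadNat:
    """PAT: many inside hosts share PUBLIC_IP; GRE has no ports to key on."""
    def __init__(self, pptp_aware: bool):
        self.pptp_aware = pptp_aware
        self.calls = {}      # (server, translated call id) -> (host, original id)
        self.next_id = 1

    def outgoing_call_request(self, inside_host, server, call_id) -> int:
        """Client's TCP/1723 control message announcing its Call ID."""
        if not self.pptp_aware:
            return call_id   # payload passes unchanged, no per-call state kept
        new_id, self.next_id = self.next_id, self.next_id + 1
        self.calls[(server, new_id)] = (inside_host, call_id)
        return new_id        # Call ID rewritten to be unique per server

    def inbound_gre(self, src, dst, call_id):
        """Server-to-client GRE; returns (inside host, call id) or None."""
        if dst != PUBLIC_IP:
            return None
        return self.calls.get((src, call_id))


def run(nat):
    # Two inside hosts that happen to pick the same Call ID toward one server.
    results = []
    for host in ("10.0.0.11", "10.0.0.12"):
        seen_by_server = nat.outgoing_call_request(host, SERVER, 7)
        results.append(nat.inbound_gre(SERVER, PUBLIC_IP, seen_by_server))
    return results
```

In this model the overload NAT without Call ID tracking cannot match returning GRE to either host, the PPTP-aware one delivers each tunnel to the right host, and the static mapping needs no Call ID state at all.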