02-17-2011 10:30 PM - edited 03-11-2019 12:52 PM
Hi everyone,
I have an issue with PPTP tunnels behind a 7201 router which does NAT Overloading for inside LAN hosts via VRF.
Users in the LAN are unable to establish outgoing PPTP connections to some outside Internet servers.
I had this network up and running with an older Cisco 3745 with c3745-adventerprisek9-mz.124-12.bin
and I didn't have such issues. No specific NAT configuration existed, just an ACL with a NAT overload statement for the outside interface.
Now I have Cisco 7201 router with c7200p-advipservicesk9-mz.124-24.T3.bin IOS image.
Currently NAT is running inside VRF instance.
I found a bug case:
• CSCec30921
Symptoms: Point-to-Point Tunneling Protocol (PPTP) Network Address Translation (NAT) may fail.
Conditions: This symptom is observed on a Cisco router that has the VRF aware NAT feature enabled when the inside interface is part of a Virtual Private Network (VPN) routing and forwarding (VRF) instance and the outside interface is a global interface.
Workaround: Disable Cisco Express Forwarding (CEF). However, this may not be a viable workaround because the Multiprotocol Label Switching (MPLS) VPN requires CEF to be enabled.
But I think it doesn't apply to my case, as I have both "inside" and "outside" interfaces belonging to the VRF, not just "inside" as described above.
I've been wondering if the PPTP Passthrough feature is supported in this IOS version\platform\design.
If yes, I would like to know how to enable it, because on the 3745 I didn't make any specific tuning to NAT overloading to have PPTP work.
I have to keep the VRF aware NAT design in my situation (due to some design limitations). So any suggestions are welcome.
Thanks in advance.
02-17-2011 10:39 PM
02-20-2011 08:39 PM
Does anyone have an idea how to fix this issue? Thanks.
02-20-2011 08:45 PM
That bugid does not apply to 12.4.
02-20-2011 09:08 PM
Hi Phillip,
I do realize it, but this is the only thing I can think of in relation to my situation\issue.
My config looks like this:
interface GigabitEthernet0/0.13
 encapsulation dot1Q 13
 ip vrf forwarding Internet
 ip address y.y.y.1 255.255.255.224 secondary
 ip address y.y.y.2 255.255.255.224 secondary
 ip address x.x.x.x 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/0.17
 encapsulation dot1Q 17
 ip vrf forwarding Internet
 ip address z.z.z.z 255.255.255.0
 ip nat inside
!
ip nat pool POOL_1 y.y.y.1 y.y.y.1 netmask 255.255.255.224
ip nat pool POOL_2 y.y.y.2 y.y.y.2 netmask 255.255.255.224
ip nat inside source list NAT_1 pool POOL_1 vrf Internet overload
ip nat inside source list NAT_2 pool POOL_2 vrf Internet overload
With NAT overload config I have an issue with PPTP tunnels.
If I change NAT config to static 1:1 configuration for some selected LAN hosts - the problem disappears.
Any suggestions are welcome. Thanks.