Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
529
Views
0
Helpful
0
Replies

Can PPTP client, NAT and CEF work together?

aleks222
Level 1
Level 1

‎03-15-2019 08:41 AM

Brief background:
https://community.cisco.com/t5/routing/help-me-setup-nat/m-p/3819225
https://community.cisco.com/t5/routing/help-me-to-understand-the-work-of-nat-via-pptp/m-p/3817794
 
Simple network:
client -> Cisco 881 -> ISP
Bit more details:
client(192.168.0.12) -> Vlan1(192.168.0.3, ip nat inside) -> Dialer0(90.157.26.245, ip nat outside) -> {PPTP tunnel} -> ISP
 
With "ip cef" enabled, NAT does not work properly.NAT transmission of packets coming to the external interface is NOT happening.
 

With "no ip cef" NAT does work properly.

 

The question is how to fix it?
In other words, to make CEF, NAT and PPTP work together.
 

 

cisco.k259#sho run
Building configuration...

Current configuration : 8031 bytes
!
! Last configuration change at 20:02:03 GMT Fri Mar 15 2019 by atest
! NVRAM config last updated at 20:00:34 GMT Fri Mar 15 2019 by atest
!
version 15.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
!
hostname cisco.k259
!
boot-start-marker
boot-end-marker
!
!
logging discriminator FAN-FAIL severity drops 3 facility drops FAN mnemonics drops FAN_FAILED
logging buffered discriminator FAN-FAIL
no logging console
logging monitor discriminator FAN-FAIL
enable secret 5 $1$WSti$mDMsh6sXY2iguEI/Mchiy1
enable password xxxxxxxx_
!
no aaa new-model
memory-size iomem 10
clock timezone GMT 5 0
!
crypto pki trustpoint TP-self-signed-3690135629
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3690135629
 revocation-check none
 rsakeypair TP-self-signed-3690135629
!
!
crypto pki certificate chain TP-self-signed-3690135629
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
        quit
!
!
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.7
!
ip dhcp pool k259
 import all
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 domain-name k259
 dns-server 192.168.0.12 8.8.8.8
 lease 0 2
!
!
!
ip domain name k259
ip name-server 192.168.0.12
ip name-server 8.8.8.8
ip inspect WAAS flush-timeout 10
no ip cef
no ipv6 cef
!
!
vpdn enable
!
vpdn-group PPTP_CLIENT
 description Rostelecom ISP
 request-dialin
  protocol pptp
  pool-member 1
 initiate-to ip 10.0.0.1
!
cts logging verbose
license udi pid CISCO881W-GN-E-K9 sn FCZ164190LZ
!
!
username atest privilege 15 secret 4 6in4Lru2ZZ8N8cUij4q7JvPlkL..hsURCkjm.d4NOR2
!
!
!
!
no cdp run
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 ip address 10.0.47.132 255.255.255.0
 ip flow ingress
 ip flow egress
 duplex auto
 speed auto
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip address 10.10.11.1 255.255.255.0
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 no ip address
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.0.5 255.255.255.0 secondary
 ip address 192.168.0.3 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $ETH-WAN$
 mtu 1450
 ip address negotiated
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1410
 shutdown
 dialer pool 1
 dialer idle-timeout 0
 dialer string 123
 dialer persistent
 dialer vpdn
 ppp authentication ms-chap-v2 callin
 ppp chap hostname 90.157.26.245
 ppp chap password 0 xxxxxxxxx
 no cdp enable
!
ip forward-protocol nd
ip http server
ip http access-class 23
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip http path flash:
!
no ip ftp passive
ip dns server
ip nat translation max-entries all-host 400
ip nat inside source static tcp 192.168.0.12 3389 interface Dialer0 3389
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 101 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 3
ip route 10.0.0.1 255.255.255.255 10.0.47.1
ip route 10.10.11.0 255.255.255.0 wlan-ap0
!
dialer-list 1 protocol ip permit
!
snmp-server community k259 RO
access-list 1 remark internet
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 23 remark CCP_ACL Category=17
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 192.168.0.0 0.0.0.15
access-list 101 remark internet2
access-list 101 remark CCP_ACL Category=2
access-list 101 remark test 2
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
!
 vstack
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
^C
!
line con 0
 login local
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 access-class 23 in
 privilege level 15
 password xxxxxxxx
 login local
 transport input telnet ssh
!
ntp master
ntp update-calendar
ntp server ntp2.stratum2.ru
!
end

 

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card