Help me to understand the work of NAT via PPTP

aleks222
Level 1

I cannot understand how NAT works here.

 

1. Cisco 881

2. PPTP tunnel to the internet provider.

3. NAT on the tunnel.

4. DNS queries pass through NAT successfully.

Mar 11 17:26:05.767: NAT: s=192.168.0.12->90.157.26.245, d=8.8.8.8 [1331]
Mar 11 17:26:05.811: NAT: s=8.8.8.8, d=90.157.26.245->192.168.0.12 [2313]

 

5. All other requests (ping, RDP, HTTP) do not pass through NAT. More precisely, the NAT translation of the request is present, but the reply is absent entirely, as if the server never responded.

Mar 11 17:26:06.527: NAT*: s=192.168.0.12->90.157.26.245, d=213.189.197.94 [29678] 
Mar 11 17:26:07.527: NAT*: s=192.168.0.12->90.157.26.245, d=213.189.197.94 [29679]
Mar 11 17:26:09.527: NAT*: s=192.168.0.12->90.157.26.245, d=213.189.197.94 [29680]

 

cisco.k259#ping 213.189.197.94 df-bit size 1436
Sending 5, 1436-byte ICMP Echos to 213.189.197.94, timeout is 2 seconds:
Packet sent with the DF bit set
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/29/32 ms

 

Help me understand the essence of the error.

 

cisco.k259#show run
Building configuration...

Current configuration : 7255 bytes
!
! Last configuration change at 22:08:00 GMT Mon Mar 11 2019 by atest
! NVRAM config last updated at 14:43:41 GMT Sun Mar 10 2019 by atest
!
version 15.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
!
hostname cisco.k259
!
boot-start-marker
boot-end-marker
!
!
logging discriminator FAN-FAIL severity drops 3 facility drops FAN mnemonics drops FAN_FAILED
logging buffered discriminator FAN-FAIL
no logging console
logging monitor discriminator FAN-FAIL
enable secret 5 $1$WSti$mDMsh6sXY2iguEI/Mchiy1
enable password xxxxxxxx_
!
no aaa new-model
memory-size iomem 10
clock timezone GMT 5 0
!
crypto pki trustpoint TP-self-signed-3690135629
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3690135629
 revocation-check none
 rsakeypair TP-self-signed-3690135629
!
!
crypto pki certificate chain TP-self-signed-3690135629
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
        quit
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.7
!
ip dhcp pool k259
 import all
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.3
 domain-name k259
 dns-server 192.168.0.12 8.8.8.8
 lease 0 2
!
!
!
ip domain name k259
ip name-server 192.168.0.12
ip inspect WAAS flush-timeout 10
ip cef
no ipv6 cef
!
!
vpdn enable
!
vpdn-group PPTP_CLIENT
 description Rostelecom ISP
 request-dialin
  protocol pptp
  pool-member 1
 initiate-to ip 10.0.0.1
!
cts logging verbose
license udi pid CISCO881W-GN-E-K9 sn FCZ164190LZ
!
!
username atest privilege 15 secret 4 6in4Lru2ZZ8N8cUij4q7JvPlkL..hsURCkjm.d4NOR2
!
!
!
!
no cdp run
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 ip address 10.0.47.132 255.255.255.0
 duplex auto
 speed auto
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip address 10.10.11.1 255.255.255.0
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 no ip address
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.0.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1360
!
interface Dialer0
 description $ETH-WAN$
 mtu 1436
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1360
 dialer pool 1
 dialer idle-timeout 0
 dialer string 123
 dialer persistent
 dialer vpdn
 ppp authentication ms-chap-v2 callin
 ppp chap hostname 90.157.26.245
 ppp chap password 0 XXXXXXXXXX
 no cdp enable
!
ip forward-protocol nd
ip http server
ip http access-class 23
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip http path flash:
!
no ip ftp passive
ip dns server
ip nat translation max-entries all-host 400
ip nat inside source static tcp 192.168.0.12 3389 interface Dialer0 3389
ip nat inside source list 101 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 3
ip route 10.0.0.1 255.255.255.255 10.0.47.1
ip route 10.10.11.0 255.255.255.0 wlan-ap0
!
dialer-list 1 protocol ip permit
!
snmp-server community k259 RO
access-list 1 remark internet
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 23 remark CCP_ACL Category=17
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 192.168.0.0 0.0.0.15
access-list 101 remark internet2
access-list 101 remark CCP_ACL Category=2
access-list 101 remark test 2
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 150 remark WAN rule
access-list 150 remark CCP_ACL Category=1
access-list 150 remark WAN rule entry
access-list 150 permit ip any any
!
 vstack
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
^C
!
line con 0
 login local
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 access-class 23 in
 privilege level 15
 password xxxxxxxx
 login local
 transport input telnet ssh
!
ntp master
ntp update-calendar
ntp server ntp2.stratum2.ru
!
end
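As an added example (not part of the original post), the check below does by script what the question does by eye: it parses the `debug ip nat` lines quoted in points 4 and 5, pairs each outbound translation (`s=inside->global`) with its reverse translation (`d=global->inside`), and reports flows that were translated out but never saw a translated reply. The line format is taken from the quoted log; the sample lines are the ones from the post.

```python
import re
from collections import defaultdict

# Cisco "debug ip nat" line format, as quoted in the post. "NAT*" marks a
# packet translated in the fast (CEF) path; both variants carry the same fields.
_NAT_RE = re.compile(
    r"NAT\*?: s=(?P<s>[\d.]+)(?:->(?P<s_xlated>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d_xlated>[\d.]+))? \[(?P<ipid>\d+)\]"
)

def parse_nat_line(line):
    """Return (direction, inside, global, remote, ip_id) or None.

    Outbound: s=inside->global, d=remote   (inside source rewritten)
    Inbound:  s=remote, d=global->inside   (destination rewritten back)
    """
    m = _NAT_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    if g["s_xlated"]:
        return ("out", g["s"], g["s_xlated"], g["d"], int(g["ipid"]))
    if g["d_xlated"]:
        return ("in", g["d_xlated"], g["d"], g["s"], int(g["ipid"]))
    return None

def flow_summary(lines):
    """Count outbound/inbound translations per (inside, global, remote)."""
    counts = defaultdict(lambda: {"out": 0, "in": 0})
    for line in lines:
        rec = parse_nat_line(line)
        if rec:
            direction, inside, global_ip, remote, _ = rec
            counts[(inside, global_ip, remote)][direction] += 1
    return dict(counts)

def unanswered_flows(lines):
    """Flows translated outbound that never saw a translated reply."""
    return sorted(k for k, c in flow_summary(lines).items()
                  if c["out"] and not c["in"])

# Constructed sample: the debug lines quoted in points 4 and 5 of the question.
SAMPLE = """\
Mar 11 17:26:05.767: NAT: s=192.168.0.12->90.157.26.245, d=8.8.8.8 [1331]
Mar 11 17:26:05.811: NAT: s=8.8.8.8, d=90.157.26.245->192.168.0.12 [2313]
Mar 11 17:26:06.527: NAT*: s=192.168.0.12->90.157.26.245, d=213.189.197.94 [29678]
Mar 11 17:26:07.527: NAT*: s=192.168.0.12->90.157.26.245, d=213.189.197.94 [29679]
Mar 11 17:26:09.527: NAT*: s=192.168.0.12->90.157.26.245, d=213.189.197.94 [29680]
""".splitlines()

if __name__ == "__main__":
    for inside, global_ip, remote in unanswered_flows(SAMPLE):
        print(f"no reply: {inside} -> {global_ip} -> {remote}")
```

Run against a longer `debug ip nat` capture, the output lists exactly the destinations for which the router translated the request but never saw a return packet to translate back.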

19 Replies

Deepak Kumar
VIP Alumni

Hi,

I see that you have configured a NAT limit of 400. Has it been tested in your network? I have two suggestions for you:

 

1. Remove the rate limit command

no ip nat translation max-entries all-host 400

 

2. Increase the MSS and MTU on the WAN and LAN interfaces.

interface Dialer0
 description $ETH-WAN$
 mtu 1492
 ip tcp adjust-mss 1452
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip tcp adjust-mss 1452

 

 

Regards,

Deepak Kumar


I am grateful for the answer, but it does not resolve the main contradiction: DNS packets are transmitted successfully, all others are not.

 

Your suggestions may improve performance, but it is unclear how they would solve the problem of packets not getting through.

Hello,

 

On a side note, ping uses the outgoing interface by default; that is probably why you see the debug output you posted. Try:

 

cisco.k259#ping 213.189.197.94 df-bit size 1436 source 192.168.0.3

The quoted debug log is for a client from the intranet.

Hello,

 

192.168.0.12 is the DNS and IP name server configured on your router. What debug output do you get from a different PC, not the name server?

There are no other client computers on the network. This is a test environment.
But how is this client different from any other?

Hello


@aleks222 wrote:

5. All other requests (ping, RDP, http) do not pass through NAT. More precisely, NAT request conversion is present, but


FYI - sometimes NAT won't translate traffic from the rtr itself, so you may not see any translation. Best to test internally from a host behind the stated inside interface.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

This is the result from using the inside interface as source:

 

R1#ping 8.8.8.8 df-bit size 1436 source gigabitEthernet 0/1
Type escape sequence to abort.
Sending 5, 1436-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
Packet sent with the DF bit set
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 15/15/16 ms
R1#
*Mar 12 08:39:58.415: NAT: s=192.168.10.1->192.168.122.14, d=8.8.8.8 [37]
*Mar 12 08:39:58.428: NAT*: s=8.8.8.8, d=192.168.122.14->192.168.10.1 [65354]
*Mar 12 08:39:58.430: NAT: s=192.168.10.1->192.168.122.14, d=8.8.8.8 [38]
*Mar 12 08:39:58.444: NAT*: s=8.8.8.8, d=192.168.122.14->192.168.10.1 [65355]
*Mar 12 08:39:58.447: NAT: s=192.168.10.1->192.168.122.14, d=8.8.8.8 [39]
*Mar 12 08:39:58.461: NAT*: s=8.8.8.8, d=192.168.122.14->192.168.10.1 [65356]
*Mar 12 08:39:58.464: NAT: s=192.168.10.1->192.168.122.14, d=8.8.8.8 [40]
*Mar 12 08:39:58.478: NAT*: s=8.8.8.8, d=192.168.122.14->192.168.10.1 [65357]
*Mar 12 08:39:58.480: NAT: s=192.168.10.1->192.168.122.14, d=8.8.8.8 [41]

Hello

@Georg Pauwen cheers for this validation. I assume that was domain-based NAT you tested?

I don't have access to test myself at present, but if you could, try domain-less (NVI) NAT and see if you obtain the same results. My understanding is it may not work, because the NAT order of operations is different with the double RIB check it performs.



Kind Regards
Paul

@Georg Pauwen 

FYI, here are the results from NVI NAT, as I stated earlier today - showing failure when sourced from the WAN rtr's LAN-facing NATted interface.

Test 1 - WAN rtr LAN-facing interface using NVI NAT
sh ip nat nvi translations
debug ip nat
debug ip packet detail

Fa0/1
ip nat enable

ping 8.8.8.8 source fa0/1 repeat 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.1.15.1

*Mar 1 03:21:46.911: IP: tableid=0, s=10.1.15.1 (local), d=8.8.8.8 (FastEthernet0/0), routed via FIB <- RIB lookup is performed and the packet is not forwarded to the NVI interface, so no translation; as a result 8.8.8.8 doesn't have a route back to 10.1.15.1
*Mar 1 03:21:46.911: IP: s=10.1.15.1 (local), d=8.8.8.8 (FastEthernet0/0), len 100, sending
*Mar 1 03:21:46.911: ICMP type=8, code=0.
*Mar 1 03:21:48.911: IP: tableid=0, s=10.1.15.1 (local), d=8.8.8.8 (FastEthernet0/0), routed via FIB
*Mar 1 03:21:48.911: IP: s=10.1.15.1 (local), d=8.8.8.8 (FastEthernet0/0), len 100, sending
*Mar 1 03:21:48.911: ICMP type=8, code=0.
Success rate is 0 percent (0/2) <---------------------FAILED

sh ip nat nvi translations
<----------empty



Test 2 - Lan host 1 (10.1.15.5) located behind fa0/1 of the lan facing interface on wan rtr using NVI nat
LanHost 1
ping 8.8.8.8 re 2
Mar 1 03:24:55.475: IP: tableid=0, s=8.8.8.8 (FastEthernet0/0), d=10.1.16.1 (FastEthernet0/0), routed via RIB <- return path rib lookup first
*Mar 1 03:24:55.475: IP: tableid=0, s=8.8.8.8 (FastEthernet0/0), d=10.1.15.5 (FastEthernet0/1), routed via RIB Then nat translation
*Mar 1 03:24:55.475: IP: s=8.8.8.8 (FastEthernet0/0), d=10.1.15.5 (FastEthernet0/1), g=10.1.15.5, len 100, forward
*Mar 1 03:24:55.475: ICMP type=0, code=0
*Mar 1 03:24:55.519: IP: tableid=0, s=8.8.8.8 (FastEthernet0/0), d=10.1.16.1 (FastEthernet0/0), routed via RIB -
*Mar 1 03:24:55.519: IP: tableid=0, s=8.8.8.8 (FastEthernet0/0), d=10.1.15.5 (FastEthernet0/1), routed via RIB
*Mar 1 03:24:55.519: IP: s=8.8.8.8 (FastEthernet0/0), d=10.1.15.5
WANrtr# (FastEthernet0/1), g=10.1.15.5, len 100, forward
*Mar 1 03:24:55.519: ICMP type=0, code=0

sh ip nat nvi translations
Pro Source global Source local Destin local Destin global
icmp 10.1.16.1:16 10.1.15.5:16 8.8.8.8:16 8.8.8.8:16  <---- Success



Kind Regards
Paul

Hello

 


@aleks222 wrote:

ip dhcp pool k259
 import all  <------------------------either import DHCP options from your upstream or don't
 dns-server 192.168.0.12 8.8.8.8 <---------not required if you're using import; if you need your users to use a public DNS server then use Cisco's Umbrella public DNS - 208.67.220.220, 208.67.222.222

ip name-server 192.168.0.12 <----------------why do you need the router to perform dns forwarding?
ip inspect WAAS flush-timeout 10 <--------------no CBAC applied, not required
ip dns server <-------------------------why do you need the rtr to be a dns server?
ntp master <----------------------------ntp master -- not required suggest point to a ntp server

access-list 101 <--- change to a /24 subnet


 



Kind Regards
Paul

What do we have to do with DHCP? It is not used.
Yes, I plan to use the router as a DNS server.
Yes, I want to use the router as a central time server.

How does this affect packet passing through NAT?

Hello


@aleks222 wrote:
What do we have to do with DHCP? It is not used.
Yes, I plan to use the router as a DNS server.
Yes, I want to use the router as a central time server.

How does this affect packet passing through NAT?

No DHCP - then you need to make sure all your hosts are configured with non-duplicate IP addresses, with a default gateway of the WAN rtr's LAN interface and with specified DNS servers.

 

WAN rtr as DNS server - so what's your reasoning for having such a small rtr perform DNS resolution and forwarding?

 

ntp stratum master - again for such a small rtr why would you want to -

 

These last two above will only incur unwarranted CPU and memory load on the rtr - if you want to use these features, why not have a server perform the job instead?



Kind Regards
Paul

A network of up to 10 clients is not an excessive load.