L2TP VPDN to VPN provider over a Dialer interface and NAT not working

Jordan Dalley
Level 1

Hi All,

Really strange one. I have a Cisco 2901 (Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M5, RELEASE SOFTWARE (fc1)) which I'm using to initiate an L2TP VPDN connection to an upstream VPN provider (NordVPN).

It works! I get an IP on the Dialer interface, I can ping IPs through the Dialer interface. However, when I ping a host through my NAT from the LAN it doesn't work.

Here's a summary:

Inside Interface: Gi0/1
Internet Interface: Gi0/0
VPN Interface: Dialer0

Config:

vpdn enable
!
vpdn-group l2tp-nordvpn
 request-dialin
  protocol l2tp
  pool-member 1
 ! NordVPN AU Server
 initiate-to ip 107.181.128.59
 no l2tp tunnel authentication
!
interface Dialer0
 description NordVPN Dialer
 ip address negotiated
 ip mtu 1400
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1360
 dialer pool 1
 dialer idle-timeout 0
 dialer string 123
 dialer persistent
 dialer vpdn
 ppp acfc local request
 ppp acfc remote apply
 ppp authentication ms-chap-v2 callin
 ppp chap hostname <nordvpn username>
 ppp chap password <nordvpn password>
 no cdp enable
!
interface GigabitEthernet0/1
 ip address 10.10.0.1 255.255.255.0
 ! other settings removed
 ip nat inside
!
interface GigabitEthernet0/0
 ip address 10.15.0.2 255.255.255.0
!
ip nat inside source list nat interface Dialer0 overload
!
ip access-list standard nat
 permit 10.10.0.0 0.0.0.255
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 10.15.0.1
ip route 8.8.8.8 255.255.255.255 Dialer0
!

Ok.. so here's the output from Dialer0
Dialer0 is up, line protocol is up
Internet address is 10.9.9.11/32
Broadcast address is 255.255.255.255
Address determined by IPCP
............

I can also ping 8.8.8.8 from the router...


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/43/60 ms

Traceroute also shows traffic going via the L2TP tunnel...

If I ping 8.8.8.8 from my workstation on 10.10.0.22 I get...

"debug ip nat" shows..

May 14 17:38:44.099 AEST: NAT*: s=10.10.0.22->10.9.9.11, d=8.8.8.8 [19990]
May 14 17:38:49.099 AEST: NAT*: s=10.10.0.22->10.9.9.11, d=8.8.8.8 [19991]

Should work right? Nope..

The weird thing is.. if I try and ping 8.8.8.8 from the router using the LAN interface of Gi0/1 as the source.. it works..

router1#ping 8.8.8.8 source g0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.10.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/38/52 ms
router1#
May 14 17:41:28.872 AEST: NAT: s=10.10.0.1->10.9.9.11, d=8.8.8.8 [35]
May 14 17:41:28.904 AEST: NAT*: s=8.8.8.8, d=10.9.9.11->10.10.0.1 [6598]
May 14 17:41:28.908 AEST: NAT: s=10.10.0.1->10.9.9.11, d=8.8.8.8 [36]
May 14 17:41:28.960 AEST: NAT*: s=8.8.8.8, d=10.9.9.11->10.10.0.1 [6599]
May 14 17:41:28.960 AEST: NAT: s=10.10.0.1->10.9.9.11, d=8.8.8.8 [37]
May 14 17:41:28.996 AEST: NAT*: s=8.8.8.8, d=10.9.9.11->10.10.0.1 [6618]
May 14 17:41:29.000 AEST: NAT: s=10.10.0.1->10.9.9.11, d=8.8.8.8 [38]
May 14 17:41:29.032 AEST: NAT*: s=8.8.8.8, d=10.9.9.11->10.10.0.1 [6637]
May 14 17:41:29.032 AEST: NAT: s=10.10.0.1->10.9.9.11, d=8.8.8.8 [39]
May 14 17:41:29.068 AEST: NAT*: s=8.8.8.8, d=10.9.9.11->10.10.0.1 [6673]
router1#

Any ideas people??? I'm lost.. this type of NAT setup always works..

The NAT works from the router itself but not for clients on the same LAN segment. Quite obviously a bug??

Cheers,
Jordan.
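
The symptom above (translations logged for the LAN host but no translated replies, while the router-sourced ping shows both directions) can be pulled out of "debug ip nat" output mechanically. The following script is an added example, not part of the original post; it assumes the usual reading of that debug format, where "s=a->b" is an outbound source rewrite, "d=a->b" an inbound destination rewrite, and the asterisk after NAT marks a fast-path (CEF) translation.

```python
import re
from collections import defaultdict

# Constructed sample from the post's "debug ip nat" output: LAN host 10.10.0.22
# shows only outbound translations; the router's own 10.10.0.1 shows both ways.
SAMPLE_DEBUG = """\
May 14 17:38:44.099 AEST: NAT*: s=10.10.0.22->10.9.9.11, d=8.8.8.8 [19990]
May 14 17:38:49.099 AEST: NAT*: s=10.10.0.22->10.9.9.11, d=8.8.8.8 [19991]
May 14 17:41:28.872 AEST: NAT: s=10.10.0.1->10.9.9.11, d=8.8.8.8 [35]
May 14 17:41:28.904 AEST: NAT*: s=8.8.8.8, d=10.9.9.11->10.10.0.1 [6598]
May 14 17:41:28.908 AEST: NAT: s=10.10.0.1->10.9.9.11, d=8.8.8.8 [36]
May 14 17:41:28.960 AEST: NAT*: s=8.8.8.8, d=10.9.9.11->10.10.0.1 [6599]
"""

# "s=a->b" means the source was rewritten (inside->outside); "d=a->b" means the
# destination was rewritten (reply coming back in). The "*" after NAT marks a
# packet translated in the fast (CEF) path rather than process-switched.
LINE_RE = re.compile(
    r"NAT(?P<fast>\*?): s=(?P<src>[\d.]+)(?:->(?P<src_xl>[\d.]+))?, "
    r"d=(?P<dst>[\d.]+)(?:->(?P<dst_xl>[\d.]+))? \[(?P<ident>\d+)\]"
)

def parse_nat_debug(text):
    """One dict per translated packet: inside host, direction, switching path."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a NAT translation line
        if m.group("src_xl"):           # inside -> outside
            host, direction = m.group("src"), "out"
        elif m.group("dst_xl"):         # outside -> inside
            host, direction = m.group("dst_xl"), "in"
        else:
            continue
        packets.append({"host": host, "dir": direction,
                        "fast_path": m.group("fast") == "*"})
    return packets

def flow_summary(text):
    """Per inside host: number of packets translated in each direction."""
    counts = defaultdict(lambda: {"out": 0, "in": 0})
    for p in parse_nat_debug(text):
        counts[p["host"]][p["dir"]] += 1
    return dict(counts)

def one_way_hosts(text):
    """Inside hosts whose packets are translated outbound but never see a reply."""
    return sorted(h for h, c in flow_summary(text).items()
                  if c["out"] > 0 and c["in"] == 0)
```

Running `one_way_hosts(SAMPLE_DEBUG)` returns `['10.10.0.22']`, which is the host that gets no translated replies; the router's own address shows matching out/in counts.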

5 Replies

Jordan Dalley
Level 1

I've also tried the oldest firmware I can get off the Cisco website..

Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.0(1)M10, RELEASE SOFTWARE (fc1)

Still not working.. at a loss :(

The weirdest thing.. if I disable ip cef "no ip cef" it works... bizarre as.

Jordan Dalley
Level 1

Thanks to this article: https://supportforums.cisco.com/discussion/11876091/cef-broken-packets-going-through-ip-nat-inside-vlan-interface

I had to add an access list log which forced cef to process the packets..

ip access-list standard di0-out
 permit any log
!
interface Dialer0
 ip access-group di0-out out

Now all is working. Obviously a bug, but if it works, I'm happy :)

ateulodo
Level 1

Hi Jordan,

I tried to configure my Cisco 1841 to connect with NordVPN, but the command pool-member 1 is no longer available. Can you give me any suggestion, please?

Thanks!

Hi,
I got this working on IOS 15. The pool-member command can be activated by activating "service internal".
I spent much time searching for a solution, so I hope this helps others.
I have no idea what else is activated by this command, so use with caution!