Jordan Dalley

L2TP VPDN to VPN provider over a Dialer interface and NAT not working

Hi All,

Really strange one. I have a Cisco 2901 (Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M5, RELEASE SOFTWARE (fc1)) which I'm using to initiate an L2TP VPDN connection to an upstream VPN provider (NordVPN).

It works! I get an IP on the Dialer interface, I can ping IPs through the Dialer interface. However, when I ping a host through my NAT from the LAN it doesn't work.

Here's a summary:

Inside Interface: Gi0/1
Internet Interface: Gi0/0
VPN Interface: Dialer0


vpdn enable
!
vpdn-group l2tp-nordvpn
 protocol l2tp
 pool-member 1
 ! NordVPN AU Server
 initiate-to ip
 no l2tp tunnel authentication
!
interface Dialer0
 description NordVPN Dialer
 ip address negotiated
 ip mtu 1400
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1360
 dialer pool 1
 dialer idle-timeout 0
 dialer string 123
 dialer persistent
 dialer vpdn
 ppp acfc local request
 ppp acfc remote apply
 ppp authentication ms-chap-v2 callin
 ppp chap hostname <nordvpn username>
 ppp chap password <nordvpn password>
 no cdp enable
!
interface GigabitEthernet0/1
 ip address
 ! other settings removed
 ip nat inside
!
interface GigabitEthernet0/0
 ip address
!
ip nat inside source list nat interface Dialer0 overload
ip access-list standard nat
!
ip route GigabitEthernet0/0
ip route Dialer0

Ok.. so here's the output from Dialer0
Dialer0 is up, line protocol is up
Internet address is
Broadcast address is
Address determined by IPCP

I can also ping from the router...

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/43/60 ms

Traceroute also shows traffic going via the L2TP tunnel...

If I ping from my workstation on I get...

"debug ip nat" shows..

May 14 17:38:44.099 AEST: NAT*: s=>, d= [19990]
May 14 17:38:49.099 AEST: NAT*: s=>, d= [19991]

Should work right? Nope..

The weird thing is.. if I try and ping from the router using the LAN interface of Gi0/1 as the source.. it works..

router1#ping source g0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Packet sent with a source address of
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/38/52 ms
May 14 17:41:28.872 AEST: NAT: s=>, d= [35]
May 14 17:41:28.904 AEST: NAT*: s=, d=> [6598]
May 14 17:41:28.908 AEST: NAT: s=>, d= [36]
May 14 17:41:28.960 AEST: NAT*: s=, d=> [6599]
May 14 17:41:28.960 AEST: NAT: s=>, d= [37]
May 14 17:41:28.996 AEST: NAT*: s=, d=> [6618]
May 14 17:41:29.000 AEST: NAT: s=>, d= [38]
May 14 17:41:29.032 AEST: NAT*: s=, d=> [6637]
May 14 17:41:29.032 AEST: NAT: s=>, d= [39]
May 14 17:41:29.068 AEST: NAT*: s=, d=> [6673]

Any ideas people??? I'm lost.. this type of NAT setup always works..

The NAT works from the router itself but not for clients on the same LAN segment. Quite obviously a bug??
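An added example, not from the thread: a small Python parser for "debug ip nat" lines that flags flows which were translated outbound but never saw a reverse translation, which is the symptom in the LAN-sourced debug above. The addresses in the sample lines are constructed placeholders, since the post's own addresses were sanitized.

```python
import re
from collections import defaultdict

# Constructed samples standing in for the sanitized debug output in the post.
# IOS prints "NAT*" for CEF/fast-switched packets and "NAT:" for process-switched.
# Outbound: s=<inside-local>-><inside-global>, d=<outside>
# Return:   s=<outside>, d=<inside-global>-><inside-local>
SAMPLE_LAN = """\
May 14 17:38:44.099 AEST: NAT*: s=192.0.2.10->203.0.113.5, d=198.51.100.1 [19990]
May 14 17:38:49.099 AEST: NAT*: s=192.0.2.10->203.0.113.5, d=198.51.100.1 [19991]
"""
SAMPLE_ROUTER = """\
May 14 17:41:28.872 AEST: NAT: s=192.0.2.1->203.0.113.5, d=198.51.100.1 [35]
May 14 17:41:28.904 AEST: NAT*: s=198.51.100.1, d=203.0.113.5->192.0.2.1 [6598]
"""

LINE_RE = re.compile(
    r"NAT(?P<fast>\*?): s=(?P<s>[\d.]+)(?:->(?P<s2>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d2>[\d.]+))? \[(?P<id>\d+)\]"
)


def parse_nat_debug(text):
    """Count per flow (inside-local, outside): outbound vs return translations,
    and how many were fast-switched (NAT*) vs process-switched (NAT:)."""
    flows = defaultdict(lambda: {"out": 0, "in": 0, "fast": 0, "process": 0})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if m["s2"]:  # source rewritten: LAN host going out
            key = (m["s"], m["d"])
            flows[key]["out"] += 1
        elif m["d2"]:  # destination rewritten back: reply coming in
            key = (m["d2"], m["s"])
            flows[key]["in"] += 1
        else:
            continue
        flows[key]["fast" if m["fast"] else "process"] += 1
    return dict(flows)


def unanswered_flows(text):
    """Flows translated outbound with no reverse translation seen at all."""
    return sorted(k for k, v in parse_nat_debug(text).items()
                  if v["out"] and not v["in"])
```

Running it on the LAN sample reports the one-way flow; on the router-sourced sample every outbound translation has its reply, matching what the two debug captures show.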


Jordan Dalley

I've also tried the oldest firmware I can get off the Cisco website..

Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.0(1)M10, RELEASE SOFTWARE (fc1)

Still not working.. at a loss :(

The weirdest thing.. if I disable ip cef "no ip cef" it works... bizarre as.

Jordan Dalley

Thanks to this article:

I had to add an access list with log, which forced CEF to process the packets..

ip access-list standard di0-out
 permit any log
!
interface Dialer0
 ip access-group di0-out out

Now all is working. Obviously a bug, but if it works, I'm happy :)


Hi Jordan,

I tried to configure my Cisco 1841 to connect with NordVPN but the command pool-member 1 is no longer available, can you give me please any suggestion?


I got this working on IOS 15, the pool-member command can be activated by activating "service internal".
I spent much time searching for a solution, so I hope this helps others.
I have no idea what else is activated by this command, so use with caution!
