[mdlug] Cisco 2651XM NAT(?) Issues

Adam Tauno Williams awilliam at whitemice.org
Mon Aug 25 06:26:17 EDT 2014


On Sun, 2014-08-24 at 16:06 -0400, John R Ayer wrote: 
> I'm having some issues with my Cisco router, not exactly Linux; however,
> I've seen a lot of knowledge here and hoping someone can help me out with
> it.
> I cannot connect to my Ubuntu based VPN server through a Cisco 2651XM
> router; however, I can connect through a consumer grade TP-Link router.
> Network map looks like:
> Router: Cisco 2651XM (10.13.8.254) <--> Switch: Cisco Catalyst
> WS-C2960G-24TC-L (10.13.8.21) <--> Ubuntu VPN Server (10.13.8.251)
> I can see the initial connection hit the server; however, the connection
> times out shortly after. I know I am missing something stupid but I cannot
> put my finger on it. The connection attempt is coming from my cell phone
> (T-Mobile LTE) which is the same device that worked before installing the
> 2651.
> Does anyone want to point out the obvious to me?

What type of VPN?  I notice you only seem to be NATing TCP & UDP.  What
about GRE, AH, ESP, etc... which are *protocols* [as in /etc/protocols,
not /etc/services].  VPNs are the typical users of these protocols.

> I did not include the config files for the VPN server because it works with
> a consumer grade router instead of the Cisco. If they are relevant let me
> know and I will update.

Consumer grade routers tend to take a NAT-everything approach,
regardless if that is generally a good idea or not; personally NAT'ing
GRE, etc... should always be a box someone has to check, but... that
requires the consumer to do something, and we know how consumers hate
being forced to act in their own best interest.

With an enterprise device like Cisco IOS you need to explicitly state
that you want to NAT the 'weird stuff'.

> 2651 config: http://pastebin.com/ZPtamrV6
> 2651 nat debug: http://pastebin.com/481KrAgm
> Syslog: http://pastebin.com/s0tqVMn3

-- 
Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA
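
The check suggested in the reply above, as an added example that is not part of the original thread: compare the static NAT entries for the VPN server with what common VPN types need forwarded, including the IP protocols that have no port. The config lines, interface name and 203.0.113.10 address are constructed (the pastebin contents are not on this page), and the VPN type is an assumption since the thread never states it.

```python
import re

# What each VPN type needs forwarded to the server (standard defaults).
# A port of None means an IP protocol with no ports, as listed in
# /etc/protocols (GRE is 47, ESP is 50), not a TCP/UDP service.
VPN_NEEDS = {
    "pptp": [("tcp", 1723), ("gre", None)],
    "ipsec-esp": [("udp", 500), ("esp", None)],
    "ipsec-nat-t": [("udp", 500), ("udp", 4500)],
    "openvpn": [("udp", 1194)],
}

# Port-based static entry: covers exactly one TCP or UDP port.
PORT_RULE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) ")
# Address-only static entry: translates by IP address, not tied to a port.
HOST_RULE = re.compile(
    r"^ip nat inside source static (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})\s*$")

def forwarded(config, server):
    """Return (set of (proto, port) forwards, True if an address-only entry exists)."""
    ports, whole_host = set(), False
    for line in config.splitlines():
        line = line.strip()
        m = PORT_RULE.match(line)
        if m and m.group(2) == server:
            ports.add((m.group(1), int(m.group(3))))
        m = HOST_RULE.match(line)
        if m and m.group(1) == server:
            whole_host = True
    return ports, whole_host

def missing(config, server, vpn):
    """List the (proto, port) needs of this VPN type that no static entry covers."""
    ports, whole_host = forwarded(config, server)
    if whole_host:
        return []
    return [need for need in VPN_NEEDS[vpn] if need not in ports]

# Constructed sample: only TCP and UDP ports are forwarded to the VPN server.
SAMPLE = """\
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.13.8.251 1723 interface FastEthernet0/0 1723
ip nat inside source static udp 10.13.8.251 500 interface FastEthernet0/0 500
"""

if __name__ == "__main__":
    for vpn in VPN_NEEDS:
        print(vpn, "missing:", missing(SAMPLE, "10.13.8.251", vpn))
```

An entry reported as missing only means no static rule names it; whether the router passes that protocol some other way still has to be confirmed from the NAT debug output.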


