[mdlug] Cisco 2651XM NAT(?) Issues

Tony Bemus tony at bemushosting.com
Tue Aug 26 10:09:21 EDT 2014


Would this line be denying connections:
ip prefix-list dfnet seq 2 deny 69.XX.XX.0/24 le 32

and be showing in the NAT log lines 34, 35, 38, 39, 42, 43...:
*Mar  1 21:16:37.606: NAT*: s=10.13.8.251->69.14.XX.XX, d=172.56.XX.XX [46039]

-- 
Tony Bemus
Bemus Website Hosting, Design, and Computer Svcs
http://www.bemushosting.com
Phone: 734-258-7009


From: Adam Tauno Williams <awilliam at whitemice.org>
Reply-to: awilliam at whitemice.org, MDLUG's Main discussion list 
<mdlug at mdlug.org>
To: mdlug at mdlug.org
Subject: Re: [mdlug] Cisco 2651XM NAT(?) Issues
Date: Mon, 25 Aug 2014 06:26:17 -0400
 
On Sun, 2014-08-24 at 16:06 -0400, John R Ayer wrote:
> I'm having some issues with my Cisco router, not exactly Linux; however,
> I've seen a lot of knowledge here and hoping someone can help me out with
> it.
> I cannot connect to my Ubuntu based VPN server through a Cisco 2651XM
> router; however, I can connect through a consumer grade TP-Link router.
> Network map looks like:
> Router: Cisco 2651XM (10.13.8.254) <--> Switch: Cisco Catalyst
> WS-C2960G-24TC-L (10.13.8.21) <--> Ubuntu VPN Server (10.13.8.251)
> I can see the initial connection hit the server; however, the connection
> times out shortly after. I know I am missing something stupid but I cannot
> put my finger on it. The connection attempt is coming from my cell phone
> (T-Mobile LTE) which is the same device that worked before installing the
> 2651.
> Does anyone want to point out the obvious to me?
 
What type of VPN?  I notice you only seem to be NATing TCP & UDP.  What
about GRE, AH, ESP, etc... which are *protocols* [as in /etc/protocols,
not /etc/services].  VPNs are the typical users of these protocols.
 
> I did not include the config files for the VPN server because it works
> with a consumer grade router instead of the Cisco. If they are relevant
> let me know and I will update.
 
Consumer grade routers tend to take a NAT-everything approach,
regardless if that is generally a good idea or not; personally NAT'ing
GRE, etc... should always be a box someone has to check, but... that
requires the consumer to do something, and we know how consumers hate
being forced to act in their own best interest.
 
With an enterprise device like Cisco IOS you need to explicitly state
that you want to NAT the 'weird stuff'.
 
>  2651 config: http://pastebin.com/ZPtamrV6
>  2651 nat debug: http://pastebin.com/481KrAgm
>  Syslog: http://pastebin.com/s0tqVMn3
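As an added example (not from the thread, and not the poster's pastebin config): a small Python check that parses an IOS-style NAT configuration, lists which IP protocols NAT will actually translate for the inside host, and compares that against what each VPN type needs, which is the gap Adam is pointing at. The config fragments, the VPN_NEEDS table and the function names are constructed for illustration.

```python
import re

# Constructed IOS config fragment (an assumption, not the poster's pastebin),
# modelled on the thread: the VPN host only has TCP and UDP translated.
SAMPLE_CONFIG = """
ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.13.8.251 1723 interface FastEthernet0/0 1723
access-list 101 permit tcp 10.13.8.0 0.0.0.255 any
access-list 101 permit udp 10.13.8.0 0.0.0.255 any
"""
# The same config with the "weird stuff" explicitly admitted to NAT.
FIXED_CONFIG = SAMPLE_CONFIG + """
access-list 101 permit gre 10.13.8.0 0.0.0.255 any
access-list 101 permit esp 10.13.8.0 0.0.0.255 any
"""
# IP protocols each VPN type needs translated (assumed table).
VPN_NEEDS = {"pptp": {"tcp", "gre"}, "ipsec": {"udp", "esp"},
             "l2tp-ipsec": {"udp", "esp"}, "openvpn": {"udp"}}
NUMERIC = {"47": "gre", "50": "esp", "51": "ahp"}  # numeric -> ACL keyword

def nat_protocols(config):
    """Return the IP protocol keywords NAT will translate; 'ip' means all.
    Numbered ACLs only; named 'ip access-list' blocks are not parsed here."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    protos, acls = set(), set()
    for l in lines:                          # pass 1: NAT rules
        dyn = re.match(r"ip nat inside source list (\S+) ", l)
        port = re.match(r"ip nat inside source static (tcp|udp) ", l)
        if dyn:
            acls.add(dyn.group(1))           # dynamic/overload via an ACL
        elif port:
            protos.add(port.group(1))        # port-level static: one protocol
        elif re.match(r"ip nat inside source static \d", l):
            protos.add("ip")                 # 1:1 static: every protocol
    for l in lines:                          # pass 2: what those ACLs permit
        m = re.match(r"access-list (\S+) permit (\S+)", l)
        if not m or m.group(1) not in acls:
            continue
        proto = m.group(2)
        if proto in ("any", "host") or re.match(r"\d+\.\d+", proto):
            proto = "ip"                     # standard ACL: all protocols
        protos.add(NUMERIC.get(proto, proto))
    return protos

def missing_for(config, vpn):
    """Protocols a VPN of the given type needs that NAT will not translate."""
    have = nat_protocols(config)
    return set() if "ip" in have else VPN_NEEDS[vpn] - have
```

Run against the sample config, PPTP reports `gre` missing and IPsec reports `esp` missing, while OpenVPN over UDP needs nothing extra.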
 