[mdlug] Cisco 2651XM NAT(?) Issues

John R Ayer for.i.am.root at gmail.com
Tue Aug 26 20:53:43 EDT 2014


Hi:

>What type of VPN?  I notice you only seem to be NATing TCP & UDP.  What
>about GRE, AH, ESP, etc... which are *protocols* [as in /etc/protocols,
>not /etc/services].  VPNs are the typical users of these protocols.

The server is an L2TP/IPsec VPN setup using PSK:

options.xl2tpd: http://pastebin.com/CEPpGyDr
xl2tpd.conf: http://pastebin.com/Lw36Yu89
ipsec.conf: http://pastebin.com/VrCmQUjb
protocols: http://pastebin.com/ebVVV3EN

I also changed around the configuration of the router some after doing some
more research:

running config: http://pastebin.com/Y8JTsi1C
new debug: http://pastebin.com/Y8JTsi1C

The debug is acquired via an access-list (75) with permit 172.56.10.0 and
permit 10.13.8.251 and the command debug ip nat 75.

>Consumer grade routers tend to take a NAT-everything approach,
>regardless if that is generally a good idea or not; personally NAT'ing
>GRE, etc... should always be a box someone has to check, but... that
>requires the consumer to do something, and we know how consumers hate
>being forced to act in their own best interest.

>With an enterprise device like Cisco IOS you need to explicitly state
>that you want to NAT the 'weird stuff'.

That makes sense. I'm just not sure what else to forward or what to look
for in the router to find out. I have never had to deal with NAT on Cisco
IOS.

>Would this line be denying connections:
>ip prefix-list dfnet seq 2 deny 69.XX.XX.0/24 le 32

>and be showing in the NAT log lines 34,35,38,39,42,43...: *Mar  1
>21:16:37.606: NAT*: s=10.13.8.251->69.14.XX.XX, d=172.56.XX.XX [46039]

That line is for the BGP tunnel. I don't think it is affecting the
connection here; however, I am not sure. I may remove that rule for further
testing.

All help is greatly appreciated.

Thanks!
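The point raised in the quoted reply, that a NAT list built from "permit tcp" and "permit udp" never translates ESP, can be checked mechanically. The script below is an added example and is not code from the thread or from anyone's router configuration: it parses a simplified extended-ACL grammar (an assumption; real IOS ACLs accept more forms) and reports which of the flows an L2TP/IPsec client needs are left without a matching permit. The sample access list it ships with is constructed to show the typical TCP/UDP-only case; the real list is in the pastebin links above, not here.

```python
"""Check whether a NAT access list covers the flows an L2TP/IPsec client needs.

Added example for illustration; the access list at the bottom is constructed,
not the configuration discussed in the thread.
"""
from dataclasses import dataclass
from typing import Optional

# Flows an L2TP/IPsec (PSK) client opens through the NAT. L2TP itself
# (UDP 1701) travels inside ESP, so the NAT never sees it on its own.
REQUIRED_FLOWS = [
    ("udp", 500, "IKE/ISAKMP negotiation (UDP 500)"),
    ("udp", 4500, "NAT-T, ESP carried in UDP once NAT is detected (UDP 4500)"),
    ("esp", None, "raw ESP (IP protocol 50) when NAT-T is not negotiated"),
]

# Port keywords IOS shows in place of numbers for these services.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "l2tp": 1701}


@dataclass
class Rule:
    action: str          # "permit" or "deny"
    proto: str           # "ip", "tcp", "udp", "esp", "ah", "gre", ...
    port: Optional[int]  # destination port; None means any port


def _skip_address(tokens, i):
    """Return the index after one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[i] == "any":
        return i + 1
    return i + 2  # 'host A' and 'A WILDCARD' both occupy two tokens


def parse_rule(line: str) -> Rule:
    """Parse one line of the simplified grammar (an assumption, not full IOS syntax):
    access-list N <permit|deny> <proto> <src> <dst> [eq <port>]"""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]                 # drop 'access-list' and the list number
    action, proto = t[0], t[1]
    i = _skip_address(t, 2)       # source address spec
    i = _skip_address(t, i)       # destination address spec
    port = None
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        port = int(p) if p.isdigit() else PORT_NAMES[p]
    return Rule(action, proto, port)


def flow_permitted(rules, proto, port) -> bool:
    """First-match semantics with the implicit deny at the end of every ACL."""
    for r in rules:
        if r.proto not in (proto, "ip"):
            continue
        if r.port is not None and r.port != port:
            continue
        return r.action == "permit"
    return False


def missing_flows(acl_lines):
    """Return descriptions of the required flows the access list does not permit."""
    rules = [parse_rule(line) for line in acl_lines]
    return [desc for proto, port, desc in REQUIRED_FLOWS
            if not flow_permitted(rules, proto, port)]


# Constructed sample: the common TCP/UDP-only NAT list.
SAMPLE_ACL = [
    "access-list 101 permit tcp 10.13.8.0 0.0.0.255 any",
    "access-list 101 permit udp 10.13.8.0 0.0.0.255 any",
]

if __name__ == "__main__":
    for gap in missing_flows(SAMPLE_ACL):
        print("not translated:", gap)
```

The check deliberately does not list AH: AH authenticates the outer IP header, so any NAT rewrite breaks it and no ACL entry can make it work. If the list only permits TCP and UDP, the output names raw ESP as the uncovered flow, which is the case where a client that fails to negotiate NAT-T gets an IKE exchange but no tunnel traffic.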
