[mdlug] Cisco 2651XM NAT(?) Issues
John R Ayer
for.i.am.root at gmail.com
Tue Aug 26 20:53:43 EDT 2014
HI:
>What type of VPN? I notice you only seem to be NATing TCP & UDP. What
>about GRE, AH, ESP, etc... which are *protocols* [as in /etc/protocols,
>not /etc/services]. VPNs are the typical users of these protocols.
The server is an L2TP/ipsec VPN setup using PSK:
options.xl2tpd: http://pastebin.com/CEPpGyDr
xl2tpd.conf: http://pastebin.com/Lw36Yu89
ipsec.conf: http://pastebin.com/VrCmQUjb
protocols: http://pastebin.com/ebVVV3EN
I also changed around the configuration of the router some after doing some
more research:
running config: http://pastebin.com/Y8JTsi1C
new debug: http://pastebin.com/Y8JTsi1C
The debug is acquired via an access-list (75) with permit 172.56.10.0 and
permit 10.13.8.251 and the command debug ip nat 75.
>Consumer grade routers tend to take a NAT-everything approach,
>regardless if that is generally a good idea or not; personally NAT'ing
>GRE, etc... should always be a box someone has to check, but... that
>requires the consumer to do something, and we know how consumers hate
>being forced to act in their own best interest.
>With an enterprise device like Cisco ISO you need to explicitly state
>that you want to NAT the 'weird stuff'.
That makes sense. I'm just not sure what else to forward or what to look
for in the router to find out. I have never had to deal with NAT on Cisco
IOS.
>Would this line be denying connections:
>ip prefix-list dfnet seq 2 deny 69.XX.XX.0/24 le 32
>and being showing in the the Nat log Lines 34,35,38,39,42,43...:*Mar 1
21:16:37.606: NAT*: s=10.13.8.251->69.14.XX.XX, d=172.56.XX.XX [46039]
That line is for the BGP tunnel. I don't think it is affecting the
connection here; however, I am not sure. I may remove that rule for further
testing.
All help is greatly appreciated.
Thanks!
More information about the mdlug
mailing list