How to exclude NAT to occur ?

Unanswered Question
Nov 14th, 2008

Dear colleagues,

I'm using Cisco 2811 for gateway router in our office. It's not a big deal, just a few services but now I'm experiencing the following problem.

I've got dedicated range of IPv4 addresses which are provided by local ISP. I'm using one of these addresses to create static translations from outside-to-inside (I have a mail,web and dns server that must be reached from all over the world). Moreover, I've installed cisco eazyvpn to terminate our mobile users who travel with their notebooks, phones and etc. I'm mentioning the EasyVPN because it's the primary reason to use cisco's 'ip nat enable' feature instead of 'ip nat inside/outside' applied on interface (Because I want all the network traffic generated from mobile users to be translated by our router. Since there is no other way to make `inside` interface `outside` (because all the traffic is comming/going through the WAN interface where the crypto map is applyed) I have to use the NVI interface for that purpose. Also, I have to use PPtP for devices that don't support Cisco's VPN service and this is the main problem! Everything works fine, except one thing - static translation!

Let me introduce you my current configuration:

interface FastEthernet0/0.301 (WAN LINK)

encapsulation dot1Q 301

ip address X.X.X.X 255.255.255.X

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat enable

ip virtual-reassembly

no cdp enable

crypto map IPSec

interface FastEthernet0/1.302 (LAN LINK)

bandwidth 100

encapsulation dot1Q 302

ip address

ip nbar protocol-discovery

ip nat enable

ip virtual-reassembly

interface Virtual-Template1 (PPTP IF)

ip address

ip mtu 1460

ip virtual-reassembly

ip tcp adjust-mss 1400

ip nat enable

ip ospf network point-to-point

ip ospf 100 area 0

load-interval 30

keepalive 3600 168

compress mppc

ppp encrypt mppe auto

ppp authentication ms-chap ms-chap-v2


NAT config:

ip nat source list office interface FastEthernet0/0.301 overload

ip nat source static tcp 8888 interface FastEthernet0/0.301 8888

Router#show ip nat nvi translations

Pro Source global Source local Destin local Destin global

tcp X.X.X.X:8888 --- ---

Now, when I log into VPN using PPTP, I'm recieving ip address Whit this address, I'm trying to open the following URL:

And the result actually is my real problem:

border#show ip nat nvi translations verbose

tcp X.X.X.X:8888

create 00:00:40, use 00:00:19 timeout:300000, left 00:00:40,


extended, limited, nvi-entry, use_count: 0, entry-id: 131634, lc_entries: 0

tcp X.X.X.X:8888

create 00:00:19, use 00:00:10 timeout:300000, left 00:00:49,


extended, limited, nvi-entry, use_count: 0, entry-id: 131669, lc_entries: 0

tcp X.X.X.X:8888

create 00:00:16, use 00:00:06 timeout:300000, left 00:00:53,


extended, limited, nvi-entry, use_count: 0, entry-id: 131671, lc_entries: 0

tcp X.X.X.X:8888 --- ---

create 23:33:09, use 00:00:16 timeout:0, timing-out,


The router didn't route my request but actually is trying to do NAT because of 'ip nat enable' rule on both interfaces (Virtual-X and Fa0/0.301) And nothing happen! The page timed out!

border#show ip nat nvi statistics

NAT Enabled interfaces:

FastEthernet0/0.301, FastEthernet0/1.302, Virtual-Template1


So my question is, how to handle with this? In PIX/ASA there is a nonat rule (zero rule) which can perfectly be used here but unfortunately this is not a firewall. So I hope that you've got my issue and I really hope that someone can give me a clue!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
danail-petrov Mon, 11/17/2008 - 23:40

Any piece of advice? Anyone? C'mon guys there should be something to be done ...


Danail Petrov

danail-petrov Tue, 11/18/2008 - 23:40


I'm wondering, did you understood my issue in question? Maybe the reason for this "silence" is because of wrong description/explanation? If so - please, let me know!


This Discussion