Cisco 819 Integrated Services Routers Software Configuration Guide
Configuring PPP over Ethernet with NAT

This chapter provides an overview of Point-to-Point Protocol over Ethernet (PPPoE) clients and Network Address Translation (NAT) that can be configured on the Cisco 819 Integrated Services Routers (ISRs).

Multiple PCs can be connected to the LAN behind the router. Before the traffic from these PCs is sent to the PPPoE session, it can be encrypted, filtered, and so forth. Figure 11-1 shows a typical deployment scenario with a PPPoE client and NAT configured on the Cisco router.

Figure 11-1 PPP over Ethernet with NAT

1  Multiple networked devices—Desktops, laptop PCs, switches
2  Fast Ethernet LAN interface (inside interface for NAT)
3  PPPoE client—Cisco 819 ISRs
4  Point at which NAT occurs
5  Fast Ethernet WAN interface (outside interface for NAT)
6  Cable modem or other server that is connected to the Internet
7  PPPoE session between the client and a PPPoE server


PPPoE

The PPPoE Client feature on the router provides PPPoE client support on Ethernet interfaces. A dialer interface must be used for cloning virtual access. Multiple PPPoE client sessions can be configured on an Ethernet interface, but each session must use a separate dialer interface and a separate dialer pool.

A PPPoE session is initiated on the client side by the Cisco 819 ISRs. An established PPPoE client session can be terminated in one of two ways:

- By entering the clear vpdn tunnel pppoe command. The PPPoE client session terminates, and the PPPoE client immediately tries to re-establish the session. This also occurs if the session has a timeout.

- By entering the no pppoe-client dial-pool-number number command to clear the session. The PPPoE client does not attempt to re-establish the session.

NAT

NAT (represented as the dashed line at the edge of the Cisco router) signifies two addressing domains and the inside source address. The source list defines how the packet travels through the network.

Configuration Tasks

Perform the following tasks to configure this network scenario:

Configure the Virtual Private Dialup Network Group Number

Configure the Fast Ethernet WAN Interfaces

Configure the Dialer Interface

Configure Network Address Translation

An example showing the results of these configuration tasks is shown in the "Configuration Example" section.

Configure the Virtual Private Dialup Network Group Number

Configuring a virtual private dialup network (VPDN) enables multiple clients to communicate through the router by way of a single IP address.

Complete the following steps to configure a VPDN, starting from the global configuration mode.

SUMMARY STEPS

1. vpdn enable

2. vpdn-group name

3. request-dialin

4. protocol {l2tp | pppoe}

5. exit

6. exit

DETAILED STEPS

Step 1
  Command or Action: vpdn enable
  Example:
    Router(config)# vpdn enable
    Router(config)#
  Purpose: Enables VPDN on the router.

Step 2
  Command or Action: vpdn-group name
  Example:
    Router(config)# vpdn-group 1
    Router(config-vpdn)#
  Purpose: Creates and associates a VPDN group with a customer or VPDN profile.

Step 3
  Command or Action: request-dialin
  Example:
    Router(config-vpdn)# request-dialin
    Router(config-vpdn-req-in)#
  Purpose: Creates a request-dialin VPDN subgroup, indicating the dialing direction, and initiates the tunnel.

Step 4
  Command or Action: protocol {l2tp | pppoe}
  Example:
    Router(config-vpdn-req-in)# protocol pppoe
    Router(config-vpdn-req-in)#
  Purpose: Specifies the type of sessions the VPDN subgroup can establish.

Step 5
  Command or Action: exit
  Example:
    Router(config-vpdn-req-in)# exit
    Router(config-vpdn)#
  Purpose: Exits request-dialin VPDN group configuration.

Step 6
  Command or Action: exit
  Example:
    Router(config-vpdn)# exit
    Router(config)#
  Purpose: Exits VPDN configuration, returning to global configuration mode.

Configure the Fast Ethernet WAN Interfaces

In this scenario, the PPPoE client (your Cisco router) communicates over a 10/100 Mbps-Ethernet interface on both the inside and the outside.

Perform these steps to configure the Fast Ethernet WAN interfaces, starting in global configuration mode:

SUMMARY STEPS

1. interface type number

2. pppoe-client dial-pool-number number

3. no shutdown

4. exit

 
Step 1
  Command: interface type number
  Example:
    Router(config)# interface fastethernet 4
    Router(config-if)#
  Purpose: Enters interface configuration mode for a Fast Ethernet WAN interface.

Step 2
  Command: pppoe-client dial-pool-number number
  Example:
    Router(config-if)# pppoe-client dial-pool-number 1
    Router(config-if)#
  Purpose: Configures the PPPoE client and specifies the dialer interface to use for cloning.

Step 3
  Command: no shutdown
  Example:
    Router(config-if)# no shutdown
    Router(config-if)#
  Purpose: Enables the Fast Ethernet interface and the configuration changes just made to it.

Step 4
  Command: exit
  Example:
    Router(config-if)# exit
    Router(config)#
  Purpose: Exits configuration mode for the Fast Ethernet interface and returns to global configuration mode.

Configure the Dialer Interface

The dialer interface indicates how to handle traffic from the clients, including, for example, default routing information, the encapsulation protocol, and the dialer pool to use. The dialer interface is also used for cloning virtual access. Multiple PPPoE client sessions can be configured on a Fast Ethernet interface, but each session must use a separate dialer interface and a separate dialer pool.

Complete the following steps to configure a dialer interface for one of the Fast Ethernet LAN interfaces on the router, starting in global configuration mode.

SUMMARY STEPS

1. interface dialer dialer-rotary-group-number

2. ip address negotiated

3. ip mtu bytes

4. encapsulation encapsulation-type

5. ppp authentication {protocol1 [protocol2...]}

6. dialer pool number

7. dialer-group group-number

8. exit

9. dialer-list dialer-group protocol protocol-name {permit | deny | list access-list-number | access-group}

10. ip route prefix mask {interface-type interface-number}

DETAILED STEPS

Step 1
  Command: interface dialer dialer-rotary-group-number
  Example:
    Router(config)# interface dialer 0
    Router(config-if)#
  Purpose: Creates a dialer interface (numbered 0 to 255) and enters interface configuration mode.

Step 2
  Command: ip address negotiated
  Example:
    Router(config-if)# ip address negotiated
    Router(config-if)#
  Purpose: Specifies that the IP address for the interface is obtained through PPP/IPCP (IP Control Protocol) address negotiation.

Step 3
  Command: ip mtu bytes
  Example:
    Router(config-if)# ip mtu 1492
    Router(config-if)#
  Purpose: Sets the size of the IP maximum transmission unit (MTU). The default minimum is 128 bytes. The maximum for Ethernet is 1492 bytes.

Step 4
  Command: encapsulation encapsulation-type
  Example:
    Router(config-if)# encapsulation ppp
    Router(config-if)#
  Purpose: Sets the encapsulation type to PPP for the data packets being transmitted and received.

Step 5
  Command: ppp authentication {protocol1 [protocol2...]}
  Example:
    Router(config-if)# ppp authentication chap
    Router(config-if)#
  Purpose: Sets the PPP authentication method to Challenge Handshake Authentication Protocol (CHAP).
  For details about this command and additional parameters that can be set, see Cisco IOS Security Command Reference.

Step 6
  Command: dialer pool number
  Example:
    Router(config-if)# dialer pool 1
    Router(config-if)#
  Purpose: Specifies the dialer pool to use to connect to a specific destination subnetwork.

Step 7
  Command: dialer-group group-number
  Example:
    Router(config-if)# dialer-group 1
    Router(config-if)#
  Purpose: Assigns the dialer interface to a dialer group (1 to 10).
  Tip: Using a dialer group controls access to your router.

Step 8
  Command: exit
  Example:
    Router(config-if)# exit
    Router(config)#
  Purpose: Exits the dialer 0 interface configuration.

Step 9
  Command: dialer-list dialer-group protocol protocol-name {permit | deny | list access-list-number | access-group}
  Example:
    Router(config)# dialer-list 1 protocol ip permit
    Router(config)#
  Purpose: Creates a dialer list and associates a dial group with it. Packets are then forwarded through the specified interface dialer group.
  For details about this command and additional parameters that can be set, see Cisco IOS Dial Technologies Command Reference.

Step 10
  Command: ip route prefix mask {interface-type interface-number}
  Example:
    Router(config)# ip route 10.10.25.2 255.255.255.255 dialer 0
    Router(config)#
  Purpose: Sets the IP route for the default gateway for the dialer 0 interface.
  For details about this command and additional parameters that can be set, see Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2 and Cisco IOS IP Command Reference, Volume 2 of 4: Routing Protocols, Release 12.3.

Configure Network Address Translation

Network Address Translation (NAT) translates packets from addresses that match a standard access list, using global addresses allocated by the dialer interface. Packets that enter the router through the inside interface, packets sourced from the router, or both are checked against the access list for possible address translation. You can configure NAT for either static or dynamic address translations.

Perform these steps to configure the outside Fast Ethernet WAN interface with dynamic NAT, beginning in global configuration mode:

SUMMARY STEPS

1. ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

2. ip nat inside source {list access-list-number} {interface type number | pool name} [overload]

3. interface type number

4. ip nat {inside | outside}

5. no shutdown

6. exit

7. interface type number

8. ip nat {inside | outside}

9. no shutdown

10. exit

11. access-list access-list-number {deny | permit} source [source-wildcard]

 
DETAILED STEPS

Step 1
  Command: ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
  Example:
    Router(config)# ip nat pool pool1 192.168.1.0 192.168.2.0 netmask 255.255.252.0
    Router(config)#
  Purpose: Creates a pool of global IP addresses for NAT.

Step 2
  Command: ip nat inside source {list access-list-number} {interface type number | pool name} [overload]
  Example:
    Router(config)# ip nat inside source list 1 interface dialer 0 overload
  or
  Example:
    Router(config)# ip nat inside source list acl1 pool pool1
  Purpose: Enables dynamic translation of addresses on the inside interface.
  The first example shows the addresses permitted by the access list 1 to be translated to one of the addresses specified in the dialer interface 0.
  The second example shows the addresses permitted by access list acl1 to be translated to one of the addresses specified in the NAT pool pool1.
  For details about this command and additional parameters that can be set, as well as information about enabling static translation, see Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services.

Step 3
  Command: interface type number
  Example:
    Router(config)# interface vlan 1
    Router(config-if)#
  Purpose: Enters configuration mode for the VLAN (on which the Fast Ethernet LAN interfaces [FE0-FE3] reside) to be the inside interface for NAT.

Step 4
  Command: ip nat {inside | outside}
  Example:
    Router(config-if)# ip nat inside
    Router(config-if)#
  Purpose: Identifies the specified VLAN interface as the NAT inside interface.
  For details about this command and additional parameters that can be set, as well as information about enabling static translation, see Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services.

Step 5
  Command: no shutdown
  Example:
    Router(config-if)# no shutdown
    Router(config-if)#
  Purpose: Enables the configuration changes just made to the Ethernet interface.

Step 6
  Command: exit
  Example:
    Router(config-if)# exit
    Router(config)#
  Purpose: Exits configuration mode for the Fast Ethernet interface.

Step 7
  Command: interface type number
  Example:
    Router(config)# interface fastethernet 4
    Router(config-if)#
  Purpose: Enters configuration mode for the Fast Ethernet WAN interface (FE4) to be the outside interface for NAT.

Step 8
  Command: ip nat {inside | outside}
  Example:
    Router(config-if)# ip nat outside
    Router(config-if)#
  Purpose: Identifies the specified WAN interface as the NAT outside interface.
  For details about this command and additional parameters that can be set, as well as information about enabling static translation, see Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services.

Step 9
  Command: no shutdown
  Example:
    Router(config-if)# no shutdown
    Router(config-if)#
  Purpose: Enables the configuration changes just made to the Ethernet interface.

Step 10
  Command: exit
  Example:
    Router(config-if)# exit
    Router(config)#
  Purpose: Exits configuration mode for the Fast Ethernet interface.

Step 11
  Command: access-list access-list-number {deny | permit} source [source-wildcard]
  Example:
    Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
  Purpose: Defines a standard access list indicating which addresses need translation.
  Note: All other addresses are implicitly denied.


Note: If you want to use NAT with a virtual-template interface, you must configure a loopback interface. See the "Basic Router Configuration" section for information on configuring a loopback interface.


For complete information on the NAT commands, see the Cisco IOS Release 12.3 documentation set. For more general information on NAT concepts, see the "Cisco IOS Software Basic Skills" section.
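
The access list in Step 11 decides which inside sources NAT translates, and its source-wildcard is an inverse mask: 0 bits must match, 1 bits are ignored. The following sketch is an added example, not Cisco code; the entries, host list and function names are constructed for illustration. It evaluates a standard access list with its implicit deny and shows how a subnet mask typed in the wildcard position changes the set of translated hosts.

```python
import ipaddress

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def entry_matches(addr, source, wildcard="0.0.0.0"):
    """Wildcard bits set to 1 are ignored; bits set to 0 must equal the source."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(source) & care)

def evaluate(acl, addr):
    """First matching entry wins; falling off the end is the implicit deny."""
    for action, source, wildcard in acl:
        if entry_matches(addr, source, wildcard):
            return action
    return "deny"

def is_inverse_mask(wildcard):
    """True for a contiguous run of low-order 1 bits such as 0.0.0.255."""
    w = to_int(wildcard)
    return (w & (w + 1)) == 0

def translated_hosts(acl, hosts):
    """Hosts the NAT rule would translate, i.e. those the ACL permits."""
    return [h for h in hosts if evaluate(acl, h) == "permit"]

# Constructed data: two ways of writing the entry for the 192.168.1.0/24 inside subnet.
ACL_WILDCARD = [("permit", "192.168.1.0", "0.0.0.255")]
ACL_SUBNET_MASK = [("permit", "192.168.1.0", "255.255.255.0")]
HOSTS = ["192.168.1.10", "192.168.1.200", "192.168.2.10", "10.0.0.0"]

if __name__ == "__main__":
    for name, acl in (("wildcard", ACL_WILDCARD), ("subnet mask", ACL_SUBNET_MASK)):
        ok = is_inverse_mask(acl[0][2])
        print(f"{name}: inverse mask={ok}, translated={translated_hosts(acl, HOSTS)}")
```

With the subnet mask in the wildcard position, none of the VLAN 1 hosts is permitted, so none of them would be translated.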

Configuration Example

The following configuration example shows a portion of the configuration file for the PPPoE scenario described in this chapter.

The VLAN interface has an IP address of 192.168.1.1 with a subnet mask of 255.255.255.0. NAT is configured for inside and outside.


Note: Commands marked by "(default)" are generated automatically when you run the show running-config command.


vpdn enable
vpdn-group 1
 request-dialin
  protocol pppoe
!
interface vlan 1
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast (default)
 ip nat inside
interface FastEthernet 4
 no ip address
 no ip directed-broadcast (default)
 ip nat outside
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no sh
!
interface dialer 0
 ip address negotiated
 ip mtu 1492
 encapsulation ppp
 ppp authentication chap
 dialer pool 1
 dialer-group 1
!
dialer-list 1 protocol ip permit
ip nat inside source list 1 interface dialer 0 overload
ip classless (default)
ip route 10.10.25.2 255.255.255.255 dialer 0
ip nat pool pool1 192.168.1.0 192.168.2.0 netmask 255.255.252.0
ip nat inside source list acl1 pool pool1
!
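
The tasks in this chapter are tied together by references: the PPPoE client names a dialer pool, NAT needs one inside and one outside interface, and each NAT rule names an access list. The following audit script is an added example, not part of the Cisco guide. It assumes a config saved as text in which "!" ends an interface block, and its input is the configuration example above trimmed to the lines the checks read.

```python
import re

# Constructed input: the chapter's configuration example, trimmed to the lines checked.
CONFIG = """\
interface vlan 1
ip nat inside
interface FastEthernet 4
ip nat outside
pppoe-client dial-pool-number 1
!
interface dialer 0
dialer pool 1
!
ip nat inside source list 1 interface dialer 0 overload
ip nat pool pool1 192.168.1.0 192.168.2.0 netmask 255.255.252.0
ip nat inside source list acl1 pool pool1
"""

def parse(config):
    """Return ({interface: [sub-commands]}, [global commands]); '!' ends a block."""
    interfaces, global_cmds, current = {}, [], None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.lower().startswith("interface "):
            current = line.split(None, 1)[1].replace(" ", "").lower()
            interfaces[current] = []
        elif line in ("", "!"):
            current = None
        elif current:
            interfaces[current].append(line)
        else:
            global_cmds.append(line)
    return interfaces, global_cmds

def audit(config):
    """Cross-check dialer pools, NAT interface roles and NAT access-list references."""
    interfaces, global_cmds = parse(config)
    text = "\n".join(global_cmds)
    cmds = [c for sub in interfaces.values() for c in sub]
    findings = []
    for pool in re.findall(r"^pppoe-client dial-pool-number (\d+)$", "\n".join(cmds), re.M):
        if not any(n.startswith("dialer") and f"dialer pool {pool}" in sub
                   for n, sub in interfaces.items()):
            findings.append(f"no dialer interface uses dialer pool {pool}")
    for role in ("inside", "outside"):
        if f"ip nat {role}" not in cmds:
            findings.append(f"no interface is marked ip nat {role}")
    for acl in re.findall(r"^ip nat inside source list (\S+)", text, re.M):
        if not re.search(rf"^(ip )?access-list (standard |extended )?{re.escape(acl)}\b", text, re.M):
            findings.append(f"NAT references access list {acl}, which is not defined here")
    return findings
```

Run against the example, `audit(CONFIG)` reports access lists 1 and acl1 as undefined, because the example is only a portion of a configuration file; a complete running configuration should return an empty list.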

Verifying Your Configuration

Use the show ip nat statistics command in privileged EXEC mode to verify the PPPoE with NAT configuration. You should see verification output similar to the following example:

Router# show ip nat statistics 
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
  FastEthernet4
Inside interfaces:
  Vlan1
Hits: 0  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface Dialer0 refcount 0
Queued Packets: 0
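
To make this verification repeatable, the output can be parsed and compared with the intended design. The following parser is an added example, not part of the Cisco guide. Its function names are illustrative, its input is the sample output above, and it assumes interface names appear on indented lines, one per line or comma-separated.

```python
import re

# Constructed input: the sample output shown above.
SAMPLE = """\
Router# show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
  FastEthernet4
Inside interfaces:
  Vlan1
Hits: 0  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface Dialer0 refcount 0
Queued Packets: 0
"""

def parse_nat_statistics(output):
    """Extract NAT interface roles, dynamic mappings and the active translation count."""
    stats = {"outside": [], "inside": [], "mappings": []}
    section = None
    for line in output.splitlines():
        head = re.match(r"(Outside|Inside) interfaces:", line)
        if head:
            section = head.group(1).lower()
        elif section and line.startswith(" "):
            stats[section] += [n.strip() for n in line.split(",") if n.strip()]
        else:
            section = None
            m = re.match(r"\[Id: \d+\] access-list (\S+) (interface|pool) (\S+)", line)
            if m:
                stats["mappings"].append(m.groups())
            m = re.match(r"Total active translations: (\d+)", line)
            if m:
                stats["active"] = int(m.group(1))
    return stats

def verify(stats, inside, outside, acl, target):
    """Compare parsed output with the intended design; return the discrepancies."""
    problems = []
    if inside not in stats["inside"]:
        problems.append(f"{inside} is not a NAT inside interface")
    if outside not in stats["outside"]:
        problems.append(f"{outside} is not a NAT outside interface")
    if not any(m[0] == acl and m[2] == target for m in stats["mappings"]):
        problems.append(f"no dynamic mapping from access-list {acl} to {target}")
    return problems
```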