- Preface
- Product Overview
- Basic Router Configuration
- Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces
- Configuring Power Management
- Configuring Security Features
- Configuring Secure Storage
- Configuring Backup Data Lines and Remote Management
- Configuring Ethernet Switches
- Configuring Voice Functionality
- Configuring the Serial Interface
- Configuring Wireless Devices
- Configuring PPP over Ethernet with NAT
- Configuring PPP over ATM with NAT
- Environmental and Power Management
- Configuring a LAN with DHCP and VLANs
- Configuring a VPN Using Easy VPN and an IPSec Tunnel
- Configuring Cisco Multimode G.SHDSL EFM/ATM
- Configuring VDSL2 Bonding and Single-Wire Pair
- Configuring Cisco IOx
- Deployment Scenarios
- Troubleshooting Cisco 800 Series Routers
- Cisco IOS Software Basic Skills
- Concepts
- ROM Monitor
- Index
Cisco 800 Series Integrated Services Routers Software Configuration Guide
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
- Updated:
- May 3, 2018
Chapter: Configuring PPP over Ethernet with NAT
Configuring PPP over Ethernet with NAT
This chapter provides an overview of Point-to-Point Protocol over Ethernet (PPPoE) clients and network address translation (NAT) that can be configured on the Cisco 819, Cisco 860, Cisco 880, and Cisco 890 series Integrated Services Routers (ISRs).
Overview
Multiple PCs can be connected to the LAN behind the router. Before the traffic from these PCs is sent to the PPPoE session, it can be encrypted, filtered, and so forth. Figure 15 shows a typical deployment scenario with a PPPoE client and NAT configured on the Cisco router.
|
1 |
Multiple networked devices—Desktops, laptop PCs, switches |
|
2 |
Fast Ethernet LAN interface (inside interface for NAT) |
|
3 |
PPPoE client—Cisco 860, Cisco 880, or Cisco 890 ISRs |
|
4 |
Point at which NAT occurs |
|
5 |
Fast Ethernet WAN interface (outside interface for NAT) |
|
6 |
Cable modem or other server that is connected to the Internet |
|
7 |
PPPoE session between the client and a PPPoE server |
PPPoE
The PPPoE client feature on the router provides PPPoE client support on Ethernet interfaces. A dialer interface must be used for cloning virtual access. Multiple PPPoE client sessions can be configured on an Ethernet interface, but each session must use a separate dialer interface and a separate dialer pool.
A PPPoE session is initiated on the client side by the Cisco 819, Cisco 860, or Cisco 880 ISRs. An established PPPoE client session can be terminated in one of two ways:
- By entering the clear vpdn tunnel pppoe command. The PPPoE client session is terminated, and the PPPoE client immediately tries to reestablish the session. This also occurs if the session has a timeout.
- By entering the no pppoe-client dial-pool number command to clear the session. The PPPoE client does not attempt to reestablish the session.
NAT
NAT (represented as the dashed line at the edge of the Cisco router) signifies two addressing domains and the inside source address. The source list defines how the packet travels through the network.
Configuration Tasks
Perform the following tasks to configure this network scenario:
An example showing the results of these configuration tasks is shown in the Configuration Example.
- Configure the Virtual Private Dialup Network Group Number
- Configure Ethernet WAN Interfaces
- Configure the Dialer Interface
- Configure Network Address Translation
Configure the Virtual Private Dialup Network Group Number
Configuring a virtual private dialup network (VPDN) enables multiple clients to communicate through the router by way of a single IP address.
To configure a VPDN, perform the following steps, starting in global configuration mode:
1.
vpdn
enable
2. vpdn-group name
3.
request-dialin
4. protocol {l2tp | pppoe}
5.
exit
6.
exit
DETAILED STEPS
Configure Ethernet WAN Interfaces
In this scenario, the PPPoE client (your Cisco router) communicates over a 10/100 Mbps-Ethernet interface on both the inside and the outside.
To configure the Fast Ethernet WAN interfaces, perform these steps, starting in global configuration mode:
1. interface type number
2.
pppoe-client
dial-pool-number
number
3.
no
shutdown
4.
exit
DETAILED STEPS
Ethernet Operations, Administration, and Maintenance
Ethernet Operations, Administration, and Maintenance (OAM) is a protocol for installing, monitoring, and troubleshooting Ethernet metropolitan-area networks (MANs) and Ethernet WANs. It relies on a new, optional sublayer in the data link layer of the Open Systems Interconnection (OSI) model. The OAM features covered by this protocol are Discovery, Link Monitoring, Remote Fault Detection, Remote Loopback, and Cisco Proprietary Extensions.
For setup and configuration information about Ethernet OAM, see Using Ethernet Operations, Administration, and Maintenance at: Carrier Ethernet Configuration Guide.
Configure the Dialer Interface
The dialer interface indicates how to handle traffic from the clients, including, for example, default routing information, the encapsulation protocol, and the dialer pool to use. The dialer interface is also used for cloning virtual access. Multiple PPPoE client sessions can be configured on a Fast Ethernet interface, but each session must use a separate dialer interface and a separate dialer pool.
To configure a dialer interface for one of the Fast Ethernet LAN interfaces on the router, complete the following steps, starting in global configuration mode:
1.
interface
dialer
dialer-rotary-group-number
2.
ip
address
negotiated
3.
ip
mtu
bytes
4.
encapsulation
encapsulation-type
5.
ppp
authentication {protocol1 [protocol2...]}
6.
dialer
pool
number
7.
dialer-group
group-number
8.
exit
9.
dialer-listdialer-group
protocolprotocol-name
{permit |
deny |
list
access-list-number |
access-group}
10. ip routeprefix mask {interface-type interface-number}
DETAILED STEPS
Configure Network Address Translation
Network Address Translation (NAT) translates packets from addresses that match a standard access list, using global addresses allocated by the dialer interface. Packets that enter the router through the inside interface, packets sourced from the router, or both are checked against the access list for possible address translation. You can configure NAT for either static or dynamic address translations.
To configure the outside Fast Ethernet WAN interface with dynamic NAT, perform these steps, beginning in global configuration mode:
1.
ip
nat
pool
name
start-ip
end-ip {netmask
netmask |
prefix-length
prefix-length}
2.
Do one of the
following:
3. interface type number
4. ip nat {inside | outside}
5.
no
shutdown
6.
exit
7. interface type number
8. ip nat {inside | outside}
9.
no
shutdown
10.
exit
11.
access-list
access-list-number {deny |
permit}
source
[source-wildcard]
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 | ip
nat
pool
name
start-ip
end-ip {netmask
netmask |
prefix-length
prefix-length}
Example: Router(config)# ip nat pool pool1 192.168.1.0 192.168.2.0 netmask 255.255.252.0 |
Creates pool of global IP addresses for NAT. | ||
| Step 2 | Do one of the following: |
Enables dynamic translation of addresses on the inside interface. The first example shows the addresses permitted by the access list 1 to be translated to one of the addresses specified in the dialer interface 0 . The second example shows the addresses permitted by access list acl1 to be translated to one of the addresses specified in the NAT pool pool1 . | ||
| Step 3 | interface type
number
Example: Router(config)# interface vlan 1 |
Enters configuration mode for the VLAN (on which the Fast Ethernet LAN interfaces [FE0–FE3] reside) to be the inside interface for NAT. | ||
| Step 4 | ip
nat {inside |
outside}
Example: Router(config-if)# ip nat inside |
Identifies the specified VLAN interface as the NAT inside interface. | ||
| Step 5 | no
shutdown
Example: Router(config-if)# no shutdown |
Enables the configuration changes just made to the Ethernet interface. | ||
| Step 6 | exit
Example: Router(config-if)# exit |
Exits configuration mode for the Fast Ethernet interface and returns to global configuration mode. | ||
| Step 7 | interface type
number
Example: Router(config)# interface fastethernet 4 |
Enters configuration mode for the Fast Ethernet WAN interface (FE4) to be the outside interface for NAT. | ||
| Step 8 | ip
nat {inside |
outside}
Example: Router(config-if)# ip nat outside |
Identifies the specified WAN interface as the NAT outside interface. | ||
| Step 9 | no
shutdown
Example: Router(config-if)# no shutdown |
Enables the configuration changes just made to the Ethernet interface. | ||
| Step 10 | exit
Example: Router(config-if)# exit |
Exits configuration mode for the Fast Ethernet interface and returns to global configuration mode. | ||
| Step 11 | access-list
access-list-number {deny |
permit}
source
[source-wildcard]
Example: Router(config)# access-list 1 permit 192.168.1.0 255.255.255.0 |
Defines a standard access list indicating which addresses need translation.
|
 Note | To use NAT with a virtual-template interface, you must configure a loopback interface. See Chapter 3, “Basic Router Configuration,” for information on configuring a loopback interface. |
For complete information on the NAT commands, see the Cisco NX-OS Release 4.1 documentation set. For more general information on NAT concepts, see Appendix A, “Cisco IOS Software Basic Skills”.
Configuration Example
The following configuration example shows a portion of the configuration file for the PPPoE scenario described in this chapter.
The VLAN interface has an IP address of 192.168.1.1 with a subnet mask of 255.255.255.0. NAT is configured for inside and outside
Note | Commands marked by “(default)” are generated automatically when you run the show running-config command. |
vpdn enable vpdn-group 1 request-dialin protocol pppoe ! interface vlan 1 ip address 192.168.1.1 255.255.255.0 no ip directed-broadcast (default) ip nat inside interface FastEthernet 4 no ip address no ip directed-broadcast (default) ip nat outside pppoe enable group global pppoe-client dial-pool-number 1 no sh ! interface dialer 0 ip address negotiated ip mtu 1492 encapsulation ppp ppp authentication chap dialer pool 1 dialer-group 1 ! dialer-list 1 protocol ip permit ip nat inside source list 1 interface dialer 0 overload ip classless (default) ip route 10.10.25.2 255.255.255.255 dialer 0 ip nat pool pool1 192.168.1.0 192.168.2.0 netmask 255.255.252.0 ip nat inside source list acl1 pool pool1 !
Verifying Your Configuration
Use the show ip nat statistics command in privileged EXEC mode to verify the PPPoE with NAT configuration. You should see verification output similar to the following example:
Router# show ip nat statistics Total active translations: 0 (0 static, 0 dynamic; 0 extended) Outside interfaces: FastEthernet4 Inside interfaces: Vlan1 Hits: 0 Misses: 0 CEF Translated packets: 0, CEF Punted packets: 0 Expired translations: 0 Dynamic mappings: -- Inside Source [Id: 1] access-list 1 interface Dialer0 refcount 0 Queued Packets: 0
Feedback