PPTP VPN service is unavailable after NAT is configured on an AR


No matter whether the PPTP server is on the public or private network, a NAT-enabled AR cannot translate the Data field that contains IP addresses or port numbers. To resolve this problem, enable the NAT ALG function.
For example, enable the NAT ALG function for PPTP as follows:
<Huawei> system-view  
[Huawei] nat alg pptp enable
The PPTP NAT ALG applies in either of the following scenarios: the PPTP client is on the private network, or the PPTP server is on the private network.
When the PPTP client is on the private network and the PPTP server is on the public network, the Client-Call-ID field is translated.
When the PPTP server is on the private network and the PPTP client is on the public network, the Server-Call-ID field is translated.

Other related questions:
IPSec is unavailable when both IPSec and NAT are configured on an interface of the AR
If NAT is configured on the interface to which an IPSec policy is applied, IPSec does not take effect because the device executes the NAT configuration first. Use either of the following methods:
- Ensure that the destination IP address denied in the ACL rule referenced by NAT is the destination IP address in the ACL rule referenced by IPSec. By doing so, the device does not perform NAT on the data flow protected by IPSec.
- Ensure that the ACL rule referenced by IPSec matches the NAT-translated IP address.
Note: After the deny rule is defined, you are advised to run the reset session all or reset nat session all command to reestablish the flow table, ensuring that there are no incorrect NAT entries. If services are transmitted unidirectionally, check whether the NAT policy is applied to the device. If so, perform operations according to the preceding method.

FTP server cannot be accessed after NAT is configured on an AR
No matter whether intranet users access the FTP server on the public network or the IP address of the FTP server on the private network is mapped to a public IP address by a NAT server, the NAT ALG function for FTP needs to be enabled.
For example, enable the NAT ALG function for FTP as follows:
<Huawei> system-view  
[Huawei] nat alg ftp enable
Reason:
NAT and NAPT can translate only IP addresses in the IP packet header and the port numbers in the TCP/UDP header. For some special protocols such as FTP, IP addresses or port numbers may be contained in the Data field of the protocol packets. Therefore, NAT cannot translate the IP addresses or port numbers. A good way to solve the NAT issue for these special protocols is to use the application level gateway (ALG) function.
As a special translation agent for application protocols, the ALG interacts with the NAT-enabled device to establish states. It uses NAT state information to change the specific data in the Data field of IP datagram and complete other necessary work, so that application protocols can run across private and public networks.
For example, when an FTP server with a private IP address sets up a session with a host on the public network, the server may need to send its IP address to the host. NAT cannot translate this IP address because the IP address is carried in the Data field. The host on the external network then uses the private address carried in the IP packet and finds that the FTP server is unreachable.
After the NAT ALG function is enabled for an application protocol, packets of the application protocol can traverse the NAT device. Otherwise, the application protocol cannot work normally.
If the FTP server on the intranet listens on a non-standard port (port mapping is configured), enabling NAT ALG for FTP alone is not enough: the FTP service works only after the mapping between that port and FTP is also configured.
After NAT ALG is enabled for FTP, FTP packets can traverse the NAT device. However, because the server uses port 27 instead of the well-known FTP port, the device does not recognize packets sent from port 27 as FTP packets and therefore does not pass them to the ALG, so the FTP service is still affected.
To solve this problem, configure the mapping between port and FTP:
[Huawei] acl 2005
[Huawei-acl-basic-2005] rule permit
[Huawei-acl-basic-2005] quit
[Huawei] port-mapping ftp port 27 acl 2005
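The following is an added illustration, not Huawei AR code, of the two mechanisms described above: a NAT that always translates the IP/TCP header but rewrites the private address carried in the FTP Data field (the PORT command in active mode, or the 227 reply in passive mode) only when the flow is classified as FTP and the FTP ALG is enabled. The classify() step models the port-mapping rule: port 21 is recognized as FTP automatically, while a non-standard port such as 27 is handed to the ALG only if a port-mapping entry exists. All addresses, ports and payloads are constructed sample values, and the class and method names are assumptions for the illustration.

```python
"""Toy NAPT with an FTP ALG and port-mapping classification.

Added illustration, not Huawei AR code. Sample addresses and payloads are
constructed for the example.
"""
import re

# Matches the h1,h2,h3,h4,p1,p2 form used both by the PORT command
# (client on the private network, active mode) and by the 227 reply
# (server on the private network, passive mode).
FTP_ADDR_RE = re.compile(
    rb"^(?P<prefix>PORT |227 Entering Passive Mode \()"
    rb"(?P<h1>\d+),(?P<h2>\d+),(?P<h3>\d+),(?P<h4>\d+),(?P<p1>\d+),(?P<p2>\d+)"
    rb"(?P<suffix>\)?)\r\n$"
)


class ToyNat:
    """Minimal NAPT: one public IP, dynamic port bindings, optional ALGs."""

    def __init__(self, public_ip, alg_enabled=(), port_mapping=None):
        self.public_ip = public_ip
        self.alg_enabled = set(alg_enabled)           # e.g. {"ftp"}, like 'nat alg ftp enable'
        self.port_mapping = dict(port_mapping or {})  # tcp port -> protocol, like 'port-mapping ftp port 27'
        self.bindings = {}                            # (private_ip, private_port) -> public_port
        self._next_port = 40000

    def bind(self, priv_ip, priv_port):
        """Return the public port bound to a private socket, allocating one if new."""
        key = (priv_ip, priv_port)
        if key not in self.bindings:
            self.bindings[key] = self._next_port
            self._next_port += 1
        return self.bindings[key]

    def classify(self, service_port):
        """Decide which ALG (if any) handles a control connection on this port.
        The well-known port 21 is FTP; any other port needs a port-mapping entry."""
        if service_port == 21:
            return "ftp"
        return self.port_mapping.get(service_port)

    def translate(self, priv_ip, priv_port, service_port, payload):
        """Translate one outbound segment from the private side.
        Returns (public_ip, public_port, payload). The header is always
        translated; the payload only when the matching ALG is active."""
        pub_port = self.bind(priv_ip, priv_port)
        if self.classify(service_port) == "ftp" and "ftp" in self.alg_enabled:
            payload = self._ftp_alg(payload)
        return self.public_ip, pub_port, payload

    def _ftp_alg(self, payload):
        """Rewrite the private address in the FTP Data field and pre-create the
        binding for the data connection it announces, so the peer's data
        connection to the public address is mapped back to the private host."""
        m = FTP_ADDR_RE.match(payload)
        if m is None:
            return payload  # not an address-carrying FTP line: leave untouched
        g = m.groupdict()
        inside_ip = ".".join(g[k].decode() for k in ("h1", "h2", "h3", "h4"))
        inside_port = int(g["p1"]) * 256 + int(g["p2"])
        data_pub_port = self.bind(inside_ip, inside_port)
        octets = self.public_ip.split(".") + [str(data_pub_port // 256), str(data_pub_port % 256)]
        return g["prefix"] + ",".join(octets).encode() + g["suffix"] + b"\r\n"


if __name__ == "__main__":
    nat = ToyNat("203.0.113.5", alg_enabled={"ftp"}, port_mapping={27: "ftp"})
    print(nat.translate("192.168.1.10", 51000, 27, b"PORT 192,168,1,10,200,1\r\n"))
```

Run the same PORT segment through three instances to see the page's failure modes: with no ALG the payload still carries 192.168.1.10 and the remote FTP server tries to connect to a private address; with the ALG but the server on port 27 and no port-mapping entry, classify() returns None and the payload is again untouched; only with both does the announced address become the public IP and a fresh binding. A real ALG must also adjust TCP sequence and acknowledgement numbers when the rewritten line changes length, which this toy omits.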

How do I configure NAT ALG
On a Huawei AR router, you can run the nat alg { all | protocol-name } enable command to enable NAT ALG for an application protocol. After NAT ALG for an application protocol is enabled, packets of the application protocol can traverse the NAT device. Note: In the command, all indicates that NAT ALG is enabled for DNS, FTP, SIP, PPTP, and RTSP. protocol-name indicates that NAT ALG is enabled for a specified protocol. The value can be dns, ftp, sip, pptp, or rtsp. The AR510 does not support NAT ALG for SIP.

Dialing up extranet PPTP VPN on the USG6000
The device does not support PPTP VPN.

Dialing up extranet PPTP VPN on the USG2000
The device does not support PPTP VPN.
