Tunnel Configuration Through NAT Examples

PPTP uses enhanced GRE encapsulation for PPP payloads. After the PPTP tunnel setup process, PPP packets are exchanged using GRE encapsulation. It is critical that a NAT device that resides between PPTP client and PPTP server allow GRE flows.

This section contains NAT configuration examples for both inside and outside PPTP tunnel setup through NAT.

Clients on an Inside Network

In this example, a subscriber on the inside network is initiating PPTP tunnels to a PPTP server located in the outside network. The PPTP connection to the server traverses an E Series router that has NAT enabled.

Figure 10: PPTP Tunnels on an Inside Network

PPTP Tunnels on an Inside Network

The router has installed an inside source static simple translation in its translation table as follows:

Inside Local Address

Inside Global Address

13.1.2.3

20.0.0.1

The PPTP client initiates its tunnels to the server at 11.11.11.1. The E Series router translates the SA from inside local 13.1.2.3 to inside global SA 20.0.0.1. Because GRE traffic can pass through NAT, all matching PPTP control packets are translated and forwarded to the destination.

Clients on an Outside Network

In this example, an outside subscriber initiates PPTP tunnels to a PPTP server located in the service provider network. The PPTP connection to the server traverses an E Series router that has NAT enabled.

Figure 11: PPTP Tunnels on an Outside Network

PPTP Tunnels on an Outside Network

The router has installed an inside source static simple translation in its translation table as follows:

Inside Local Address

Inside Global Address

11.11.11.1

20.0.0.1

The PPTP client initiates its tunnels to the inside global address 20.0.0.1. The E Series router translates packets destined for address 20.0.0.1 and forwards them to the inside local address of 11.11.11.1. Because GRE traffic can pass through NAT, all matching PPTP control packets are translated and forwarded to the destination.