Configuring Web Interface ACL and NAT for Server Access and Resolving AR2200 LAC VPN Connectivity Issues

Solution

A: Web interface configuration process is as follows:

If the server and internal user segment are in the same subnet:

1. Under Security > ACL > Advanced ACL Configuration , create an ACL rule with the data source as the internal subnet, destination as the mapped public address, and action set to permit.

2. In IP Services > NAT > External Access , apply the ACL created in step 1 to the internal interface.

3. In IP Services > NAT > Static NAT , create a mapping, select the External Interface , and configure the public address, internal address, and corresponding port numbers.

4. In the same Static NAT section, create another mapping, this time selecting the Internal Interface ; the public address, internal address, and protocol/port numbers remain unchanged.

Note: This case only applies to versions that support specifying an interface in the IP Services > NAT > Static NAT location.

If the server and internal user segment are in different subnets, only steps 3 and 4 are required.

2. AR2200 as LAC – Internal Users Unable to Access LNS‑Side Server

Process

1. Verify that the L2TP VPN tunnel is established:

<LAC> display l2tp tunnel

Output shows one tunnel with LocalTID 102, RemoteAddress 60.X.X.2, Port 1701, Sessions 1, RemoteName lns.

<LAC> display l2tp session

Output shows one session with LocalSID 1, RemoteSID 1, LocalTID 1.

2. Check routing configurations on both devices to ensure they point to each other’s target subnets, with the next hop directed to the Virtual‑Template interface.

3. Ping from the AR side’s internal‑interface source IP to the server – connectivity is successful.

4. Ping from the PC to the server and examine the NAT session table:

<LAC> display nat session protocol icmp

Sample NAT session information:

Protocol: ICMP(1) SrcAddr Vpn: 172.168.3.100 // server address DestAddr Vpn: 192.168.2.3 // PC address Type Code IcmpId: 8 0 43981 NAT‑Info New SrcAddr: 192.168.2.1 // PC gateway, AR internal‑interface IP New DestAddr: ---- New IcmpId: 12060

Root Cause

The AR internal interface had NAT outbound enabled. The PC’s ICMP packet was routed through the VPN tunnel to the server, which then routed the reply back to the LAC; however, the outbound ACL on the internal interface matched the packet, performed NAT conversion, and caused the PC to drop the reply.

Relevant configuration:

acl name GigabitEthernet0/0/1 2999 rule 5 permit

interface GigabitEthernet0/0/1 ip address 192.168.2.1 255.255.255.0 nat outbound 2999

Solution

Remove the NAT outbound configuration on the internal interface, which resolves the connectivity issue.

Recommendations and Summary

For abnormal VPN traffic, verify that the tunnel is properly established, inspect relevant NAT and ACL tables, and consider packet capture for deeper analysis.