07-14-2003 08:50 PM - edited 02-20-2020 10:51 PM
I have just set up an 801 router to dial my ISP. The dialer interface is given a dynamic IP, and I am also using NAT between this and the Ethernet interface. On E0 of the router I have a PIX 501 configured to establish a VPN to another PIX 501 using Dynamic-to-Static VPN. The problem is that when the tunnel is established it will not pass any traffic across the VPN. Do I have to add a command to the 801 to allow traffic to pass through the VPN? I assume that the router is doing just that, routing; does it matter what traffic is passed through the router? Is NAT on the router causing the problem? I am confident of the PIX configuration as it is a tried and tested config that has not posed any problems in the past. A copy of the router config is below:
ip subnet-zero
!
isdn switch-type basic-net3
!
interface Ethernet0
ip address 192.168.6.1 255.255.255.0
ip nat inside
!
interface BRI0
no ip address
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-net3
ppp authentication chap callin
!
interface Dialer0
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
dialer remote-name dialconnect
dialer idle-timeout 600
dialer string ##############
dialer-group 1
ppp authentication chap callin
ppp chap hostname #############
ppp chap password #############
!
ip nat inside source list 101 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
!
!
access-list 101 permit ip 192.168.6.0 0.0.0.255 any
access-list 101 permit gre any any
dialer-list 1 protocol ip list 101
!
line con 0
login
stopbits 1
line vty 0 4
login
!
no rcapi server
07-14-2003 11:38 PM
The fact that the router is doing NAT overload (PAT) is causing your problem. The IPsec packets the PIXes are sending don't have a TCP/UDP port number in them, and therefore the router has trouble PAT'ing them properly and is dropping them.
PAT support for IPsec came into IOS in 12.2(13)T (see http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftnatesp.htm for details). If you upgrade the 801 to this code then it should automatically allow you to send ESP packets through it (no configuration on the router is required other than the NAT config which you already have).
Similarly, in PIX code v6.3 they introduced support for NAT-T (NAT Transparency), where the devices automatically discover during tunnel negotiation that there's a device doing PAT in between them, and they start to encapsulate everything in UDP port 4500 packets, which the 801 can then PAT successfully (regardless of what IOS version it's running). You need to upgrade both PIXes to 6.3 and configure them with the command:
> isakmp nat-traversal
to enable this feature. See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#1027312 for details.
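The following is an added illustration, not part of the reply above or of any Cisco code: a toy PAT table in Python that processes three constructed outbound packets from the inside PIX (IKE on UDP/500, plain ESP, and ESP wrapped in UDP/4500 as NAT-T does). It shows concretely why the overload NAT in the 801 config has nothing to rewrite or key a return mapping on when it sees protocol 50, why the NAT-T encapsulation fixes that, and what an ESP-aware PAT (modelled here, as an assumption, by keying the mapping on the ESP SPI) does instead. The addresses 192.168.6.2, 203.0.113.5 and 198.51.100.7, the SPI value and the payload bytes are all constructed for the example; UDP checksums are left at zero to keep it short.

```python
"""Toy PAT (NAT overload) model: constructed example, not IOS or PIX code."""
import struct

PROTO_UDP = 17
PROTO_ESP = 50
IKE_PORT = 500
NAT_T_PORT = 4500

INSIDE_PIX = "192.168.6.2"      # constructed: PIX on the router's E0 segment
ROUTER_OUTSIDE = "203.0.113.5"  # constructed: address negotiated on Dialer0
REMOTE_PIX = "198.51.100.7"     # constructed: static peer


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    # UDP checksum 0 is legal for IPv4; kept that way for brevity
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_esp(spi: int, seq: int, data: bytes) -> bytes:
    # ESP header is SPI + sequence number, then ciphertext: no port numbers at all
    return struct.pack("!II", spi, seq) + data


def parse(pkt: bytes):
    """Return (proto, src, dst, l4) where l4 is everything after the IPv4 header."""
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return pkt[9], src, dst, pkt[ihl:]


def summarize(pkt: bytes):
    """(proto, src, dst, ident): ident is the source port for UDP, the SPI for ESP."""
    proto, src, dst, l4 = parse(pkt)
    if proto == PROTO_UDP:
        ident = struct.unpack("!H", l4[:2])[0]
    elif proto == PROTO_ESP:
        ident = struct.unpack("!I", l4[:4])[0]
    else:
        ident = None
    return proto, src, dst, ident


class Pat:
    def __init__(self, outside_ip: str, esp_aware: bool = False):
        self.outside_ip = outside_ip
        self.esp_aware = esp_aware  # assumption: ESP-aware PAT keys flows on the SPI
        self.table = {}             # flow key -> translated source port (or outside IP for ESP)
        self.next_port = 1024

    def _alloc_port(self, key) -> int:
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return self.table[key]

    def translate_outbound(self, pkt: bytes):
        """Return the translated packet, or None when the packet cannot be PAT'ed."""
        proto, src, dst, l4 = parse(pkt)
        if proto == PROTO_UDP:
            sport, dport = struct.unpack("!HH", l4[:4])
            new_sport = self._alloc_port(("udp", src, sport))
            return build_ipv4(self.outside_ip, dst, proto,
                              struct.pack("!HH", new_sport, dport) + l4[4:])
        if proto == PROTO_ESP:
            if not self.esp_aware:
                return None  # no port to rewrite and nothing to key the return path on: dropped
            spi = struct.unpack("!I", l4[:4])[0]
            self.table.setdefault(("esp", src, spi), self.outside_ip)
            return build_ipv4(self.outside_ip, dst, proto, l4)
        return None


def demo(esp_aware: bool = False) -> dict:
    """Run the three packet kinds through one PAT instance; values are translated packets or None."""
    pat = Pat(ROUTER_OUTSIDE, esp_aware)
    esp_body = build_esp(0x1234ABCD, 1, b"ciphertext")
    ike = build_ipv4(INSIDE_PIX, REMOTE_PIX, PROTO_UDP, build_udp(IKE_PORT, IKE_PORT, b"IKE"))
    esp = build_ipv4(INSIDE_PIX, REMOTE_PIX, PROTO_ESP, esp_body)
    natt = build_ipv4(INSIDE_PIX, REMOTE_PIX, PROTO_UDP, build_udp(NAT_T_PORT, NAT_T_PORT, esp_body))
    return {"ike": pat.translate_outbound(ike),
            "esp": pat.translate_outbound(esp),
            "nat_t": pat.translate_outbound(natt)}


if __name__ == "__main__":
    for mode in (False, True):
        for name, out in demo(mode).items():
            print(f"esp_aware={mode} {name}: {'dropped' if out is None else summarize(out)}")
```

Run as a script, the plain-PAT pass shows IKE and NAT-T traffic leaving with the router's outside address and a fresh source port while the ESP packet is dropped, which is the symptom in the original question (tunnel negotiates, no data flows); the `esp_aware=True` pass lets the ESP packet through with its SPI untouched, the effect of the IOS upgrade described above.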
07-15-2003 03:19 PM
My current IOS is 12.3(1). I assume that this release would already have the update that you speak of?