06-21-2005 09:22 AM - edited 03-02-2019 11:10 PM
I have a 2621 set up with nat. I am having issues getting my cisco VPN client connecting through this device.
Is there a command or configuration that I need to perform to let this traffic through.
Thanks,
06-21-2005 10:58 PM
Hello,
can you post the configuration of your 2621 ?
Regards,
GP
06-28-2005 05:20 AM
!
! Last configuration change at 14:42:45 Arizona Mon Jun 20 2005 by
!
version 12.2
service tcp-keepalives-in
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname Firewall
!
logging buffered 4096 debugging
aaa new-model
enable secret 5 xxxxxx
enable password 7 xxxxxxxx
!
clock timezone Arizona -7
ip subnet-zero
!
!
no ip domain-lookup
ip name-server 24.221.30.1
ip name-server 192.168.0.5
!
ip audit notify log
ip audit po max-events 100
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
no ip address
!
interface FastEthernet0/0
ip address 24.x.x.x 255.255.255.0
ip nat outside
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
ip address 192.168.0.251 255.255.255.0
ip nat inside
duplex auto
speed auto
arp timeout 600
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 24.221.52.106
no ip http server
!
logging facility syslog
logging 192.168.0.15
access-list 1 permit 192.168.0.0 0.0.0.255 log
access-list 10 permit 24.221.52.122 log
access-list 10 permit 192.168.0.0 0.0.0.255 log
access-list 10 permit 63.226.32.0 0.0.0.255 log
access-list 10 permit 65.121.28.0 0.0.0.255 log
snmp-server community xxxxx RW
no snmp-server enable traps tty
!
dial-peer cor custom
!
!
!
!
alias exec rt show ip route
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
access-class 10 in
exec-timeout 420 0
password 7 xxxxxxxxxx
!
ntp clock-period 17180773
ntp server 130.159.196.118
ntp server 130.88.202.49 source FastEthernet0/0 prefer
end
06-28-2005 09:23 PM
hi
I don't find anything in your config related to dynamic IPsec VPN for your remote clients.
I would suggest checking this link to get some clarity on meeting your requirement; the link explains how to create dynamic IPsec on your boxes.
Regards
06-29-2005 06:49 AM
This 2621 is not being used as a "VPN termination" point. It is used as an entry/exit point for a small LAN. I am just trying to pass traffic through it. I have been able to successfully connect to the remote concentrator (i.e. I get an IP address) but I cannot pass traffic. This issue has been bugging me for a while. As a workaround I am using a "smoothwall" firewall to get by, but I would like to use the 2621 in the long run.
Thanks for the time...
06-29-2005 07:02 AM
Make sure you have "nat traversal" enabled on the VPN concentrator. This adds a UDP layer to the tunneled traffic and allows it to work properly across NAT/PAT.
Your symptoms describe a NAT/PAT problem with VPNs to a tee. "can authenticate but can't pass tunneled traffic."
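To make the NAT/PAT explanation above concrete, here is an added illustration that is not part of the original thread or of any Cisco code. It models the poster's setup: an overload (PAT) box like the `ip nat inside source list 1 interface FastEthernet0/0 overload` rule above, a client behind it, and a concentrator on the outside. IKE runs over UDP/500 and translates like any UDP flow, which is why authentication succeeds and an address is assigned; the tunnelled data is raw ESP (IP protocol 50), which carries an SPI instead of ports, so an overload rule has no field of its own to rewrite and the model rejects it. With NAT-T (RFC 3948) the same ESP is wrapped in UDP/4500, and IKE on that port is prefixed with a four-zero-byte "non-ESP marker" (valid because SPI 0 is reserved), so the demux function shows how the receiver tells them apart. All addresses, SPIs and payloads are constructed. One caveat a practitioner should keep in mind: NAT devices that do pass raw ESP (as the smoothwall mentioned later in the thread evidently does) do so by tracking SPIs, a feature usually called IPsec passthrough; whether this IOS release and the plain overload rule above provide that is not something the thread establishes, which is why NAT-T on the concentrator is the robust fix.

```python
"""Toy model: why raw ESP fails behind PAT and why NAT-T (UDP/4500) works.

Added example, not from the original thread. Addresses are RFC 5737
documentation ranges; SPIs and payloads are constructed.
"""
import struct

TCP_PROTO, UDP_PROTO, ESP_PROTO = 6, 17, 50
IKE_PORT, NAT_T_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 s.2.2: IKE on 4500 gets 4 zero bytes
NAT_KEEPALIVE = b"\xff"                # RFC 3948 s.2.3: one-byte NAT keepalive


class PATBox:
    """Overload NAT: one public address, source ports disambiguate inside hosts."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}    # (proto, inside_ip, inside_port) -> public_port
        self.back = {}   # (proto, public_port)            -> (inside_ip, inside_port)

    def outbound(self, pkt):
        """Translate inside->outside; returns the rewritten packet."""
        if pkt["proto"] not in (TCP_PROTO, UDP_PROTO):
            # ESP has no port field. Its SPI is chosen by the remote peer, so
            # the NAT owns nothing it can rewrite and cannot tell two inside
            # hosts' return ESP apart. This is the "authenticates but passes
            # no traffic" symptom: IKE (UDP) translated, ESP did not.
            raise ValueError(f"proto {pkt['proto']} has no port to overload")
        key = (pkt["proto"], pkt["src"], pkt["sport"])
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(pkt["proto"], self.next_port)] = (pkt["src"], pkt["sport"])
            self.next_port += 1
        return {**pkt, "src": self.public_ip, "sport": self.out[key]}

    def inbound(self, pkt):
        """Translate outside->inside using the mapping built by outbound()."""
        inside = self.back.get((pkt["proto"], pkt["dport"]))
        if inside is None:
            raise KeyError("no translation for this packet; dropped")
        return {**pkt, "dst": inside[0], "dport": inside[1]}


def encap_esp(spi, seq, ciphertext):
    """UDP-encapsulated ESP body: ESP header (SPI, seq) then the ESP payload."""
    return struct.pack("!II", spi, seq) + ciphertext


def demux_4500(payload):
    """Classify a UDP/4500 payload the way a NAT-T receiver does."""
    if payload == NAT_KEEPALIVE:
        return ("keepalive", None)
    if payload.startswith(NON_ESP_MARKER):
        return ("ike", payload[4:])          # IKE message follows the marker
    if len(payload) < 8:
        return ("malformed", None)
    spi, _seq = struct.unpack("!II", payload[:8])
    return ("esp", spi)                      # SPI != 0, so never confused with the marker


def simulate():
    """Run the three cases through one PAT box and report what happened."""
    nat = PATBox("203.0.113.1")
    client, peer = "192.168.0.20", "198.51.100.9"

    # 1. IKE over UDP/500: ordinary UDP, PAT works, client authenticates.
    ike = {"proto": UDP_PROTO, "src": client, "sport": IKE_PORT,
           "dst": peer, "dport": IKE_PORT}
    ike_out = nat.outbound(ike)

    # 2. Raw ESP for the tunnel data: nothing to overload, PAT cannot carry it.
    esp = {"proto": ESP_PROTO, "src": client, "dst": peer, "spi": 0x1234ABCD}
    try:
        nat.outbound(esp)
        raw_esp_passed = True
    except ValueError:
        raw_esp_passed = False

    # 3. Same ESP with NAT-T: wrapped in UDP/4500, it translates like any UDP flow
    #    and the reply finds its way back to the inside client.
    body = encap_esp(0x1234ABCD, 1, b"constructed ciphertext")
    natt = {"proto": UDP_PROTO, "src": client, "sport": NAT_T_PORT,
            "dst": peer, "dport": NAT_T_PORT, "payload": body}
    natt_out = nat.outbound(natt)
    reply = {"proto": UDP_PROTO, "src": peer, "sport": NAT_T_PORT,
             "dst": nat.public_ip, "dport": natt_out["sport"], "payload": body}
    natt_back = nat.inbound(reply)

    return {
        "ike_public_port": ike_out["sport"],
        "raw_esp_passed": raw_esp_passed,
        "natt_public_port": natt_out["sport"],
        "natt_reply_reached": natt_back["dst"],
        "natt_demux": demux_4500(body),
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

Running it shows the IKE flow and the NAT-T flow each getting a public port and the reply landing on 192.168.0.20, while the raw ESP packet is refused; that is the difference between "I get an IP address" and "I cannot pass traffic".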
06-29-2005 08:14 AM
John,
Unfortunately, I do not have access to the concentrator(s). Let me ask you this. As a workaround I am using a firewall that does NAT as well and the VPN connections work fine with both concentrators.