Cisco VPN client through 2621.

syancy
Level 1

I have a 2621 set up with NAT. I am having issues getting my Cisco VPN client to connect through this device.

Is there a command or configuration that I need to perform to let this traffic through?

Thanks,

6 Replies

Hello,

Can you post the configuration of your 2621?

Regards,

GP

!
! Last configuration change at 14:42:45 Arizona Mon Jun 20 2005 by
!
version 12.2
service tcp-keepalives-in
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname Firewall
!
logging buffered 4096 debugging
aaa new-model
enable secret 5 xxxxxx
enable password 7 xxxxxxxx
!
clock timezone Arizona -7
ip subnet-zero
!
!
no ip domain-lookup
ip name-server 24.221.30.1
ip name-server 192.168.0.5
!
ip audit notify log
ip audit po max-events 100
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
 no ip address
!
interface FastEthernet0/0
 ip address 24.x.x.x 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 ip address 192.168.0.251 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
 arp timeout 600
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 24.221.52.106
no ip http server
!
logging facility syslog
logging 192.168.0.15
access-list 1 permit 192.168.0.0 0.0.0.255 log
access-list 10 permit 24.221.52.122 log
access-list 10 permit 192.168.0.0 0.0.0.255 log
access-list 10 permit 63.226.32.0 0.0.0.255 log
access-list 10 permit 65.121.28.0 0.0.0.255 log
snmp-server community xxxxx RW
no snmp-server enable traps tty
!
dial-peer cor custom
!
!
!
!
alias exec rt show ip route
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 access-class 10 in
 exec-timeout 420 0
 password 7 xxxxxxxxxx
!
ntp clock-period 17180773
ntp server 130.159.196.118
ntp server 130.88.202.49 source FastEthernet0/0 prefer
end

Hi,

Don't find anything in your config related to dynamic IPsec VPN for your remote clients.

Would suggest checking this link out to have some clarity on meeting your requirement; the link points out about creating dynamic IPsec on your boxes.

http://cisco.com/en/US/partner/netsol/ns340/ns394/ns171/ns27/networking_solutions_white_paper09186a0080186fda.shtml

Regards

This 2621 is not being used as a "VPN termination" point. It is used as an entry/exit point for a small LAN. I am just trying to pass traffic through it. I have been able to successfully connect to the remote concentrator (i.e. I get an IP address) but I cannot pass traffic. This issue has been bugging me for a while. As a workaround I am using a "smoothwall" firewall to get by but would like to use the 2621 in the long run.

Thanks for the time...

Make sure you have "nat traversal" enabled on the VPN concentrator. This adds a UDP layer to the tunneled traffic and allows it to work properly across NAT/PAT.

Your symptoms describe a NAT/PAT problem with VPNs to a tee. "can authenticate but can't pass tunneled traffic."
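
What the reply above describes, seen from the NAT device, as an added example that is not part of the original thread: a Python sketch that classifies IPv4 packets by what an overload-NAT (PAT) router can key on. It assumes the concentrator would use standard NAT traversal (RFC 3948, UDP port 4500); the helper names, addresses and sample packets are constructed for illustration.

```python
import struct

def ipv4(proto, payload, src="192.168.0.10", dst="203.0.113.5"):
    """Minimal IPv4 packet; addresses are constructed sample values."""
    pack_addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, pack_addr(src), pack_addr(dst)) + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def esp(spi, seq, ciphertext=b"\xaa" * 16):
    return struct.pack("!II", spi, seq) + ciphertext

def classify(packet):
    """Return (kind, has_ports) as an overload-NAT (PAT) device sees it."""
    ihl = (packet[0] & 0x0F) * 4
    proto, body = packet[9], packet[ihl:]
    if proto == 50:
        # Native ESP: only an SPI, no port fields for PAT to rewrite.
        return ("esp-native", False)
    if proto != 17:
        return ("other", None)                  # not examined in this sketch
    sport, dport, length, _ = struct.unpack("!HHHH", body[:8])
    data = body[8:length]
    if 4500 in (sport, dport):
        if data == b"\xff":
            return ("nat-keepalive", True)      # RFC 3948 keepalive byte
        if data[:4] == b"\x00" * 4:
            return ("ike-over-4500", True)      # non-ESP marker precedes IKE
        return ("esp-in-udp", True)             # NAT-T tunneled traffic
    if 500 in (sport, dport):
        return ("ike", True)                    # key negotiation
    return ("udp", True)

def demo():
    """Constructed packets for a session without and with NAT-T."""
    samples = {
        "IKE negotiation": ipv4(17, udp(500, 500, b"\x01" * 28)),
        "tunnel data, no NAT-T": ipv4(50, esp(0x1000, 1)),
        "tunnel data, NAT-T": ipv4(17, udp(4500, 4500, esp(0x1000, 1))),
    }
    return {name: classify(pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} {result}")
```

Only the first and third sample packets carry ports, which matches the symptom in the thread: the IKE exchange completes, while native ESP data gives the PAT table nothing to key on.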

John,

Unfortunately, I do not have access to the concentrator(s). Let me ask you this. As a workaround I am using a firewall that does NAT as well and the VPN connections work fine with both concentrators.
