Error Message retransmitting phase 1 AG_INIT_EXCH

rtwwpad

Hi

I have an 837 that I have configured with SDM. I am running Easy VPN Client 4.0.1. I have shut down all firewalls on the broadband router and my PC to ensure these are not the problem. My PC connects via a wireless link to a Linksys WAG54G.

My VPN client tells me invalid username but I have checked these and they are correct. I am using group username and password.

On the Cisco I have the following debugging turned on and I get the following from it.

Any ideas? I can see it seems to suggest a mismatch at the start but it then seems to be okay further down.

show debug

Cryptographic Subsystem:

Crypto ISAKMP debugging is on

Crypto ISAKMP Error debugging is on

Crypto IPSEC debugging is on

Phil

8 Replies

rtwwpad

Further to the above, I have used SDM to run its checks on the config. It says it passes on everything. I have gone onto the test specific client button and it says that it can route to me but cannot establish peer connectivity. It says it is one of three things:

1) No connectivity

2) Firewalls

3) Incorrect easy vpn client config

I have switched off my pc and home router firewalls.

I deffo have connectivity.

Perhaps I am configuring my easy vpn client incorrectly.

I set the group name to the one configured on the Cisco, same case.

I set the password to the groupname key

If this was successful, from what I understand xauth will then challenge for my username and password, but I do not get that far.

Thanks

Phil

I assume that the log file you posted was from the 837 router. From what I can tell, it did accept the IKE parameters that the client sent, and was trying to send a reply, and that reply never made it back to the client. I did see messages about NAT-T, so my question is how is your client set up? Is it using NAT-T over UDP port 4500?

Hi,

Yes, the log file was from the 837. Hmm, don't know about NAT-T. My client is my PC, which is using a private address supplied by my Linksys router, which is doing NAT as I have a single IP address from my ISP at home. The PC is running Windows XP Pro SP2. I shall have to look at NAT-T as I have not come across the term before, or port 4500. My office runs on the 10 network and my home network runs on the 192.168 network, so that eliminates any problems there. I shall research more on NAT-T problems as it seems to point to the Linksys. If I get a chance I should have a spare modem/router around somewhere in the office.

Any suggestions appreciated in the meantime.

Thanks

Phil

Check your PC VPN client connection settings - under transport it will list whether or not you are using NAT-T. I believe that it is on by default and it will use UDP, not TCP. Let me know what your transport settings are.

Also what version of code is running on the Linksys router?

Hi

Right. Spoke to Linksys and the WAG54G does not support NAT-T. Nor will it ever support this. There are two which do, an R082 and a B series with VPN in the title.

So, dug out my USB modem and lo and behold I can now connect, as XP SP2 has the fix for NAT-T in it. However, one of the internal servers runs on port 81 and I cannot access it. I don't know why, unless it is the Windows firewall? But that wouldn't make sense, would it?

Phil

I would check the Windows firewall settings, as it would not surprise me that port 81 access would be blocked by default, but I cannot say for certain what is and what is not allowed by default.

If the Windows firewall settings do allow the connection to port 81, then I would check the 837 VPN gateway config to ensure that it allows connections on port 81 from the clients. If you still need help, please post the 837 config here and I can take a look at it to help out further.

Hi

I have switched the internal Win XP firewall off. Still no joy. The Cisco VPN client seems to suggest it has an internal firewall (it's on the options menu and says Stateful Firewall (Always On)). I have had a look at the access lists, but these seem to apply to traffic arriving at the interface.

My understanding is that if it is tunnelled then the connection should bypass these lists as I am in a tunnel and the ports etc encapsulated. The packets should just splurge out on to the network I have connected to? Otherwise I would be punching a hole in the firewall.

I have attached my config in aid of any enlightenment you may be able to give.

Thanks

Phil

PS: yes, I know I have a lot of stuff open for HTTP, telnet and ping, but I am leaving it there while I troubleshoot :)

I believe that you have to add this line in access-list 111:

access-list 111 permit tcp any any eq 81

as that is the inbound acl on the dialer 1 interface.

Try adding that entry before the explicit deny ip any any line and let me know how it works. Note that you may be able to add your entry anywhere in the acl since you are running 12.3 code, but that may not be the case and by default, it would be added at the end so you may need to remove the explicit deny, add the permit to port 81 and then re-add the deny.

One note about the Cisco VPN client integrated firewall: it does not allow rules the way the normal firewall code would, but it will only allow connections from your workstation, not to it, when it is turned on. Passive mode FTP will work, but port mode will not, as port mode means the FTP server will initiate a data-channel connection back to the client, whereas passive means the client initiates both the data and the control channel ports.

The stateful fw is only active if there is a check mark next to the words stateful firewall (always on). If it is not checked, then it is not active.

So try the change in acl 111 and let me know how it works for you.
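The ACL edit described in the reply above, written out as an IOS configuration session. This is an added example, not configuration from the thread or the poster's attached config; the ACL number, interface and port come from the thread, while the sequence numbers (90 for the new entry, 100 for the existing deny) are assumed and should be checked with "show access-list 111" first.

```ios
! Option A: IOS 12.3 supports sequence numbers on numbered ACLs, so the
! permit can be placed ahead of the final "deny ip any any" without
! rebuilding the list. Assumes the deny sits at sequence 100 and 90 is free.
ip access-list extended 111
 90 permit tcp any any eq 81
 exit
!
! Option B: older code appends new entries at the end, after the deny,
! where they never match. Remove the deny, add the permit, re-add the deny.
! Caveat: on some older releases "no access-list 111 <entry>" removes the
! entire list, so have the full ACL ready to re-enter before doing this.
no access-list 111 deny ip any any
access-list 111 permit tcp any any eq 81
access-list 111 deny ip any any
!
! Verify the order either way: the port 81 permit must be listed above the
! deny, and the hit counters will show whether client traffic is matching it.
end
show access-list 111
show ip interface Dialer1
```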