05-11-2003 02:11 PM - edited 03-09-2019 03:14 AM
Hi,
I am trying to configure a Cisco 827 (configured with NAT) for IP NAT traversal. A VPN client behind this router can establish a VPN connection to the remote PIX,
but I can't ping any device behind the PIX (which is also doing NAT).
Here is my configuration on the Cisco router (IOS 12.2.T13):
version 12.2
no parser cache
no service pad
service timestamps debug uptime
service timestamps log datetime
service password-encryption
!
hostname "sas827"
!
logging buffered 10000 warnings
logging monitor informational
enable secret 5 $1$dOFa$/wJ7UXsfgEfHzz6IHyMZb1
enable password 7 02140542
!
sas password 7 045F0A0D06321D
clock timezone CET 1
clock summer-time CET recurring
aaa new-model
!
!
aaa authentication banner * WELCOME TO RAY NETWORK *
aaa authentication login userauthen local group tacacs+
aaa authentication login no_tacacs enable
aaa authentication ppp local group tacacs+
aaa authorization network groupautho local group tacacs+
aaa session-id common
ip subnet-zero
ip name-server x.x.x.x
ip dhcp excluded-address 192.168.20.1 192.168.20.49
ip dhcp excluded-address 192.168.20.101 192.168.20.254
!
ip dhcp pool netclient
network 192.168.20.0 255.255.255.0
dns-server 193.252.19.3 193.252.19.4
domain-name xxxxxx
default-router 192.168.20.1
lease 1 12
!
ip inspect audit-trail
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
lifetime 300
crypto isakmp key raycyr address x.x.x.x
crypto isakmp keepalive 10 10
crypto isakmp nat keepalive 25
!
!
crypto ipsec transform-set desmd5 esp-des esp-md5-hmac
!
crypto map mode client authentication list userauthen
crypto map mode isakmp authorization list groupautho
crypto map mode client configuration address initiate
crypto map mode 1 ipsec-isakmp
description Tunnel IPSEC vers cyr
set peer x.x.x.x
set transform-set desmd5
match address 130
reverse-route
!
!
!
!
interface Loopback0
ip address 172.16.1.1 255.255.0.0
!
interface Ethernet0
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip tcp adjust-mss 1452
no ip mroute-cache
no cdp enable
hold-queue 32 in
hold-queue 100 out
!
interface ATM0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5snap
pppoe-client dial-pool-number 1
!
bundle-enable
dsl operating-mode auto
!
interface Dialer0
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxxxxxx
ppp chap password 7 0878594A0B085C1C
ppp pap sent-username xxxxxx password 7 10171C1D07064B00
crypto map mode
!
ip nat inside source route-map nonat 110 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
!
!
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
access-list 110 deny ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 permit ip 192.168.20.0 0.0.0.255 any
access-list 130 permit ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
dialer-list 110 protocol ip permit
no cdp run
!
route-map nonat permit 10
match ip address 110
!
radius-server authorization permit missing Service-Type
!
line con 0
login authentication no_tacacs
stopbits 1
line vty 0 4
exec-timeout 4 4
length 0
!
scheduler max-task-time 5000
end
Help,
thanks.
05-16-2003 06:53 AM
Can't see anything wrong in the config, so I need to know what you are trying to ping. To troubleshoot that, you can use the "traceroute x.x.x.x" command for the IP address to be pinged and see how far the packets go towards that IP address. You will see a point of block/failure there.
Make sure the pix is configured accordingly.
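One check that can be run against the posted configuration, as an added example that is not part of the original thread: it verifies that every flow permitted by the crypto ACL (130) is excluded from NAT by an earlier covering deny in the ACL used by route-map nonat (110). The function names are hypothetical, and the parser assumes `ip` entries written as `ADDR WILDCARD` or `any` with contiguous wildcards.

```python
import ipaddress
import re

# Constructed sample: the access-list lines as posted in the question above.
SAMPLE_CONFIG = """\
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
access-list 110 deny ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 permit ip 192.168.20.0 0.0.0.255 any
access-list 130 permit ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
"""

ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) ip (.+)$")

def _take_net(tokens):
    """Consume 'any' or 'ADDR WILDCARD' (assumption: contiguous wildcard)."""
    if tokens[0] == "any":
        tokens.pop(0)
        return ipaddress.ip_network("0.0.0.0/0")
    addr, wildcard = tokens.pop(0), tokens.pop(0)
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)

def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            tokens = m.group(3).split()
            src, dst = _take_net(tokens), _take_net(tokens)
            acls.setdefault(int(m.group(1)), []).append((m.group(2), src, dst))
    return acls

def unexempted_crypto_entries(acls, crypto_acl, nat_acl):
    """Crypto permits whose first overlapping NAT-ACL entry is not a covering deny."""
    problems = []
    for action, src, dst in acls.get(crypto_acl, []):
        if action != "permit":
            continue
        for n_action, n_src, n_dst in acls.get(nat_acl, []):
            if src.overlaps(n_src) and dst.overlaps(n_dst):
                covered = src.subnet_of(n_src) and dst.subnet_of(n_dst)
                if not (n_action == "deny" and covered):
                    problems.append((src, dst))
                break
        # No overlapping entry at all: the implicit deny means no translation.
    return problems
```

An empty result for ACLs 130 and 110 means the tunnel traffic is not being translated on this router, which leaves the PIX side and its own NAT rules as the next place to look.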