IPsec passthrough


OK, first I'll go over my setup and then the problem I have.

Comcast SMCD3 cable gateway (required for statics with business class service).

Cisco 3745 w/ NM-1GE (link to the SMC) and 2x NME-16ES-1G-P

the NM-1GE is GI 2/0

the links to the etherswitches are Gi 1/0 and GI 3/0

Then I have OSPF routing between all three, and the etherswitches are handling the inter-VLAN routing (the DHCP server is handing out two default routers to the DHCP clients, which, for the ones that support it, then load balance between the two).

The inside IP layout is:

3745

gi 1/0 10.254.254.1 /30

gi 3/0 10.254.254.5 /30

Etherswitch one

Vlan 200 10.254.254.2 /30

with VLAN interface IPs ending in 1

Etherswitch two

Vlan 201 10.254.254.6 /30

with VLAN interface IPs ending in 253

Vlan 2 10.0.2.0 /24

Vlan 3 10.0.3.0 /24

Vlan 4 10.0.4.0 /24

Now on to the problem.

From a computer on VLAN 2 (or any of the VLANs) I can't open a Microsoft IPsec tunnel to an ISA server out on the internet.

If I plug the computer directly into the SMC and use my spare public IP, then I can.

It worked at some point in the past, though I haven't tested VPN after every network change (as I don't VPN that often).

OK, and here's the NAT config:

interface GigabitEthernet1/0
 description Link to NME-16ES-1G-p
 ip address 10.254.254.1 255.255.255.252
 ip nat enable
 ip virtual-reassembly
 ip ospf 1 area 0
 ipv6 address --------:200::1/64
 ipv6 ospf 1 area 0

interface GigabitEthernet3/0
 description Link to NME-16ES-1G-p (number 2)
 ip address 10.254.254.5 255.255.255.252
 ip nat enable
 ip virtual-reassembly
 ip ospf 1 area 0
 ipv6 address --------:201::1/64
 ipv6 ospf 1 area 0

interface GigabitEthernet2/0
 description Link to Comcast
 bandwidth 76000
 ip address 75.x.x.35 255.255.255.248 secondary
 ip address 75.x.x.36 255.255.255.248 secondary
 ip address 75.x.x.37 255.255.255.248 secondary
 ip address 75.x.x.33 255.255.255.248
 ip access-group 110 in
 ip nat enable
 ip virtual-reassembly
 ip ospf 1 area 0
 negotiation auto

ip route 0.0.0.0 0.0.0.0 75.x.x.38

ip nat pool RLH1 75.x.x.35 75.x.x.35 netmask 255.255.255.248 add-route
ip nat pool RLH2 75.x.x.36 75.x.x.36 netmask 255.255.255.248 add-route
ip nat pool RLH3 75.x.x.37 75.x.x.37 netmask 255.255.255.248 add-route
ip nat source list 1 pool RLH1 overload
ip nat source list 2 pool RLH2 overload
ip nat source list 3 pool RLH3 overload

access-list 1 permit 10.0.2.0 0.0.0.255
access-list 1 deny any
access-list 2 permit 10.0.3.0 0.0.0.255
access-list 2 deny any
access-list 3 permit 10.0.4.0 0.0.0.255
access-list 3 deny any



Anyone have any suggestions?

Hi Ricky,

What kind of IPsec client are you using? Is it a Cisco VPN Client v5.x or some other client? I wonder if it supports NAT Traversal for IPsec by UDP-encapsulating it so that it can pass through a NAT/PAT box. You could perhaps do a Wireshark dump on the PC running the IPsec client to see what kind of packets are being sent - and perhaps if any packets get back in return.

In addition, your Gi2/0 interface is configured with ACL 110 in the inbound direction. What exactly does this ACL contain? Assuming your IPsec client indeed supports NAT-T then this ACL should allow UDP segments sourced from UDP ports 500, 4500 and 10000. Can you verify this?

Best regards,

Peter

The client is the default MS client; the VPN server is an MS ISA server.

I know it worked in the past, but as I didn't regularly test it I'm not really sure when it stopped working, though my MicroCell (AT&T mini personal cell tower thing), which has to VPN to AT&T, stopped working only recently.

Here's ACL 101 and 110:

access-list 101 permit ip host 10.0.3.11 any
access-list 101 deny ip any any

access-list 110 deny tcp any 75.x.x.32 0.0.0.7 eq discard
access-list 110 deny tcp any 75.x.x.32 0.0.0.7 eq daytime
access-list 110 deny tcp any 75.x.x.32 0.0.0.7 eq chargen
access-list 110 deny tcp any 75.x.x.32 0.0.0.7 eq telnet
access-list 110 deny tcp any 75.x.x.32 0.0.0.7 eq finger
access-list 110 deny tcp any 75.x.x.32 0.0.0.7 eq 135
access-list 110 deny tcp any 75.x.x.32 0.0.0.7 eq 136
access-list 110 deny tcp any 75.x.x.32 0.0.0.7 eq 137
access-list 110 deny tcp any 75.x.x.32 0.0.0.7 eq 138
access-list 110 deny tcp any 75.x.x.32 0.0.0.7 eq 139
access-list 110 deny udp any 75.x.x.32 0.0.0.7 eq snmp
access-list 110 deny udp any 75.x.x.32 0.0.0.7 eq snmptrap
access-list 110 deny tcp any 75.x.x.32 0.0.0.7 eq 445
access-list 110 deny tcp any 75.x.x.32 0.0.0.7 eq 593
access-list 110 deny ip host 12.203.209.1 any
access-list 110 permit ip any any
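Peter's ACL 110 check, worked through as an added example (not code from the thread): a small first-match evaluator for IOS extended ACLs, run over ACL 110 as posted above. The masked 75.x.x octets are replaced by the constructed placeholder 75.0.0, and 198.51.100.10 stands in for the ISA server; both are assumptions. It shows that IKE (UDP/500), NAT-T (UDP/4500) and raw ESP replies all fall through to the permit ip any any line.

```python
"""First-match evaluation of a Cisco IOS extended ACL against the traffic an IPsec
client behind NAT needs back: IKE (UDP/500), NAT-T (UDP/4500) and raw ESP (proto 50)."""
import ipaddress

# IOS port keywords used in ACL 110
PORT_NAMES = {"discard": 9, "daytime": 13, "chargen": 19, "telnet": 23,
              "finger": 79, "snmp": 161, "snmptrap": 162}

# ACL 110 as posted in the thread, same entry order (example added here). The masked
# "75.x.x" octets are replaced by the constructed placeholder 75.0.0 so the lines parse.
_DENIES = ([("tcp", p) for p in ("discard", "daytime", "chargen", "telnet", "finger",
                                 "135", "136", "137", "138", "139")]
           + [("udp", "snmp"), ("udp", "snmptrap"), ("tcp", "445"), ("tcp", "593")])
ACL_110 = ([f"access-list 110 deny {pr} any 75.0.0.32 0.0.0.7 eq {pt}" for pr, pt in _DENIES]
           + ["access-list 110 deny ip host 12.203.209.1 any", "access-list 110 permit ip any any"])

def _addr(tok, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2  # IOS wildcard == host mask

def parse_acl(lines):
    """Return [(action, proto, src_net, dst_net, dst_port_or_None)] in ACL order."""
    entries = []
    for line in lines:
        tok = line.split()
        action, proto = tok[2], tok[3]
        src, i = _addr(tok, 4)
        dst, i = _addr(tok, i)
        port = None
        if i < len(tok) and tok[i] == "eq":
            port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        entries.append((action, proto, src, dst, port))
    return entries

def evaluate(entries, proto, src, dst, dport=None):
    """'permit' or 'deny' for one packet; an unmatched packet hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, port in entries:
        if p in ("ip", proto) and s in snet and d in dnet and port in (None, dport):
            return action
    return "deny"

def vpn_return_traffic(entries, vpn_server, nat_pool_ip):
    """ACL verdicts for the VPN server's replies toward the NAT pool address."""
    return {"ike_udp500": evaluate(entries, "udp", vpn_server, nat_pool_ip, 500),
            "nat_t_udp4500": evaluate(entries, "udp", vpn_server, nat_pool_ip, 4500),
            "raw_esp": evaluate(entries, "esp", vpn_server, nat_pool_ip)}
```

The ACL verdict is only half the picture: with `overload` (PAT) a reply still needs a translation entry the router can map back to an inside host, which ESP's port-less header does not offer the way UDP 4500 does, so the capture Peter asks for is what tells the two cases apart.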

Ricky,

Thank you. I do not see any problem in the ACL 110. Where is the ACL 101 used? Also, can you perform the test with Wireshark on the client? I am interested in knowing how the IPsec packets are being encapsulated.

Best regards,

Peter

I'll do some Wireshark capturing a bit later.

Here's where 101 is used:

class-map match-all game
 match access-group 101
class-map match-any Xbox360
 match ip dscp ef
!
!
policy-map game
 class game
  set ip dscp ef
policy-map Xbox360
 class Xbox360
  bandwidth 1024
