05-20-2009 09:14 AM - edited 03-04-2019 04:49 AM
Hello ALL,
I have a VPN Concentrator behind my Cisco 2621xm router. The public interface IP on my concentrator is 10.100.1.2. I can connect using the Cisco VPN client when I issue my computer a 10.100.1.X IP address in the same subnet as the concentrator public interface IP; however, I cannot connect to my concentrator when I am on the public internet. The outside interface IP for the router is 24.99.x.x, and the inside interface IP for the router is 10.100.1.1; this interface is plugged into the same switch as my Concentrator public interface. What ports do I need open to forward the traffic from my outside 24.99.x.x address from the internet to the 10.100.1.2 address for the VPN Concentrator to allow my client software to connect to the concentrator? Do I need to configure some kind of NAT address on the router to make this work?
05-20-2009 09:23 AM
You can try the following:
ip nat inside source static udp 10.100.1.2 500 24.99.x.x 500 extendable
ip nat inside source static udp 10.100.1.2 4500 24.99.x.x 4500 extendable
ip nat inside source static tcp 10.100.1.2 10000 24.99.x.x 10000 extendable
If you have an acl on the outside interface, you'll need to allow it through:
access-list 110 permit udp any host 24.99.x.x eq 500
access-list 110 permit udp any host 24.99.x.x eq 4500
access-list 110 permit tcp any host 24.99.x.x eq 10000
You may not need 10000, but just in case your UDP doesn't work, you can use IPsec over TCP, which uses 10000 by default. It depends on what your concentrator is using too, though.
I also found this on Cisco's FAQ, but I couldn't get a direct link:
Q. If I place my VPN 3000 Concentrator behind a firewall or router running access control lists, which ports and protocols do I need to allow through?
A. This chart lists ports and protocols.
Service                       Protocol Number   Source Port       Destination Port
PPTP Control Connection       6 (TCP)           1023              1723
PPTP Tunnel Encapsulation     47 (GRE)          N/A               N/A
ISAKMP/IPSec Key Management   17 (UDP)          500               500
IPSec Tunnel Encapsulation    50 (ESP)          N/A               N/A
IPSec NAT Transparency        17 (UDP)          10000 (default)   10000 (default)
HTH,
John
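As an added example (not from the thread or from Cisco), here is a small Python check that parses static NAT and extended ACL lines of the form given in the answer above and reports which of the ports the Cisco VPN client needs are not forwarded or not permitted; the sample config, the 24.99.x.x placeholder and the host-keyword ACL form are assumptions of the script.

```python
import re
from typing import List

# Ports the Cisco VPN client needs reachable on the router's outside address,
# as given in the answer above: IKE (UDP/500), NAT-T (UDP/4500) and IPsec over
# TCP (TCP/10000). Raw ESP (IP protocol 50) carries no port, so a per-port
# static NAT entry cannot forward it; only a 1:1 static NAT of the whole
# address does, which is why NAT-T or TCP encapsulation is what works here.
REQUIRED = {("udp", 500), ("udp", 4500), ("tcp", 10000)}

PORT_NAT_RE = re.compile(r"^ip nat inside source static (udp|tcp) \S+ (\d+) \S+ (\d+)")
FULL_NAT_RE = re.compile(r"^ip nat inside source static \S+ \S+(?: extendable)?$")
ACL_RE = re.compile(r"^access-list \d+ permit (udp|tcp) any host \S+ eq (\d+)")


def audit(config: str) -> List[str]:
    """Return findings for an IOS config fragment: required ports with no
    static NAT, forwards the outside ACL does not permit, and NAT entries
    whose inside and outside ports differ."""
    forwarded, permitted, one_to_one, findings = set(), set(), False, []
    for raw in config.splitlines():
        line = raw.strip()
        m = PORT_NAT_RE.match(line)
        if m:
            proto, local_port, global_port = m.groups()
            if local_port != global_port:
                findings.append(f"inside/outside port differ: {line}")
            forwarded.add((proto, int(global_port)))
        elif FULL_NAT_RE.match(line):
            one_to_one = True  # whole address translated, ESP included
        else:
            m = ACL_RE.match(line)
            if m:
                permitted.add((m.group(1), int(m.group(2))))
    if not one_to_one:
        for proto, port in sorted(REQUIRED - forwarded):
            findings.append(f"no static NAT for {proto}/{port}")
    if permitted:  # an outside ACL exists, so every forward must be allowed
        needed = REQUIRED if one_to_one else forwarded
        for proto, port in sorted(needed - permitted):
            findings.append(f"{proto}/{port} is not permitted by the outside ACL")
    return findings


# Constructed sample: the answer's config with the NAT-T forward left out
# and an ACL that only permits IKE.
SAMPLE = """
ip nat inside source static udp 10.100.1.2 500 24.99.x.x 500 extendable
ip nat inside source static tcp 10.100.1.2 10000 24.99.x.x 10000 extendable
access-list 110 permit udp any host 24.99.x.x eq 500
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```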
05-20-2009 10:12 AM
What is extendable for in the nat statement?
05-20-2009 10:18 AM
It translates the port along with the ip address. (At least that's my understanding.) You can take the extendable keyword off and see if it still works.
*Edit*
It also allows for multiple global addresses to map to a single local address.
HTH,
John