11-18-2004 10:55 PM - edited 02-21-2020 01:27 PM
My network is below:
vpnclient(4.03)--router(pat)--internet--pix515--router(202.96.199.254)
I can establish the IPsec tunnel over PAT, but cannot access the router (202.96.199.254).
I cannot establish a tunnel between the PIX and a PPTP client (Win2K) over PAT.
When I dial to the internet (no PAT) and establish the tunnel, it is all OK.
My pix config is below:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname vpnserver
access-list 101 permit ip 202.96.199.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list out2in permit ip 192.168.2.0 255.255.255.0 202.96.199.0 255.255.255.0
access-list out2in permit ip 192.168.2.0 255.255.255.0 192.168.200.0 255.255.255.0
ip address outside 218.78.*.* 255.255.255.128
ip address inside 202.96.199.40 255.255.255.0
ip local pool test 192.168.2.1-192.168.2.250
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group out2in in interface outside
route outside 0.0.0.0 0.0.0.0 218.78.*.1 1
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
sysopt ipsec pl-compatible
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup caosc address-pool test
vpngroup caosc split-tunnel 101
vpngroup caosc idle-time 1800
vpngroup caosc password ********
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local test
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn group 2 accept dialin l2tp
vpdn group 2 ppp authentication pap
vpdn group 2 ppp authentication chap
vpdn group 2 ppp authentication mschap
vpdn group 2 client configuration address local test
vpdn group 2 client authentication local
vpdn group 2 l2tp tunnel hello 60
vpdn username cisco password *********
vpdn enable outside
Please tell me what I can do.
Thanks,
cajun88
11-18-2004 11:42 PM
Hi,
I think you need to configure isakmp nat-traversal.
See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312
and
http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/4_6/ugwin/vc4.htm#wp1025864
Regards,
Milan