548 Views, 0 Helpful, 1 Replies

about ipsec over nat

cajun88
Level 1

My network is below:

vpnclient(4.03)--router(pat)--internet--pix515--router(202.96.199.254)

I can establish the IPsec tunnel over PAT, but cannot access the router (202.96.199.254).

I cannot establish a tunnel between the PIX and a PPTP client (Win2K) over PAT.

When I dial in to the internet (no PAT) and establish the tunnel, it is all OK.

My PIX config is below:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname vpnserver
access-list 101 permit ip 202.96.199.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list out2in permit ip 192.168.2.0 255.255.255.0 202.96.199.0 255.255.255.0
access-list out2in permit ip 192.168.2.0 255.255.255.0 192.168.200.0 255.255.255.0
ip address outside 218.78.*.* 255.255.255.128
ip address inside 202.96.199.40 255.255.255.0
ip local pool test 192.168.2.1-192.168.2.250
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group out2in in interface outside
route outside 0.0.0.0 0.0.0.0 218.78.*.1 1
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
sysopt ipsec pl-compatible
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup caosc address-pool test
vpngroup caosc split-tunnel 101
vpngroup caosc idle-time 1800
vpngroup caosc password ********
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local test
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn group 2 accept dialin l2tp
vpdn group 2 ppp authentication pap
vpdn group 2 ppp authentication chap
vpdn group 2 ppp authentication mschap
vpdn group 2 client configuration address local test
vpdn group 2 client authentication local
vpdn group 2 l2tp tunnel hello 60
vpdn username cisco password *********
vpdn enable outside

Please tell me what I can do.

Thanks,

cajun88

1 Reply
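The first thing to verify when a remote-access pool can build the tunnel but not reach inside hosts is that the pool, the nat 0 exemption ACL and the split-tunnel ACL all agree. The script below is an added example, not part of the original thread or the PIX software; it parses a constructed copy of the relevant lines from the config above and reports any mismatch between the pool range, the inside subnet and the ACLs bound to nat 0 and split-tunnel.

```python
import ipaddress
import re

# Constructed excerpt of the PIX config posted above (only the lines the check needs).
PIX_CONFIG = """
access-list 101 permit ip 202.96.199.0 255.255.255.0 192.168.2.0 255.255.255.0
ip address inside 202.96.199.40 255.255.255.0
ip local pool test 192.168.2.1-192.168.2.250
nat (inside) 0 access-list 101
vpngroup caosc address-pool test
vpngroup caosc split-tunnel 101
"""

ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")
POOL_RE = re.compile(r"ip local pool (\S+) (\S+)-(\S+)")

def parse_config(text):
    """Collect pools, ACL entries, the inside subnet and the ACLs bound to nat 0 / split-tunnel."""
    cfg = {"pools": {}, "acls": {}, "inside": None, "nat0": None, "split": None, "pool_name": None}
    for line in text.splitlines():
        if m := ACL_RE.match(line):
            src = ipaddress.ip_network((m[2], m[3]))   # (address, netmask) tuple form
            dst = ipaddress.ip_network((m[4], m[5]))
            cfg["acls"].setdefault(m[1], []).append((src, dst))
        elif m := POOL_RE.match(line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"ip address inside (\S+) (\S+)", line):
            cfg["inside"] = ipaddress.ip_network((m[1], m[2]), strict=False)
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", line):
            cfg["nat0"] = m[1]
        elif m := re.match(r"vpngroup \S+ split-tunnel (\S+)", line):
            cfg["split"] = m[1]
        elif m := re.match(r"vpngroup \S+ address-pool (\S+)", line):
            cfg["pool_name"] = m[1]
    return cfg

def check_pool_coverage(cfg):
    """Return a list of findings; an empty list means pool, nat 0 and split-tunnel lines agree."""
    findings = []
    lo, hi = cfg["pools"][cfg["pool_name"]]
    for role in ("nat0", "split"):
        name = cfg[role]
        entries = cfg["acls"].get(name, [])
        if not entries:
            findings.append(f"{role}: access-list {name} is referenced but has no permit ip entries")
            continue
        # The whole pool must sit in some entry's destination, and the inside LAN in its source.
        if not any(lo in dst and hi in dst for _, dst in entries):
            findings.append(f"{role}: pool {lo}-{hi} is not covered by access-list {name}")
        if not any(cfg["inside"].subnet_of(src) for src, _ in entries):
            findings.append(f"{role}: inside network {cfg['inside']} is not covered by access-list {name}")
    return findings
```

For the posted config the check returns no findings, so the pool/ACL wiring itself is consistent and the problem lies elsewhere.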