Router configuration to allow VPN traffic through

brianpembleton
Level 1

I would like to ask assistance with a particular configuration to allow VPN traffic through a 1721 router.

The network layout is as follows:

internet --- Cisco 1721 --- Cisco PIX 506E --- LAN

Remote clients connect from the internet using the Cisco VPN client. The 1721 should just pass the packets through to the PIX, which is at 192.168.0.2. The router's inside interface is at 192.168.0.1.

The PIX was originally configured with a public IP and has been tested to work well in authenticating the VPN connections and passing traffic into the LAN. Then, the outside IP was changed to 192.168.0.2 and placed behind the router.

The 1721 is configured with an ADSL connection, with automatic failover to an async dial-up connection. This setup is working well, and users in the LAN have normal internet access. I've added access lists for UDP, ESP, and AHP traffic.

The Cisco VPN clients get an error stating that the remote is not responding.

I've attached the router's configuration for reference, and any help would be greatly appreciated.

Manuel.

1 Accepted Solution

Accepted Solutions

Richard Burts
Hall of Fame

Brian

For VPN clients to reach the PIX to terminate their VPN the PIX needs an address that is reachable from outside where the clients are. When the PIX had a public address it was obviously easy for the clients to reach the PIX. When you give the PIX a private address then there needs to be a translation. And it is problematic if the translation is dynamic.

You have provided a static translation which is what is needed. But you have restricted it to TCP 3389. I am not sure why you restricted it this way. What is supposed to happen to the ISAKMP, ESP, and AHP traffic? How is it to be translated?

If there is not a static translation for the ISAKMP, ESP, and AHP traffic then the clients do not know how to reach the server. Which brings me to the question of what address is configured in the client for the server?

HTH

Rick

2 Replies

Hello Rick,

Thank you for your help. I had put in a static route for port 3389 to allow direct traffic using Microsoft's Remote Desktop or Terminal Services, but had forgotten to also route the necessary ports for the VPN traffic, which I've now added as follows:

ip nat inside source static udp 192.168.0.2 10000 interface Dialer0 10000
ip nat inside source static udp 192.168.0.2 500 interface Dialer0 500
ip nat inside source static esp 192.168.0.2 interface Dialer0

It now works correctly and the VPN authentication is almost instantaneous over an ADSL remote.

Thanks again.
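A consolidated version of the static translations together with a matching inbound filter on the outside interface, added here as an example and not taken from the thread or the poster's attached configuration. It assumes the inside interface is FastEthernet0, the outside interface is Dialer0 and the inbound ACL is named VPN-IN, and it adds UDP 4500 (IPsec NAT-T), which the thread does not mention but which current clients negotiate.

```ios
! Added example, not the thread's own configuration: a consolidated 1721
! fragment for passing Cisco VPN client traffic through to the PIX at
! 192.168.0.2. Assumed names: inside interface FastEthernet0, outside
! interface Dialer0, inbound ACL VPN-IN. Adjust to the router's real
! interfaces and merge with its existing access list.

! Static translations so the PIX is reachable at the Dialer0 (public)
! address. AH (ahp) is deliberately absent: it authenticates the outer IP
! header, so it cannot survive NAT, and the Cisco VPN client uses ESP.
ip nat inside source static udp 192.168.0.2 500 interface Dialer0 500
ip nat inside source static udp 192.168.0.2 4500 interface Dialer0 4500
ip nat inside source static udp 192.168.0.2 10000 interface Dialer0 10000
ip nat inside source static esp 192.168.0.2 interface Dialer0

! Inbound filter on the outside interface: admit only what the translations
! need (ISAKMP on UDP 500, NAT-T on UDP 4500, the VPN client's UDP
! encapsulation on 10000, and ESP). The list ends in an implicit deny, so
! the existing entries that admit return traffic for the LAN's NAT sessions
! must be carried over into it.
ip access-list extended VPN-IN
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit udp any any eq 10000
 permit esp any any

interface FastEthernet0
 ip nat inside
interface Dialer0
 ip nat outside
 ip access-group VPN-IN in

! Verification after a client connects: the static entries should show the
! PIX mapped to the Dialer0 address, and the permit counters should move.
! show ip nat translations
! show access-lists VPN-IN
```

With a dynamically assigned Dialer0 address the destination in the ACL has to stay `any`; if the ADSL account has a fixed address, narrow it to `host <that address>`.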