Beginner

VPN client with PUBLIC IP

Hi, could anyone help me? There is a VPN client PC with a public IP address (without a NAT router). It can connect to the EZVPN server and receive routes, but traffic is not passing.

Cisco Employee

VPN client with PUBLIC IP

pls share the configuration of the VPN server, and advise which group you are connecting with.

Beginner

VPN client with PUBLIC IP

!
crypto isakmp client configuration group VPN1
 key XXXX
 pool LAN2
 acl SPLIT
 save-password
!
crypto ipsec transform-set evpnts esp-aes esp-md5-hmac
crypto ipsec transform-set sms esp-3des esp-sha-hmac
crypto ipsec transform-set SPD esp-aes 256 esp-sha-hmac
!
crypto dynamic-map emap 1
 set transform-set evpnts
 reverse-route
!
crypto map dynmap client authentication list userauth
crypto map dynmap isakmp authorization list groupauthor
crypto map dynmap client configuration address respond
crypto map dynmap 20 ipsec-isakmp
 set peer XXXXXX
 set transform-set sms
 match address SMS
crypto map dynmap 30 ipsec-isakmp
 set peer XXXXXX
 set security-association lifetime seconds 7200
 set transform-set SPD
 set pfs group5
 match address SPD
crypto map dynmap 65535 ipsec-isakmp dynamic emap
!
interface GigabitEthernet0/1.2145
 description ::XXXXX::
 encapsulation dot1Q 2145
 ip address XXXXXX
 ip access-group WAN_ACL in
 ip access-group PRIVATE out
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 crypto map dynmap
!

Keep in mind that behind NAT the client works just fine.

Beginner

VPN client with PUBLIC IP

Any Idea?

Participant

VPN client with PUBLIC IP

Yes

Set Transport to TCP on the client side, with f.i. TCP port 10000, and make sure the VPN box can talk TCP over 10000 too.

If a client has a public IP, it will successfully set up a VPN, but cannot access anything over UDP with NAT-T.

If you set up transport over TCP, it will.

Beginner

Re: VPN client with PUBLIC IP

I have done this, but then the VPN client cannot even connect.

     Ip access-list extended WAN_ACL
    10 permit udp host X.X.X.X host X.X.X.X (287276145 matches)
    20 permit ip host X.X.X.X host X.X.X.X log (1392 matches)
    25 permit tcp any host X.X.X.X eq 3389 (713 matches)
    30 permit tcp host X.X.X.X eq 3389 host X.X.X.X eq 3389
    35 permit tcp any host X.X.X.X eq 10000 (16 matches)
    40 permit udp host X.X.X.X host X.X.X.X gt 5059 log
    50 permit udp host x.x.x.x host X.X. gt 5059 log
    60 deny udp any host X.X.X.X range 5060 5090 log (404 matches)
    70 permit tcp any eq 9000 host X.X.X.X eq 9000

Participant

VPN client with PUBLIC IP

Hi

Did you configure EZVPN for TCP? Take a look at:

http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080b3ed2c.shtml

Plus, is there a firewall between the VPN box and the client? Make sure tcp 10000 is allowed between client and VPN box.

Beginner

Re: VPN client with PUBLIC IP

Do you know how to configure it with the CLI?

Participant

Re: VPN client with PUBLIC IP

Hi

I work with the ASA and I never worked with EZVPN.

But I looked it up and it's something like:

crypto ctcp port 10000

Good luck
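
One way to read the WAN_ACL hit counters from this thread when checking the TCP 10000 transport, as an added example that is not part of any poster's reply: it parses `show access-lists`-style output and reports whether a permit entry covering the port exists and whether it is being hit. The sample ACL, its placeholder addresses, the function names and the three result labels are constructed for illustration; ports are assumed numeric and addresses are not compared.

```python
import re

# Constructed sample in the WAN_ACL format posted above; addresses are placeholders.
SAMPLE = """\
Extended IP access list WAN_ACL
    10 permit udp host 198.51.100.7 host 203.0.113.1 (287276145 matches)
    35 permit tcp any host 203.0.113.1 eq 10000 (16 matches)
    70 permit tcp any eq 9000 host 203.0.113.1 eq 9000
"""

ENTRY = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.*?)"
                   r"(?:\s+\((\d+) match(?:es)?\))?\s*$")
OPS = {"eq": lambda p, a: p == a, "neq": lambda p, a: p != a,
       "gt": lambda p, a: p > a, "lt": lambda p, a: p < a}

def _skip_addr(tok):
    """Drop one address spec: 'any' (1 token) or 'host A' / 'A WILDCARD' (2 tokens)."""
    return tok[1:] if tok[:1] == ["any"] else tok[2:]

def _port(tok, port):
    """Consume an optional numeric port operator; return (covers_port, rest)."""
    if tok and tok[0] == "range":
        return int(tok[1]) <= port <= int(tok[2]), tok[3:]
    if tok and tok[0] in OPS:
        return OPS[tok[0]](port, int(tok[1])), tok[2:]
    return True, tok  # no operator means any port

def entries_covering(show_output, port=10000):
    """(seq, action, hits) for each tcp/ip entry whose destination port covers `port`."""
    out = []
    for line in show_output.splitlines():
        m = ENTRY.match(line)
        if not m or m[3] not in ("tcp", "ip"):
            continue
        _, tok = _port(_skip_addr(m[4].split()), port)  # source port: parsed, not judged
        covers, _ = _port(_skip_addr(tok), port)
        if covers:
            out.append((int(m[1]), m[2], int(m[5] or 0)))
    return out

def diagnose(show_output, port=10000):
    """Classify where to look next, from the permit entries' hit counters."""
    permits = [e for e in entries_covering(show_output, port) if e[1] == "permit"]
    if not permits:
        return "no-permit"      # the ACL never admits the TCP transport port
    if all(hits == 0 for _, _, hits in permits):
        return "permit-unused"  # nothing arrives: check client setting and path firewalls
    return "permit-hit"         # packets pass the ACL: check the router's cTCP setting

print(entries_covering(SAMPLE), diagnose(SAMPLE))
```

A non-zero counter on the port 10000 entry means the client's TCP packets reach the interface and pass the inbound ACL, which points at the router-side setting (`crypto ctcp port 10000`) rather than at a firewall in the path.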
