jt
Guest
Posts: n/a
Post the relevant cfg's.

"Anthony" <> schrieb im Newsbeitrag news: om...
> All,
>
> I have been pulling my hair out for two weeks now.
>
> I have a Cisco 837 that has a static IP and a Soho 97 with a dynamic IP. I am trying to get the Soho 97 to initiate an IPSEC tunnel to the 837, but I'm having no success.
>
> I can't get the Soho 97 to initiate the tunnel, no matter what I do. I have tried almost every single example on the Cisco website. Running a debug on both the Cisco boxes shows absolutely no IPSEC/ISAKMP debug info. It appears that the Soho 97 just isn't sending any IPSEC/ISAKMP packets out.
>
> Does anyone know if this should work? i.e. can the Soho 97 initiate an IPSEC tunnel? Or can the Soho 97 only terminate an IPSEC tunnel?
>
> Thanks,
>
> Anthony
Anthony
Guest
Posts: n/a
jt,

Here are the last configs I tried. I have also included a 'show version' from each box:

Thanks - Anthony

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Cisco 837 Config:
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

cisco837#show runn
Building configuration...

Current configuration : 2436 bytes
!
! No configuration change since last restart
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname cisco837
!
enable secret 5 xxx
enable password 7 xxx
!
username xxxx password 7 xxxx
no aaa new-model
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key 0 cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set rtpset esp-3des esp-md5-hmac
!
crypto dynamic-map rtpmap 10
 set transform-set rtpset
 match address 115
!
crypto map rtptrans 10 ipsec-isakmp dynamic rtpmap
!
interface Ethernet0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer0
 ip address negotiated        <--- picks up static IP (call it 1.1.1.1)
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname xxxx
 ppp chap password 7 xxxx
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map rtptrans
!
ip nat inside source list 101 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 115 permit ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 115 deny ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
!
end

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Cisco 837 show version
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''

cisco837>show ver
Cisco Internetwork Operating System Software
IOS (tm) C837 Software (C837-K9O3Y6-M), Version 12.3(2)XC, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.3(1.6)T
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Thu 25-Sep-03 10:33 by ealyon
Image text-base: 0x800131E8, data-base: 0x80B928E0

ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
ROM: C837 Software (C837-K9O3Y6-M), Version 12.3(2)XC, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

cisco837 uptime is 1 week, 5 days, 15 hours, 21 minutes
System returned to ROM by reload at 23:00:00 UTC Mon May 3 2004
System image file is "flash:c837-k9o3y6-mz.123-2.XC.bin"

This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to .

CISCO C837 (MPC857DSL) processor (revision 0x400) with 44237K/4915K bytes of memory.
Processor board ID AMB080403CZ (3726239585), with hardware revision 0000
CPU rev number 7
Bridging software.
1 Ethernet/IEEE 802.3 interface(s)
4 FastEthernet/IEEE 802.3 interface(s)
1 ATM network interface(s)
128K bytes of non-volatile configuration memory.
12288K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

Configuration register is 0x2102

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Cisco soho 97 Config:
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

show runn
Building configuration...

Current configuration : 1967 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname cisco-soho97
!
enable secret 5 xxx
!
username xxx password 7 xxx
ip subnet-zero
no ip domain lookup
ip dhcp excluded-address 192.168.100.1
!
ip dhcp pool CLIENT
 import all
 network 192.168.100.0 255.255.255.0
 default-router 192.168.100.1
 lease 0 2
!
no aaa new-model
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key 0 cisco123 address 1.1.1.1        <--- 1.1.1.1 = Static IP of Cisco 837
!
crypto ipsec transform-set rtpset esp-3des esp-md5-hmac
!
crypto map rtp 1 ipsec-isakmp
 set peer 1.1.1.1        <--- 1.1.1.1 = Static IP of Cisco 837
 set transform-set rtpset
 match address 115
!
interface Ethernet0
 ip address 192.168.100.1 255.255.255.0
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface Dialer0
 ip address negotiated previous
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname xxx
 ppp chap password 7 xxx
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map rtp
!
ip nat inside source list 101 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 115 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 115 deny ip 192.168.100.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
!
scheduler max-task-time 5000
!
end
cisco-soho97#

'''''''''''''''''''''''''''''''''''''''''''''''''
Cisco soho 97 'show version'
'''''''''''''''''''''''''''''''''''''''''''''''''

show ver
Cisco Internetwork Operating System Software
IOS (tm) SOHO97 Software (SOHO97-K9OY1-M), Version 12.3(2)XC, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.3(1.6)T
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Thu 25-Sep-03 11:28 by ealyon
Image text-base: 0x800131C0, data-base: 0x80965578

ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
ROM: SOHO97 Software (SOHO97-K9OY1-M), Version 12.3(2)XC, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

router2 uptime is 3 days, 14 hours, 39 minutes
System returned to ROM by reload
System image file is "flash:soho97-k9oy1-mz.123-2.XC.bin"

This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to .

CISCO SOHO97 (MPC857DSL) processor (revision 0x400) with 29492K/3276K bytes of memory.
Processor board ID AMB08080K53 (3051406853), with hardware revision 0000
CPU rev number 7
Bridging software.
1 Ethernet/IEEE 802.3 interface(s)
1 ATM network interface(s)
128K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

Configuration register is 0x2102

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

"jt" <> wrote in message news:<40a631ef$0$1861$>...
> Post the relevant cfg's.
>
> "Anthony" <> schrieb im Newsbeitrag news: om...
> > [...]
jt
Guest
Posts: n/a
Will respond tonight, I need to dig through this.

"Anthony" <> schrieb im Newsbeitrag news: om...
> jt,
>
> Here are the last configs I tried. I have also included a 'show version' from each box:
>
> Thanks - Anthony
>
> [...]
jt
Guest
Posts: n/a
Good evening Anthony,
-----------------------------------------------

I guess we can shrink it down to a phase 1 problem when you say that NO debug output is displayed. I could shrink it down to an ACL problem, I think.

General rule is to:

First exclude ( DENY ) the LOCAL traffic ** to ** remote from NAT.
Second PERMIT local traffic to ANY remote.

I saw you have CBAC in place on the receiving side - I cannot guarantee that this is true, but CBAC ( ip audit... ) drops incoming traffic from outside if not triggered from inside. PIX has the "sysopt permit-ipsec" command while IOS hasn't; you should disable CBAC in this case.

OK, so here we go. To avoid confusion, I have supplied the modified parts in a commented form; please insert only the blocks below, the rest of your config was entirely OK.

Hope this helps to get you started. Please give me some feedback and debug isakmp.

Daniel

############## Soho 97 on .100 /24 #############################################

This box is to initiate the connection to 837.

!
crypto map rtp 1 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set rtpset
 match address 115
!
! See the commented ACLs below !
!
!
interface Dialer0
 ip address negotiated previous
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname xxx
 ppp chap password 7 xxx
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map rtp
!
ip nat inside source list 101 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
no ip http secure-server
!
access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
!
access-list 115 permit ip 192.168.100.0 0.0.0.255 any
!
! Modified ACLs !!!
! List 101 shovels everything via NAT on the WAN link.
! Therefore we must exclude ( deny ) NAT to remote ** first ** to comply with NAT exclusion statement on 837.
! These packets are referred to in ACL 115 for later ipSEC use.
! Thereafter we permit NAT on packets ( not ) intended for ipSEC via 115 that is also used as dialer bait.
!

################ 837 ############################

Cisco 837 Configuration Script. This box should accept incoming ipSEC connections from any box configured to connect to it.

CBAC ( "ip Audit..." ) is removed as this may cause potential interference with ipSEC. CBAC permits inbound connections of any kind only if these were triggered from inside. Because the 837 is triggered from outside CBAC will most probably drop the traffic.

crypto isakmp enable ( added to have IKE explicitly turned on )

access-list 101 permit ip any any
! Added / modified bait for the WAN dialer. If matched, dialout occurs.

access-list 115 deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 115 permit ip 192.168.0.0 0.0.0.255 any
! Bait for ipSEC. First row for protection, second for exclusion.
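The "deny the remote subnet in the NAT list first, then permit the rest" rule in Daniel's reply is about the IOS order of operations on the outbound path: inside-to-outside NAT is applied before the crypto map is consulted, so if the NAT list translates the LAN-to-LAN packets, the crypto ACL (written for the LAN source) never matches and IKE is never started, which matches the "no ISAKMP debug output at all" symptom. The Python below is an added example, not code from the thread or from Cisco: a small parser and first-match evaluator for IOS extended IP ACL lines, plus a simplified model of that NAT-before-crypto pipeline. The ACL sets, the WAN address 203.0.113.5 (standing in for the Soho's negotiated address) and the packet addresses are constructed from the subnets in the thread; whether this was the actual cause on Anthony's Soho 97 is not established in the thread, the example only shows the mechanism. The parser also refuses a line whose source wildcard mask is missing, a typo that shifts every later token.

```python
"""IOS-style extended ACL evaluation and the NAT-before-crypto outbound order.
Added example; a simplified model, not IOS code. Sample ACLs are constructed."""
import ipaddress
import re
from dataclasses import dataclass

ACE_RE = re.compile(r"^\s*access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.*)$")


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network    # matched against the packet source
    dst: ipaddress.IPv4Network    # matched against the packet destination


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard mask (0 bit = must match, 1 bit = don't care) to a network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):                        # set bits must form a contiguous low run
        raise ValueError(f"non-contiguous wildcard {wildcard} after {addr}")
    prefixlen = 32 - wc.bit_length()
    return ipaddress.IPv4Network(f"{addr}/{prefixlen}", strict=False)


def _take_address(tokens: list) -> ipaddress.IPv4Network:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if not tokens:
        raise ValueError("missing address")
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        if not tokens:
            raise ValueError("missing address after 'host'")
        return ipaddress.IPv4Network(f"{tokens.pop(0)}/32")
    if not tokens:
        raise ValueError(f"missing wildcard mask after {tok}")
    return _wildcard_to_network(tok, tokens.pop(0))


def parse_acls(config: str) -> dict:
    """Collect 'access-list N permit|deny ip SRC DST' lines, keyed by list number."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue                         # not an extended IP entry; ignored
        num, action, rest = int(m.group(1)), m.group(2), m.group(3).split()
        src = _take_address(rest)
        dst = _take_address(rest)
        if rest:
            raise ValueError(f"unexpected tokens in list {num}: {' '.join(rest)}")
        acls.setdefault(num, []).append(Ace(action, src, dst))
    return acls


def is_malformed(line: str) -> bool:
    """True when a line does not parse, e.g. a missing wildcard mask."""
    try:
        parse_acls(line)
    except ValueError:
        return True
    return False


def evaluate(acl: list, src: str, dst: str) -> bool:
    """First matching entry wins; no match is the implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action == "permit"
    return False


def outbound(acls: dict, nat_list: int, crypto_list: int, wan_ip: str,
             src: str, dst: str) -> dict:
    """Inside-to-outside: NAT decides first, the crypto ACL sees the post-NAT
    source. A translated source cannot match a crypto ACL written for the LAN
    subnet, so the packet leaves in clear and no IKE negotiation is started."""
    natted = evaluate(acls[nat_list], src, dst)
    src_on_wire = wan_ip if natted else src
    ipsec = evaluate(acls[crypto_list], src_on_wire, dst)
    return {"natted": natted, "src_on_wire": src_on_wire, "ipsec": ipsec}


# Constructed sample: Soho 97 side as first posted (NAT list 101 permits everything).
SOHO_AS_POSTED = """
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 115 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 115 deny ip 192.168.100.0 0.0.0.255 any
"""

# Constructed sample: deny VPN-bound traffic in the NAT list first, permit the rest.
# The crypto ACL is kept specific to the remote subnet rather than 'any'.
SOHO_NAT_EXEMPT = """
access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 115 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 115 deny ip 192.168.100.0 0.0.0.255 any
"""

WAN_IP = "203.0.113.5"   # constructed stand-in for the Soho's negotiated address


def compare(src: str = "192.168.100.10", dst: str = "192.168.0.10") -> dict:
    """Run the same LAN-to-LAN packet through both ACL sets."""
    return {
        "as_posted": outbound(parse_acls(SOHO_AS_POSTED), 101, 115, WAN_IP, src, dst),
        "nat_exempt": outbound(parse_acls(SOHO_NAT_EXEMPT), 101, 115, WAN_IP, src, dst),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:>10}: {result}")
    print("internet-bound:", outbound(parse_acls(SOHO_NAT_EXEMPT), 101, 115,
                                      WAN_IP, "192.168.100.10", "198.51.100.7"))
```

Running it shows the LAN-to-LAN packet being translated and leaving unencrypted under the first ACL set, and being left untranslated and matched by the crypto ACL under the second, while internet-bound traffic is still translated in both. The same first-match logic is why the deny entry has to come before the broad permit: with the order reversed, the permit would match first and the deny would never be reached.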
Anthony
Guest
Posts: n/a
Thanks Daniel,

Your suggestions look promising.

I will be testing the updated configs within the next couple of days.

I'll post my results as soon as I have completed the testing.

Thanks again,

Anthony

"jt" <> wrote in message news:<40a7b9b1$0$26349$>...
> Good evening Anthony,
> -----------------------------------------------
>
> [...]
jt
Guest
Posts: n/a
Have a hairbrush handy whilst testing.

"Anthony" <> schrieb im Newsbeitrag news: om...
> Thanks Daniel,
>
> Your suggestions look promising.
>
> I will be testing the updated configs within the next couple of days.
>
> I'll post my results as soon as I have completed the testing.
>
> Thanks again,
>
> Anthony
>
> "jt" <> wrote in message news:<40a7b9b1$0$26349$>...
> > Good evening Anthony,
> > -----------------------------------------------
> >
> > [...]