VPN client doesn't work behind NAT device?

Discussion in 'Cisco' started by Oliver, Nov 11, 2003.

  1. Oliver

    Oliver Guest

    Hi, I've got a Cisco837 dsl router, that after months of confusion
    have managed to configure so vpn clients can terminate to it (thanks
    to this group). My problem now is that when the client is behind a
    NAT device the vpn doesn't initiate? When the client is directly
    connected to the 'net the vpn works fine. Any ideas? Config below.
    Thanks
    Oliver



    router1>enable
    Password:
    router1#sh conf
    Using 5330 out of 131072 bytes
    !
    version 12.3
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname router1
    !
    no logging buffered
    no logging console
    enable secret 5 $1$PTY9$DDakXrtxZzzMb8sw6EYp11
    !
    username user1 password 7 1301181C091E057F2874
    username user2 password 7 15011B05002F3929293D
    aaa new-model
    !
    !
    aaa authentication login userauthen local
    aaa authorization network groupauthor local
    aaa session-id common
    ip subnet-zero
    ip name-server 212.23.6.35
    ip name-server 212.23.3.11
    ip dhcp excluded-address 192.168.0.20
    !
    ip inspect name myfw cuseeme timeout 3600
    ip inspect name myfw ftp timeout 3600
    ip inspect name myfw rcmd timeout 3600
    ip inspect name myfw realaudio timeout 3600
    ip inspect name myfw smtp timeout 3600
    ip inspect name myfw tftp timeout 30
    ip inspect name myfw udp timeout 15
    ip inspect name myfw tcp timeout 3600
    ip inspect name myfw h323 timeout 3600
    ip audit notify log
    ip audit po max-events 100
    ip ssh break-string
    no ftp-server write-enable
    !
    !
    !
    crypto isakmp policy 3
    encr 3des
    authentication pre-share
    group 2
    !
    crypto isakmp client configuration group clientvpn
    key password
    dns 192.168.0.20
    domain c60capital.com
    pool ippool
    acl 108
    !
    !
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
    set transform-set myset
    !
    !
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    !
    !
    !
    !
    interface Ethernet0
    description CRWS Generated text. Please do not delete this:192.168.0.1-255.255.255.0
    ip address 192.168.0.1 255.255.255.0 secondary
    ip address 10.10.10.1 255.255.255.0
    ip nat inside
    ip route-cache policy
    ip policy route-map nonat
    no ip mroute-cache
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    no ip mroute-cache
    atm vc-per-vp 64
    no atm ilmi-keepalive
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    dsl operating-mode auto
    dsl power-cutback 0
    !
    interface Dialer1
    ip address negotiated
    ip access-group 111 in
    ip nat outside
    ip inspect myfw out
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap pap callin
    ppp chap hostname user@dsl
    ppp chap password 7 1333321C0C060F070D
    ppp pap sent-username zen22603@zen password 7 10782C17021D19262A
    crypto map clientmap
    hold-queue 224 in
    !
    ip local pool ippool 192.168.3.1 192.168.3.100
    ip nat inside source list 102 interface Dialer1 overload
    ip nat inside source static udp 192.168.0.99 3389 interface Dialer1 3389
    ip nat inside source static tcp 192.168.0.99 3389 interface Dialer1 3389
    ip nat inside source static tcp 192.168.0.20 25 interface Dialer1 25
    ip nat inside source static tcp 192.168.0.20 80 interface Dialer1 80
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip route 192.168.3.0 255.255.255.0 Dialer1
    ip route 205.183.246.0 255.255.255.0 192.168.0.2
    ip route 208.134.161.0 255.255.255.0 192.168.0.2
    ip http server
    no ip http secure-server
    !
    access-list 23 permit 0.0.0.0
    access-list 23 permit 192.168.0.0 0.0.0.255
    access-list 23 permit 10.10.10.0 0.0.0.255
    access-list 23 permit any
    access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
    access-list 102 permit ip 192.168.0.0 0.0.0.255 any
    access-list 108 permit ip 192.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255
    access-list 111 permit tcp any any eq smtp
    access-list 111 permit tcp any any eq www
    access-list 111 permit tcp any any eq 1723
    access-list 111 permit tcp any any eq 1724
    access-list 111 permit tcp any any eq 1725
    access-list 111 permit tcp any any eq 1726
    access-list 111 permit tcp any any eq 1727
    access-list 111 permit tcp any any eq telnet
    access-list 111 permit icmp any any administratively-prohibited
    access-list 111 permit icmp any any echo
    access-list 111 permit icmp any any echo-reply
    access-list 111 permit icmp any any packet-too-big
    access-list 111 permit icmp any any time-exceeded
    access-list 111 permit icmp any any traceroute
    access-list 111 permit icmp any any unreachable
    access-list 111 permit udp any eq bootps any eq bootpc
    access-list 111 permit udp any eq bootps any eq bootps
    access-list 111 permit udp any eq domain any
    access-list 111 permit esp any any
    access-list 111 permit udp any any eq isakmp
    access-list 111 permit udp any any eq 10000
    access-list 111 permit tcp any any eq 139
    access-list 111 permit udp any any eq netbios-ns
    access-list 111 permit udp any any eq netbios-dgm
    access-list 111 permit gre any any
    access-list 111 permit tcp any any range 1723 1727
    access-list 111 permit udp any any range 1723 1727
    access-list 111 permit ip 192.168.3.0 0.0.0.255 any
    access-list 111 permit tcp any any eq 3389
    access-list 111 permit udp any any eq 3389
    access-list 111 deny ip any any
    access-list 123 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
    dialer-list 1 protocol ip permit
    route-map nonat permit 10
    match ip address 123
    !
    !
    line con 0
    exec-timeout 120 0
    no modem enable
    transport preferred all
    transport output all
    stopbits 1
    line aux 0
    transport preferred all
    transport output all
    stopbits 1
    line vty 0 4
    access-class 23 in
    exec-timeout 120 0
    length 0
    transport preferred all
    transport input all
    transport output all
    !
    scheduler max-task-time 5000
    !
    end
     
    Oliver, Nov 11, 2003
    #1

  2. Oliver

    Tim Thorne Guest

    (Oliver) wrote:

    >Hi, I've got a Cisco837 dsl router, that after months of confusion
    >have managed to configure so vpn clients can terminate to it (thanks
    >to this group). My problem now is that when the client is behind a
    >NAT device the vpn doesn't initiate? When the client is directly
    >connected to the 'net the vpn works fine. Any ideas?


    You need to NAT the VPN through the router with statics. If IPSEC,
    something like below to get it working. If PPTP I believe you need to
    let tcp 1723 & udp 500 through.

    >ip nat inside source static esp <internal IP> interface Dialer1
    >ip nat inside source static udp <internal IP> 500 <external IP> 500 extendable


    Tim
     
    Tim Thorne, Nov 11, 2003
    #2

  3. Oliver

    Joe Drago Guest

    Quick note: The "password 7" lines are decryptable (read: not secure), so
    be careful in the future to not post those strings along with the rest of
    your configuration as you'll expose your usernames, passwords, and IPs with
    the device.

    Joe Drago
    StreamLine Communications

    (Oliver) wrote in news:aa66e05d.0311110628.1d769e46@posting.google.com:

    > Hi, I've got a Cisco837 dsl router, that after months of confusion
    > have managed to configure so vpn clients can terminate to it (thanks
    > to this group). My problem now is that when the client is behind a
    > NAT device the vpn doesn't initiate? When the client is directly
    > connected to the 'net the vpn works fine. Any ideas? Config below.
    > Thanks
    > Oliver
    >
    > username user1 password 7 1301181C091E057F2874
    > username user2 password 7 15011B05002F3929293D
     
    Joe Drago, Nov 11, 2003
    #3
  4. Oliver

    Oliver Guest

    Thanks for the help guys, I'll try the statics & bear in mind the
    security issues with password 7s in future - have changed all
    passwords etc just in case.

    Joe Drago <> wrote in message news:<Xns943068F4378D6joedragosl@129.250.35.204>...
    > Quick note: The "password 7" lines are decryptable (read: not secure), so
    > be careful in the future to not post those strings along with the rest of
    > your configuration as you'll expose your usernames, passwords, and IPs with
    > the device.
    >
    > Joe Drago
    > StreamLine Communications
    >
    > (Oliver) wrote in news:aa66e05d.0311110628.1d769e46@posting.google.com:
    >
    > > Hi, I've got a Cisco837 dsl router, that after months of confusion
    > > have managed to configure so vpn clients can terminate to it (thanks
    > > to this group). My problem now is that when the client is behind a
    > > NAT device the vpn doesn't initiate? When the client is directly
    > > connected to the 'net the vpn works fine. Any ideas? Config below.
    > > Thanks
    > > Oliver
    > >
    > > username user1 password 7 1301181C091E057F2874
    > > username user2 password 7 15011B05002F3929293D
     
    Oliver, Nov 13, 2003
    #4
  5. Oliver

    username Guest

    You need to open up IP protocol 50,51 and UDP 500.

    Hope that helps.

    Oliver wrote:

    > Hi, I've got a Cisco837 dsl router, that after months of confusion
    > have managed to configure so vpn clients can terminate to it (thanks
    > to this group). My problem now is that when the client is behind a
    > NAT device the vpn doesn't initiate? When the client is directly
    > connected to the 'net the vpn works fine. Any ideas? Config below.
    > Thanks
    > Oliver
     
    username, Nov 16, 2003
    #5
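The two things the replies ask for, as an added example that is not code from the thread or from Cisco: a pass that redacts the credential lines Joe warns about before a config is posted, and a check that the inbound ACL on the interface carrying the crypto map permits ESP (IP 50), AH (IP 51) and ISAKMP (UDP 500) as Tim and "username" recommend. SAMPLE_CONFIG is a constructed excerpt with placeholder secrets; the IOS ACL keyword for AH is `ahp`, and the address-scoped ACL entries are deliberately ignored.

```python
import re

# Constructed excerpt modelled on the config in this thread; the secret
# strings are placeholders, not the values from the post.
SAMPLE_CONFIG = """\
enable secret 5 $1$abcd$PLACEHOLDERHASH0123456789
username user1 password 7 PLACEHOLDER7A
crypto isakmp client configuration group clientvpn
 key PLACEHOLDERPSK
interface Dialer1
 ip access-group 111 in
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 deny ip any any
"""

# Type 7 is reversible obfuscation, type 5 an offline-crackable MD5 hash,
# and the ISAKMP group key is stored in clear: all must go before posting.
SECRET_RULES = [
    (re.compile(r"^(\s*.*(?:password|secret)) 7 \S+"), "type7 reversible"),
    (re.compile(r"^(\s*enable secret) 5 \S+"), "type5 md5 hash"),
    (re.compile(r"^(\s*key) \S+$"), "isakmp pre-shared key"),
]

def redact(config):
    """Return (sanitised config, [(line_number, rule_name), ...])."""
    out, findings = [], []
    for lineno, line in enumerate(config.splitlines(), 1):
        for pattern, name in SECRET_RULES:
            if m := pattern.match(line):
                line = m.group(1) + " <REDACTED>"
                findings.append((lineno, name))
                break
        out.append(line)
    return "\n".join(out) + "\n", findings

def ipsec_inbound_permits(config, interface):
    """Check the inbound ACL on `interface` for ESP (IP 50), AH (IP 51, IOS
    keyword 'ahp') and ISAKMP (UDP 500). 'any any' entries only; None = no ACL."""
    block = rf"^interface {re.escape(interface)}\n(?:[ \t].*\n)*?[ \t]+ip access-group (\S+) in\b"
    m = re.search(block, config, re.M)
    if m is None:
        return None
    acl, allowed = m.group(1), {"esp": False, "ahp": False, "isakmp": False}
    for line in config.splitlines():
        fields = line.split()
        if fields[:3] == ["access-list", acl, "permit"] and "any any" in line:
            proto = fields[3]
            if proto == "ip":  # permit ip any any lets everything through
                allowed = dict.fromkeys(allowed, True)
            elif proto in allowed:
                allowed[proto] = True
            elif proto == "udp" and ("eq isakmp" in line or "eq 500" in line):
                allowed["isakmp"] = True
    return allowed
```

Run over the posted config, the ACL check reports esp and isakmp permitted and no ahp entry; the transform set in the thread (esp-3des esp-sha-hmac) uses ESP only, so the missing AH permit is not what blocks these clients.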
