VPN client doesn't work behind NAT device?

Discussion in 'Cisco' started by Oliver, Nov 11, 2003.

  1. Oliver

    Oliver Guest

    Hi, I've got a Cisco 837 DSL router that, after months of confusion,
    I have managed to configure so VPN clients can terminate to it (thanks
    to this group). My problem now is that when the client is behind a
    NAT device the VPN doesn't initiate. When the client is directly
    connected to the 'net the VPN works fine. Any ideas? Config below.
    Thanks
    Oliver



    router1>enable
    Password:
    router1#sh conf
    Using 5330 out of 131072 bytes
    !
    version 12.3
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname router1
    !
    no logging buffered
    no logging console
    enable secret 5 $1$PTY9$DDakXrtxZzzMb8sw6EYp11
    !
    username user1 password 7 1301181C091E057F2874
    username user2 password 7 15011B05002F3929293D
    aaa new-model
    !
    !
    aaa authentication login userauthen local
    aaa authorization network groupauthor local
    aaa session-id common
    ip subnet-zero
    ip name-server 212.23.6.35
    ip name-server 212.23.3.11
    ip dhcp excluded-address 192.168.0.20
    !
    ip inspect name myfw cuseeme timeout 3600
    ip inspect name myfw ftp timeout 3600
    ip inspect name myfw rcmd timeout 3600
    ip inspect name myfw realaudio timeout 3600
    ip inspect name myfw smtp timeout 3600
    ip inspect name myfw tftp timeout 30
    ip inspect name myfw udp timeout 15
    ip inspect name myfw tcp timeout 3600
    ip inspect name myfw h323 timeout 3600
    ip audit notify log
    ip audit po max-events 100
    ip ssh break-string
    no ftp-server write-enable
    !
    !
    !
    crypto isakmp policy 3
    encr 3des
    authentication pre-share
    group 2
    !
    crypto isakmp client configuration group clientvpn
    key password
    dns 192.168.0.20
    domain c60capital.com
    pool ippool
    acl 108
    !
    !
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
    set transform-set myset
    !
    !
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    !
    !
    !
    !
    interface Ethernet0
    description CRWS Generated text. Please do not delete this:192.168.0.1-255.255.255.0
    ip address 192.168.0.1 255.255.255.0 secondary
    ip address 10.10.10.1 255.255.255.0
    ip nat inside
    ip route-cache policy
    ip policy route-map nonat
    no ip mroute-cache
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    no ip mroute-cache
    atm vc-per-vp 64
    no atm ilmi-keepalive
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    dsl operating-mode auto
    dsl power-cutback 0
    !
    interface Dialer1
    ip address negotiated
    ip access-group 111 in
    ip nat outside
    ip inspect myfw out
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap pap callin
    ppp chap hostname [email protected]
    ppp chap password 7 1333321C0C060F070D
    ppp pap sent-username [email protected] password 7 10782C17021D19262A
    crypto map clientmap
    hold-queue 224 in
    !
    ip local pool ippool 192.168.3.1 192.168.3.100
    ip nat inside source list 102 interface Dialer1 overload
    ip nat inside source static udp 192.168.0.99 3389 interface Dialer1 3389
    ip nat inside source static tcp 192.168.0.99 3389 interface Dialer1 3389
    ip nat inside source static tcp 192.168.0.20 25 interface Dialer1 25
    ip nat inside source static tcp 192.168.0.20 80 interface Dialer1 80
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip route 192.168.3.0 255.255.255.0 Dialer1
    ip route 205.183.246.0 255.255.255.0 192.168.0.2
    ip route 208.134.161.0 255.255.255.0 192.168.0.2
    ip http server
    no ip http secure-server
    !
    access-list 23 permit 0.0.0.0
    access-list 23 permit 192.168.0.0 0.0.0.255
    access-list 23 permit 10.10.10.0 0.0.0.255
    access-list 23 permit any
    access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
    access-list 102 permit ip 192.168.0.0 0.0.0.255 any
    access-list 108 permit ip 192.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255
    access-list 111 permit tcp any any eq smtp
    access-list 111 permit tcp any any eq www
    access-list 111 permit tcp any any eq 1723
    access-list 111 permit tcp any any eq 1724
    access-list 111 permit tcp any any eq 1725
    access-list 111 permit tcp any any eq 1726
    access-list 111 permit tcp any any eq 1727
    access-list 111 permit tcp any any eq telnet
    access-list 111 permit icmp any any administratively-prohibited
    access-list 111 permit icmp any any echo
    access-list 111 permit icmp any any echo-reply
    access-list 111 permit icmp any any packet-too-big
    access-list 111 permit icmp any any time-exceeded
    access-list 111 permit icmp any any traceroute
    access-list 111 permit icmp any any unreachable
    access-list 111 permit udp any eq bootps any eq bootpc
    access-list 111 permit udp any eq bootps any eq bootps
    access-list 111 permit udp any eq domain any
    access-list 111 permit esp any any
    access-list 111 permit udp any any eq isakmp
    access-list 111 permit udp any any eq 10000
    access-list 111 permit tcp any any eq 139
    access-list 111 permit udp any any eq netbios-ns
    access-list 111 permit udp any any eq netbios-dgm
    access-list 111 permit gre any any
    access-list 111 permit tcp any any range 1723 1727
    access-list 111 permit udp any any range 1723 1727
    access-list 111 permit ip 192.168.3.0 0.0.0.255 any
    access-list 111 permit tcp any any eq 3389
    access-list 111 permit udp any any eq 3389
    access-list 111 deny ip any any
    access-list 123 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
    dialer-list 1 protocol ip permit
    route-map nonat permit 10
    match ip address 123
    !
    !
    line con 0
    exec-timeout 120 0
    no modem enable
    transport preferred all
    transport output all
    stopbits 1
    line aux 0
    transport preferred all
    transport output all
    stopbits 1
    line vty 0 4
    access-class 23 in
    exec-timeout 120 0
    length 0
    transport preferred all
    transport input all
    transport output all
    !
    scheduler max-task-time 5000
    !
    end
     
    Oliver, Nov 11, 2003
    #1

  2. Oliver

    Tim Thorne Guest

    You need to NAT the VPN through the router with statics. If IPSEC,
    something like below to get it working. If PPTP, I believe you need to
    let TCP 1723 & UDP 500 through.
    Tim
     
    Tim Thorne, Nov 11, 2003
    #2
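The advice above is about the NAT device the client sits behind, not the Cisco router itself. The following is an added example (not from the thread) that models, in a deliberately simplified way, why a port-overloaded PAT gateway can forward the ISAKMP exchange on UDP/500 but has nothing to translate ESP with, and why a static 1:1 translation for the client host fixes that. It assumes a single NAT device between client and VPN router, uses constructed documentation-range addresses, and leaves out NAT-T and SPI-tracking "IPsec passthrough" features on purpose.

```python
"""Simplified model of why a plain PAT (overload) gateway breaks an IPsec
client while a static 1:1 translation does not.  Added example, not from the
thread.  Assumptions: one NAT device sits between the client (inside) and the
VPN router (outside); PAT keys its table on transport-layer ports, so ESP
(IP protocol 50) and AH (51), which carry no ports, have nothing to key on;
NAT-T and SPI-tracking "IPsec passthrough" features are deliberately left out.
"""
from dataclasses import dataclass, field
from typing import Optional

ESP, AH, UDP = 50, 51, 17


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for ESP/AH: no transport header
    dport: Optional[int] = None


@dataclass
class NatDevice:
    outside_ip: str
    statics: dict = field(default_factory=dict)     # inside ip -> dedicated outside ip
    pat_table: dict = field(default_factory=dict)   # (proto, outside port) -> (inside ip, port)
    next_port: int = 40000

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate inside->outside; None means the gateway cannot translate it."""
        if pkt.src in self.statics:
            # static 1:1 mapping: works for any protocol, ports untouched
            return Packet(pkt.proto, self.statics[pkt.src], pkt.dst, pkt.sport, pkt.dport)
        if pkt.sport is None:
            return None           # PAT needs a source port to allocate a translation
        port = self.next_port
        self.next_port += 1
        self.pat_table[(pkt.proto, port)] = (pkt.src, pkt.sport)
        # note the rewritten source port: the peer no longer sees UDP 500 -> 500
        return Packet(pkt.proto, self.outside_ip, pkt.dst, port, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a reply from outside back to the inside host that sent the flow."""
        for inside, outside in self.statics.items():
            if pkt.dst == outside:
                return Packet(pkt.proto, pkt.src, inside, pkt.sport, pkt.dport)
        entry = self.pat_table.get((pkt.proto, pkt.dport))
        if entry is None:
            return None           # ESP replies carry no port, so no entry can exist
        inside_ip, inside_port = entry
        return Packet(pkt.proto, pkt.src, inside_ip, pkt.sport, inside_port)


def simulate(nat: NatDevice, client_ip: str, vpn_ip: str) -> dict:
    """Send one ISAKMP (UDP/500) and one ESP packet out and its reply back;
    True means the reply reached the client."""
    results = {}
    for name, pkt in (("isakmp", Packet(UDP, client_ip, vpn_ip, 500, 500)),
                      ("esp", Packet(ESP, client_ip, vpn_ip))):
        out = nat.outbound(pkt)
        if out is None:
            results[name] = False
            continue
        reply = Packet(pkt.proto, vpn_ip, out.src, out.dport, out.sport)
        back = nat.inbound(reply)
        results[name] = back is not None and back.dst == client_ip
    return results


if __name__ == "__main__":
    # constructed documentation-range addresses
    client, vpn_router = "192.168.1.10", "203.0.113.5"
    print("PAT only:   ", simulate(NatDevice("198.51.100.1"), client, vpn_router))
    print("with static:", simulate(NatDevice("198.51.100.1",
                                             statics={client: "198.51.100.2"}), client, vpn_router))
```

With PAT alone the ISAKMP exchange completes (with a rewritten source port) but ESP never leaves the gateway, which matches the symptom of a tunnel that negotiates yet passes no traffic, or never comes up if the peer insists on UDP 500 as the source port. Giving the client host a static translation removes the dependency on ports entirely.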

  3. Oliver

    Joe Drago Guest

    Quick note: The "password 7" lines are decryptable (read: not secure), so
    be careful in the future to not post those strings along with the rest of
    your configuration as you'll expose your usernames, passwords, and IPs with
    the device.

    Joe Drago
    StreamLine Communications

     
    Joe Drago, Nov 11, 2003
    #3
  4. Oliver

    Oliver Guest

    Thanks for the help guys, I'll try the statics & bear in mind the
    security issues with password 7's in future - have changed all
    passwords etc. just in case.
     
    Oliver, Nov 13, 2003
    #4
  5. Oliver

    username Guest

    You need to open up IP protocol 50,51 and UDP 500.

    Hope that helps.
     
    username, Nov 16, 2003
    #5
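The reply above lists what an inbound filter has to permit for a raw IPsec client: IP protocol 50 (ESP), 51 (AH) and UDP/500 (ISAKMP). The following is an added example (not from the thread) that parses an IOS extended ACL and reports whether each of those is permitted from a given client address to the router; the embedded sample is an excerpt of ACL 111 as posted above, with constructed documentation-range addresses standing in for the client and the Dialer1 address. The parser only covers the ACE syntax that actually appears in the posted config.

```python
"""Audit an IOS extended ACL for the protocols an IPsec client needs (ESP,
AH, ISAKMP on UDP/500).  Added example, not from the thread: the parser covers
only the ACE syntax in the posted config (any | host | addr wildcard,
eq/range port qualifiers) and treats anything after the destination as an
opaque option (e.g. the ICMP type keywords)."""
import ipaddress

PROTO_NUM = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ahp": 51}
PORT_NAME = {"isakmp": 500, "smtp": 25, "www": 80, "telnet": 23, "domain": 53,
             "bootps": 67, "bootpc": 68, "netbios-ns": 137, "netbios-dgm": 138}

# Excerpt of ACL 111 as posted in the thread (applied inbound on Dialer1).
SAMPLE_ACL = """
access-list 111 permit tcp any any eq smtp
access-list 111 permit icmp any any echo
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit gre any any
access-list 111 permit tcp any any range 1723 1727
access-list 111 permit ip 192.168.3.0 0.0.0.255 any
access-list 111 deny ip any any
"""


def _port(tok):
    return PORT_NAME[tok] if tok in PORT_NAME else int(tok)


def _take_addr(tokens):
    """Consume one address spec and an optional eq/range port qualifier."""
    t = tokens.pop(0)
    if t == "any":
        addr = ("0.0.0.0", "255.255.255.255")
    elif t == "host":
        addr = (tokens.pop(0), "0.0.0.0")
    else:
        addr = (t, tokens.pop(0))          # address followed by wildcard mask
    ports = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = _port(tokens.pop(0))
        ports = (p, p)
    elif tokens and tokens[0] == "range":
        tokens.pop(0)
        ports = (_port(tokens.pop(0)), _port(tokens.pop(0)))
    return addr, ports


def parse_acl(config_text, number):
    """Return the ACEs of extended ACL `number` in configuration order."""
    entries = []
    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[:2] != ["access-list", str(number)] or tok[3] not in PROTO_NUM:
            continue                      # not this ACL, or a standard (no-protocol) ACL
        rest = tok[4:]
        src, sports = _take_addr(rest)
        dst, dports = _take_addr(rest)
        entries.append({"action": tok[2], "proto": PROTO_NUM[tok[3]], "src": src,
                        "dst": dst, "sports": sports, "dports": dports, "opts": rest})
    return entries


def _addr_ok(spec, ip):
    """IOS wildcard match: bits set in the wildcard are don't-care bits."""
    base, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    return (int(ipaddress.IPv4Address(ip)) & ~wild) == (base & ~wild)


def _port_ok(spec, port):
    return spec is None or (port is not None and spec[0] <= port <= spec[1])


def first_match(entries, proto, src_ip, dst_ip, sport=None, dport=None):
    """First ACE covering the packet, or None (IOS ends every ACL with an implicit deny)."""
    for e in entries:
        if (e["proto"] in (0, proto) and _addr_ok(e["src"], src_ip) and _addr_ok(e["dst"], dst_ip)
                and _port_ok(e["sports"], sport) and _port_ok(e["dports"], dport)):
            return e
    return None


def audit_vpn_acl(config_text, number, client_ip, router_ip):
    """Is each protocol a raw IPsec client needs permitted from client_ip to router_ip?"""
    entries = parse_acl(config_text, number)
    probes = {"esp": (50, None, None), "ahp": (51, None, None), "isakmp": (17, 500, 500)}
    result = {}
    for name, (proto, sport, dport) in probes.items():
        m = first_match(entries, proto, client_ip, router_ip, sport, dport)
        result[name] = m is not None and m["action"] == "permit"
    return result


if __name__ == "__main__":
    # 203.0.113.5 / 198.51.100.1 are constructed documentation-range addresses.
    print(audit_vpn_acl(SAMPLE_ACL, 111, "203.0.113.5", "198.51.100.1"))
```

Run against the posted excerpt, the check reports ESP and ISAKMP permitted and AH falling through to the final `deny ip any any`. Since the transform set in the posted config (`esp-3des esp-sha-hmac`) uses ESP only, the missing AH entry is not what breaks this particular setup; the router-side filter already admits what the client needs, which is consistent with the earlier replies pointing at the NAT device on the client's side.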
