From: Curtis Phillips (phillipscurtis@xxxxxxxxxxxx)
Date: Mon Dec 18 2000 - 20:29:57 GMT-3
Are you using overload and port address translation with the working config? I
understand the issue to be with the VPN's ability to utilize layer-4
translations. I think the VPN will succeed with a singular address-based
translation.
Curtis
Jim Bond <trycisco@yahoo.com> wrote:
Hello,
Let me re-describe the situation:
Central office 7100 router, site office PIX (NAT
overload 1 public ip address), IPSec tunnel is
established, clients at site office can't logon NT
domain but can do everything else.
Today, I replaced the PIX with a 3620 router (same
IPSec setup), everything works fine. Clients can logon
NT domain.
I think that proves 1) I don't have naming issue 2) PAT
works with IPSec. I don't understand why PIX wouldn't
work. Please see my PIX config.
Thanks in advance.
Jim
PIX Version 5.2(3)
access-list 100 permit ip host 24.176.210.204 167.191.0.0 255.255.0.0
ip address outside 24.176.210.204 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 24.176.210.1 1
sysopt connection permit-ipsec
crypto ipsec transform-set IPSEC esp-des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 100
crypto map newmap 10 set peer 169.193.13.2
crypto map newmap 10 set transform-set IPSEC
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 169.193.13.2 netmask 255.255.255.255
isakmp identity hostname
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
dhcpd address 10.1.1.101-10.1.1.110 inside
dhcpd dns 24.1.64.33 24.1.64.34
dhcpd wins 169.193.28.60 169.193.148.25
dhcpd lease 3600
dhcpd domain dhcp.lamrc.com
dhcpd enable inside
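The following is an added example, not code from Curtis or Jim. It reads a PIX 5.x configuration such as the one posted above and reports whether inside hosts enter the IPSec tunnel translated to the single outside address (interface PAT/overload) or untranslated. It assumes the PIX behaviour the thread turns on: "nat (inside) 1" paired with "global (outside) 1 interface" overloads every inside host onto the outside interface address, translation happens before the crypto map matches traffic (which is why the posted access-list 100 names the outside address 24.176.210.204 as its source), and a "nat (inside) 0 access-list" statement exempts matching traffic from translation. The second configuration is a constructed contrast that exercises the untranslated branch; the thread does not say whether it resolves the NT domain logon problem.

```python
"""Audit a PIX 5.x configuration for the 'PAT before IPSec' pattern.

Added example for the thread above; not Curtis's or Jim's code. The PIX
semantics below (NAT applied before the crypto map, interface PAT via
global ... interface, exemption via nat 0 access-list) are assumptions
stated in the lead-in.
"""
import ipaddress
import re

# Constructed copy of the relevant lines from the posted configuration.
POSTED_PIX_CONFIG = """\
PIX Version 5.2(3)
access-list 100 permit ip host 24.176.210.204 167.191.0.0 255.255.0.0
ip address outside 24.176.210.204 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 100
crypto map newmap interface outside
"""

# Constructed contrast (assumed syntax): tunnel traffic exempted from NAT, so
# the crypto ACL matches the real 10.1.1.0/24 addresses. Whether this fixes
# the NT logon problem is not established by the thread.
EXEMPTED_PIX_CONFIG = """\
access-list 100 permit ip 10.1.1.0 255.255.255.0 167.191.0.0 255.255.0.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 167.191.0.0 255.255.0.0
ip address outside 24.176.210.204 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map newmap 10 match address 100
"""


def _addr_spec(tokens):
    """Consume one PIX address spec (host X | any | net mask); return (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_pix(config):
    """Extract only the statements the audit needs from a PIX config."""
    f = {"interfaces": {}, "acls": {}, "globals": {}, "nats": [],
         "nat0_acls": set(), "crypto_acls": set()}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip address (\S+) (\S+) (\S+)", line):
            f["interfaces"][m[1]] = ipaddress.IPv4Interface(f"{m[2]}/{m[3]}")
        elif m := re.match(r"access-list (\S+) permit \S+ (.+)", line):
            f["acls"].setdefault(m[1], []).append(m[2].split())
        elif m := re.match(r"global \((\S+)\) (\d+) (\S+)", line):
            f["globals"][int(m[2])] = (m[1], m[3])
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            f["nat0_acls"].add(m[2])          # NAT exemption, checked before nat N
        elif m := re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)", line):
            net = ipaddress.IPv4Network(f"{m[3]}/{m[4]}", strict=False)
            f["nats"].append((m[1], int(m[2]), net))
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            f["crypto_acls"].add(m[1])
    return f


def audit_pat_before_ipsec(config):
    """Decide whether inside hosts cross the tunnel PATed or untranslated."""
    f = parse_pix(config)
    outside, inside = f["interfaces"]["outside"], f["interfaces"]["inside"]
    # global (outside) N interface + nat (inside) N <net> covering inside = overload
    pat_ids = {nid for nid, (ifc, pool) in f["globals"].items()
               if ifc == "outside" and pool == "interface"}
    interface_pat = any(nid in pat_ids and inside.ip in net
                        for ifc, nid, net in f["nats"] if ifc == "inside")
    # nat (inside) 0 access-list <acl> exempts the ACL's source hosts from NAT
    exempt = any(inside.ip in _addr_spec(entry)[0]
                 for acl in f["nat0_acls"] for entry in f["acls"].get(acl, []))
    crypto_source = "other"
    for acl in f["crypto_acls"]:
        for entry in f["acls"].get(acl, []):
            src, _ = _addr_spec(entry)
            if src == ipaddress.IPv4Network(f"{outside.ip}/32"):
                crypto_source = "pat-address"    # matched after translation
            elif inside.ip in src:
                crypto_source = "inside-hosts"   # matched untranslated
    return {
        "interface_pat": interface_pat,
        "tunnel_exempt_from_nat": exempt,
        "crypto_source": crypto_source,
        "remote_site_sees_single_address": interface_pat and not exempt,
    }


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_PIX_CONFIG), ("exempted", EXEMPTED_PIX_CONFIG)):
        print(name, audit_pat_before_ipsec(cfg))
```

On the posted configuration the audit reports interface PAT in effect, no exemption, and a crypto ACL whose source is the PAT address, i.e. the remote site sees every site-office client as 24.176.210.204 with rewritten ports; on the contrast configuration it reports untranslated inside hosts.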
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:26:05 GMT-3