RE: VPN problems

From: ccie (ccie@tisolutions.biz)
Date: Mon Apr 18 2005 - 04:00:12 GMT-3


Hi John

I am going to work on it today. I will post the final config today....

Thanks for the help

Mark

        -----Original Message-----
        From: john matijevic [mailto:john.matijevic@gmail.com]
        Sent: 18 April 2005 00:55
        To: Tony Schaffran
        Cc: ccie; ccielab@groupstudy.com
        Subject: Re: VPN problems

        Mark,
        Just out of curiosity, what config addition/modification did you
        make in order for this to work? Could you post the working config?
        Sincerely,
        John

        On 4/17/05, Tony Schaffran <groupstudy@cconlinelabs.com> wrote:

                Glad to help.

                Tony Schaffran
                Network Analyst
                CCIE #11071
                CCNP, CCNA, CCDA,
                NNCDS, NNCSS, CNE, MCSE

                www.cconlinelabs.com
                Your #1 choice for online Cisco rack rentals.

                -----Original Message-----
                From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie
                Sent: Sunday, April 17, 2005 9:52 AM
                To: groupstudy@cconlinelabs.com; ccielab@groupstudy.com
                Subject: RE: VPN problems

                Hi Tony

                Thanks for that, that is exactly the problem.

                Cheers
                Mark

                -----Original Message-----
                From: Tony Schaffran [mailto:groupstudy@cconlinelabs.com]
                Sent: 17 April 2005 17:16
                To: ccie; 'Christopher M. Heffner'; ccielab@groupstudy.com
                Subject: RE: VPN problems

                I believe the problem you are facing has to do with the fact that NAT
                takes place before the crypto.

                Here is a document that I have found to correct this problem.

                Take a look and see if it will help your situation.

                http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

                Tony Schaffran
                Network Analyst
                CCIE #11071
                CCNP, CCNA, CCDA,
                NNCDS, NNCSS, CNE, MCSE

                www.cconlinelabs.com
                Your #1 choice for online Cisco rack rentals.

                -----Original Message-----
                From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie
                Sent: Sunday, April 17, 2005 9:01 AM
                To: Christopher M. Heffner; ccielab@groupstudy.com
                Subject: RE: VPN problems

                Hi Chris

                Yep, I have checked the client and it is using NAT-T.

                I have been investigating the problem further and found that it is only
                the server I cannot get to. Yet when I remove the static NAT for the
                server 192.168.0.3 then full duplex traffic is OK.

                So it would seem I have a problem with NAT...

                Not sure how to resolve this, as I need the static NAT for SMTP and
                HTTPS to the server.

                Any ideas would be appreciated

                Mark

                -----Original Message-----
                From: Christopher M. Heffner [mailto:cheffner@certified-labs.com]
                Sent: 16 April 2005 00:53
                To: ccie
                Subject: RE: VPN problems

                Check the status of the VPN client once you are connected to the 837
                router to see if NAT-T is properly being negotiated between the VPN
                client and the 837 router. Since you are using NAT with the overload
                option (PAT) you will need NAT-T with UDP port 4500 for the extended
                translations to be properly set up for the traffic to properly
                traverse the router.

                HTH.

                Christopher M. Heffner, CCIE 8211, CCSI 98760
                Strategic Network Solutions, Inc.
                VP of Internetworking Technologies

                www.certified-labs.com

                "Complete CCIE R&S and Security Online Rack Rentals"

                -----Original Message-----
                From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie
                Sent: Friday, April 15, 2005 5:08 AM
                To: ccielab@groupstudy.com
                Subject: OT: VPN problems

                Hi Group

                Sorry for the off-topic....

                I have an 837 running Easy VPN server and I'm using the Cisco VPN client to
                connect. The tunnel comes up with no problems. But I cannot get to the
                internal address range except for the internal interface of the router.
                Any ideas/help would be appreciated. Below is the config...

                version 12.3
                no service pad
                service timestamps debug datetime msec
                service timestamps log datetime msec
                no service password-encryption
                !
                hostname Router
                !
                no logging buffered
                !
                username ###### privilege 15 secret 5 #########

                aaa new-model
                !
                !
                aaa authentication login default local
                aaa authentication login sdm_vpn_xauth_ml_1 local
                aaa authorization exec default local
                aaa authorization network sdm_vpn_group_ml_1 local
                aaa session-id common
                ip subnet-zero
                !
                !
                ip inspect name DEFAULT100 cuseeme
                ip inspect name DEFAULT100 ftp
                ip inspect name DEFAULT100 h323
                ip inspect name DEFAULT100 netshow
                ip inspect name DEFAULT100 rcmd
                ip inspect name DEFAULT100 realaudio
                ip inspect name DEFAULT100 rtsp
                ip inspect name DEFAULT100 smtp
                ip inspect name DEFAULT100 sqlnet
                ip inspect name DEFAULT100 streamworks
                ip inspect name DEFAULT100 tftp
                ip inspect name DEFAULT100 tcp
                ip inspect name DEFAULT100 udp
                ip inspect name DEFAULT100 vdolive
                ip inspect name DEFAULT100 icmp
                ip audit notify log
                ip audit po max-events 100
                no ftp-server write-enable
                !
                !
                !
                !
                crypto isakmp policy 1
                encr 3des
                authentication pre-share
                group 2
                !
                crypto isakmp policy 3
                encr 3des
                group 2
                !
                crypto isakmp client configuration
                       group ###########
                       key 0 ###########
                       dns 192.168.0.3
                       domain unicorn.local
                       pool SDM_POOL_1
                       acl 102
                !
                !
                crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
                !
                crypto dynamic-map SDM_DYNMAP_1 1
                set transform-set ESP-3DES-SHA
                reverse-route
                !
                !
                crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_
                crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
                crypto map SDM_CMAP_1 client configuration address respond
                crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
                !
                !
                !
                !
                interface Ethernet0
                description $FW_INSIDE$
                ip address 192.168.0.1 255.255.255.0
                ip access-group 100 in
                ip nat inside
                ip tcp adjust-mss 1452
                hold-queue 100 out
                !
                interface ATM0
                no ip address
                no atm ilmi-keepalive
                dsl operating-mode auto
                !
                interface ATM0.1 point-to-point
                pvc 0/38
                pppoe-client dial-pool-number 1
                !
                !
                interface Dialer0
                description $FW_OUTSIDE$
                ip address ##############
                ip access-group 101 in
                ip mtu 1452
                ip nat outside
                ip inspect DEFAULT100 out
                encapsulation ppp
                dialer pool 1
                dialer-group 1
                ppp authentication chap callin
                ppp chap hostname ########
                ppp chap password 0 ##########
                crypto map SDM_CMAP_1
                !
                ip local pool SDM_POOL_1 192.168.0.200 192.168.0.210
                ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
                ip nat inside source static network 192.168.0.3 217.37.73.133 /32
                ip classless
                ip route 0.0.0.0 0.0.0.0 Dialer0
                ip http server
                ip http secure-server
                !
                !
                ip access-list extended Internal_LAN
                remark SDM_ACL Category=2
                deny ip 192.168.0.0 0.0.0.255 host 192.168.0.200
                deny ip 192.168.0.0 0.0.0.255 host 192.168.0.201
                deny ip 192.168.0.0 0.0.0.255 host 192.168.0.202
                deny ip 192.168.0.0 0.0.0.255 host 192.168.0.203
                deny ip 192.168.0.0 0.0.0.255 host 192.168.0.204
                deny ip 192.168.0.0 0.0.0.255 host 192.168.0.205
                deny ip 192.168.0.0 0.0.0.255 host 192.168.0.206
                deny ip 192.168.0.0 0.0.0.255 host 192.168.0.207
                deny ip 192.168.0.0 0.0.0.255 host 192.168.0.208
                deny ip 192.168.0.0 0.0.0.255 host 192.168.0.209
                deny ip 192.168.0.0 0.0.0.255 host 192.168.0.210
                permit ip 192.168.0.0 0.0.0.255 any

                access-list 100 remark auto generated by SDM firewall configuration
                access-list 100 remark SDM_ACL Category=1
                access-list 100 deny ip 217.37.73.128 0.0.0.7 any
                access-list 100 deny ip host 255.255.255.255 any
                access-list 100 deny ip 127.0.0.0 0.255.255.255 any
                access-list 100 permit ip any any

                access-list 101 remark auto generated by SDM firewall configuration
                access-list 101 remark SDM_ACL Category=1
                access-list 101 permit ahp any host 213.121.187.65
                access-list 101 permit esp any host 213.121.187.65
                access-list 101 permit udp any host 213.121.187.65 eq isakmp
                access-list 101 permit udp any host 213.121.187.65 eq non500-isakm
                access-list 101 permit ip host 192.168.0.200 192.168.0.0 0.0.0.255
                access-list 101 permit ip host 192.168.0.201 192.168.0.0 0.0.0.255
                access-list 101 permit ip host 192.168.0.202 192.168.0.0 0.0.0.255
                access-list 101 permit ip host 192.168.0.203 192.168.0.0 0.0.0.255
                access-list 101 permit ip host 192.168.0.204 192.168.0.0 0.0.0.255
                access-list 101 permit ip host 192.168.0.205 192.168.0.0 0.0.0.255
                access-list 101 permit ip host 192.168.0.206 192.168.0.0 0.0.0.255
                access-list 101 permit ip host 192.168.0.207 192.168.0.0 0.0.0.255
                access-list 101 permit ip host 192.168.0.208 192.168.0.0 0.0.0.255
                access-list 101 permit ip host 192.168.0.209 192.168.0.0 0.0.0.255
                access-list 101 permit ip host 192.168.0.210 192.168.0.0 0.0.0.255
                access-list 101 permit udp any host 217.37.73.134 eq non500-isakmp
                access-list 101 permit udp any host 217.37.73.134 eq isakmp
                access-list 101 permit esp any host 217.37.73.134
                access-list 101 permit ahp any host 217.37.73.134
                access-list 101 permit tcp any host 217.37.73.133 eq smtp
                access-list 101 permit tcp any host 217.37.73.133 eq 443
                access-list 101 deny ip 192.168.0.0 0.0.0.255 any
                access-list 101 permit icmp any host 217.37.73.134 echo-reply
                access-list 101 permit icmp any host 217.37.73.134 time-exceeded
                access-list 101 permit icmp any host 217.37.73.134 unreachable
                access-list 101 deny ip 10.0.0.0 0.255.255.255 any
                access-list 101 deny ip 172.16.0.0 0.15.255.255 any
                access-list 101 deny ip 192.168.0.0 0.0.255.255 any
                access-list 101 deny ip 127.0.0.0 0.255.255.255 any
                access-list 101 deny ip host 255.255.255.255 any
                access-list 101 deny ip host 0.0.0.0 any
                access-list 101 deny ip any any

                access-list 102 remark SDM_ACL Category=4
                access-list 102 permit ip 192.168.0.0 0.0.0.255 any
                dialer-list 1 protocol ip permit
                route-map SDM_RMAP_1 permit 1
                 match ip address Internal_LAN
                !
                !
                line con 0
                exec-timeout 0 0
                no modem enable
                line aux 0
                line vty 0 4
                exec-timeout 120 0
                length 0
                !
                scheduler max-task-time 5000
                !
                end

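The thread's diagnosis is that NAT runs before crypto on the 837: the dynamic NAT rule already exempts the client pool through the Internal_LAN denies, but the static NAT for 192.168.0.3 is unconditional, which is why only the server is unreachable from the client. The check below is added here as an illustration, not code from the list or from Cisco; it parses a constructed excerpt of the posted config and reports, per NAT rule, which pool addresses would still be translated. Function and variable names are my own.

```python
import ipaddress
import re

# Constructed excerpt of the NAT-relevant lines of the posted 837 config (deny lines generated).
POSTED_CONFIG = "\n".join([
    "ip local pool SDM_POOL_1 192.168.0.200 192.168.0.210",
    "ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload",
    "ip nat inside source static network 192.168.0.3 217.37.73.133 /32",
    "ip access-list extended Internal_LAN",
    *[f" deny ip 192.168.0.0 0.0.0.255 host 192.168.0.{h}" for h in range(200, 211)],
    " permit ip 192.168.0.0 0.0.0.255 any",
    "route-map SDM_RMAP_1 permit 1", " match ip address Internal_LAN"])

def pool_addresses(config):
    """Every address handed out by 'ip local pool NAME START END'."""
    addrs = set()
    for m in re.finditer(r"^ip local pool \S+ (\S+) (\S+)$", config, re.M):
        lo, hi = (int(ipaddress.ip_address(a)) for a in m.groups())
        addrs.update(str(ipaddress.ip_address(i)) for i in range(lo, hi + 1))
    return addrs

def acl_denied_hosts(config):
    """ACL name -> destination hosts that a 'deny ip ... host X' line keeps out of NAT."""
    acls, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^ip access-list extended (\S+)$", line)
        if m:
            current = acls.setdefault(m.group(1), set())
        elif (m := re.match(r"^\s+deny ip \S+ \S+ host (\S+)$", line)) and current is not None:
            current.add(m.group(1))
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the ACL block
    return acls

def routemap_acl(config):
    """route-map name -> ACL named in its 'match ip address' clause."""
    return {m.group(1): m.group(2) for m in re.finditer(
        r"^route-map (\S+) permit \d+\n\s+match ip address (\S+)$", config, re.M)}

def nat_rules_hitting_vpn_pool(config):
    """Per 'ip nat inside source' rule: the VPN pool addresses it still translates. NAT runs
    before crypto here, so a translated server reply no longer matches the client's IPsec SA."""
    pool, acls, rmaps = pool_addresses(config), acl_denied_hosts(config), routemap_acl(config)
    findings = {}
    for m in re.finditer(r"^ip nat inside source (.+)$", config, re.M):
        rm = re.search(r"route-map (\S+)", m.group(1))  # no route-map: rule is unconditional
        exempt = acls.get(rmaps.get(rm.group(1), ""), set()) if rm else set()
        findings[m.group(1)] = sorted(pool - exempt, key=ipaddress.ip_address)
    return findings  # posted config: dynamic rule -> [], static rule -> all eleven pool addresses
```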



This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:54:59 GMT-3