
IPSEC PASS-THROUGH Cisco Soho 77 does not work, HELP !!!

Hello

I have got the following problem:

192.168.2.20 <- 192.168.2.1 - x.x.x.x <- INTERNET <- y.y.y.y - 192.168.1.1 <- 192.168.1.2
  W2K-SRV    <-        VPN Router     <-          <- Cisco Soho 77 router  <- W2K Software VPN

I have changed to a new Cisco Soho 77 router instead of the old Cisco 677 router.

But even with the Cisco Soho 77 the VPN does not work.

If I dial out to the internet with a modem the VPN client connects perfectly.

When I look in the log of the VPN client, I can see that Phase I is OK, but it retries PHASE II over and over again.

I have tried to add a static nat entry udp500->192.168.1.2 but it changes nothing...

Below is the configuration of the router

6x116140#show ver
Cisco Internetwork Operating System Software
IOS (tm) SOHO70 Software (SOHO70-Y1-M), Version 12.1(3)XP2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
TAC:Home:SW:IOS:Specials for info
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Tue 14-Nov-00 09:57 by detang
Image text-base: 0x80013170, data-base: 0x80512664

ROM: System Bootstrap, Version 12.1(3r)XP, RELEASE SOFTWARE (fc1)
ROM: SOHO70 Software (SOHO70-Y1-M), Version 12.1(3)XP2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

6x116140 uptime is 19 minutes
System returned to ROM by reload
System image file is "flash:soho70-y1-mz.121-3.XP2.bin"

CISCO SOHO 77 (MPC855T) processor (revision 0x501) with 15360K/1024K bytes of memory.
Processor board ID JAD04525IHN (1356313214), with hardware revision 0000
CPU rev number 5
Bridging software.
1 Ethernet/IEEE 802.3 interface(s)
1 ATM network interface(s)
128K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102


--------


6x116140#show running
Building configuration...

Current configuration:
!
version 12.1
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname 6x116140
!
logging buffered 8192 debugging
logging console warnings
enable secret 5 $1$.M2I$R7cJHUzatrkOibRebUqz60
!
clock timezone MET 1
clock summer-time MET-DST recurring last Sun Mar 2:00 last Sun Oct 3:00
ip subnet-zero
no ip finger
ip dhcp excluded-address 192.168.1.2
ip dhcp excluded-address 192.168.1.254
!
ip dhcp pool soho77
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 212.54.64.170 212.54.64.171
   lease 0 1
!
!
!
!
interface Loopback0
 no ip address
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no keepalive
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode ansi-dmt
!
interface Dialer0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username 6x116140 password 7 13302D450F5F320939
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.1 23 interface Dialer0 23000
ip nat inside source static udp 192.168.1.2 500 interface Dialer0 500
ip nat inside source static 192.168.1.2 62.79.105.130 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.0.0 255.255.0.0 192.168.1.254
no ip http server
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 100 deny   icmp any any redirect
access-list 100 deny   udp any any eq 19
access-list 100 deny   tcp any any eq 31 syn
access-list 100 deny   tcp any any eq 41 syn
access-list 100 deny   tcp any any eq 58 syn
access-list 100 deny   tcp any any eq 90 syn
access-list 100 deny   tcp any any eq 121 syn
access-list 100 deny   udp any any eq 135
access-list 100 deny   tcp any any eq 135 syn
access-list 100 deny   udp any any range 136 140
access-list 100 deny   tcp any any range 136 140 syn
access-list 100 deny   tcp any any eq 421 syn
access-list 100 deny   tcp any any eq 456 syn
access-list 100 deny   tcp any any eq 531 syn
access-list 100 deny   tcp any any eq 555 syn
access-list 100 deny   tcp any any eq 911 syn
access-list 100 deny   tcp any any eq 999 syn
access-list 100 deny   udp any any eq 1349
access-list 100 deny   udp any any eq 6838
access-list 100 deny   udp any any eq 8787
access-list 100 deny   udp any any eq 8879
access-list 100 deny   udp any any eq 9325
access-list 100 deny   tcp any any eq 12345 syn
access-list 100 deny   udp any any eq 31335
access-list 100 deny   udp any any eq 31337
access-list 100 deny   udp any any eq 31338
access-list 100 deny   udp any any eq 54320
access-list 100 deny   udp any any eq 54321
access-list 100 permit ip any any
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 60 0
 password 7 073A1B1B4A5A2F2605
 login
 transport input none
 stopbits 1
line vty 0 4
 exec-timeout 60 0
 password 7 073A1B1B4A5A2F2605
 login
!
scheduler max-task-time 5000
end

6x116140#

Please help...

Asked by PeterFJorgensen

1 Solution

Baddog commented:
I may have to say that it is because the router is performing NAT. IPSEC and NAT don't work well together.
See the following article:

http://www.networkcomputing.com/1123/1123ws2.html


Hope it helps.

BDog
lrmoore commented:
Assuming you are using the Cisco IPSEC VPN client, have you set the client to use Enable Transparent Tunneling over UDP?
UDP 500 is only for the ISAKMP (phase 1), and since that is the only static PAT you have configured, that is the only part that works. Try adding
ip nat inside source static esp 192.168.1.2  interface Dialer0
and/or
ip nat inside source static udp 192.168.1.2 10000 interface Dialer0 10000

If your VPN endpoint requires AH in the encryption set, then you cannot use it from behind a NAT firewall. Can you provide any details on the endpoint? Is it a router, concentrator, or PIX?


PeterFJorgensen (author) commented:
It is not possible to add the line

"ip nat inside source static esp 192.168.1.2  interface Dialer0"

the ESP part of the command is not available.

My software VPN client is running Main mode and NOT with AH in the encryption set. I have tried enabling and disabling transparent tunneling with no good result...

Can the command "ip nat inside source static udp 192.168.1.2 10000 interface Dialer0 10000" solve the problem when it is not possible to use the "ESP" command?

Could you recommend another small Cisco that ought to work...
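As an added illustration of lrmoore's explanation and the author's follow-up question (example code, not from the thread or from Cisco): a small Python model of the Dialer0 PAT shows why the static UDP/500 entry carries IKE phase 1, why a UDP/10000 entry could carry transparent-tunneling traffic, why native ESP has no port for any static entry to match, and why AH fails behind any NAT because its integrity value covers the source address. Addresses, the AH key and the packet dictionaries are constructed placeholders; whether UDP/10000 helps in practice depends on the client actually encapsulating ESP in UDP, which the thread does not establish.

```python
import hmac
import hashlib

INSIDE_CLIENT = "192.168.1.2"      # W2K software VPN client behind the SOHO 77
OUTSIDE_ADDR = "y.y.y.y"           # Dialer0 address (placeholder, as in the diagram)
AH_KEY = b"constructed-demo-key"   # constructed; stands in for a negotiated AH key

# Static PAT entries: the UDP/500 line from the running config plus lrmoore's
# suggested UDP/10000 (Cisco client "transparent tunneling") line.
STATIC_PAT = {("udp", INSIDE_CLIENT, 500): 500,
              ("udp", INSIDE_CLIENT, 10000): 10000}

def translate_outbound(pkt):
    """Return the packet as it would leave Dialer0, or None if PAT cannot carry it.
    pkt keys: proto ("udp"/"tcp"/"esp"/"ah"), src, dst, optional sport/dport."""
    key = (pkt["proto"], pkt["src"], pkt.get("sport"))
    if key in STATIC_PAT:
        return {**pkt, "src": OUTSIDE_ADDR, "sport": STATIC_PAT[key]}
    if pkt["proto"] in ("udp", "tcp"):
        # 'overload' (PAT): any inside host gets some ephemeral outside port
        return {**pkt, "src": OUTSIDE_ADDR, "sport": 40000 + pkt["sport"] % 20000}
    # ESP (IP proto 50) and AH (IP proto 51) carry no port, so a port-based
    # static entry cannot match them; the author reports this image has no
    # "esp" keyword to add a protocol-based entry either.
    return None

def ah_icv(pkt):
    """AH integrity value over the fields AH covers, which include the source address."""
    covered = f'{pkt["src"]}|{pkt["dst"]}|{pkt["proto"]}|{pkt["payload"]}'.encode()
    return hmac.new(AH_KEY, covered, hashlib.sha1).digest()[:12]   # AH-HMAC-SHA1-96

def ah_verify(pkt, icv):
    return hmac.compare_digest(ah_icv(pkt), icv)

def phase_outcome():
    """The thread's symptom: phase 1 (IKE over UDP/500) passes, phase 2 (ESP) does not."""
    ike = {"proto": "udp", "src": INSIDE_CLIENT, "dst": "x.x.x.x", "sport": 500, "dport": 500}
    esp = {"proto": "esp", "src": INSIDE_CLIENT, "dst": "x.x.x.x", "spi": 0x1234}
    natt = {"proto": "udp", "src": INSIDE_CLIENT, "dst": "x.x.x.x", "sport": 10000, "dport": 10000}
    return {"ike": translate_outbound(ike) is not None,
            "esp": translate_outbound(esp) is not None,
            "udp10000": translate_outbound(natt) is not None}

def ah_survives_nat():
    """AH signed on the inside host, then source address rewritten by NAT: check fails."""
    ah = {"proto": "ah", "src": INSIDE_CLIENT, "dst": "x.x.x.x", "payload": "data"}
    icv = ah_icv(ah)
    rewritten = {**ah, "src": OUTSIDE_ADDR}   # what any NAT does to the outer header
    return ah_verify(rewritten, icv)
```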
CleanupPing commented:
PeterFJorgensen:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
juliancrawford commented:
No comment has been added lately, so it's time to clean up this TA.
I will leave the following recommendation for this question in the Cleanup topic area:

PAQ with points refunded

Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Julian Crawford
EE Cleanup Volunteer
Computer101 commented:
PAQed, with points refunded (80)

Computer101
E-E Admin