IPSEC PASS-THROUGH Cisco Soho 77 does not work, HELP !!!

Posted on 2003-03-22
Last Modified: 2007-11-27
Hello

I have got the following problem:

192.168.2.20 <- 192.168.2.1 - x.x.x.x <- INTERNET <- y.y.y.y - 192.168.1.1 <- 192.168.1.2
  W2K-SRV    <-        VPN Router     <-          <- Cisco Soho 77 router  <- W2K Software VPN

I have changed to a new Cisco Soho 77 router instead of the old Cisco 677 router.

But even with the Cisco Soho 77 the VPN does not work.

If I dial out to the internet with a modem the VPN client connects perfectly.

When I look in the log of the VPN client, I can see that Phase I is OK, but it retries PHASE II over and over again.

I have tried to add a static nat entry udp500->192.168.1.2 but it changes nothing...

Below is the configuration of the router

6x116140#show ver
Cisco Internetwork Operating System Software
IOS (tm) SOHO70 Software (SOHO70-Y1-M), Version 12.1(3)XP2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
TAC:Home:SW:IOS:Specials for info
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Tue 14-Nov-00 09:57 by detang
Image text-base: 0x80013170, data-base: 0x80512664

ROM: System Bootstrap, Version 12.1(3r)XP, RELEASE SOFTWARE (fc1)
ROM: SOHO70 Software (SOHO70-Y1-M), Version 12.1(3)XP2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

6x116140 uptime is 19 minutes
System returned to ROM by reload
System image file is "flash:soho70-y1-mz.121-3.XP2.bin"

CISCO SOHO 77 (MPC855T) processor (revision 0x501) with 15360K/1024K bytes of memory.
Processor board ID JAD04525IHN (1356313214), with hardware revision 0000
CPU rev number 5
Bridging software.
1 Ethernet/IEEE 802.3 interface(s)
1 ATM network interface(s)
128K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102


--------


6x116140#show running
Building configuration...

Current configuration:
!
version 12.1
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname 6x116140
!
logging buffered 8192 debugging
logging console warnings
enable secret 5 $1$.M2I$R7cJHUzatrkOibRebUqz60
!
clock timezone MET 1
clock summer-time MET-DST recurring last Sun Mar 2:00 last Sun Oct 3:00
ip subnet-zero
no ip finger
ip dhcp excluded-address 192.168.1.2
ip dhcp excluded-address 192.168.1.254
!
ip dhcp pool soho77
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 212.54.64.170 212.54.64.171
   lease 0 1
!
!
!
!
interface Loopback0
 no ip address
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no keepalive
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode ansi-dmt
!
interface Dialer0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username 6x116140 password 7 13302D450F5F320939
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.1 23 interface Dialer0 23000
ip nat inside source static udp 192.168.1.2 500 interface Dialer0 500
ip nat inside source static 192.168.1.2 62.79.105.130 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.0.0 255.255.0.0 192.168.1.254
no ip http server
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 100 deny   icmp any any redirect
access-list 100 deny   udp any any eq 19
access-list 100 deny   tcp any any eq 31 syn
access-list 100 deny   tcp any any eq 41 syn
access-list 100 deny   tcp any any eq 58 syn
access-list 100 deny   tcp any any eq 90 syn
access-list 100 deny   tcp any any eq 121 syn
access-list 100 deny   udp any any eq 135
access-list 100 deny   tcp any any eq 135 syn
access-list 100 deny   udp any any range 136 140
access-list 100 deny   tcp any any range 136 140 syn
access-list 100 deny   tcp any any eq 421 syn
access-list 100 deny   tcp any any eq 456 syn
access-list 100 deny   tcp any any eq 531 syn
access-list 100 deny   tcp any any eq 555 syn
access-list 100 deny   tcp any any eq 911 syn
access-list 100 deny   tcp any any eq 999 syn
access-list 100 deny   udp any any eq 1349
access-list 100 deny   udp any any eq 6838
access-list 100 deny   udp any any eq 8787
access-list 100 deny   udp any any eq 8879
access-list 100 deny   udp any any eq 9325
access-list 100 deny   tcp any any eq 12345 syn
access-list 100 deny   udp any any eq 31335
access-list 100 deny   udp any any eq 31337
access-list 100 deny   udp any any eq 31338
access-list 100 deny   udp any any eq 54320
access-list 100 deny   udp any any eq 54321
access-list 100 permit ip any any
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 60 0
 password 7 073A1B1B4A5A2F2605
 login
 transport input none
 stopbits 1
line vty 0 4
 exec-timeout 60 0
 password 7 073A1B1B4A5A2F2605
 login
!
scheduler max-task-time 5000
end

6x116140#

Please help...

Question by:PeterFJorgensen
6 Comments
 
LVL 1

Expert Comment

by:Baddog
ID: 8186524
I may have to say that it is because the router is performing NAT. IPSEC and NAT don't work well together.
See the following article:

http://www.networkcomputing.com/1123/1123ws2.html


Hope it helps.

BDog
 
LVL 79

Expert Comment

by:lrmoore
ID: 8186679
assuming you are using Cisco IPSEC VPN client, have you set the client to use Enable Transparent tunneling over UDP?
UDP 500 is only for the ISAKMP (phase 1), and since that is the only static PAT you have configured, that is the only part that works. Try adding
ip nat inside source static esp 192.168.1.2  interface Dialer0
and/or
ip nat inside source static udp 192.168.1.2 10000 interface Dialer0 10000

If your VPN endpoint requires AH in the encryption set, then you cannot use it from behind a NAT firewall. Can you provide any details on the endpoint? Is it a router, concentrator, or PIX?


 

Author Comment

by:PeterFJorgensen
ID: 8201065
It is not possible to add the line

"ip nat inside source static esp 192.168.1.2  interface Dialer0"

the ESP part of the command is not available.

My software VPN client is running Main mode and NOT with AH in the encryption set. I have tried enabling and disabling transparent tunneling with no good result...

Can the command "ip nat inside source static udp 192.168.1.2 10000 interface Dialer0 10000" solve the problem when it is not possible to use the "ESP" command?

Could you recommend another small cisco that ought to work...
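An added example, written here and not code from the thread, from Cisco or from any of the posters, that serves both lrmoore's answer and the follow-up question above. It parses the `ip nat inside source static` lines of an IOS running-config and reports which IPsec components can reach a given inside host, so the "phase 1 OK, phase 2 retries forever" symptom can be read straight off the config: UDP 500 carries only ISAKMP, while phase 2 is ESP (IP protocol 50), which has no port and so cannot be matched by a port-based PAT entry unless the client and endpoint wrap it in UDP (NAT-T on 4500, or the Cisco client's transparent tunneling on 10000). The flow table, the regexes, the `router_outside_addrs` parameter and the function names are my assumptions; the posted NAT lines are copied from the question, and the UDP 10000 variant is the line lrmoore proposed.

```python
import re

# Flows an IKE/IPsec client behind NAT needs to get back in through the router.
# Phase 1 (ISAKMP) is UDP 500 only. Phase 2 traffic is ESP, IP protocol 50, which
# carries an SPI but no port field, so a port-based static PAT entry can never
# match it. The UDP encapsulations (standard NAT-T on 4500, the Cisco client's
# "transparent tunneling" on 10000) exist so that phase 2 can be PAT'd like any
# other UDP flow. (Flow table is an assumption of this example.)
IPSEC_FLOWS = {
    ("udp", 500): "ISAKMP (IKE phase 1)",
    ("udp", 4500): "NAT-T: IKE and UDP-encapsulated ESP (RFC 3947/3948)",
    ("udp", 10000): "Cisco VPN client transparent tunneling over UDP",
    ("esp", None): "ESP, IP protocol 50 (phase 2 without UDP encapsulation)",
}

# `ip nat inside source static {tcp|udp} <in-ip> <in-port> interface <if> <out-port>`
# (or an explicit outside address in place of `interface <if>`).
STATIC_PAT = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (?:interface \S+|\S+) (\d+)"
)
# `ip nat inside source static esp <in-ip> interface <if>`: SPI-based ESP
# forwarding, which the poster's 12.1(3)XP2 image rejects, as the thread notes.
STATIC_ESP = re.compile(r"^ip nat inside source static esp (\S+) ")
# `ip nat inside source static <in-ip> <out-ip> [extendable]`: one-to-one,
# translates every IP protocol, ESP included, but only for traffic that actually
# arrives for <out-ip>, which a negotiated dialer address cannot guarantee.
STATIC_1TO1 = re.compile(
    r"^ip nat inside source static (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})"
)


def parse_static_nat(config_text):
    """Return (pat, esp_hosts, one_to_one) from the static NAT lines of a config."""
    pat = {}           # (proto, outside_port) -> inside ip
    esp_hosts = set()  # inside ips with an `esp` static entry
    one_to_one = {}    # inside ip -> outside ip
    for raw in config_text.splitlines():
        line = raw.strip()
        m = STATIC_PAT.match(line)
        if m:
            proto, inside_ip, _inside_port, outside_port = m.groups()
            pat[(proto, int(outside_port))] = inside_ip
            continue
        m = STATIC_ESP.match(line)
        if m:
            esp_hosts.add(m.group(1))
            continue
        m = STATIC_1TO1.match(line)
        if m:
            one_to_one[m.group(1)] = m.group(2)
    return pat, esp_hosts, one_to_one


def ipsec_passthrough_report(config_text, inside_host, router_outside_addrs=()):
    """Map each IPsec flow label to True if it reaches inside_host.

    router_outside_addrs: public addresses known to terminate on this router;
    a one-to-one static NAT only counts when its outside address is among them.
    """
    pat, esp_hosts, one_to_one = parse_static_nat(config_text)
    via_1to1 = one_to_one.get(inside_host) in set(router_outside_addrs)
    report = {}
    for (proto, port), label in IPSEC_FLOWS.items():
        if proto == "esp":
            report[label] = via_1to1 or inside_host in esp_hosts
        else:
            report[label] = via_1to1 or pat.get((proto, port)) == inside_host
    return report


def diagnose(config_text, inside_host, router_outside_addrs=()):
    """Verdict in the terms the client log uses: which IKE phase can complete."""
    r = ipsec_passthrough_report(config_text, inside_host, router_outside_addrs)
    phase1 = r[IPSEC_FLOWS[("udp", 500)]]
    phase2 = any(r[IPSEC_FLOWS[k]] for k in (("udp", 4500), ("udp", 10000), ("esp", None)))
    if not phase1:
        return "phase1-blocked"
    if not phase2:
        return "phase2-blocked"
    return "ok"


# The NAT lines copied from the posted running-config (router address unknown).
POSTED_NAT_LINES = """\
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.1 23 interface Dialer0 23000
ip nat inside source static udp 192.168.1.2 500 interface Dialer0 500
ip nat inside source static 192.168.1.2 62.79.105.130 extendable
"""

# Constructed variant: the UDP 10000 entry lrmoore suggested, for a client that
# has transparent tunneling over UDP enabled on both ends.
WITH_UDP_10000 = POSTED_NAT_LINES + \
    "ip nat inside source static udp 192.168.1.2 10000 interface Dialer0 10000\n"

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_NAT_LINES), ("with udp/10000", WITH_UDP_10000)):
        print(name, "->", diagnose(cfg, "192.168.1.2"))
        for label, ok in ipsec_passthrough_report(cfg, "192.168.1.2").items():
            print("   ", "yes" if ok else "no ", label)
```

Run as-is, the posted lines diagnose as phase2-blocked for 192.168.1.2 (only UDP 500 is mapped), and the variant with the UDP 10000 entry diagnoses as ok, which matches lrmoore's point that the extra mapping is only useful if the client's transparent tunneling is on and the far endpoint supports it. Passing `router_outside_addrs={"62.79.105.130"}` shows the other possibility: if that address really is the one the ISP negotiates onto Dialer0, the existing one-to-one static entry already carries ESP, so the mapping itself is not what is missing.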
 

Expert Comment

by:CleanupPing
ID: 9152963
PeterFJorgensen:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
 
LVL 5

Expert Comment

by:juliancrawford
ID: 10088553
No comment has been added lately, so it's time to clean up this TA.
I will leave the following recommendation for this question in the Cleanup topic area:

PAQ with points refunded

Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Julian Crawford
EE Cleanup Volunteer
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 10140743
PAQed, with points refunded (80)

Computer101
E-E Admin
