Solved

Cisco 97 IPSec pass-through configuration for the Nortel VPN client

Posted on 2003-10-21
Last Modified: 2012-05-04
Hello Colleagues. I got stuck on the Cisco 97 IPSec pass-through configuration for the Nortel VPN client. Currently I have a few computers behind the Cisco 97 box, so I have to use dynamic NAT. The Cisco box is currently configured for a 24/7 VPN connection with the main office and works excellently. (I have a PIX over there.)
The problem is that we need to be able to connect to a totally different organization using the Nortel VPN client installed on one of the PCs. I tried to configure an access list and NAT, but no luck. No help from Cisco either.
Does anyone know how to make it work?
Here is current config:
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname cisco
!
no logging buffered
enable secret 5 XXXXX
!
username cisco password 7 XXXXXX
username all
username XXXXX password 7 XXXXXX
ip subnet-zero
ip name-server 204.60.203.179
ip name-server 66.73.20.40
ip dhcp excluded-address 192.168.253.1
!
ip dhcp pool CLIENT
   import all
   network 192.168.253.0 255.255.255.0
   default-router 192.168.253.1
   domain-name domain.com
   netbios-name-server 172.20.1.5 172.20.3.6
   dns-server 172.20.1.5 172.20.3.6 204.60.203.179 66.73.20.40
   lease 0 2
!
ip inspect name firewall udp
ip inspect name firewall tcp
ip inspect name firewall ftp
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXXXX address 208.169.48.218
crypto isakmp keepalive 30 5
!
!
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map mymap 1 ipsec-isakmp
 set peer 208.169.48.218
 set transform-set strong
 match address 100
!
!
!
!
interface Ethernet0
 ip address 192.168.253.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1300
 shutdown
 hold-queue 100 out
!
interface ATM0
 no ip address
 shutdown
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto
 dsl power-cutback 30
!
interface Dialer1
 ip address negotiated
 ip access-group 150 in
 ip mtu 1492
 ip nat outside
 ip inspect firewall out
 encapsulation ppp
 no ip route-cache
 ip tcp adjust-mss 1452
 no ip mroute-cache
 dialer pool 1
 dialer remote-name redback
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname XXXXXX
 ppp chap password 7 XXXXXX
 ppp pap sent-username XXXXXX password 7 XXXXXXX
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map mymap
!
ip nat inside source list 120 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
!
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 120 deny   ip 192.168.253.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 120 deny   ip 192.168.253.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 120 permit ip 192.168.253.0 0.0.0.255 any
access-list 150 permit udp any any eq bootps
access-list 150 permit udp any any eq bootpc
access-list 150 permit icmp any any echo-reply
access-list 150 permit icmp any any unreachable
access-list 150 permit icmp any any time-exceeded
access-list 150 permit icmp any any time-exceeded
access-list 150 permit esp host 208.169.48.218 any
access-list 150 permit ip 192.168.0.0 0.0.255.255 192.168.253.0 0.0.0.255
access-list 150 permit ip 172.20.0.0 0.0.255.255 192.168.253.0 0.0.0.255
access-list 150 permit tcp any any eq telnet
access-list 150 permit ahp host 170.77.9.3 any
access-list 150 permit esp host 170.77.9.3 any
access-list 150 permit udp host 170.77.9.3 any
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
end

Question by: ogaltson

8 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 9597987
What version of IOS do you have? Can you post the output of show version? You'll need the "T" train of IOS.
What you're looking for is "NAT transparency":
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110bca.html
 

Author Comment

by:ogaltson
ID: 9599406
Cisco Internetwork Operating System Software
IOS (tm) SOHO97 Software (SOHO97-K9OY1-M), Version 12.2(8)YN, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.2(11.2u)T
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Wed 30-Oct-02 21:49 by ealyon
Image text-base: 0x800131B0, data-base: 0x8074BDE4
ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
ROM: SOHO97 Software (SOHO97-K9OY1-M), Version 12.2(8)YN, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
cisco uptime is 1 hour, 51 minutes
System returned to ROM by power-on
System image file is "flash:soho97-k9oy1-mz.122-8.YN.bin"
CISCO SOHO97 (MPC857DSL) processor (revision 0x400) with 29492K/3276K bytes of memory.
Processor board ID AMB072601EP (2533480144), with hardware revision 0000
CPU rev number 7
Bridging software.
1 Ethernet/IEEE 802.3 interface(s)
1 ATM network interface(s)
128K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)
Configuration register is 0x2102
 

Author Comment

by:ogaltson
ID: 9599970
Hello lrmoore,
I looked at the link and it seems to me like a LAN-to-LAN connection. The problem I am experiencing is allowing protocols 17, 50, and 51 in. I have dynamic NAT inside and the Nortel VPN Client installed on one of the workstations. When I try to connect to the Nortel network, I get connection and authorization, but seconds later I get disconnected because those protocols do not reach the workstation.
Thank you for your help.
Do you know how to make it work?
LVL 79

Expert Comment

by:lrmoore
ID: 9600097
Yes, you need the 12.2(13)T IOS version and you only have 12.2(8).
NAT Transparency for IPSEC is not supported in your version.
 
LVL 79

Accepted Solution

by: lrmoore (earned 500 total points)
ID: 9600109
By the way:
>username all

Looks like you were in debug mode, and from a config prompt, typed "u all".
 

Author Comment

by:ogaltson
ID: 9600859
Thank you, I will try that.
But what about Nortel client?
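An added example, not code from the thread or from Cisco: a small Python model of the question's inbound ACL and of the PAT behaviour that lrmoore's NAT transparency answer refers to. It parses a constructed excerpt of access-list 150 with IOS first-match/implicit-deny semantics and shows that ESP/AH from the Nortel gateway (170.77.9.3) are permitted by the ACL yet still cannot be mapped back to the inside PC by "ip nat ... overload"; the WAN address used when calling it is a constructed placeholder.

```python
import ipaddress
# Constructed excerpt of the inbound ACL 150 from the question ("ip access-group 150 in" on Dialer1).
ACL_150 = """
access-list 150 permit udp any any eq bootps
access-list 150 permit esp host 208.169.48.218 any
access-list 150 permit ip 172.20.0.0 0.0.255.255 192.168.253.0 0.0.0.255
access-list 150 permit ahp host 170.77.9.3 any
access-list 150 permit esp host 170.77.9.3 any
access-list 150 permit udp host 170.77.9.3 any
"""
PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ahp": 51}
PORTS = {"bootps": 67, "bootpc": 68, "telnet": 23, "isakmp": 500}

def _addr(tok):
    """Consume one IOS address spec (any | host A | A wildcard) and return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    mask = ~int(ipaddress.ip_address(tok[1])) & 0xFFFFFFFF  # IOS wildcard = inverted netmask
    return ipaddress.ip_network(f"{tok[0]}/{ipaddress.ip_address(mask)}"), tok[2:]

def parse_acl(text):
    """Parse extended ACL lines into ordered (action, proto, src, dst, dport) tuples."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)
        dport = (PORTS.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        rules.append((t[2], PROTO[t[3]], src, dst, dport))
    return rules

def acl_permits(rules, proto, src, dst, dport=None):
    """First match wins; IOS ends every ACL with an implicit deny."""
    for action, p, s, d, port in rules:
        if (p is None or p == proto) and ipaddress.ip_address(src) in s \
                and ipaddress.ip_address(dst) in d and (port is None or port == dport):
            return action == "permit"
    return False

def diagnose_inbound(rules, proto, src, dst, dport=None):
    """PAT (ip nat ... overload) keys translations on TCP/UDP ports or ICMP ids; bare ESP (50)
    and AH (51) carry none, so PAT cannot pick the inside host. NAT transparency fixes that
    by wrapping ESP in UDP 4500, which is the reason the thread points at it."""
    if not acl_permits(rules, proto, src, dst, dport):
        return "denied by ACL 150"
    if proto not in (1, 6, 17):
        return "permitted by ACL 150, but PAT has no port to map it to the inside host"
    return "reaches the inside host through its PAT entry"
```

Calling diagnose_inbound(parse_acl(ACL_150), 50, "170.77.9.3", "<dialer1-address>") reports the ACL as permitting the packet and PAT as the blocker, which matches the symptom in the thread (authentication succeeds, then the tunnel drops).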