Cisco 97 IPSec pass-through configuration for the Nortel VPN client

Posted on 2003-10-21
Last Modified: 2008-02-26
Hello Colleagues. I got stuck on Cisco 97 IPSec pass-through configuration for the Nortel VPN client. Currently I have a few computers behind the Cisco 97 box, so I have to use dynamic NAT. The Cisco box is currently configured for the 24/7 VPN connection with the main office and works excellently. (I have a PIX over there.)
The problem is that we need to be able to connect to a totally different organization by using the Nortel VPN client installed on one of the PCs. I tried to configure an access list and NAT but no luck. No help from Cisco either.
Does anyone know how to make it work?
Here is the current config:
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname cisco
no logging buffered
enable secret 5 XXXXX
username cisco password 7 XXXXXX
username all
username XXXXX password 7 XXXXXX
ip subnet-zero
ip name-server
ip name-server
ip dhcp excluded-address
ip dhcp pool CLIENT
   import all
   domain-name domain.com
   lease 0 2
ip inspect name firewall udp
ip inspect name firewall tcp
ip inspect name firewall ftp
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXXXX address
crypto isakmp keepalive 30 5
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto ipsec df-bit clear
crypto map mymap 1 ipsec-isakmp
 set peer
 set transform-set strong
 match address 100
interface Ethernet0
 ip address
 ip nat inside
 ip tcp adjust-mss 1300
 hold-queue 100 out
interface ATM0
 no ip address
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/35
  pppoe-client dial-pool-number 1
 dsl operating-mode auto
 dsl power-cutback 30
interface Dialer1
 ip address negotiated
 ip access-group 150 in
 ip mtu 1492
 ip nat outside
 ip inspect firewall out
 encapsulation ppp
 no ip route-cache
 ip tcp adjust-mss 1452
 no ip mroute-cache
 dialer pool 1
 dialer remote-name redback
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname XXXXXX
 ppp chap password 7 XXXXXX
 ppp pap sent-username XXXXXX password 7 XXXXXXX
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map mymap
ip nat inside source list 120 interface Dialer1 overload
ip classless
ip route Dialer1
ip http server
access-list 100 permit ip
access-list 100 permit ip
access-list 120 deny   ip
access-list 120 deny   ip
access-list 120 permit ip any
access-list 150 permit udp any any eq bootps
access-list 150 permit udp any any eq bootpc
access-list 150 permit icmp any any echo-reply
access-list 150 permit icmp any any unreachable
access-list 150 permit icmp any any time-exceeded
access-list 150 permit icmp any any time-exceeded
access-list 150 permit esp host any
access-list 150 permit ip
access-list 150 permit ip
access-list 150 permit tcp any any eq telnet
access-list 150 permit ahp host any
access-list 150 permit esp host any
access-list 150 permit udp host any
dialer-list 1 protocol ip permit
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 120 0
 login local
 length 0
scheduler max-task-time 5000

Question by:ogaltson
Author Comment

ID: 9599423
Cisco Internetwork Operating System Software
IOS (tm) SOHO97 Software (SOHO97-K9OY1-M), Version 12.2(8)YN, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.2(11.2u)T
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Wed 30-Oct-02 21:49 by ealyon
Image text-base: 0x800131B0, data-base: 0x8074BDE4
ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
cisco uptime is 1 hour, 51 minutes
System returned to ROM by power-on
System image file is "flash:soho97-k9oy1-mz.122-8.YN.bin"
CISCO SOHO97 (MPC857DSL) processor (revision 0x400) with 29492K/3276K bytes of memory.
Processor board ID AMB072601EP (2533480144), with hardware revision 0000
CPU rev number 7
Bridging software.
1 Ethernet/IEEE 802.3 interface(s)
1 ATM network interface(s)
128K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)
Configuration register is 0x2102

Accepted Solution

ewtaylor earned 2000 total points
ID: 9608999
This modem is supposed to allow multiple NAT clients to connect with IPsec software. Here is how to enable this feature; if you need to look at a config, see http://www.cisco.com/en/US/products/hw/routers/ps380/products_configuration_guide_chapter09186a0080118cbb.html#45065. If this does not work, let me know.

Configuring VPN IPSec Support Through NAT
This feature is available on the following Cisco routers:

Cisco 826 and Cisco 836
Cisco 827, Cisco 827H, Cisco 827-4V, Cisco 831, and Cisco 837
Cisco 828
Cisco SOHO 77, Cisco SOHO 78, Cisco SOHO 96, and Cisco SOHO 97
Cisco IOS Release 12.2(2)XI NAT supports IP Security (IPSec) client software that does not use Transmission Control Protocol (TCP) wrapping or User Datagram Protocol (UDP) wrapping. On Cisco routers, this feature allows the simultaneous use of multiple, PC-based IPSec clients on which IPSec packet wrapping is disabled or is not supported. When PCs connected to the router create an IPSec tunnel, network address translation (NAT) on the router translates the private IP addresses in these packets to public IP addresses. This NAT feature also supports multiple Point-to-Point Tunnel Protocol (PPTP) sessions, which may be initiated by PCs with PPTP client software.

You must enter the following command in global configuration mode for this feature to work:

ip nat inside source list number interface BVI number overload
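As an added worked example (not from the answer above or Cisco's guide), this maps the feature onto the poster's own config: the overload NAT statement is already present against Dialer1, so the remaining piece is inbound access list 150, which only admits ESP/AH/IKE from the existing PIX peer, while `ip inspect` opens return paths for UDP/TCP but not for ESP. NORTEL_GW is a placeholder for the second organization's VPN gateway address, which the page does not give.

```cisco
! Already in the posted config: dynamic PAT on the outside interface.
! This is the "overload" form the accepted answer's feature depends on
! (the answer's template names BVI; on this box the outside is Dialer1).
ip nat inside source list 120 interface Dialer1 overload
!
! Inbound filter on Dialer1. The posted list only admits ESP/AH/IKE from
! the existing PIX peer, so the second gateway needs its own narrow entries.
! NORTEL_GW is a placeholder for the other organization's gateway address.
access-list 150 permit udp host NORTEL_GW eq isakmp any eq isakmp
access-list 150 permit esp host NORTEL_GW any
!
! Keep the entries scoped to that one host rather than "permit esp any any":
! CBAC (ip inspect ... udp) would let IKE replies back in anyway, but ESP
! (IP protocol 50) is not inspected and must be explicitly permitted.
!
! Verification after the client connects:
!   show ip nat translations   (look for an esp translation for the inside PC)
!   show access-list 150       (hit counters on the two new lines)
```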
