Solved

PIX 501 Configured With PAT & NAT - 2 IP Addresses - VPN Unsuccessful

Posted on 2004-10-27
757 Views
Last Modified: 2008-02-01
Can someone look at my configuration and tell me what's wrong? I have 2 IP addresses configured as follows: 204.x.x.102 with PAT for browsing and 204.x.x.103 with static-NAT for L2TP. The Windows XP login never gets beyond "connecting". In addition, I get no response when I ping my 103 IP address but I can ping the outside address without problems (from outside dial-up PC). I have been researching using this site and Cisco's examples, but I don't have the time to figure it out. I've already spent several long nights and I really need to get VPN up and running. I wouldn't be surprised if there are several errors found as I have had little rest lately. Thanks.

PIX Version 6.3 (3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list outside_access_in permit tcp any eq pptp host 204.x.x.103 eq pptp
access-list outside_access_in permit udp any eq pcanywhere-status interface outside eq pcanywhere-status
access-list outside_access_in permit tcp any eq pcanywhere-data interface outside eq pcanywhere-data
access-list outside_access_in permit udp any eq 47 host 204.x.x.103 eq 47
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 204.x.x.102 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 192.168.1.50-192.168.1.55
pdm location 192.168.1.5 255.255.255.255 inside
pdm location 192.168.1.21 255.255.255.255 inside
pdm location 204.x.x.103 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 204.x.x.103 netmask 255.255.255.255
nat (inside) 1 0.0.0.0  0.0.0.0  0  0
static (inside,outside) tcp interface pcanywhere-data 192.168.1.21 pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) udp interface pcanywhere-status 192.168.1.21 pcanywhere-status netmask 255.255.255.255 0 0
static (inside,outside) 204.x.x.103 192.168.1.5 netmask 255.255.255.255  0  0
access-group outside_access_in in interface outside
route outside 0.0.0.0  0.0.0.0  204.8.65.97  1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no-snmp-server enable traps
floodguard enable
sysopt connection permit-l2tp
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timout 5
ssh timeout 5
console timeout 0
vpdn group L2TP-VPDN-GROUP accept dialin l2tp
vpdn group L2TP-VPDN-GROUP ppp authentication chap
vpdn group L2TP-VPDN-GROUP client configuration address local VPNPool
vpdn group L2TP-VPDN-GROUP client configuration dns 204.x.x.x 204.x.x.x
vpdn group L2TP-VPDN-GROUP client authentication local
vpdn group L2TP-VPDN-GROUP l2tp tunnel hello 60
vpdn username eheyliger password *********
vpdn enable outside
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:*************************
: end
0
Question by:ehcruzan
    29 Comments
     
    LVL 79

    Expert Comment

    by:lrmoore
    Instead of this:
      >access-list outside_access_in permit udp any eq 47 host 204.x.x.103 eq 47

    Add this line to permit GRE protocol #47:
            access-list outside_access_in permit gre any host 204.x.x.103

    0
     

    Author Comment

    by:ehcruzan
    No change unfortunately. As for my IP address 204.x.x.103, which is used for the VPN, why am I unable to ping this address from a computer on the web? Is this part of my problem?
    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    Could be because you have not permitted icmp to that host, only tcp 1723 and GRE..
    Try adding
      access-list outside_in permit icmp any host 204.x.x.103

    Can you post result of "show access-list"
    0
     

    Author Comment

    by:ehcruzan
    I still can't ping that address. Here's the result of show access-list.

    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
                alert-interval 300
    access-list outside_access_in; 5 elements
    access-list outside_access_in line 1 permit tcp any eq pptp host 204.8.65.103 eq pptp (hitcnt=0)
    access-list outside_access_in line 2 permit udp any eq pcanywhere-status interface outside eq pcanywhere-status (hitcnt=0)
    access-list outside_access_in line 3 permit tcp any eq pcanywhere-data interface outside eq pcanywhere-data (hitcnt=0)
    access-list outside_access_in line 4 permit gre any host 204.8.65.103 (hitcnt=0)
    access-list outside_access_in line 5 permit icmp any host 204.8.65.103 (hitcnt=0)
    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    Try re-applying the access-list to the interface:

        access-group outside_access_in in interface outside

    What is the default gateway setting on the server 192.168.1.5 ? Does it point to the PIX inside IP 192.168.1.1 ?
     
    Does the PcAnywhere work?
    0
     

    Author Comment

    by:ehcruzan
    Pinging now works. The default gateway on the server is indeed 192.168.1.1. As for PCAnywhere, we're have no access, but the remote end is making some changes. I will post an update in about 10 minutes.
    0
     

    Author Comment

    by:ehcruzan
    PC Anywhere is not working either.
    0
     

    Author Comment

    by:ehcruzan
    Should these lines be in my configuration?

    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    Yes, these are just default definitions that are there in a default config.
    0
     

    Author Comment

    by:ehcruzan
    Can you see anything wrong with my configuration? I just can't figure out why I can't get access.
    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    Try removing this line because you don't need it and it may be interferring
      >global (outside) 2 204.x.x.103 netmask 255.255.255.255

    Verify that your default route is correct:
      >route outside 0.0.0.0  0.0.0.0  204.8.65.97  1

    Can you browse the internet from an internal client? Can you browse the internet from the system 192.168.1.5 ?
    0
     

    Author Comment

    by:ehcruzan
    No problems browsing from any local clients, including 192.168.1.5 (server). Is this translation correct to allow access to my internal server at 192.168.1.5 from external IP 204.x.x.103?

    static (inside,outside) 204.8.65.103 192.168.1.5 netmask 255.255.255.255 0 0


    Here is my latest configuration:

    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password ********** encrypted
    passwd ********** encrypted
    hostname pixfirewall
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    no names
    access-list outside_access_in permit tcp any eq pptp host 204.x.x.103 eq pptp
    access-list outside_access_in permit udp any eq pcanywhere-status interface outside eq pcanywhere-status
    access-list outside_access_in permit tcp any eq pcanywhere-data interface outside eq pcanywhere-data
    access-list outside_access_in permit gre any host 204.x.x.103
    access-list outside_access_in permit icmp any host 204.x.x.103
    access-list outside_cryptomap_dyn_20 permit ip host 204.x.x.103 any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 204.x.x.102 255.255.255.0
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool VPNPool 192.168.1.50-192.168.1.55
    pdm location 192.168.1.5 255.255.255.255 inside
    pdm location 192.168.1.21 255.255.255.255 inside
    pdm location 204.x.x.103 255.255.255.255 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface pcanywhere-data 192.168.1.21 pcanywhere-data netmask 255.255.255.255 0 0
    static (inside,outside) udp interface pcanywhere-status 192.168.1.21 pcanywhere-status netmask 255.255.255.255 0 0
    static (inside,outside) 204.x.x.103 192.168.1.5 netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 204.8.65.97 1
    route inside 192.168.1.5 255.255.255.255 204.x.x.103 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
    crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_3DES_MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth
    isakmp nat-traversal 20
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group L2TP-VPDN-GROUP accept dialin l2tp
    vpdn group L2TP-VPDN-GROUP ppp authentication chap
    vpdn group L2TP-VPDN-GROUP client configuration address local VPNPool
    vpdn group L2TP-VPDN-GROUP client authentication local
    vpdn group L2TP-VPDN-GROUP l2tp tunnel hello 60
    vpdn group PPTP-VPDN-GROUP accept dialin pptp
    vpdn group PPTP-VPDN-GROUP ppp authentication mschap
    vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
    vpdn group PPTP-VPDN-GROUP client configuration address local VPNPool
    vpdn group PPTP-VPDN-GROUP pptp echo 60
    vpdn group PPTP-VPDN-GROUP client authentication local
    vpdn username eheyliger password *********
    vpdn enable outside
    dhcpd address 192.168.1.2-192.168.1.33 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    Cryptochecksum:5d16c1e1c6f929fea155cc372120c81d
    : end


    0
     

    Author Comment

    by:ehcruzan
    I decided to punch in the 204.x.x.102 address and to my surprise it connected. I am unable to use any resources on my server and I assume this is because I'm connected over a PAT address which prohibits GRE. My question is why am I connecting on this address instead of the 204.x.x.103 static-NAT address I setup for VPN? I will go through my configuration line by line tonight but any help is appreciated.
    0
     

    Author Comment

    by:ehcruzan
    Could it be possible I need to do the following?

        REPLACE

    vpdn enable outside

        WITH

    vpdn enable
    vpdn source-ip 204.x.x.103
    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    >vpdn enable outside  <== this, along with your vpdn configuration makes the PIX itself the VPN server.
    You are trying to pass through PPTP and GRE to another inside host.
    If you don't want the PIX to be the endpoint server, they try disabling the VPDN on the PIX:
       no vpdn enable outside
    0
     

    Author Comment

    by:ehcruzan
    What I'm trying to accomplish is remote VPN access to an NT4 server. We planned to use the Cisco VPN Client so we could use one IP address, however I've yet to receive my SMARTnet package from CDW, therefore I have to use the XP client for now. I plan on disabling PPTP this morning as I don't feel it offers enough security. So for now, I would like to use L2TP IPSec. To sum it all up, I do want the PIX as my VPN server using IPSec L2TP. Can you tell me why the scenario in the question above the one you just answered is happening? It seems like I'm not properly telling the PIX to accept my VPN connection on the 204.x.x.103 address.
    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    If you want the PIX to be the VPN endpoint, then you cannot use a different IP than the interface as the endpoint.
    It appeared that you were trying to use the NT4 server as the VPN endpoint, passing through TCP port 1723 and GRE to that server.

    If you want to setup the PIX to be either the PPTP or IPSEC VPN endpoint, you can quite easily. What you cannot do is setup a separate IP address for that to use.

    Setting up as PPTP endpoint:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml

    Setting up for IPSEC Cisco VPN client:
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml

    0
     

    Author Comment

    by:ehcruzan
    I'm a bit confused now. I won't be back at the site until tomorrow morning (I'm extremely tired) but I have a few questions that I hope will help me understand my error.

    1) I would like all PCs on the inside to browse the web, allow VPN access to my server, and allow PCAnywhere access to one PC on the inside. My question is can I do all of this with PAT?

    2) Since I want the PIX to be my endpoint, are you saying I should remove the following lines?

    access-list outside_access_in permit tcp any eq pptp host 204.x.x.103 eq pptp
    access-list outside_access_in permit gre any host 204.x.x.103

    static (inside,outside) 204.x.x.103 192.168.1.5 netmask 255.255.255.255 0 0

    3) Will my new static statement direct the ports for PPTP to my server IP or to the outside interface? (likewise for access-list?)

    4) While researching on this site, I read a bit about GRE not working with PAT. Is this only when using a VPN endpoint behind the PIX?

    Sorry for the barage of questions...I had no idea I was so far off.
    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    I'll try my best to explain..
    1) no problem. Yes, you can do it all with PAT, with the exception of having your NT server be the VPN server too.
    2) Yes, remove those lines. Disable all VPN services on the NT server.
    3) To the outside interface. You don't even need the access list with the sysopt connection permit-pptp
    4) correct. That's why you can't setup both the interface and pass it through to an internal server.


    0
     

    Author Comment

    by:ehcruzan
    Thank you very much for your patience and assistance. I will give this another try tomorrow. I now understand what I was doing wrong. I'll post the results tomorrow which I'm optimisic will be successful.
    0
     

    Author Comment

    by:ehcruzan
    I decided to list what I have, what I want to accomplish, and how I plan to accomplish it. I'm thinking much cleared by going this path and referencing both this site and material I printed from Cisco's website. It seems much cleared putting it on paper. Hopefully I will get to try whatever end result I get sometime tomorrow afternoon.
    0
     

    Author Comment

    by:ehcruzan
    I connect but can't ping my inside network. I notice the client gets a correct ip, but the gateway for some odd reason shows the same address. Any ideas why my traffic isn't flowing between the VPN assigned addresses and the local addresses?

    I've tried both of the following:

    access-list outside_access_in permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
    ip local pool vpnpool 192.168.20.21-192.168.20.30
    isakmp client configuration address-pool local vpnpool outside
    vpdn grou L2TP_VPDN_GROUP client configuration address local vpnpool

    OR

    access-list outside_access_in permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
    ip local pool vpnpool 192.168.20.60-192.168.20.70
    isakmp client configuration address-pool local vpnpool outside
    vpdn grou L2TP_VPDN_GROUP client configuration address local vpnpool

    any ideas?
    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    >but the gateway for some odd reason shows the same address.
    This is expected behavior to strict FRC standards.

    Can you provide output of C:\>route print while connected to the VPN?

    Perhaps something here will help:
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a008009448c.shtml
    0
     

    Author Comment

    by:ehcruzan
    C:\Documents and Settings\PFC>route print
    =========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x230002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
    0x280004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
    =========================================================================
    =========================================================================
    Active Routes:
    Network Destination        Netmask              Gateway       Interface  Metric
              0.0.0.0                 0.0.0.0            66.185.44.47       66.185.44.47       2
              0.0.0.0                 0.0.0.0           192.168.20.21     192.168.20.21       1
         66.185.33.44       255.255.255.255     66.185.44.47       66.185.44.47       1
         66.185.44.47       255.255.255.255        127.0.0.1            127.0.0.1         50
       66.255.255.255      255.255.255.255     66.185.44.47       66.185.44.47      50
            127.0.0.0              255.0.0.0              127.0.0.1           127.0.0.1          1
        192.168.20.21       255.255.255.255        127.0.0.1           127.0.0.1         50
       192.168.20.255      255.255.255.255     192.168.20.21    192.168.20.21     50
         204.8.65.102       255.255.255.255       66.185.44.47      66.185.44.47       1
            224.0.0.0             240.0.0.0              66.185.44.47      66.185.44.47       2
            224.0.0.0             240.0.0.0            192.168.20.21     192.168.20.21       1
      255.255.255.255    255.255.255.255       66.185.44.47       66.185.44.47       1
      255.255.255.255    255.255.255.255      192.168.20.21     192.168.20.21       1
    Default Gateway:     192.168.20.21
    =========================================================================
    Persistent Routes:
      None

    C:\Documents and Settings\PFC>
    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    >Default Gateway:     192.168.20.21
    Now you can't ping anything on the 192.168.1.x subnet?

    Your client is apparently configured correctly and is working as designed. Now I'll have to see your current PIX config.

    0
     

    Author Comment

    by:ehcruzan
    Configuration below. Part of my problem appears to be the use of access-list. I'm trying to digest the document you sent me but I apparently don't work well under pressure. In any event, I combined my access-lists since I found out only one access-list can be applied to an interface. I think this may be part of my problem. I also get this message on bootup: "WARNING: access-list has port selectors may have performance impact", however if I remove the access-list lines with the port commands, I can't connect, which is what I expected.

    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pfcpixfw
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    no names
    name 192.168.1.1 gateway
    name 192.168.1.5 server
    name 192.168.1.21 pcawhost
    access-list outside_access_in permit tcp any any eq pcanywhere-data
    access-list outside_access_in permit udp any any eq pcanywhere-status
    access-list outside_access_in permit udp any any eq 1701
    access-list outside_access_in permit udp any any eq isakmp
    access-list outside_access_in permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 204.x.x.102 255.255.255.0
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnpool 192.168.20.21-192.168.20.30
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list outside_access_in
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface pcanywhere-data 192.168.1.21 pcanywhere-data netmask 255.255.255.255 0 0
    static (inside,outside) udp interface pcanywhere-status 192.168.1.21 pcanywhere-status netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 204.8.65.97 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-l2tp
    crypto ipsec transform-set trans_msvpn esp-3des esp-md5-hmac
    crypto ipsec transform-set trans_msvpn mode transport
    crypto dynamic-map vpn_dyn_map 10 match address outside_access_in
    crypto dynamic-map vpn_dyn_map 10 set transform-set trans_msvpn
    crypto map vpn_static_map 30 ipsec-isakmp dynamic vpn_dyn_map
    crypto map vpn_static_map client configuration address initiate
    crypto map vpn_static_map client configuration address respond
    crypto map vpn_static_map interface outside
    isakmp enable outside
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp client configuration address-pool local vpnpool outside
    isakmp nat-traversal 20
    isakmp policy 30 authentication pre-share
    isakmp policy 30 encryption 3des
    isakmp policy 30 hash md5
    isakmp policy 30 group 2
    isakmp policy 30 lifetime 43200
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group L2TP_VPDN_GROUP accept dialin l2tp
    vpdn group L2TP_VPDN_GROUP ppp authentication mschap
    vpdn group L2TP_VPDN_GROUP client configuration address local vpnpool
    vpdn group L2TP_VPDN_GROUP client configuration wins 192.168.1.5
    vpdn group L2TP_VPDN_GROUP client authentication local
    vpdn group L2TP_VPDN_GROUP l2tp tunnel hello 60
    vpdn username eheyliger password *********
    vpdn username FIS_ADMIN password *********
    vpdn username grant password *********
    vpdn enable outside
    dhcpd address 192.168.1.41-192.168.1.50 inside
    dhcpd wins 192.168.1.5
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum: ******
    : end
    0
     
    LVL 79

    Accepted Solution

    by:
    Looks simple enough to fix. You need a new acl for the nat zero..
    You have the same acl applied to two different processes and that's not good.

    Add this:
       no access-list outside_access_in permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0

       access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
       nat (inside) 0 access-list nonat
       access-group outside_access_in in interface outside

    0
     

    Author Comment

    by:ehcruzan
    AMEN!!!! You are the best! THANK YOU VERY MUCH!!! I also removed the following command and it works! I'm going to read up some more to understand the access-list/nat issue. If I could give you 10000 points I would. Thanks for all your help!!!

    crypto dynamic-map vpn_dyn_map 10 match address outside_access_in.



    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    Yippee!

    Glad you're working!

    0

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Looking for New Ways to Advertise?

    Engage with tech pros in our community with native advertising, as a Vendor Expert, and more.

    Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
    In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
    After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
    After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

    933 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    12 Experts available now in Live!

    Get 1:1 Help Now