mblj asked:

Cisco 2600 VPN issues with a Firebox

Here is the scenario.  I installed a Cisco 2600 router to give my contracting companies a way to get back to their parent companies without running through our network.  I have a very simple config which works with all my users except one group that is running a Firebox VPN back to their company.  I have many users who use software-based VPN clients with no issues.  It seems this hardware-based VPN solution is causing me some problems.  I see the error in the log:

   entry number 8 : CRYPTO-4-IKMP_NO_SA
   IKE message from 206.XXX.XXX.18 has no SA and is not an initialization offer

This is the IP the Firebox is trying to get back to.  I am not really sure where to go with this; my knowledge of routers is not the strongest.  I have been doing a lot of reading, but I do not want the 2600 to be the VPN termination point for this company; I would rather get their Firebox to work.  I think the NAT might also be causing an issue in getting this to work, but that is just speculation.  Here is the config, very basic...

Current configuration : 1095 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname PBNCTROUTER
!
enable secret 5 $1$HI4b$/ubez4V3G4.mA5iVXsy6W0
!
ip subnet-zero
!
!
no ip domain-lookup
ip dhcp excluded-address 192.168.5.1
ip dhcp excluded-address 192.168.5.255
!
ip dhcp pool INSIDE
   network 192.168.5.0 255.255.255.0
   default-router 192.168.5.1
   dns-server 72.XXX.XXX.3 72.XXX.XXX.93
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 72.XXX.XXX.19 255.255.255.248
 ip access-group 100 in
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 50 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 72.XXX.XXX.17
ip http server
ip pim bidir-enable
!
access-list 50 permit any
access-list 100 permit ip any any
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
end


Right now the Firebox gets a DHCP address; not sure if I will have to change that to a static one, not an issue if I have to.  This all did work when we had a Netgear running as the router.

Any direction with this would be good.  Once it is up and running I'll post the final config for future reference.

Thanks
Istvan Kalmar:

Hi,

I think you need to make a static NAT to the VPN box... is it working behind NAT?
mblj (asker):

Yes, it is behind the NAT.  And I was thinking that could be one of the issues.  
Hi,

You need to configure static NAT for this box.
ASKER CERTIFIED SOLUTION
Istvan Kalmar

This solution is only available to members.
mblj (asker):
Perfect, all is working.  I had a feeling it might be the NAT, but I didn't want to chase down the wrong avenue, so I appreciate the help very much!!  Here is the final config for future people that have a device trying to initiate a VPN tunnel through NAT behind a router.


Current configuration : 1200 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname PBNCTROUTER
!
enable secret 5 $1$HI4b$/ubez4V3G4.mA5iVXsy6W0
!
ip subnet-zero
!
!
no ip domain-lookup
ip dhcp excluded-address 192.168.5.1
ip dhcp excluded-address 192.168.5.255
ip dhcp excluded-address 192.168.5.254
!
ip dhcp pool INSIDE
   network 192.168.5.0 255.255.255.0
   default-router 192.168.5.1
   dns-server 72.XXX.XXX.3 72.XXX.XXX.93
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 72.XXX.XXX.19 255.255.255.248
 ip access-group 100 in
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 50 interface FastEthernet0/0 overload
ip nat inside source static 192.168.5.254 72.21.227.19 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 72.XXX.XXX.17
ip http server
ip pim bidir-enable
!
access-list 50 permit any
access-list 100 permit ip any any
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
end
Hi, in this case you need to NAT the telnet port to the local router address if you want to reach the router from outside.
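The thread never spells out why the overload rule alone broke the Firebox while software clients were fine, so here is an added simulation (not code from the thread, the router, or WatchGuard) of the two translation rules in the configs above. It models plain PAT without IPsec passthrough or NAT-T: a dynamic entry exists only for flows an inside host opened and is keyed on L4 ports, so ESP (IP protocol 50, which has no ports) cannot be multiplexed, and a negotiation the remote gateway starts after the dynamic entry has expired lands on the router itself, which has no ISAKMP SA for that peer. A static one-to-one entry forwards everything addressed to the global IP, whatever the protocol and whoever initiates. The addresses are the masked ones from the thread; the packet sequence is constructed for illustration.

```python
# Added example: simulates PAT overload vs static NAT for an IPsec gateway
# behind the router. Addresses are the masked ones from the thread; the
# packet sequence below is constructed.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "72.XXX.XXX.19"    # FastEthernet0/0, "ip nat outside"
FIREBOX_IP = "192.168.5.254"   # inside VPN box, target of the static entry
PEER_IP = "206.XXX.XXX.18"     # remote gateway named in the CRYPTO-4-IKMP_NO_SA log

UDP, ESP = 17, 50              # IP protocol numbers: IKE rides UDP/500, data is ESP
IKE_PORT = 500


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # None for ESP: it carries no L4 ports
    dport: Optional[int] = None


class PatRouter:
    """'ip nat inside source list 50 interface FastEthernet0/0 overload':
    one public address shared by every inside host, entries keyed on ports
    and created only by traffic leaving from the inside."""

    def __init__(self) -> None:
        # (proto, inside_ip, inside_port, peer_ip, peer_port) -> global port
        self.table: Dict[Tuple[int, str, int, str, int], int] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.sport is None:
            return None   # nothing to overload on: ESP cannot be port-multiplexed
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        gport = self.table.setdefault(key, pkt.sport)  # keep the port when free
        return Packet(PUBLIC_IP, pkt.dst, pkt.proto, gport, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside destination, or None when the router itself consumes the
        packet (for UDP/500 that is where CRYPTO-4-IKMP_NO_SA comes from:
        the router has no ISAKMP SA with this peer)."""
        for (proto, iip, iport, peer, pport), gport in self.table.items():
            if (proto, peer, pport, gport) == (pkt.proto, pkt.src, pkt.sport, pkt.dport):
                return Packet(pkt.src, iip, pkt.proto, pkt.sport, iport)
        return None

    def expire(self) -> None:
        self.table.clear()   # dynamic entries time out once the flow goes idle


class StaticNatRouter(PatRouter):
    """Adds 'ip nat inside source static 192.168.5.254 <global> extendable':
    a fixed one-to-one mapping that also carries unsolicited inbound traffic
    and protocols without ports. Other inside hosts still use PAT."""

    def __init__(self, inside_ip: str, global_ip: str) -> None:
        super().__init__()
        self.inside_ip, self.global_ip = inside_ip, global_ip

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.src == self.inside_ip:
            return Packet(self.global_ip, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        return super().outbound(pkt)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst == self.global_ip:
            return Packet(pkt.src, self.inside_ip, pkt.proto, pkt.sport, pkt.dport)
        return super().inbound(pkt)


def run_scenario(router: PatRouter) -> Dict[str, bool]:
    """Replay the Firebox's tunnel setup and report which steps get through."""
    out: Dict[str, bool] = {}
    # 1. Firebox starts IKE phase 1 towards the peer (UDP 500 -> 500).
    ike = router.outbound(Packet(FIREBOX_IP, PEER_IP, UDP, IKE_PORT, IKE_PORT))
    out["ike_out"] = ike is not None
    # 2. Peer answers to the public address; matches the entry just created.
    reply = router.inbound(Packet(PEER_IP, PUBLIC_IP, UDP, IKE_PORT, IKE_PORT))
    out["ike_reply_reaches_firebox"] = reply is not None and reply.dst == FIREBOX_IP
    # 3. Tunnel data: ESP has no ports for PAT to key on.
    out["esp_out"] = router.outbound(Packet(FIREBOX_IP, PEER_IP, ESP)) is not None
    # 4. Idle period, then the remote gateway starts a new negotiation itself.
    router.expire()
    fresh = router.inbound(Packet(PEER_IP, PUBLIC_IP, UDP, IKE_PORT, IKE_PORT))
    out["peer_initiated_ike"] = fresh is not None and fresh.dst == FIREBOX_IP
    return out


if __name__ == "__main__":
    print("PAT overload only:", run_scenario(PatRouter()))
    print("With static NAT:  ", run_scenario(StaticNatRouter(FIREBOX_IP, PUBLIC_IP)))
```

Two caveats the simulation makes visible. Because the final config maps the Firebox to the router's own outside address, every unsolicited packet to that address, including telnet, SSH and the enabled `ip http server`, now lands on the Firebox, which is exactly why the last comment says the telnet port has to be mapped separately (a port-specific `ip nat inside source static tcp ...` entry takes precedence over the address-wide one). And since `access-list 100 permit ip any any` filters nothing, the Firebox is fully exposed to the Internet through that mapping; restrict the inbound ACL to UDP/500 (and UDP/4500 or ESP as the Firebox needs) if the Firebox's own policy is not trusted to do that.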