Cisco 2600 VPN issues with a Firebox

Here is the scenario.  I installed a Cisco 2600 router to give my contracting companies a way to get back to their parent companies without running through our network.  I have a very simple config which works with all my users except one group that is running a Firebox VPN back to their company.  I have many users who use software-based VPN clients with no issues.  It seems this hardware-based VPN solution is causing me some problems.  I see this error in the log:

   entry number 8 : CRYPTO-4-IKMP_NO_SA
    IKE message from 206.XXX.XXX.18  has no SA and is not an initialization offer

This is the IP the Firebox is trying to get back to.  I am not really sure where to go with this; my knowledge set is not the strongest in routers.  I have been doing a lot of reading, but I do not want the 2600 to be the VPN termination point for this company; I would rather get their Firebox to work.  I think the NAT might also be causing an issue in getting this to work, but that is just speculation.  Here is the config, very basic...

Current configuration : 1095 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname PBNCTROUTER
!
enable secret 5 $1$HI4b$/ubez4V3G4.mA5iVXsy6W0
!
ip subnet-zero
!
!
no ip domain-lookup
ip dhcp excluded-address 192.168.5.1
ip dhcp excluded-address 192.168.5.255
!
ip dhcp pool INSIDE
   network 192.168.5.0 255.255.255.0
   default-router 192.168.5.1
   dns-server 72.XXX.XXX.3 72.XXX.XXX.93
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 72.XXX.XXX.19 255.255.255.248
 ip access-group 100 in
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 50 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 72.XXX.XXX.17
ip http server
ip pim bidir-enable
!
access-list 50 permit any
access-list 100 permit ip any any
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
End


Right now the Firebox gets a DHCP address; not sure if I will have to change that to a static one, not an issue if I have to.  This all did work when we had a Netgear running as the router.

Any direction with this would be good.  Once it is up and running I'll post the final config for future reference.

Thanks
mblj asked:

Istvan Kalmar, Head of IT Security Division, commented:
ip nat inside source static tcp x.x.x.x  500 72.XXX.XXX.19 500 extendable


Istvan Kalmar, Head of IT Security Division, commented:
Hi,

I think you need to make a static NAT to the VPN box... is it working behind NAT?

mblj (author) commented:
Yes, it is behind the NAT.  And I was thinking that could be one of the issues.  
 
Istvan Kalmar, Head of IT Security Division, commented:
Hi,

You need to configure static NAT for this box.

mblj (author) commented:
Perfect, all is working.  I had a feeling it might be the NAT, but didn't want to chase down the wrong avenue, so I appreciate the help very much!!  Here is the final config for future people that have a device trying to initiate a VPN tunnel through a NAT behind a router.


Current configuration : 1200 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname PBNCTROUTER
!
enable secret 5 $1$HI4b$/ubez4V3G4.mA5iVXsy6W0
!
ip subnet-zero
!
!
no ip domain-lookup
ip dhcp excluded-address 192.168.5.1
ip dhcp excluded-address 192.168.5.255
ip dhcp excluded-address 192.168.5.254
!
ip dhcp pool INSIDE
   network 192.168.5.0 255.255.255.0
   default-router 192.168.5.1
   dns-server 72.XXX.XXX.3 72.XXX.XXX.93
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 72.XXX.XXX.19 255.255.255.248
 ip access-group 100 in
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 50 interface FastEthernet0/0 overload
ip nat inside source static 192.168.5.254 72.21.227.19 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 72.XXX.XXX.17
ip http server
ip pim bidir-enable
!
access-list 50 permit any
access-list 100 permit ip any any
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
end

Istvan Kalmar, Head of IT Security Division, commented:
Hi, in this case you need to NAT the telnet port to the local router address if you want to reach the router from outside.
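As an added example, not code from the thread or from any of its posters, here is a small Python checker for the final config above and for the last comment about reaching the router. It parses IOS `ip nat inside source static` lines (both the full-address form used in the final config and the port-specific form suggested earlier) and reports what a full-address mapping onto the router's own WAN address implies: the inside host must stay excluded from the DHCP pool, and every inbound port on that address now goes to the Firebox, so router management on it needs its own port-specific entry. The sample config is a constructed excerpt of the thread's final config with the public address masked.

```python
import re

# Constructed excerpt of the final config posted in this thread (public IP masked).
SAMPLE_CONFIG = """\
ip dhcp excluded-address 192.168.5.1
ip dhcp excluded-address 192.168.5.254
ip http server
interface FastEthernet0/0
 ip address 72.XXX.XXX.19 255.255.255.248
 ip nat outside
ip nat inside source list 50 interface FastEthernet0/0 overload
ip nat inside source static 192.168.5.254 72.XXX.XXX.19 extendable
line vty 0 4
 login
"""

# Matches: ip nat inside source static [tcp|udp] inside [port] outside [port] ...
STATIC_NAT = re.compile(
    r"^ip nat inside source static(?: (?P<proto>tcp|udp))? (?P<inside>\S+)"
    r"(?: (?P<iport>\d+))? (?P<outside>\S+)(?: (?P<oport>\d+))?"
)

def parse_static_nat(config):
    """Return one dict (proto, inside, iport, outside, oport) per static NAT line."""
    entries = []
    for line in config.splitlines():
        m = STATIC_NAT.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def audit_static_nat(config):
    """Report the side effects of each static NAT entry in an IOS config."""
    excluded = set(re.findall(r"^ip dhcp excluded-address (\S+)", config, re.M))
    iface_ips = set(re.findall(r"^ ip address (\S+) ", config, re.M))
    findings = []
    for e in parse_static_nat(config):
        if e["inside"] not in excluded:
            findings.append(f"{e['inside']} is not excluded from the DHCP pool; "
                            "the inside host could get a different lease")
        if e["proto"] is None and e["outside"] in iface_ips:
            # No protocol/port given: IKE (UDP/500), NAT-T (UDP/4500) and ESP all
            # reach the inside host, but so does everything else sent to this IP,
            # including telnet/SSH/HTTP meant for the router itself.
            findings.append(f"{e['outside']}: all ports forwarded to {e['inside']}; "
                            "management access to the router on this IP needs its "
                            "own port-specific static entry")
    return findings
```

Running `audit_static_nat(SAMPLE_CONFIG)` on the thread's final config reports only the all-ports finding, since 192.168.5.254 is already excluded from the DHCP pool.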