VPN Passthrough

Answered Question
Aug 3rd, 2007

I have a VPN Firewall that is inside of a Cisco 1700 (software version 12.2) router. Remote users connect to the network via VPN, using SafeNET SoftRemote VPN Client.

The VPN connection establishes successfully, however once connected, the remote user is unable to connect or ping any node on the local network.

By viewing a tcpdump on the VPN Firewall, I can see the traffic while the VPN connection is being established, but once the connection is made, it stops, suggesting that the VPN data is not reaching the VPN Firewall.

How can I view what packets are being blocked per firewall policy on the Cisco?

The Current Configuration is posted below:

---------------------

Building configuration...

Current configuration : 3078 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname INRUMEC.Gurabo
!
boot system flash:c805-y6-mw.121-5.YB4
logging queue-limit 100
enable secret 5 $1$O0ho$u64.AwhsE!4uWV0G9ZDPyX/
!
ip subnet-zero
!
!
!
!
!
voice rtp send-recv
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
interface Loopback0
 no ip address
!
interface FastEthernet0/0
 description connected to EthernetLAN
 ip address 172.16.1.1 255.255.255.252
 ip nat inside
 load-interval 30
 speed auto
!
interface Serial0/0
 ip address XXX.XXX.XXX.XXX 255.255.255.252
 ip nat outside
 service-module t1 timeslots 1-24
!
interface Serial1/0
 description Connected to IslaNet Airlink
 bandwidth 128
 no ip address
 encapsulation frame-relay IETF
 load-interval 30
 shutdown
 no keepalive
!
interface Serial1/0.1 point-to-point
 bandwidth 128
 ip unnumbered Loopback0
 frame-relay interface-dlci 532
!
interface Serial1/0.2 point-to-point
 bandwidth 128
 ip address 192.168.0.10 255.255.255.252
 frame-relay interface-dlci 533
!
interface Serial1/0.515 point-to-point
 ip address 10.0.10.1 255.255.255.0
 frame-relay interface-dlci 515
!
ip nat pool ovrld XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX netmask 255.255.255.252
ip nat inside source list 1 pool ovrld overload
ip nat inside source static tcp 172.16.1.2 3389 interface Serial0/0 3389
ip nat inside source static tcp 172.16.1.2 110 interface Serial0/0 110
ip nat inside source static tcp 172.16.1.2 25 interface Serial0/0 25
ip nat inside source static udp 172.16.1.2 500 interface Serial0/0 500
ip nat inside source static esp 172.16.1.2 interface Serial0/0
ip nat inside source static tcp 172.16.1.2 80 interface Serial0/0 80
ip nat inside source static tcp 172.16.1.2 443 interface Serial0/0 443
ip classless
ip route 0.0.0.0 0.0.0.0 YYY.YYY.YYY.YYY
ip route 10.0.0.0 255.255.0.0 172.16.1.2
ip route 192.168.0.0 255.255.0.0 172.16.1.2
no ip http server
!
!
!
access-list 1 permit 172.16.1.0 0.0.0.255
access-list 100 permit esp any host 172.16.1.2
access-list 100 permit ahp any host 172.16.1.2
access-list 100 permit udp any host 172.16.1.2 eq non500-isakmp
access-list 100 permit tcp any host 172.16.1.2 eq smtp
access-list 100 permit tcp any host 172.16.1.2 eq pop3
access-list 100 permit tcp any host 172.16.1.2 eq 3389
!
call rsvp-sync
!
voice-port 2/0
 timeouts call-disconnect 5
 timeouts wait-release 5
 connection plar 1000
!
voice-port 2/1
 timeouts call-disconnect 5
 timeouts wait-release 5
 connection plar 1000
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
dial-peer voice 1000 voip
 destination-pattern 1000
 session target ipv4:10.0.0.1
!
dial-peer voice 1 pots
 preference 10
 destination-pattern 2000
 port 2/0
!
dial-peer voice 2 pots
 preference 9
 destination-pattern 2000
 port 2/1
!
!
line con 0
 password 7 045802150C2E
 login
 transport preferred none
 stopbits 1
line aux 0
line vty 0 4
 password 7 014208164E06550C7548435817
 login
 transport preferred none
!
no scheduler allocate
end

INRUMEC.Gurabo#

bortiquai Fri, 08/03/2007 - 12:55

Well, I'm not sure about this since the VPN is not terminating at the Cisco. The Cisco just needs to pass through to the VPN Firewall.

Also, could you be more specific with which commands to use.

Thank you

Correct Answer
steve_steele Sun, 08/05/2007 - 20:12

Hi,

I think you may need to add udp 4500 (NAT-T) to your 1700 NAT configuration.

ip nat inside source static udp 172.16.1.2 4500 interface Serial0/0 4500

access-list 100 permit udp any host 172.16.1.2 eq 4500

Steve

bortiquai Mon, 08/06/2007 - 06:30

Yes, you were exactly right.

I had the access-list entry with

"access-list 100 permit udp any host 172.16.1.2 eq non500-isakmp"

as non500-isakmp is udp 4500, but I was missing this in the

"ip nat inside source.... " command.

Thank you for your help.
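As an added example (not code from the thread or from Cisco), a small Python audit that parses the `ip nat inside source static` and `access-list` lines of an IOS config and reports which of ESP, UDP 500 (ISAKMP) and UDP 4500 (NAT-T) are missing on the NAT side and on the ACL side for the inside VPN host; the config excerpt is constructed from the lines posted above, and the alias table for the IOS port keywords is an assumption of this example.

```python
"""Audit an IOS config for IPsec passthrough to an inside VPN host.

Added example, not from the thread: checks that ESP, ISAKMP (UDP 500) and
NAT-T (UDP 4500) are covered by BOTH the static NAT entries and the
access-list, which is exactly the mismatch bortiquai found above.
"""
import re

PORT_ALIASES = {"isakmp": 500, "non500-isakmp": 4500}   # IOS ACL port keywords
REQUIRED = {("esp", None), ("udp", 500), ("udp", 4500)}  # IPsec through NAT

NAT_RE = re.compile(r"^ip nat inside source static (?P<proto>tcp|udp|esp) "
                    r"(?P<host>\S+)(?: (?P<port>\d+))? interface \S+(?: \d+)?$")
ACL_RE = re.compile(r"^access-list \d+ permit (?P<proto>\S+) any host "
                    r"(?P<host>\S+)(?: eq (?P<port>\S+))?$")


def _port(token):
    """Normalise an IOS port token (number or keyword) to an int, or None."""
    if token is None:
        return None
    return PORT_ALIASES.get(token, int(token) if token.isdigit() else token)


def _key(entry):
    return (entry[0], entry[1] or 0)


def audit_passthrough(config, vpn_host):
    """Return (missing_from_nat, missing_from_acl): sorted (proto, port) pairs
    that the config does not forward / permit towards vpn_host."""
    nat, acl = set(), set()
    for line in config.splitlines():
        line = line.strip()
        m = NAT_RE.match(line)
        if m and m["host"] == vpn_host:
            nat.add((m["proto"], _port(m["port"])))
            continue
        m = ACL_RE.match(line)
        if m and m["host"] == vpn_host:
            acl.add((m["proto"], _port(m["port"])))
    return sorted(REQUIRED - nat, key=_key), sorted(REQUIRED - acl, key=_key)


# Constructed excerpt of the configuration posted in the question.
SAMPLE_CONFIG = """
ip nat inside source static udp 172.16.1.2 500 interface Serial0/0 500
ip nat inside source static esp 172.16.1.2 interface Serial0/0
ip nat inside source static tcp 172.16.1.2 443 interface Serial0/0 443
access-list 100 permit esp any host 172.16.1.2
access-list 100 permit ahp any host 172.16.1.2
access-list 100 permit udp any host 172.16.1.2 eq non500-isakmp
"""

if __name__ == "__main__":
    nat_gaps, acl_gaps = audit_passthrough(SAMPLE_CONFIG, "172.16.1.2")
    print("missing static NAT:", nat_gaps)   # [('udp', 4500)]
    print("missing ACL permit:", acl_gaps)   # [('udp', 500)]
```

A permit entry only takes effect once the list is applied with `ip access-group`; the configuration posted above defines access-list 100 but does not apply it to any interface.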
