08-03-2007 12:20 PM - edited 03-05-2019 05:42 PM
I have a VPN Firewall that is inside of a Cisco 1700 (software version 12.2) router. Remote users connect to the network via VPN, using SafeNET SoftRemote VPN Client.
The VPN connection establishes successfully, however once connected, the remote user is unable to connect or ping any node on the local network.
By viewing a TCPDump on the VPN Firewall, I can see the information when the VPN Connection is being established, but once the connection is made, it stops, suggesting that the VPN Data is not reaching the VPN Firewall.
How can I view what packets are being blocked per firewall policy on the Cisco?
The Current Configuration is posted below:
---------------------
Building configuration...
Current configuration : 3078 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname INRUMEC.Gurabo
!
boot system flash:c805-y6-mw.121-5.YB4
logging queue-limit 100
enable secret 5 $1$O0ho$u64.AwhsE!4uWV0G9ZDPyX/
!
ip subnet-zero
!
!
!
!
!
voice rtp send-recv
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
interface Loopback0
no ip address
!
interface FastEthernet0/0
description connected to EthernetLAN
ip address 172.16.1.1 255.255.255.252
ip nat inside
load-interval 30
speed auto
!
interface Serial0/0
ip address XXX.XXX.XXX.XXX 255.255.255.252
ip nat outside
service-module t1 timeslots 1-24
!
interface Serial1/0
description Connected to IslaNet Airlink
bandwidth 128
no ip address
encapsulation frame-relay IETF
load-interval 30
shutdown
no keepalive
!
interface Serial1/0.1 point-to-point
bandwidth 128
ip unnumbered Loopback0
frame-relay interface-dlci 532
!
interface Serial1/0.2 point-to-point
bandwidth 128
ip address 192.168.0.10 255.255.255.252
frame-relay interface-dlci 533
!
interface Serial1/0.515 point-to-point
ip address 10.0.10.1 255.255.255.0
frame-relay interface-dlci 515
!
ip nat pool ovrld XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX netmask 255.255.255.252
ip nat inside source list 1 pool ovrld overload
ip nat inside source static tcp 172.16.1.2 3389 interface Serial0/0 3389
ip nat inside source static tcp 172.16.1.2 110 interface Serial0/0 110
ip nat inside source static tcp 172.16.1.2 25 interface Serial0/0 25
ip nat inside source static udp 172.16.1.2 500 interface Serial0/0 500
ip nat inside source static esp 172.16.1.2 interface Serial0/0
ip nat inside source static tcp 172.16.1.2 80 interface Serial0/0 80
ip nat inside source static tcp 172.16.1.2 443 interface Serial0/0 443
ip classless
ip route 0.0.0.0 0.0.0.0 YYY.YYY.YYY.YYY
ip route 10.0.0.0 255.255.0.0 172.16.1.2
ip route 192.168.0.0 255.255.0.0 172.16.1.2
no ip http server
!
!
!
access-list 1 permit 172.16.1.0 0.0.0.255
access-list 100 permit esp any host 172.16.1.2
access-list 100 permit ahp any host 172.16.1.2
access-list 100 permit udp any host 172.16.1.2 eq non500-isakmp
access-list 100 permit tcp any host 172.16.1.2 eq smtp
access-list 100 permit tcp any host 172.16.1.2 eq pop3
access-list 100 permit tcp any host 172.16.1.2 eq 3389
!
call rsvp-sync
!
voice-port 2/0
timeouts call-disconnect 5
timeouts wait-release 5
connection plar 1000
!
voice-port 2/1
timeouts call-disconnect 5
timeouts wait-release 5
connection plar 1000
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
dial-peer voice 1000 voip
destination-pattern 1000
session target ipv4:10.0.0.1
!
dial-peer voice 1 pots
preference 10
destination-pattern 2000
port 2/0
!
dial-peer voice 2 pots
preference 9
destination-pattern 2000
port 2/1
!
!
line con 0
password 7 045802150C2E
login
transport preferred none
stopbits 1
line aux 0
line vty 0 4
password 7 014208164E06550C7548435817
login
transport preferred none
!
no scheduler allocate
end
INRUMEC.Gurabo#
08-05-2007 08:12 PM
Hi,
I think you may need to add udp 4500 (NAT-T) to your 1700 NAT configuration.
ip nat inside source static udp 172.16.1.2 4500 interface Serial0/0 4500
access-list 100 permit udp any host 172.16.1.2 eq 4500
Steve
08-03-2007 12:40 PM
You can probably debug isakmp.
08-03-2007 12:55 PM
Well, I'm not sure about this since the VPN is not terminating at the Cisco. The Cisco just needs to pass through to the VPN Firewall.
Also, could you be more specific with which commands to use.
Thank you
08-06-2007 06:30 AM
Yes, you were exactly right.
I had the access-list entry with
"access-list 100 permit udp any host 172.16.1.2 eq non500-isakmp"
as non500-isakmp is udp 4500, but I was missing this in the
"ip nat inside source.... " command.
Thank you for your help.
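As an added example (not from this thread or from Cisco), here is a small Python check for the mismatch found above: it reads the static NAT and access-list lines of an IOS config and reports, per inside host, which of the IPsec passthrough pieces (UDP 500, UDP 4500 NAT-T, ESP) is forwarded by NAT but not permitted by the ACL, or vice versa. The regexes and the sample config lines are constructed for the example.

```python
import re

# Constructed sample: the IPsec-related NAT and ACL lines from the thread, before the fix
# (UDP 500 and ESP forwarded, ACL permits non500-isakmp, but no static NAT for UDP 4500).
SAMPLE_CONFIG = """\
ip nat inside source static udp 172.16.1.2 500 interface Serial0/0 500
ip nat inside source static esp 172.16.1.2 interface Serial0/0
access-list 100 permit esp any host 172.16.1.2
access-list 100 permit udp any host 172.16.1.2 eq non500-isakmp
"""

NAT_UDP = re.compile(r"^ip nat inside source static udp (\S+) (\d+) interface \S+ (\d+)$")
NAT_ESP = re.compile(r"^ip nat inside source static esp (\S+) interface \S+$")
ACL_UDP = re.compile(r"^access-list \d+ permit udp any host (\S+) eq (\S+)$")
ACL_ESP = re.compile(r"^access-list \d+ permit esp any host (\S+)$")

# IOS keyword names an ACL may use instead of the numeric IKE ports.
PORT_NAMES = {"isakmp": "500", "non500-isakmp": "4500"}

# What an IPsec endpoint behind NAT needs both forwarded and permitted.
REQUIRED = {"udp/500", "udp/4500", "esp"}


def parse(config):
    """Return two dicts, host -> set of 'udp/<port>' or 'esp': NAT forwards and ACL permits."""
    nat, acl = {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := NAT_UDP.match(line):
            nat.setdefault(m.group(1), set()).add("udp/" + m.group(3))  # outside port
        elif m := NAT_ESP.match(line):
            nat.setdefault(m.group(1), set()).add("esp")
        elif m := ACL_UDP.match(line):
            port = PORT_NAMES.get(m.group(2), m.group(2))  # map keyword to number
            acl.setdefault(m.group(1), set()).add("udp/" + port)
        elif m := ACL_ESP.match(line):
            acl.setdefault(m.group(1), set()).add("esp")
    return nat, acl


def check_ipsec_passthrough(config):
    """For each host that looks like an IPsec endpoint, list what NAT and the ACL lack.
    Returns {host: {"nat": [...missing...], "acl": [...missing...]}} for hosts with gaps."""
    nat, acl = parse(config)
    findings = {}
    for host in sorted(set(nat) | set(acl)):
        have_nat, have_acl = nat.get(host, set()), acl.get(host, set())
        if not (have_nat | have_acl) & REQUIRED:
            continue  # plain port-forward host, not an IPsec endpoint
        missing = {"nat": sorted(REQUIRED - have_nat), "acl": sorted(REQUIRED - have_acl)}
        if missing["nat"] or missing["acl"]:
            findings[host] = missing
    return findings
```

Running it on the sample flags 172.16.1.2 with udp/4500 missing from NAT, which is the line the accepted answer adds; once that NAT entry is present the NAT side reports clean.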
08-05-2007 08:32 PM
hi,
you need to forward udp ports 500 & 4500.
rgrds,