Pass VPN traffic through 827


I'm trying to set up a remote access VPN to an ASA 5505 behind an 827 DSL router. The connections look like:


(local) 192.168.100.0
        |
        |
192.168.100.4 (inside)
(ASA)
10.10.10.3 (outside)
        |
        |
10.10.10.1 (inside)
(827)
        |
        |
(internet)


My config looks like this:


version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 827
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret xxx
!
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
ip name-server 166.102.165.11
ip name-server 166.102.165.13
ip ips po max-events 100
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
 ip mtu adjust
!
no ftp-server write-enable
!
!
!
!
no crypto isakmp ccm
!
!
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 pvc 0/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
interface Dialer1
 ip address 162.39.xxx.xxx 255.255.255.252
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username xxxxx password 7 0205105804141F
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static udp 10.10.10.3 50 162.39.xxx.xxx 500 extendable
ip nat inside source static udp 10.10.10.3 51 162.39.xxx.xxx 50 extendable
ip nat inside source static udp 10.10.10.3 500 162.39.xxx.xxx 51 extendable
ip nat inside source static tcp 10.10.10.3 1723 162.39.xxx.xxx 1723 extendable
!
access-list 1 permit 10.10.10.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 password xxx
 login
 length 0
!
scheduler max-task-time 5000
end


The NATs seem correct, but I wanted to verify them, as I'm fairly confident in the ASA's config.

Marwan ALshawi Sat, 08/16/2008 - 06:04
The most important two are

ip nat inside source static udp 10.10.10.3 500 162.39.xxx.xxx 500 extendable

The above is 500 to 500, not 50 to 500.

and ESP:

ip nat inside source static esp 10.10.10.3 162.39.xxx.xxx

And if you have an ACL you need to permit those as well.

Good luck.

Please rate if helpful.




Yeah, I was cutting and pasting the NATs around and the ports are all screwed up. It looks like this:

ip nat inside source static udp 10.10.10.3 50 162.39.22.xx 50 extendable
ip nat inside source static udp 10.10.10.3 51 162.39.22.xx 51 extendable
ip nat inside source static udp 10.10.10.3 500 162.39.22.xx 500 extendable
ip nat inside source static tcp 10.10.10.3 1723 162.39.22.xx 1723 extendable

I couldn't add a NAT for ESP to the public IP, so I added it to the dialer interface:

ip nat inside source static esp 10.10.10.3 interface Dialer1

Will try this config shortly, thanks for the help.
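As an added example (not part of the thread, and not Cisco's or either poster's code), the Python below parses the `ip nat inside source static` lines as posted in the question and as corrected in the follow-up, then reports the defects the answer points out: inside and outside ports that do not match, the IP protocol numbers 50 and 51 written as UDP ports, and a missing udp/500 or esp translation for the VPN host. The udp/4500 NAT-T line is informational and goes beyond what the thread discusses. Both config fragments are constructed from the thread's own lines, with its masked addresses.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the NAT statements as posted in the question
# (outside ports transposed between lines) and the corrected set from the
# follow-up post. Addresses are the thread's masked values.
POSTED_NATS = """\
ip nat inside source static udp 10.10.10.3 50 162.39.xxx.xxx 500 extendable
ip nat inside source static udp 10.10.10.3 51 162.39.xxx.xxx 50 extendable
ip nat inside source static udp 10.10.10.3 500 162.39.xxx.xxx 51 extendable
ip nat inside source static tcp 10.10.10.3 1723 162.39.xxx.xxx 1723 extendable
"""

CORRECTED_NATS = """\
ip nat inside source static udp 10.10.10.3 50 162.39.22.xx 50 extendable
ip nat inside source static udp 10.10.10.3 51 162.39.22.xx 51 extendable
ip nat inside source static udp 10.10.10.3 500 162.39.22.xx 500 extendable
ip nat inside source static tcp 10.10.10.3 1723 162.39.22.xx 1723 extendable
ip nat inside source static esp 10.10.10.3 interface Dialer1
"""

# Two shapes of static NAT appear in the thread: a port-level tcp/udp
# translation and a protocol-level esp translation. The global side is
# either a literal address or "interface <name>".
_PORT_NAT = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) "
    r"(?:interface (\S+)|(\S+)) (\d+)(?: extendable)?\s*$"
)
_ESP_NAT = re.compile(
    r"^ip nat inside source static esp (\S+) (?:interface (\S+)|(\S+))\s*$"
)


@dataclass
class StaticNat:
    proto: str                   # "tcp", "udp" or "esp"
    inside_ip: str
    inside_port: Optional[int]   # None for esp
    outside: str                 # global address or interface name
    outside_port: Optional[int]  # None for esp


def parse_static_nats(config: str) -> List[StaticNat]:
    """Extract the static NAT statements from an IOS config fragment."""
    nats = []
    for line in config.splitlines():
        line = line.strip()
        m = _PORT_NAT.match(line)
        if m:
            proto, in_ip, in_port, iface, gaddr, out_port = m.groups()
            nats.append(StaticNat(proto, in_ip, int(in_port),
                                  iface or gaddr, int(out_port)))
            continue
        m = _ESP_NAT.match(line)
        if m:
            in_ip, iface, gaddr = m.groups()
            nats.append(StaticNat("esp", in_ip, None, iface or gaddr, None))
    return nats


def audit_ipsec_passthrough(nats: List[StaticNat], vpn_host: str) -> List[str]:
    """Return findings about forwarding IPsec remote access to vpn_host.

    Checks: transposed inside/outside ports, IP protocol numbers written as
    UDP ports, and the two translations the answer calls essential
    (udp/500 for IKE and esp). The udp/4500 NAT-T check is informational
    only; the thread does not discuss it.
    """
    findings = []
    has_ike = has_esp = has_natt = False
    for n in nats:
        if n.inside_ip != vpn_host:
            continue
        if n.proto == "esp":
            has_esp = True
            continue
        if n.inside_port != n.outside_port:
            findings.append(
                f"mismatch: {n.proto}/{n.inside_port} on {n.inside_ip} is "
                f"published as {n.proto}/{n.outside_port}; ports should match"
            )
        if n.proto == "udp" and n.inside_port in (50, 51):
            findings.append(
                f"protocol-as-port: udp/{n.inside_port} is not IPsec; ESP and AH "
                "are IP protocols 50 and 51 and need a static esp translation"
            )
        if n.proto == "udp" and n.inside_port == 500 and n.outside_port == 500:
            has_ike = True
        if n.proto == "udp" and n.inside_port == 4500 and n.outside_port == 4500:
            has_natt = True
    if not has_ike:
        findings.append("missing: udp/500 -> udp/500 translation for IKE")
    if not has_esp:
        findings.append("missing: static esp translation for ESP payloads")
    if not has_natt:
        findings.append("info: no udp/4500 translation; NAT-T clients behind "
                        "their own NAT will not reach the ASA")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_NATS), ("corrected", CORRECTED_NATS)):
        print(f"== {label} ==")
        for f in audit_ipsec_passthrough(parse_static_nats(cfg), "10.10.10.3"):
            print(" ", f)
```

Run against the posted set it reports three port mismatches and both missing translations; against the corrected set only the udp/50 and udp/51 lines remain flagged, since they translate nothing IPsec actually sends once the esp statement is present.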

