Pass VPN traffic through 827

Unanswered Question
Aug 15th, 2008

I'm trying to set up a remote access VPN to an ASA 5505 behind an 827 DSL router. The connections look like:

(local) 192.168.100.0
          |
          |
192.168.100.4 (inside)
        (ASA)
10.10.10.3 (outside)
          |
          |
10.10.10.1 (inside)
        (827)
          |
          |
      (internet)

My config looks like this:

version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 827
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret xxx
!
no aaa new-model
ip subnet-zero
!
no ip domain lookup
ip name-server 166.102.165.11
ip name-server 166.102.165.13
ip ips po max-events 100
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
 ip mtu adjust
!
no ftp-server write-enable
!
no crypto isakmp ccm
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 pvc 0/35
  pppoe-client dial-pool-number 1
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
interface Dialer1
 ip address 162.39.xxx.xxx 255.255.255.252
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username xxxxx password 7 0205105804141F
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static udp 10.10.10.3 50 162.39.xxx.xxx 500 extendable
ip nat inside source static udp 10.10.10.3 51 162.39.xxx.xxx 50 extendable
ip nat inside source static udp 10.10.10.3 500 162.39.xxx.xxx 51 extendable
ip nat inside source static tcp 10.10.10.3 1723 162.39.xxx.xxx 1723 extendable
!
access-list 1 permit 10.10.10.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 password xxx
 login
 length 0
!
scheduler max-task-time 5000
end

The NATs seem correct, but I wanted to verify them, as I'm fairly confident in the ASA's config.

Marwan ALshawi Sat, 08/16/2008 - 06:04

The most important two are:

ip nat inside source static udp 10.10.10.3 500 162.39.xxx.xxx 500 extendable

The above is 500 to 500, not 50 to 500.

And ESP:

ip nat inside source static esp 10.10.10.3 162.39.xxx.xxx

And if you have an ACL, you need to permit those as well.

Good luck.

Please rate if helpful.

bpelino@clincht... Mon, 08/18/2008 - 06:04

Yeah, I was cutting and pasting the NATs around and the ports are all screwed up. It looks like this:

ip nat inside source static udp 10.10.10.3 50 162.39.22.xx 50 extendable
ip nat inside source static udp 10.10.10.3 51 162.39.22.xx 51 extendable
ip nat inside source static udp 10.10.10.3 500 162.39.22.xx 500 extendable
ip nat inside source static tcp 10.10.10.3 1723 162.39.22.xx 1723 extendable

I couldn't add a NAT for ESP to the public IP, so I added it to the dialer interface:

ip nat inside source static esp 10.10.10.3 interface Dialer1

Will try this config shortly, thanks for the help.
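The original poster asked for the NAT rules to be verified, and the two replies above turn on three details: the inside and global ports of each static rule must match, ESP is IP protocol 50 (and AH is 51) rather than a UDP port and so needs `ip nat inside source static esp`, and the VPN peer behind the router must actually have every protocol it relies on forwarded. The following Python lint is an added example written for this edit, not code from the thread or from Cisco. It parses `ip nat inside source static` lines in the two forms used on the page (global IP, or `interface Dialer1`) and reports those three problems. The sample inputs are constructed from the thread's NAT lines; 203.0.113.1 stands in for the redacted public address (an assumption, since the real address is masked on the page), and the corrected set also forwards UDP 4500, which IKEv1 peers switch to for NAT-T once they detect a NAT in the path.

```python
"""Lint Cisco IOS static NAT rules that pass an IPsec/IKE peer through a router.

Added example, not the thread's or Cisco's code. Sample rule sets below are
constructed from the lines posted in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IP protocol numbers that posters mistake for UDP ports. There is no "UDP 50":
# ESP rides directly on IP and is forwarded with 'ip nat inside source static esp'.
IP_PROTOCOL_NUMBERS = {50: "ESP", 51: "AH"}

# What an IKEv1/IPsec remote-access peer behind the router needs forwarded to it.
REQUIRED = (
    ("udp", 500, "IKE/ISAKMP"),
    ("udp", 4500, "IKE/IPsec NAT-T"),
    ("esp", None, "ESP, IP protocol 50"),
)

# Matches 'static {tcp|udp} in-ip in-port {global-ip|interface X} global-port [extendable]'
# and 'static esp in-ip {global-ip|interface X}'.
STATIC_RE = re.compile(
    r"^ip nat inside source static\s+(?P<proto>tcp|udp|esp)\s+(?P<in_ip>\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+(?P<in_port>\d+))?"
    r"\s+(?:interface\s+(?P<iface>\S+)|(?P<out_ip>\d+\.\d+\.\d+\.\d+))"
    r"(?:\s+(?P<out_port>\d+))?(?:\s+extendable)?\s*$"
)


@dataclass(frozen=True)
class StaticNat:
    proto: str
    inside_ip: str
    inside_port: Optional[int]
    outside: str  # a global IP, or "interface <name>"
    outside_port: Optional[int]


def parse_static_nat(config: str) -> List[StaticNat]:
    """Return the static NAT rules found in an IOS configuration text."""
    rules = []
    for raw in config.splitlines():
        m = STATIC_RE.match(raw.strip())
        if not m:
            continue  # dynamic 'source list ... overload' and other lines are ignored
        rules.append(StaticNat(
            proto=m["proto"], inside_ip=m["in_ip"],
            inside_port=int(m["in_port"]) if m["in_port"] else None,
            outside=f"interface {m['iface']}" if m["iface"] else m["out_ip"],
            outside_port=int(m["out_port"]) if m["out_port"] else None))
    return rules


def lint_vpn_passthrough(config: str, vpn_host: str) -> List[Tuple[str, str]]:
    """Return (code, detail) findings for the static rules that point at vpn_host."""
    findings: List[Tuple[str, str]] = []
    forwarded = set()  # (proto, port) pairs that reach vpn_host with the port unchanged
    for r in parse_static_nat(config):
        if r.inside_ip != vpn_host:
            continue
        if r.proto == "esp":
            forwarded.add(("esp", None))
            continue
        if r.inside_port != r.outside_port:
            findings.append(("port-translated",
                             f"{r.proto}/{r.outside_port} on {r.outside} is sent to "
                             f"{r.proto}/{r.inside_port}; global and inside ports should match"))
        else:
            forwarded.add((r.proto, r.inside_port))
        for port in sorted(p for p in {r.inside_port, r.outside_port} if p is not None):
            if port in IP_PROTOCOL_NUMBERS:
                findings.append(("protocol-not-port",
                                 f"{r.proto}/{port} is not a port: {IP_PROTOCOL_NUMBERS[port]} is "
                                 f"IP protocol {port}; use 'ip nat inside source static esp ...'"))
    for proto, port, what in REQUIRED:
        if (proto, port) not in forwarded:
            label = proto if port is None else f"{proto}/{port}"
            findings.append(("missing", f"no working static NAT for {label} ({what})"))
    return findings


# Constructed from the first post: ports mis-pasted, no ESP rule.
POSTED_NAT = """
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static udp 10.10.10.3 50 203.0.113.1 500 extendable
ip nat inside source static udp 10.10.10.3 51 203.0.113.1 50 extendable
ip nat inside source static udp 10.10.10.3 500 203.0.113.1 51 extendable
ip nat inside source static tcp 10.10.10.3 1723 203.0.113.1 1723 extendable
"""
# Constructed from the follow-up: ports now match, ESP added via Dialer1, "udp 50/51" kept.
FOLLOWUP_NAT = """
ip nat inside source static udp 10.10.10.3 50 203.0.113.1 50 extendable
ip nat inside source static udp 10.10.10.3 51 203.0.113.1 51 extendable
ip nat inside source static udp 10.10.10.3 500 203.0.113.1 500 extendable
ip nat inside source static tcp 10.10.10.3 1723 203.0.113.1 1723 extendable
ip nat inside source static esp 10.10.10.3 interface Dialer1
"""
# Corrected set: IKE, NAT-T and ESP forwarded, bogus "udp 50/51" rules dropped.
CORRECTED_NAT = """
ip nat inside source static udp 10.10.10.3 500 203.0.113.1 500 extendable
ip nat inside source static udp 10.10.10.3 4500 203.0.113.1 4500 extendable
ip nat inside source static esp 10.10.10.3 interface Dialer1
ip nat inside source static tcp 10.10.10.3 1723 203.0.113.1 1723 extendable
"""

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_NAT), ("follow-up", FOLLOWUP_NAT), ("corrected", CORRECTED_NAT)):
        print(f"== {name} ==")
        for code, detail in lint_vpn_passthrough(cfg, "10.10.10.3") or [("ok", "no findings")]:
            print(f"  [{code}] {detail}")
```

Run against the first post's rules it reports three translated ports, four uses of 50/51 as UDP ports, and no working forwarding for IKE, NAT-T or ESP; against the follow-up it is down to the two meaningless `udp 50`/`udp 51` rules and the absent UDP 4500. The lint only inspects the router's NAT rules; it says nothing about the ASA's own crypto configuration or about any ACL on the Dialer1 interface, which would also have to permit UDP 500, UDP 4500 and ESP.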
