08-15-2008 06:36 AM - edited 02-21-2020 03:53 PM
I'm trying to set up a remote access VPN to an ASA 5505 behind an 827 DSL router. The connections look like:
(local) 192.168.100.0
|
|
192.168.100.4(inside)
(ASA)
10.10.10.3 (outside)
|
|
10.10.10.1 (inside)
(827)
|
|
(internet)
My config looks like this:
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 827
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret xxx
!
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
ip name-server 166.102.165.11
ip name-server 166.102.165.13
ip ips po max-events 100
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
ip mtu adjust
!
no ftp-server write-enable
!
!
!
!
no crypto isakmp ccm
!
!
!
interface Ethernet0
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
hold-queue 224 in
!
interface ATM0.1 point-to-point
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Dialer1
ip address 162.39.xxx.xxx 255.255.255.252
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username xxxxx password 7 0205105804141F
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static udp 10.10.10.3 50 162.39.xxx.xxx 500 extendable
ip nat inside source static udp 10.10.10.3 51 162.39.xxx.xxx 50 extendable
ip nat inside source static udp 10.10.10.3 500 162.39.xxx.xxx 51 extendable
ip nat inside source static tcp 10.10.10.3 1723 162.39.xxx.xxx 1723 extendable
!
access-list 1 permit 10.10.10.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
line vty 0 4
access-class 23 in
exec-timeout 120 0
password xxx
login
length 0
!
scheduler max-task-time 5000
end
The NATs seem correct, but I wanted to verify them, as I'm fairly confident in the ASA's config.
08-16-2008 06:04 AM
The most important two are
ip nat inside source static udp 10.10.10.3 500 162.39.xxx.xxx 500 extendable
The above is 500 to 500, not 50 to 500.
And ESP:
ip nat inside source static esp 10.10.10.3 162.39.xxx.xxx
And if you have an ACL, you need to permit those as well.
Good luck.
Please rate if helpful.
08-18-2008 06:04 AM
Yeah, I was cutting and pasting the NATs around and the ports are all screwed up. It looks like this:
ip nat inside source static udp 10.10.10.3 50 162.39.22.xx 50 extendable
ip nat inside source static udp 10.10.10.3 51 162.39.22.xx 51 extendable
ip nat inside source static udp 10.10.10.3 500 162.39.22.xx 500 extendable
ip nat inside source static tcp 10.10.10.3 1723 162.39.22.xx 1723 extendable
I couldn't add a NAT for ESP to the public IP, so I added it to the dialer interface:
ip nat inside source static esp 10.10.10.3 interface Dialer1
Will try this config shortly, thanks for the help.
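As an added example (not code from the thread or from Cisco), a small Python lint that parses the static NAT lines from the first post and from the corrected follow-up and reports what the reply points out: local and global ports that differ, and a missing same-port UDP 500 entry or missing `static esp` entry for the ASA. The public address is a constructed placeholder (203.0.113.10), since the thread masks it.

```python
import re
# Constructed sample input: the static NAT lines from the first post, with the
# masked public address replaced by the documentation placeholder 203.0.113.10.
ORIGINAL_NAT = """\
ip nat inside source static udp 10.10.10.3 50 203.0.113.10 500 extendable
ip nat inside source static udp 10.10.10.3 51 203.0.113.10 50 extendable
ip nat inside source static udp 10.10.10.3 500 203.0.113.10 51 extendable
ip nat inside source static tcp 10.10.10.3 1723 203.0.113.10 1723 extendable
"""
# Constructed sample input: the corrected set from the follow-up post.
FIXED_NAT = """\
ip nat inside source static udp 10.10.10.3 500 203.0.113.10 500 extendable
ip nat inside source static tcp 10.10.10.3 1723 203.0.113.10 1723 extendable
ip nat inside source static esp 10.10.10.3 interface Dialer1
"""
PORT_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
ESP_RE = re.compile(r"^ip nat inside source static esp (\S+) (?:interface (\S+)|(\S+))")
def parse_static_nats(config):
    """One dict per 'ip nat inside source static' line; other lines are skipped."""
    entries = []
    for line in config.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            proto, local, lport, glob, gport = m.groups()
            entries.append({"proto": proto, "local": local, "lport": int(lport),
                            "global": glob, "gport": int(gport)})
            continue
        m = ESP_RE.match(line.strip())
        if m:  # global side is either an address or an interface name
            entries.append({"proto": "esp", "local": m.group(1),
                            "global": m.group(2) or m.group(3)})
    return entries
def check_ipsec_passthrough(entries, vpn_host):
    """Findings for an IPsec endpoint at vpn_host behind this NAT; [] means OK."""
    findings, udp500, esp = [], False, False
    for e in entries:
        if e["local"] != vpn_host:
            continue
        if e["proto"] == "esp":
            esp = True
        elif e["lport"] != e["gport"]:  # the cut-and-paste error in the first post
            findings.append(f"{e['proto']} {e['lport']}->{e['gport']}: local and global ports differ")
        elif e["proto"] == "udp" and e["lport"] == 500:
            udp500 = True
    if not udp500:
        findings.append("missing UDP 500 (ISAKMP) static NAT with the same port on both sides")
    if not esp:  # ESP is IP protocol 50, not UDP port 50, so a udp entry cannot carry it
        findings.append("missing 'ip nat inside source static esp' entry for the VPN host")
    return findings
```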