VPN - HELP PLEASE ;(

Unanswered Question
Sep 30th, 2008

I have a PIX 515E which works VPN wise to a remote site - we are replace the Linksys unit with a Cisco 871W. However I am having problems getting it to route ? I have VPN connected I believe however now connectivity....

ip inspect name Protection tcp

ip inspect name Protection udp

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

lifetime 3600

crypto isakmp key werewwerewrwerw address gateway address 197.x.x.54

!

!

crypto ipsec transform-set Support esp-3des esp-md5-hmac

!

crypto map Tunnel-Home 1 ipsec-isakmp

description Remote Support Tunnel

set peer 197.175.175.54

set transform-set Support

match address 100

!

!

bridge irb

!

interface FastEthernet4

ip address 197.175.175.10 255.255.255.0

ip inspect Protection in

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map Tunnel-Home

!

interface Vlan1

description iDNA Exhibition

no ip address

ip tcp adjust-mss 1452

bridge-group 1

bridge-group 1 spanning-disabled

!

interface BVI1

ip address 192.168.113.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 197.175.175.1

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source route-map Outbound interface FastEthernet4 overload

!

access-list 1 permit 192.168.113.0 0.0.0.255

access-list 1 permit 197.175.175.0 0.0.0.255

access-list 100 permit ip 192.168.113.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 101 permit ip 192.168.113.0 0.0.0.255 any

no cdp run

!

!

route-map Outbound permit 1

match ip address 101

!

!

control-plane

!

bridge 1 protocol ieee

bridge 1 route ip

banner login ^C

----------------------------------------------------------------------------

THIS TERMINAL IS ONLY FOR AUTHORISED ACCESS

IF YOU DO NOT HAVE AUTHORITY OR PERMISSION PLEASE DISCONNECT NOW!

----------------------------------------------------------------------------^C

!

line con 0

login local

no modem enable

line aux 0

line vty 0 4

privilege level 15

password *****

login local

transport input telnet ssh

!

scheduler max-task-time 5000

end

Thanks

Ed

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 1 (1 ratings)
Loading.
Marwan ALshawi Tue, 09/30/2008 - 08:39

u have problem with return traffic get nated do the following

change the nat ACL

access-list 102 deny ip 192.168.113.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 102 permit ip 192.168.113.0 0.0.0.255 any

route-map Outbound2 permit 1

match ip address 102

first remove the old nating do:

no ip nat inside source route-map Outbound interface FastEthernet4 overload

now creat the new one with new ACL and route-map:

ip nat inside source route-map Outbound2 interface FastEthernet4 overload

and make sure on the pix u have the sam eidea but on pix the nat exmption will be thorugh NAT 0 that include the return patch

if ur inside interface on pix named as inside u may have somthing like on PIX:

nat (inside) 0 access-list 103

access-list 103 permit ip 192.168.1.0 255.255.255.0 192.168.113.0 255.255.255.0

good luck

if helpful Rate

Actions

This Discussion