Cisco 1700 series router VPN passthrough to PIX

Unanswered Question

I have a 1700 series router and for some reason cannot get IPSec VPN information to forward onto a PIX 501. I am not quite sure where the config is going wrong. The router has an ADSL connection and a single IP address. I have a 4-port switch installed in this router so that I can use VLANs. Everything works fine with the DSL (i.e. browsing websites, email, etc.). Does anyone know what might be the issue?

Router Config

!
! Last configuration change at 19:58:13 UTC Mon Aug 2 2010
! NVRAM config last updated at 19:47:45 UTC Mon Aug 2 2010
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname DDI-DSL-ROUTER
!
boot-start-marker
boot-end-marker
!
no logging console
no logging monitor
enable secret 5 ****************************************
!
memory-size iomem 20
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
ip dhcp pool ddidsl
   network 192.168.19.0 255.255.255.248
   default-router 192.168.19.1
   dns-server 66.73.20.40
   lease 7
!
!
ip cef
no ip domain lookup
vpdn enable
!
vpdn-group 1
request-dialin
  protocol pppoe
!
!
!
!
!
interface ATM0/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0.1 point-to-point
pvc 0/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0/0
ip address 192.168.18.5 255.255.255.252
ip nat inside
ip virtual-reassembly
speed auto
no cdp enable
!
interface FastEthernet1/1
switchport access vlan 19
no cdp enable
spanning-tree portfast
!
interface FastEthernet1/2
switchport access vlan 19
no cdp enable
spanning-tree portfast
!
interface FastEthernet1/3
switchport access vlan 19
no cdp enable
spanning-tree portfast
!
interface FastEthernet1/4
switchport access vlan 19
no cdp enable
spanning-tree portfast
!
interface Vlan1
no ip address
!
interface Vlan19
ip address 192.168.19.1 255.255.255.248
ip nat inside
ip virtual-reassembly
!
interface Dialer1
ip address negotiated
ip access-group 101 in
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication pap callin
ppp pap sent-username [email protected] password 7 ******************
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
ip nat translation timeout 3600
ip nat inside source list NAT-INET interface Dialer1 overload
ip nat inside source static esp 192.168.19.4 interface Dialer1
ip nat inside source static udp 192.168.19.4 500 interface Dialer1 500
!
!
!
ip access-list extended NAT-INET
permit ip any any
access-list 1 permit 192.168.18.6 log
access-list 101 permit ip any any
snmp-server community ********* RO 1
no cdp run
!
!
control-plane
!
!
line con 0
password 7 **********
login
line aux 0
password 7 **********
login
line vty 0 4
access-class 1 in
password 7 **********
login
!
sntp server 129.6.15.28
end

PIX Config

: Saved
: Written by enable_15 at 16:16:06.138 UTC Mon Aug 2 2010
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password *********************** encrypted
passwd ***********************  encrypted
hostname TESTPIX
domain-name test.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list pixTOsw permit ip 172.29.1.0 255.255.255.0 10.200.10.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.19.4 255.255.255.248
ip address inside 172.29.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list pixTOsw
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.19.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 172.29.1.2 \pixbackup
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set colofw esp-aes-256 esp-sha-hmac
crypto map mapTOsw 67 ipsec-isakmp
crypto map mapTOsw 67 match address pixTOsw
crypto map mapTOsw 67 set peer 207.250.131.95
crypto map mapTOsw 67 set transform-set colofw
crypto map mapTOsw interface outside
crypto map maptosw 67 ipsec-isakmp
crypto map maptosw 67 match address pixTOsw
! Incomplete
isakmp enable outside
isakmp key ********************* address 207.250.131.95 netmask 255.255.255.255
isakmp identity address
isakmp policy 13 authentication pre-share
isakmp policy 13 encryption aes-256
isakmp policy 13 hash sha
isakmp policy 13 group 2
isakmp policy 13 lifetime 28800
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:6471751204a6ac49f240c54af7e16cfb
: end

jean.moncada Mon, 08/02/2010 - 14:30

Looks like you need to enable nat-traversal on your PIX.

Just enter

isakmp nat-traversal 20

on your PIX.

Hopefully that should resolve your problem.

Please let me know if it does or doesn't.


Thanks,
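To make the two halves of this check concrete, here is a small Python script added to this thread (it is not code from the question, the reply, or Cisco). It parses the router's `ip nat inside source static` lines from the config above and reports which IPsec forwards toward the PIX are missing, and it checks whether the PIX config contains `isakmp nat-traversal`. The reasoning it encodes is the standard NAT-T behaviour (RFC 3947/3948): IKE starts on UDP 500, and once NAT is detected between the peers, IKE and ESP both move to UDP 4500. So if NAT-T is turned on at the PIX as the reply suggests, the router in front of it also needs UDP 4500 forwarded to 192.168.19.4, which the posted config does not have. The function names, the regular expressions and the embedded config excerpts are my own constructions.

```python
import re
from typing import List, Optional, Tuple

# Constructed excerpt: the three NAT statements from the router config posted above.
ROUTER_NAT_CONFIG = """\
ip nat inside source list NAT-INET interface Dialer1 overload
ip nat inside source static esp 192.168.19.4 interface Dialer1
ip nat inside source static udp 192.168.19.4 500 interface Dialer1 500
"""

# Constructed excerpt: isakmp lines from the PIX config posted above (no nat-traversal line).
PIX_ISAKMP_CONFIG = """\
isakmp enable outside
isakmp identity address
isakmp policy 13 authentication pre-share
"""

# Matches IOS static NAT lines of the two shapes used in the posted config:
#   ip nat inside source static esp <host> interface <if>
#   ip nat inside source static udp <host> <lport> interface <if> <gport>
STATIC_NAT_RE = re.compile(
    r"^ip nat inside source static\s+(?P<proto>esp|udp|tcp)\s+"
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?:\s+(?P<lport>\d+))?"
    r"\s+interface\s+(?P<ifname>\S+)(?:\s+(?P<gport>\d+))?\s*$",
    re.MULTILINE,
)

Forward = Tuple[str, Optional[int]]  # (protocol, inside port; None for ESP)


def parse_static_nat(config: str) -> List[dict]:
    """Return one dict per static NAT statement found in an IOS config."""
    entries = []
    for m in STATIC_NAT_RE.finditer(config):
        entries.append({
            "proto": m.group("proto"),
            "host": m.group("host"),
            "lport": int(m.group("lport")) if m.group("lport") else None,
            "ifname": m.group("ifname"),
        })
    return entries


def router_passthrough_gaps(config: str, vpn_host: str, nat_t: bool) -> List[Forward]:
    """Forwards the router still lacks for an IPsec peer at vpn_host behind its NAT.

    Without NAT-T the peer needs IKE (UDP 500) and raw ESP forwarded to it.
    With NAT-T, IKE still begins on UDP 500 but IKE and ESP then move to
    UDP 4500 once NAT is detected, so UDP 4500 must be forwarded as well.
    """
    required = {("udp", 500)}
    required.add(("udp", 4500) if nat_t else ("esp", None))
    have = {(e["proto"], e["lport"])
            for e in parse_static_nat(config) if e["host"] == vpn_host}
    return sorted(required - have, key=lambda f: (f[0], f[1] or 0))


def pix_nat_traversal_enabled(config: str) -> bool:
    """True when a PIX 6.3 config contains 'isakmp nat-traversal [<keepalive-seconds>]'."""
    return re.search(r"^isakmp nat-traversal(?:\s+\d+)?\s*$",
                     config, re.MULTILINE) is not None


if __name__ == "__main__":
    pix_has_natt = pix_nat_traversal_enabled(PIX_ISAKMP_CONFIG)
    print("PIX nat-traversal enabled:", pix_has_natt)
    for mode in (False, True):
        gaps = router_passthrough_gaps(ROUTER_NAT_CONFIG, "192.168.19.4", nat_t=mode)
        print(f"router forwards missing with NAT-T={mode}:", gaps or "none")
```

Run against the excerpts as posted, the PIX check reports NAT-T disabled, the router shows no gaps for plain ESP passthrough, and the router shows UDP 4500 missing once NAT-T is assumed. The practical reading is that the reply's `isakmp nat-traversal 20` on the PIX and a matching `ip nat inside source static udp 192.168.19.4 4500 interface Dialer1 4500` on the router go together.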
