VPN and NAT trouble

Could someone tell me why this config would not work in theory when trying to VPN in from the outside (S1)?

service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname Company
!
no logging console
enable secret 5
enable password 7
!
ip subnet-zero
no ip finger
ip name-server 192.168.11.1
ip name-server 192.168.11.2
!
interface Loopback0
 no ip address
 no ip directed-broadcast
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
interface Serial0
 no ip address
 no ip directed-broadcast
 shutdown
 service-module 56k clock source line
 service-module 56k network-type dds
!
interface Serial1
 ip address 1.2.3.3 255.255.255.252
 ip access-group 110 out
 no ip directed-broadcast
 ip nat outside
 service-module t1 data-coding inverted
 service-module t1 timeslots 1-8
!
ip nat inside source list 1 interface Serial1 overload
ip nat inside source static udp 192.168.1.10 500 1.2.3.3 500 extendable
ip nat inside source static tcp 192.168.1.10 1723 1.2.3.3 1723 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 1.2.3.2
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 110 deny udp any any range netbios-ns netbios-ss
access-list 110 deny tcp any any range 137 139
access-list 110 deny udp any any eq bootpc
access-list 110 deny udp any any eq snmp
access-list 110 permit ip any any
!
line con 0
 exec-timeout 30 0
 password 7
 login
 transport input none
line vty 0 4
 exec-timeout 30 0
 password 7
 login
!
end

1 REPLY

Re: VPN and NAT trouble

The question is a little vague, so I'm not sure this is what you are looking for, but here are a few possibilities.

Depending on how you have IPSec configured, it will not work through a NAT. IPSec calculates its hash including the header, so when the header is rewritten by the NAT device, the receiving end discards the packet because the hash isn't correct.

Also, you are doing PAT. If you have one VPN tunnel that works but consecutive ones screw everything up, that is why: the consecutive devices end up stealing the port from the first connection, which then fails. The workaround for this is NAT-T.

Can you supply more information about the topology and configurations?
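To make the reply's NAT-T point concrete against the posted config, here is an added Python check (written for this page, not code from either poster or from Cisco). It parses the `ip nat inside source static` and `overload` lines, then compares what is forwarded to the inside host against what each inbound VPN type needs. Assumptions: the inside VPN endpoint is 192.168.1.10 (the host named in the static entries); IKE uses UDP 500, NAT-T encapsulates ESP in UDP 4500, plain ESP is IP protocol 50 and PPTP's data channel is GRE (IP protocol 47); the `VPN_REQUIREMENTS` table and the function names are this example's own. The config excerpt embedded below is a constructed copy of the three NAT lines from the post.

```python
import re
from dataclasses import dataclass

# Constructed excerpt: the NAT lines from the posted config, nothing else.
SAMPLE_CONFIG = """\
ip nat inside source list 1 interface Serial1 overload
ip nat inside source static udp 192.168.1.10 500 1.2.3.3 500 extendable
ip nat inside source static tcp 192.168.1.10 1723 1.2.3.3 1723 extendable
"""

# Port-level static entry: proto, inside ip/port, outside ip/port.
STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)"
)
# PAT (overload) on an interface address.
OVERLOAD_RE = re.compile(r"^ip nat inside source list \S+ interface \S+ overload")


@dataclass(frozen=True)
class StaticMap:
    proto: str
    inside_ip: str
    inside_port: int
    outside_ip: str
    outside_port: int


def parse_nat(config: str):
    """Return (list of StaticMap, overload_enabled) for an IOS config text."""
    statics = []
    overload = False
    for raw in config.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            statics.append(StaticMap(m[1], m[2], int(m[3]), m[4], int(m[5])))
        elif OVERLOAD_RE.match(line):
            overload = True
    return statics, overload


# What the edge router must deliver to the inside host for each VPN type.
# A port of None marks a bare IP protocol (ESP, GRE) that a "static tcp/udp"
# entry cannot express; this is exactly the case NAT-T exists to avoid.
VPN_REQUIREMENTS = {
    "IPsec (IKE + ESP, no NAT-T)": [("udp", 500), ("esp", None)],
    "IPsec with NAT-T": [("udp", 500), ("udp", 4500)],
    "PPTP": [("tcp", 1723), ("gre", None)],
}


def check_inbound_vpn(config: str, inside_host: str):
    """Map each VPN type to the list of requirements the config does not meet."""
    statics, _overload = parse_nat(config)
    forwarded = {
        (s.proto, s.outside_port) for s in statics if s.inside_ip == inside_host
    }
    report = {}
    for name, reqs in VPN_REQUIREMENTS.items():
        missing = []
        for proto, port in reqs:
            if port is None:
                missing.append(
                    f"{proto} (bare IP protocol, not mappable with a port-level static)"
                )
            elif (proto, port) not in forwarded:
                missing.append(f"{proto}/{port}")
        report[name] = missing
    return report


if __name__ == "__main__":
    for vpn, missing in check_inbound_vpn(SAMPLE_CONFIG, "192.168.1.10").items():
        status = "ok" if not missing else "missing: " + ", ".join(missing)
        print(f"{vpn}: {status}")
```

Run against the posted lines, the check reports that only the IKE (UDP 500) and PPTP control (TCP 1723) legs are forwarded; NAT-T would additionally need a UDP 4500 static, and neither ESP nor GRE can be carried by a port-level static on an interface that is also used for PAT overload. That is the concrete reading of the reply's "use NAT-T" advice for this config.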
