10-31-2003 12:01 PM - edited 03-02-2019 11:24 AM
Could someone tell me why this config would not work in theory when trying to VPN in from the outside (S1)?
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname Company
!
no logging console
enable secret 5
enable password 7
!
ip subnet-zero
no ip finger
ip name-server 192.168.11.1
ip name-server 192.168.11.2
!
interface Loopback0
no ip address
no ip directed-broadcast
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Serial0
no ip address
no ip directed-broadcast
shutdown
service-module 56k clock source line
service-module 56k network-type dds
!
interface Serial1
ip address 1.2.3.3 255.255.255.252
ip access-group 110 out
no ip directed-broadcast
ip nat outside
service-module t1 data-coding inverted
service-module t1 timeslots 1-8
!
ip nat inside source list 1 interface Serial1 overload
ip nat inside source static udp 192.168.1.10 500 1.2.3.3 500 extendable
ip nat inside source static tcp 192.168.1.10 1723 1.2.3.3 1723 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 1.2.3.2
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 110 deny udp any any range netbios-ns netbios-ss
access-list 110 deny tcp any any range 137 139
access-list 110 deny udp any any eq bootpc
access-list 110 deny udp any any eq snmp
access-list 110 permit ip any any
!
line con 0
exec-timeout 30 0
password 7
login
transport input none
line vty 0 4
exec-timeout 30 0
password 7
login
!
end
10-31-2003 01:49 PM
The question is a little vague, so I'm not sure this is what you are looking for, but here are a few possibilities.
Depending on how you have IPSec configured, it will not work through a NAT. IPSec calculates its hash including the header, so when the header is rewritten by the NAT device, the receiving end discards the packet because the hash isn't correct.
Also, you are doing PAT. If you have one VPN tunnel that works, but consecutive ones screw everything up, that is why: the consecutive devices end up stealing the port from the first connection, which then fails. The workaround for this is NAT-T.
Can you supply more information about the topology and configurations?
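As an added example (not part of either post above), the following Python script audits the `ip nat inside source static` lines of an IOS config, such as the one posted, and reports which pieces of an IPsec or PPTP VPN are actually forwarded to the inside VPN server. It assumes that only `tcp`/`udp` static port translations and plain one-to-one static entries appear, and it treats a one-to-one static mapping as covering all protocols (ESP, IP protocol 50, and GRE, IP protocol 47, included); the inside server address `192.168.1.10` and the sample config lines are taken from the posted config. The NAT-T port (UDP 4500) is the one the reply refers to.

```python
"""Audit inbound static NAT entries of a Cisco IOS config for VPN passthrough.

Added example, not code from the original thread. It checks whether the
components an IPsec or PPTP VPN needs are forwarded to the inside VPN server.
Assumption: a one-to-one static entry (no protocol keyword) passes every
IP protocol, so it is treated as covering ESP (50) and GRE (47) as well.
"""
import re

# Constructed sample: the NAT lines from the posted config, verbatim.
SAMPLE_CONFIG = """\
ip nat inside source list 1 interface Serial1 overload
ip nat inside source static udp 192.168.1.10 500 1.2.3.3 500 extendable
ip nat inside source static tcp 192.168.1.10 1723 1.2.3.3 1723 extendable
ip classless
"""

# 'ip nat inside source static <tcp|udp> <inside-ip> <inside-port> <outside-ip> <outside-port>'
STATIC_PORT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)"
)
# 'ip nat inside source static <inside-ip> <outside-ip>' (one-to-one, all protocols)
STATIC_ONE_TO_ONE_RE = re.compile(
    r"^ip nat inside source static (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)\s*$"
)

# What each VPN flavour needs to reach the inside server through the router.
# ('ip', n) denotes a raw IP protocol number rather than a TCP/UDP port.
REQUIREMENTS = {
    "ipsec": [("udp", 500, "IKE"), ("udp", 4500, "NAT-T"), ("ip", 50, "ESP")],
    "pptp": [("tcp", 1723, "PPTP control"), ("ip", 47, "GRE")],
}


def parse_static_nat(config):
    """Return (port_entries, one_to_one_hosts).

    port_entries: set of (proto, inside_ip, inside_port) tuples
    one_to_one_hosts: set of inside IPs that have a full static mapping
    """
    ports = set()
    hosts = set()
    for raw in config.splitlines():
        line = raw.strip()
        m = STATIC_PORT_RE.match(line)
        if m:
            ports.add((m.group(1), m.group(2), int(m.group(3))))
            continue
        m = STATIC_ONE_TO_ONE_RE.match(line)
        if m:
            hosts.add(m.group(1))
    return ports, hosts


def audit_vpn_passthrough(config, vpn_server):
    """Map each VPN flavour to the list of components NOT forwarded to vpn_server."""
    ports, hosts = parse_static_nat(config)
    report = {}
    for flavour, needs in REQUIREMENTS.items():
        missing = []
        for proto, number, label in needs:
            if vpn_server in hosts:
                continue  # one-to-one static NAT passes all protocols (assumption above)
            if proto in ("tcp", "udp") and (proto, vpn_server, number) in ports:
                continue  # explicit port translation present
            missing.append(f"{label} ({proto}/{number})")
        report[flavour] = missing
    return report


if __name__ == "__main__":
    for flavour, missing in audit_vpn_passthrough(SAMPLE_CONFIG, "192.168.1.10").items():
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{flavour}: {status}")
```

Run against the posted config, the script reports that only IKE (UDP 500) and the PPTP control channel (TCP 1723) are forwarded, while NAT-T (UDP 4500), ESP and GRE have no entry, which is the kind of gap to rule out before looking at the VPN endpoint itself.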