Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
241
Views
0
Helpful
1
Replies

VPN and NAT trouble

sross35
Level 1
Level 1

‎10-31-2003 12:01 PM - edited ‎03-02-2019 11:24 AM

Could someone tell me why this config would not work in theory when trying to VPN in from the outside(S1).

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

!

hostname Company

!

no logging console

enable secret 5

enable password 7

!

ip subnet-zero

no ip finger

ip name-server 192.168.11.1

ip name-server 192.168.11.2

!

interface Loopback0

no ip address

no ip directed-broadcast

!

interface Ethernet0

ip address 192.168.1.1 255.255.255.0

no ip directed-broadcast

ip nat inside

!

interface Serial0

no ip address

no ip directed-broadcast

shutdown

service-module 56k clock source line

service-module 56k network-type dds

!

interface Serial1

ip address 1.2.3.3 255.255.255.252

ip access-group 110 out

no ip directed-broadcast

ip nat outside

service-module t1 data-coding inverted

service-module t1 timeslots 1-8

!

ip nat inside source list 1 interface Serial1 overload

ip nat inside source static udp 192.168.1.10 500 1.2.3.3 500 extendable

ip nat inside source static tcp 192.168.1.10 1723 1.2.3.3 1723 extendable

ip classless

ip route 0.0.0.0 0.0.0.0 1.2.3.2

!

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 110 deny udp any any range netbios-ns netbios-ss

access-list 110 deny tcp any any range 137 139

access-list 110 deny udp any any eq bootpc

access-list 110 deny udp any any eq snmp

access-list 110 permit ip any any

!

line con 0

exec-timeout 30 0

password 7

login

transport input none

line vty 0 4

exec-timeout 30 0

password 7

login

!

end

Labels:
0 Helpful
1 Reply 1

forlorare
Level 1
Level 1

‎10-31-2003 01:49 PM

the question is a little vague, so Im not sure this is what you are looking for but here's a few possibilities.

Depending on how you have IPSec configured it will not work thru a NAT. IPSec calculates its hash including the header, so when the header is re-writen buy the nat device, the receiving end discards the packet because the hash isnt correct.

Also you are doing PAT. If you have 1 vpn tunnel that works, but consecutive ones screw everythign up that is why. For that the consecutive devices end up stealing the port from the first connection, which then fails. The work around for this is NAT-T.

Can you supply more information about the topology and configurations.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents