04-02-2001 01:43 PM - edited 02-21-2020 11:19 AM
Hello,
I have a client that needs to establish an IPSec tunnel from behind PAT on an 804 ISDN router. The router will be configured to get a dynamic address on the BRI from the ISP. The node that is running the VPN client is directly connected to the Ethernet port of the router. Is there any way to get this to work? If so, how? Thanks...
04-03-2001 11:24 PM
I'm on a similar problem. I haven't tested yet, but I believe that you have to configure your VPN client using manual keys and with the same manual configuration on the other peer. You have to disable ISAKMP based on UDP port 500. You can refer to a configuration in the "IPSEC user guide for the Cisco Secure PIX Firewall ver 5.3"; it is a PIX-to-PIX configuration but could be a good reference.
What about a proxy instead of a Cisco 8xx?
04-10-2001 03:08 AM
I have had this problem also in a similar (NAT) setup. ISAKMP would not work but manual keys were fine. I think it's because the HASH on ISAKMP can't be turned off (you can only choose between MD5 or SHA) and, because of the NAT, the packet will fail the HASH check.
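The NAT/hash interaction described in the post above, as an added Python sketch that is not from this thread or from any Cisco product: an AH-style integrity check covers the immutable IP addresses and fails once PAT rewrites the source, while an ESP-style check covers only the ESP body and still verifies. The key, addresses and payloads are all constructed for the demonstration.

```python
import hmac
import hashlib
import struct

KEY = b"constructed-demo-integrity-key"  # constructed shared integrity key


def ipv4_header(src, dst, proto, ttl=64):
    """Minimal constructed IPv4 header (20 bytes, no options, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))


def ah_icv(header, payload):
    """AH-style ICV: HMAC over the IP header with the mutable fields (TTL,
    header checksum) zeroed, plus the payload.  Source and destination
    addresses are immutable in AH terms, so they ARE covered by the hash."""
    h = bytearray(header)
    h[8] = 0                 # TTL changes per hop: mutable
    h[10:12] = b"\x00\x00"   # header checksum recomputed per hop: mutable
    return hmac.new(KEY, bytes(h) + payload, hashlib.sha1).digest()[:12]


def esp_icv(esp_body):
    """ESP-style ICV: HMAC over the ESP header and payload only; the outer
    IP header is not covered, so address rewriting does not affect it."""
    return hmac.new(KEY, esp_body, hashlib.sha1).digest()[:12]


def pat_rewrite(header, public_ip):
    """What the PAT box does to the outer header: rewrite the source address.
    It would also rewrite a port, but AH (51) and ESP (50) carry no ports."""
    return header[:12] + bytes(map(int, public_ip.split("."))) + header[16:]


def ah_survives_pat():
    """Sender computes the AH ICV, PAT rewrites the source, receiver re-checks."""
    hdr = ipv4_header("192.168.1.10", "203.0.113.5", 51)   # proto 51 = AH
    payload = b"constructed inner packet"
    sent_icv = ah_icv(hdr, payload)
    arrived = pat_rewrite(hdr, "198.51.100.7")
    return hmac.compare_digest(ah_icv(arrived, payload), sent_icv)   # False


def esp_survives_pat():
    """Same flow for ESP: the check ignores the outer header, so it passes."""
    hdr = ipv4_header("192.168.1.10", "203.0.113.5", 50)   # proto 50 = ESP
    esp_body = b"\x00\x00\x10\x00" + b"\x00\x00\x00\x01" + b"constructed ciphertext"
    sent_icv = esp_icv(esp_body)
    pat_rewrite(hdr, "198.51.100.7")     # outer header changes, body does not
    return hmac.compare_digest(esp_icv(esp_body), sent_icv)          # True
```

ESP passes the integrity check, but because it carries no port numbers a PAT box has nothing to multiplex on, which is a separate reason ESP through PAT needs a pass-through feature or a NAT-aware device such as the ones recommended later in the thread.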
05-07-2001 04:11 AM
This took me a while to figure out! Rather than show the config, just use Cisco's ConfigMaker to do it.
The main thing to remember is to allow the interface through the tunnel...
05-21-2001 05:40 AM
Hope your configuration would be working by now. I have implemented a VPN covering 130 retail sites, each site with a PC, one Cisco 803 and one ISDN BRI. The problem you have mentioned bugged me a lot. I struggled with Cisco Secure client and Check Point's SecuRemote. The problem is that you need true NAT for this to function properly. In the case of an 803 router dialing an ISP, what we get is a variable IP address each time, so a true inbound NAT cannot be established. I used eTrust VPN from Computer Associates. It has no issues working through PAT.
The other way is to have an IPSec tunnel between the 803 BRI and the head office PIX. With PIX you can have dynamic crypto maps, which can handle the variable IP addresses from originating routers.
I spent quite some time on this and I am happy the setup is working superbly. If you still have problems or need more information, feel free to contact me.
05-21-2001 01:57 PM
Can't be done and be secure in this setup.
Recommend the CVPN3002:
http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3002/get_strt/gs4cli.htm#xtocid183939
If connecting to a concentrator, you are OK. If you are connecting to a PIX, I would upgrade to v6.0(1) on the PIX software.
You will not be able to ping devices on the remote site from the main site. This is the only shortcoming of this.
If you do IPsec pass-through (if connecting to a PIX on the main site), please take caution: secondary connections do not re-authenticate with the SA and you are vulnerable to being hacked.