Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

problem with ip Nat transparency on cisco 827


i try to configure a cisco 827(configure with nat) for ip nat traversal . a vpn client behind this router can establish a vpn connection to remote pix.

but i can't ping any device behind the pix (doing also nat).

here my configuration on the cisco router (ios 12.2.T13) :

version 12.2

no parser cache

no service pad

service timestamps debug uptime

service timestamps log datetime

service password-encryption


hostname "sas827"


logging buffered 10000 warnings

logging monitor informational

enable secret 5 $1$dOFa$/wJ7UXsfgEfHzz6IHyMZb1

enable password 7 02140542


sas password 7 045F0A0D06321D

clock timezone CET 1

clock summer-time CET recurring

aaa new-model



aaa authentication banner * WELCOME TO RAY NETWORK *

aaa authentication login userauthen local group tacacs+

aaa authentication login no_tacacs enable

aaa authentication ppp local group tacacs+

aaa authorization network groupautho local group tacacs+

aaa session-id common

ip subnet-zero

ip name-server x.x.x.x

ip dhcp excluded-address

ip dhcp excluded-address


ip dhcp pool netclient



domain-name xxxxxx


lease 1 12


ip inspect audit-trail

vpdn enable


vpdn-group pppoe


protocol pppoe



crypto isakmp policy 1

hash md5

authentication pre-share

group 2

lifetime 300

crypto isakmp key raycyr address x.x.x.x

crypto isakmp keepalive 10 10

crypto isakmp nat keepalive 25



crypto ipsec transform-set desmd5 esp-des esp-md5-hmac


crypto map mode client authentication list userauthen

crypto map mode isakmp authorization list groupautho

crypto map mode client configuration address initiate

crypto map mode 1 ipsec-isakmp

description Tunnel IPSEC vers cyr

set peer x.x.x.x

set transform-set desmd5

match address 130






interface Loopback0

ip address


interface Ethernet0

ip address

ip nat inside

ip tcp adjust-mss 1452

no ip mroute-cache

no cdp enable

hold-queue 32 in

hold-queue 100 out


interface ATM0

no ip address

no ip mroute-cache

no atm ilmi-keepalive

pvc 8/35

encapsulation aal5snap

pppoe-client dial-pool-number 1



dsl operating-mode auto


interface Dialer0

ip address negotiated

ip mtu 1492

ip nat outside

encapsulation ppp

dialer pool 1

dialer-group 1

no cdp enable

ppp authentication chap pap callin

ppp chap hostname xxxxxxx

ppp chap password 7 0878594A0B085C1C

ppp pap sent-username xxxxxx password 7 10171C1D07064B00

crypto map mode


ip nat inside source route-map nonat 110 interface Dialer0 overload

ip classless

ip route Dialer0

no ip http server



access-list 101 permit ip any

access-list 110 deny ip

access-list 110 permit ip any

access-list 130 permit ip

dialer-list 110 protocol ip permit

no cdp run


route-map nonat permit 10

match ip address 110


radius-server authorization permit missing Service-Type


line con 0

login authentication no_tacacs

stopbits 1

line vty 0 4

exec-timeout 4 4

length 0


scheduler max-task-time 5000



thanks .

Cisco Employee

Re: problem with ip Nat transparency on cisco 827

Can't see anything wrong in the config. So need to know what you are trying to ping. To troubleshoot that You can use "traceroute x.x.x.x" command for the ip address to be pinged and see how far the packets go towards that ip address. You will see a point of block/failure there.

Make sure the pix is configured accordingly.

CreatePlease to create content