Problem with IP NAT transparency on Cisco 827

raydakis
Level 1

Hi,

I am trying to configure a Cisco 827 (configured with NAT) for IP NAT traversal. A VPN client behind this router can establish a VPN connection to a remote PIX.

But I can't ping any device behind the PIX (which is also doing NAT).

Here is my configuration on the Cisco router (IOS 12.2.T13):

version 12.2
no parser cache
no service pad
service timestamps debug uptime
service timestamps log datetime
service password-encryption
!
hostname "sas827"
!
logging buffered 10000 warnings
logging monitor informational
enable secret 5 $1$dOFa$/wJ7UXsfgEfHzz6IHyMZb1
enable password 7 02140542
!
sas password 7 045F0A0D06321D
clock timezone CET 1
clock summer-time CET recurring
aaa new-model
!
aaa authentication banner * WELCOME TO RAY NETWORK *
aaa authentication login userauthen local group tacacs+
aaa authentication login no_tacacs enable
aaa authentication ppp local group tacacs+
aaa authorization network groupautho local group tacacs+
aaa session-id common
ip subnet-zero
ip name-server x.x.x.x
ip dhcp excluded-address 192.168.20.1 192.168.20.49
ip dhcp excluded-address 192.168.20.101 192.168.20.254
!
ip dhcp pool netclient
   network 192.168.20.0 255.255.255.0
   dns-server 193.252.19.3 193.252.19.4
   domain-name xxxxxx
   default-router 192.168.20.1
   lease 1 12
!
ip inspect audit-trail
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
 lifetime 300
crypto isakmp key raycyr address x.x.x.x
crypto isakmp keepalive 10 10
crypto isakmp nat keepalive 25
!
crypto ipsec transform-set desmd5 esp-des esp-md5-hmac
!
crypto map mode client authentication list userauthen
crypto map mode isakmp authorization list groupautho
crypto map mode client configuration address initiate
crypto map mode 1 ipsec-isakmp
 description Tunnel IPSEC vers cyr
 set peer x.x.x.x
 set transform-set desmd5
 match address 130
 reverse-route
!
interface Loopback0
 ip address 172.16.1.1 255.255.0.0
!
interface Ethernet0
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 no ip mroute-cache
 no cdp enable
 hold-queue 32 in
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
 !
 bundle-enable
 dsl operating-mode auto
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxx
 ppp chap password 7 0878594A0B085C1C
 ppp pap sent-username xxxxxx password 7 10171C1D07064B00
 crypto map mode
!
ip nat inside source route-map nonat 110 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
!
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
access-list 110 deny ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 permit ip 192.168.20.0 0.0.0.255 any
access-list 130 permit ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
dialer-list 110 protocol ip permit
no cdp run
!
route-map nonat permit 10
 match ip address 110
!
radius-server authorization permit missing Service-Type
!
line con 0
 login authentication no_tacacs
 stopbits 1
line vty 0 4
 exec-timeout 4 4
 length 0
!
scheduler max-task-time 5000
end

Help,

thanks.

1 Reply

tepatel
Cisco Employee

I can't see anything wrong in the config, so I need to know what you are trying to ping. To troubleshoot, you can use the "traceroute x.x.x.x" command for the IP address to be pinged and see how far the packets get towards that address. You will see the point of blocking/failure there.

Make sure the PIX is configured accordingly.
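The three things worth verifying mechanically in a config like the one posted are: that every crypto-ACL permit has an exact matching deny in the route-map ACL used for NAT (otherwise the traffic is PAT'ed to the Dialer0 address before IPsec sees it and never matches the tunnel), that each `dialer-group N` is backed by a `dialer-list N`, and that no `password 7` lines are left in a config that gets pasted into a public forum, since type 7 is reversible obfuscation and `service password-encryption` does not protect the credential. The small Python linter below is an added example, not code from the original post or from Cisco. It runs those checks over a constructed copy of the posted NAT, crypto and dialer lines. Two assumptions: the "110" in the posted `ip nat inside source route-map nonat 110 ...` line is treated as a paste artefact (IOS syntax is `route-map NAME interface ...`), and the real type-7 strings from the post are replaced with the widely published example `094F471A1A0A`. On this sample the NAT-exemption check passes (the deny in ACL 110 matches the permit in ACL 130 term for term), `dialer-group 1` is reported as having no `dialer-list 1` (the config defines `dialer-list 110`), and the type-7 password is recovered. Whether the dialer-list mismatch has anything to do with the ping failure cannot be told from the post; the linter only reports the inconsistency.

```python
import re
from collections import defaultdict

# Constructed sample: the NAT / crypto / dialer fragments of the config posted
# above. The type-7 value is a published example ("cisco"), not the posted one,
# and the stray "110" in the NAT statement is dropped (assumed paste artefact).
SAMPLE_CONFIG = """\
enable password 7 094F471A1A0A
interface Dialer0
 ip address negotiated
 ip nat outside
 dialer pool 1
 dialer-group 1
 crypto map mode
!
ip nat inside source route-map nonat interface Dialer0 overload
access-list 110 deny ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 permit ip 192.168.20.0 0.0.0.255 any
access-list 130 permit ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
dialer-list 110 protocol ip permit
route-map nonat permit 10
 match ip address 110
crypto map mode 1 ipsec-isakmp
 set peer 192.0.2.1
 match address 130
"""

ACL_RE = re.compile(r"access-list (\d+) (permit|deny) ip (\S+) (\S+) (\S+)(?: (\S+))?$")

# Fixed key used by IOS type-7 obfuscation (public since the 1990s).
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def parse_acls(cfg):
    """Return {acl_number: [(action, src, src_wc, dst, dst_wc), ...]}.
    'any' carries no wildcard, so dst_wc is '' for it."""
    acls = defaultdict(list)
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            num, action, src, swc, dst, dwc = m.groups()
            acls[num].append((action, src, swc, dst, dwc or ""))
    return acls


def unexempted_crypto_entries(acls, nat_acl, crypto_acl):
    """Crypto-ACL permits with no identical deny in the NAT route-map ACL."""
    denies = {e[1:] for e in acls.get(nat_acl, []) if e[0] == "deny"}
    return [e for e in acls.get(crypto_acl, []) if e[0] == "permit" and e[1:] not in denies]


def undefined_dialer_groups(cfg):
    """dialer-group N under an interface must be backed by a dialer-list N."""
    groups = set(re.findall(r"^\s*dialer-group (\d+)", cfg, re.M))
    lists = set(re.findall(r"^dialer-list (\d+) ", cfg, re.M))
    return groups - lists


def decode_type7(blob):
    """Reverse a type-7 password: first two digits are a salt index into
    TYPE7_KEY, the rest is hex of plaintext XOR key bytes."""
    salt = int(blob[:2])
    data = bytes.fromhex(blob[2:])
    return "".join(chr(b ^ ord(TYPE7_KEY[(salt + i) % len(TYPE7_KEY)]))
                   for i, b in enumerate(data))


def lint(cfg):
    """Run the NAT-exemption, dialer-list and type-7 checks; return findings."""
    findings = []
    acls = parse_acls(cfg)
    m = re.search(r"^ip nat inside source route-map (\S+)", cfg, re.M)
    if not m:
        findings.append("no route-map based NAT statement found")
    else:
        rmap = m.group(1)
        rm = re.search(rf"^route-map {re.escape(rmap)} permit \d+\n\s+match ip address (\d+)",
                       cfg, re.M)
        if not rm:
            findings.append(f"route-map {rmap} is used by NAT but has no 'match ip address'")
        else:
            nat_acl = rm.group(1)
            for crypto_acl in re.findall(r"^\s+match address (\d+)", cfg, re.M):
                for e in unexempted_crypto_entries(acls, nat_acl, crypto_acl):
                    findings.append(f"crypto ACL {crypto_acl} entry {e[1:]} "
                                    f"is not denied in NAT ACL {nat_acl}")
    for g in sorted(undefined_dialer_groups(cfg)):
        findings.append(f"dialer-group {g} has no matching dialer-list {g}")
    for line in cfg.splitlines():
        t = re.search(r"password 7 ([0-9A-Fa-f]+)", line)
        if t:
            findings.append(f"type-7 password on '{line.strip()}' "
                            f"decodes to {decode_type7(t.group(1))!r}")
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print("FINDING:", f)
```

Run it against a `show running-config` capture instead of `SAMPLE_CONFIG` to get the same report for a live router; the NAT check deliberately demands a term-for-term match between the deny and the permit, because a broader or narrower deny is exactly the kind of difference that lets some tunnel traffic through PAT.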