Forward Traffic for VPN Concentrator 3000 (NAT PROBLEM)

Charlie Mayes
Level 1

Hello All,

I have been trying to forward traffic through my router to my VPN concentrator. Please look at the config below and let me know if I have the correct NAT configs as well as the correct ACLs. My VPN concentrator's internal IP is 10.100.1.2. All of this is being done through NAT. Also, I have been getting this error whenever I attempt to connect using my VPN: (Cisco VPN - Error "Reason 412: The remote peer is no longer responding.") Please be aware that I only have one IP address for the public internet, which is 74.99.240.120. Thanks.

hostname
!
boot-start-marker
boot-end-marker
!
no logging console
no logging monitor
enable
!
aaa new-model
!
aaa authentication login default local
!
aaa session-id common
clock timezone EASTERN -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.100.1.1 10.100.1.10
!
ip dhcp pool PRIMARYPOOL
network 10.100.1.0 255.255.255.0
domain-name
dns-server
default-router 10.100.1.1
lease 3
!
no ip domain lookup
ip domain name
ip ips notify SDEE
ip ips name sdm_ips_rule
!
crypto pki trustpoint TP-self-signed-1594146880
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1594146880
revocation-check none
rsakeypair TP-self-signed-1594146880
!
interface FastEthernet0/0
description WAN
ip address dhcp
ip access-group 110 in
ip nat outside
ip ips sdm_ips_rule in
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
no fair-queue
!
interface FastEthernet0/1
description PRIMARYLAN$ES_LAN$
ip address 10.100.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip http server
ip http secure-server
ip nat pool WANPOOL 74.99.240.120 74.99.240.120 netmask 255.255.255.0
ip nat inside source list 1 pool WANPOOL overload
ip nat inside source static udp 10.100.1.2 500 74.99.240.120 500 extendable
ip nat inside source static udp 10.100.1.2 4500 74.99.240.120 4500 extendable
ip nat inside source static tcp 10.100.1.2 10000 74.99.240.120 10000 extendable
ip nat inside source static udp 10.100.1.2 10000 74.99.240.120 10000 extendable
!
access-list 1 permit 10.100.1.0 0.0.0.255
access-list 101 permit tcp any 10.100.1.0 0.0.0.255 eq www established
access-list 101 permit tcp any 192.168.2.0 0.0.0.255 eq www established
access-list 102 deny tcp any host 74.99.240.120 eq telnet
access-list 102 permit ip any any
access-list 110 permit udp any host 74.99.240.120 eq isakmp
access-list 110 permit udp any host 74.99.240.120 eq non500-isakmp
access-list 110 permit udp any host 74.99.240.120 eq 62515
access-list 110 permit udp any host 74.99.240.120 eq 10000
access-list 110 permit tcp any host 74.99.240.120 eq 10000
access-list 110 permit ip any any
control-plane

18 Replies

I noticed that the 16 matches did not increment at all. Yes I am making an attempt to connect each time. Weird HUH!!!

Charlie

If you are making attempts to connect but the counter is not incrementing, then it suggests that these hits in the access list are from some previous time (and some previous state of your config). To verify this can you do a clear counter access-list, do show access-list to verify that the counters are zero, make an attempt to connect (or maybe two), and post the output of show access-list from after the attempt to connect?

HTH

Rick


Hello Rick,

I cleared the counter. You are right, my client does not seem to be calling out for UDP port 4500. Any ideas?

HQ2>en
Password:
HQ2#sh ACCESS-lists
Standard IP access list 1
10 permit 10.100.1.0, wildcard bits 0.0.0.255 (300 matches)
Extended IP access list 101
10 permit tcp any 10.100.1.0 0.0.0.255 eq www established
20 permit tcp any 192.168.2.0 0.0.0.255 eq www established
Extended IP access list 110
10 permit udp any host 74.99.240.120 eq isakmp (4 matches)
20 permit udp any host 74.99.240.120 eq non500-isakmp
30 permit udp any host 74.99.240.120 eq 62515
40 permit udp any host 74.99.240.120 eq 10000
50 permit tcp any host 74.99.240.120 eq 10000
60 permit ip any any (10348 matches)

HQ2#sh ACCESS-lists
Standard IP access list 1
10 permit 10.100.1.0, wildcard bits 0.0.0.255 (301 matches)
Extended IP access list 101
10 permit tcp any 10.100.1.0 0.0.0.255 eq www established
20 permit tcp any 192.168.2.0 0.0.0.255 eq www established
Extended IP access list 110
10 permit udp any host 74.99.240.120 eq isakmp (6 matches)
20 permit udp any host 74.99.240.120 eq non500-isakmp
30 permit udp any host 74.99.240.120 eq 62515
40 permit udp any host 74.99.240.120 eq 10000
50 permit tcp any host 74.99.240.120 eq 10000
60 permit ip any any (10669 matches)

HQ2#sh ACCESS-lists
Standard IP access list 1
10 permit 10.100.1.0, wildcard bits 0.0.0.255 (301 matches)
Extended IP access list 101
10 permit tcp any 10.100.1.0 0.0.0.255 eq www established
20 permit tcp any 192.168.2.0 0.0.0.255 eq www established
Extended IP access list 110
10 permit udp any host 74.99.240.120 eq isakmp (6 matches)
20 permit udp any host 74.99.240.120 eq non500-isakmp
30 permit udp any host 74.99.240.120 eq 62515
40 permit udp any host 74.99.240.120 eq 10000
50 permit tcp any host 74.99.240.120 eq 10000
60 permit ip any any (10777 matches)

HQ2#sh ACCESS-lists
Standard IP access list 1
10 permit 10.100.1.0, wildcard bits 0.0.0.255 (330 matches)
Extended IP access list 101
10 permit tcp any 10.100.1.0 0.0.0.255 eq www established
20 permit tcp any 192.168.2.0 0.0.0.255 eq www established
Extended IP access list 110
10 permit udp any host 74.99.240.120 eq isakmp (8 matches)
20 permit udp any host 74.99.240.120 eq non500-isakmp
30 permit udp any host 74.99.240.120 eq 62515
40 permit udp any host 74.99.240.120 eq 10000
50 permit tcp any host 74.99.240.120 eq 10000
60 permit ip any any (11228 matches)

HQ2#sh ACCESS-lists
Standard IP access list 1
10 permit 10.100.1.0, wildcard bits 0.0.0.255 (405 matches)
Extended IP access list 101
10 permit tcp any 10.100.1.0 0.0.0.255 eq www established
20 permit tcp any 192.168.2.0 0.0.0.255 eq www established
Extended IP access list 110
10 permit udp any host 74.99.240.120 eq isakmp (8 matches)
20 permit udp any host 74.99.240.120 eq non500-isakmp
30 permit udp any host 74.99.240.120 eq 62515
40 permit udp any host 74.99.240.120 eq 10000
50 permit tcp any host 74.99.240.120 eq 10000
60 permit ip any any (11912 matches)

HQ2#sh ACCESS-lists
Standard IP access list 1
10 permit 10.100.1.0, wildcard bits 0.0.0.255 (607 matches)
Extended IP access list 101
10 permit tcp any 10.100.1.0 0.0.0.255 eq www established
20 permit tcp any 192.168.2.0 0.0.0.255 eq www established
Extended IP access list 110
10 permit udp any host 74.99.240.120 eq isakmp (11 matches)
20 permit udp any host 74.99.240.120 eq non500-isakmp
30 permit udp any host 74.99.240.120 eq 62515
40 permit udp any host 74.99.240.120 eq 10000
50 permit tcp any host 74.99.240.120 eq 10000
60 permit ip any any (15091 matches)

Charlie

Here is what I believe that we have determined so far:

- the client is attempting to negotiate ISAKMP but does not appear to be receiving any responses from the concentrator.

- the requests from the client are getting to the router and are on UDP 500.

- the router is not seeing any requests on UDP 4500 which is what is needed to get this to work.

I would suggest that the next step is to check the concentrator. Is it seeing requests from the client? Is there any indication of what it is doing with them? (you might need to change the logging level on a couple of categories like ISAKMP to see what is going on)

I worked an issue once that had some symptoms similar to what you are experiencing. It turned out to be a mismatch between the group ID and group password between what was configured on the client and what was configured on the concentrator. It might be worth entering the group and password again on both concentrator and client to be sure that they match.

HTH

Rick
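The check Rick walks through above (clear the counters, attempt a connection, compare `show access-lists` before and after) can be done mechanically. The following is an added example, not code from the thread or from Cisco: it parses two constructed snapshots of `show access-lists` output (modelled on the ones posted, with made-up counts) and reports whether the ISAKMP (UDP 500) and NAT-T (UDP 4500, `non500-isakmp`) entries of ACL 110 incremented during the attempt.

```python
import re

# Two constructed `show access-lists` snapshots taken around one connection
# attempt, modelled on the thread's output (indentation and counts made up).
SNAPSHOT_BEFORE = """\
Extended IP access list 110
    10 permit udp any host 74.99.240.120 eq isakmp (4 matches)
    20 permit udp any host 74.99.240.120 eq non500-isakmp
    50 permit tcp any host 74.99.240.120 eq 10000
    60 permit ip any any (10348 matches)
"""
SNAPSHOT_AFTER = """\
Extended IP access list 110
    10 permit udp any host 74.99.240.120 eq isakmp (11 matches)
    20 permit udp any host 74.99.240.120 eq non500-isakmp
    50 permit tcp any host 74.99.240.120 eq 10000
    60 permit ip any any (15091 matches)
"""

ACL_HEADER = re.compile(r"^(?:Standard|Extended) IP access list (\S+)\s*$")
# IOS omits the "(N matches)" suffix on an entry that has never been hit.
ACE_LINE = re.compile(r"^\s*(\d+)\s+((?:permit|deny)\b.*?)(?:\s+\((\d+) matches\))?\s*$")

def parse_counters(output):
    """Map (acl, sequence) -> (ace text, match count) for one snapshot."""
    counters, acl = {}, None
    for line in output.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            acl = header.group(1)
            continue
        ace = ACE_LINE.match(line)
        if ace and acl is not None:
            seq, text, hits = ace.groups()
            counters[(acl, seq)] = (text, int(hits or 0))
    return counters

def counter_deltas(before, after):
    """Per-ACE increase in matches between two snapshots (new entries start at 0)."""
    old = parse_counters(before)
    return {key: (text, hits - old.get(key, (text, 0))[1])
            for key, (text, hits) in parse_counters(after).items()}

def vpn_ports_seen(deltas, acl="110", ports=("eq isakmp", "eq non500-isakmp")):
    """Did IKE (UDP 500, isakmp) and NAT-T (UDP 4500, non500-isakmp) each hit the ACL?"""
    return {port: any(name == acl and port in text and delta > 0
                      for (name, _), (text, delta) in deltas.items())
            for port in ports}
```

With the sample snapshots the result is `{"eq isakmp": True, "eq non500-isakmp": False}`, which is the same picture the thread arrives at: IKE reaches the router, NAT-T traffic never does.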
