05-21-2009 01:57 AM - edited 03-04-2019 04:50 AM
Hello All,
I have been trying to forward traffic through my router to my VPN concentrator. Please look at the config below and let me know if I have the correct NAT configs as well as the correct ACLs. My VPN concentrator's internal IP is 10.100.1.2. All of this is being done through NAT. Also, I have been getting this error whenever I attempt to connect using my VPN (Cisco VPN - Error "Reason 412: The remote peer is no longer responding."). Please be aware that I only have one IP address for the public internet, which is 74.99.240.120. Thanks.
hostname
!
boot-start-marker
boot-end-marker
!
no logging console
no logging monitor
enable
!
aaa new-model
!
!
aaa authentication login default local
!
aaa session-id common
clock timezone EASTERN -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.100.1.1 10.100.1.10
!
ip dhcp pool PRIMARYPOOL
network 10.100.1.0 255.255.255.0
domain-name
dns-server
default-router 10.100.1.1
lease 3
!
!
no ip domain lookup
ip domain name
ip ips notify SDEE
ip ips name sdm_ips_rule
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1594146880
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1594146880
revocation-check none
rsakeypair TP-self-signed-1594146880
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description WAN
ip address dhcp
ip access-group 110 in
ip nat outside
ip ips sdm_ips_rule in
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
no fair-queue
!
interface FastEthernet0/1
description PRIMARYLAN$ES_LAN$
ip address 10.100.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip http server
ip http secure-server
ip nat pool WANPOOL 74.99.240.120 74.99.240.120 netmask 255.255.255.0
ip nat inside source list 1 pool WANPOOL overload
ip nat inside source static udp 10.100.1.2 500 74.99.240.120 500 extendable
ip nat inside source static udp 10.100.1.2 4500 74.99.240.120 4500 extendable
ip nat inside source static tcp 10.100.1.2 10000 74.99.240.120 10000 extendable
ip nat inside source static udp 10.100.1.2 10000 74.99.240.120 10000 extendable
!
access-list 1 permit 10.100.1.0 0.0.0.255
access-list 101 permit tcp any 10.100.1.0 0.0.0.255 eq www established
access-list 101 permit tcp any 192.168.2.0 0.0.0.255 eq www established
access-list 102 deny tcp any host 74.99.240.120 eq telnet
access-list 102 permit ip any any
access-list 110 permit udp any host 74.99.240.120 eq isakmp
access-list 110 permit udp any host 74.99.240.120 eq non500-isakmp
access-list 110 permit udp any host 74.99.240.120 eq 62515
access-list 110 permit udp any host 74.99.240.120 eq 10000
access-list 110 permit tcp any host 74.99.240.120 eq 10000
access-list 110 permit ip any any
control-plane
05-31-2009 04:51 PM
I noticed that the 16 matches did not increment at all. Yes, I am making an attempt to connect each time. Weird, huh!!!
05-31-2009 05:01 PM
Charlie
If you are making attempts to connect but the counter is not incrementing, then it suggests that these hits in the access list are from some previous time (and some previous state of your config). To verify this can you do a clear counter access-list, do show access-list to verify that the counters are zero, make an attempt to connect (or maybe two), and post the output of show access-list from after the attempt to connect?
HTH
Rick
05-31-2009 05:33 PM
Hello Rick,
I cleared the counter. You are right, my client does not seem to be calling out for UDP port 4500. Any ideas??
HQ2>en
Password:
HQ2#sh ACCESS-lists
Standard IP access list 1
10 permit 10.100.1.0, wildcard bits 0.0.0.255 (300 matches)
Extended IP access list 101
10 permit tcp any 10.100.1.0 0.0.0.255 eq www established
20 permit tcp any 192.168.2.0 0.0.0.255 eq www established
Extended IP access list 110
10 permit udp any host 74.99.240.120 eq isakmp (4 matches)
20 permit udp any host 74.99.240.120 eq non500-isakmp
30 permit udp any host 74.99.240.120 eq 62515
40 permit udp any host 74.99.240.120 eq 10000
50 permit tcp any host 74.99.240.120 eq 10000
60 permit ip any any (10348 matches)
HQ2#sh ACCESS-lists
Standard IP access list 1
10 permit 10.100.1.0, wildcard bits 0.0.0.255 (301 matches)
Extended IP access list 101
10 permit tcp any 10.100.1.0 0.0.0.255 eq www established
20 permit tcp any 192.168.2.0 0.0.0.255 eq www established
Extended IP access list 110
10 permit udp any host 74.99.240.120 eq isakmp (6 matches)
20 permit udp any host 74.99.240.120 eq non500-isakmp
30 permit udp any host 74.99.240.120 eq 62515
40 permit udp any host 74.99.240.120 eq 10000
50 permit tcp any host 74.99.240.120 eq 10000
60 permit ip any any (10669 matches)
HQ2#sh ACCESS-lists
Standard IP access list 1
10 permit 10.100.1.0, wildcard bits 0.0.0.255 (301 matches)
Extended IP access list 101
10 permit tcp any 10.100.1.0 0.0.0.255 eq www established
20 permit tcp any 192.168.2.0 0.0.0.255 eq www established
Extended IP access list 110
10 permit udp any host 74.99.240.120 eq isakmp (6 matches)
20 permit udp any host 74.99.240.120 eq non500-isakmp
30 permit udp any host 74.99.240.120 eq 62515
40 permit udp any host 74.99.240.120 eq 10000
50 permit tcp any host 74.99.240.120 eq 10000
60 permit ip any any (10777 matches)
HQ2#sh ACCESS-lists
Standard IP access list 1
10 permit 10.100.1.0, wildcard bits 0.0.0.255 (330 matches)
Extended IP access list 101
10 permit tcp any 10.100.1.0 0.0.0.255 eq www established
20 permit tcp any 192.168.2.0 0.0.0.255 eq www established
Extended IP access list 110
10 permit udp any host 74.99.240.120 eq isakmp (8 matches)
20 permit udp any host 74.99.240.120 eq non500-isakmp
30 permit udp any host 74.99.240.120 eq 62515
40 permit udp any host 74.99.240.120 eq 10000
50 permit tcp any host 74.99.240.120 eq 10000
60 permit ip any any (11228 matches)
HQ2#sh ACCESS-lists
Standard IP access list 1
10 permit 10.100.1.0, wildcard bits 0.0.0.255 (405 matches)
Extended IP access list 101
10 permit tcp any 10.100.1.0 0.0.0.255 eq www established
20 permit tcp any 192.168.2.0 0.0.0.255 eq www established
Extended IP access list 110
10 permit udp any host 74.99.240.120 eq isakmp (8 matches)
20 permit udp any host 74.99.240.120 eq non500-isakmp
30 permit udp any host 74.99.240.120 eq 62515
40 permit udp any host 74.99.240.120 eq 10000
50 permit tcp any host 74.99.240.120 eq 10000
60 permit ip any any (11912 matches)
HQ2#sh ACCESS-lists
Standard IP access list 1
10 permit 10.100.1.0, wildcard bits 0.0.0.255 (607 matches)
Extended IP access list 101
10 permit tcp any 10.100.1.0 0.0.0.255 eq www established
20 permit tcp any 192.168.2.0 0.0.0.255 eq www established
Extended IP access list 110
10 permit udp any host 74.99.240.120 eq isakmp (11 matches)
20 permit udp any host 74.99.240.120 eq non500-isakmp
30 permit udp any host 74.99.240.120 eq 62515
40 permit udp any host 74.99.240.120 eq 10000
50 permit tcp any host 74.99.240.120 eq 10000
60 permit ip any any (15091 matches)
05-31-2009 06:49 PM
Charlie
Here is what I believe that we have determined so far:
- the client is attempting to negotiate ISAKMP but does not appear to be receiving any responses from the concentrator.
- the requests from the client are getting to the router and are on UDP 500.
- the router is not seeing any requests on UDP 4500 which is what is needed to get this to work.
I would suggest that the next step is to check the concentrator. Is it seeing requests from the client? Is there any indication of what it is doing with them? (you might need to change the logging level on a couple of categories like ISAKMP to see what is going on)
I worked an issue once that had some symptoms similar to what you are experiencing. It turned out to be a mismatch between the group ID and group password between what was configured on the client and what was configured on the concentrator. It might be worth entering the group and password again on both concentrator and client to be sure that they match.
HTH
Rick
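Rick's procedure (clear the counters, attempt a connection, compare two "show access-lists" outputs) and the conclusion he draws from it (hits on the UDP 500 ACE, none on the UDP 4500 ACE) can be scripted so the ACE that did or did not see traffic stands out without reading six pages of output by eye. The Python below is an added example, not code from this thread or from Cisco: it parses the first and last snapshots Charlie posted (copied inline so it runs offline), computes the per-ACE counter delta, and reports which of the IPsec-related ACEs on ACL 110 received any traffic. Treating 110 as the WAN-facing ACL, the port keyword list and all function names are my assumptions taken from the config in the first post.

```python
"""Diff hit counters between two IOS 'show access-lists' snapshots.

Added example (not from the thread): automates the clear-counters /
reconnect / compare procedure so that the ACE which did (or did not)
increment is reported directly.
"""
import re
from typing import Dict, Tuple

# Two of the snapshots posted in the thread (the first and the last one).
SNAPSHOT_FIRST = """\
Standard IP access list 1
10 permit 10.100.1.0, wildcard bits 0.0.0.255 (300 matches)
Extended IP access list 101
10 permit tcp any 10.100.1.0 0.0.0.255 eq www established
20 permit tcp any 192.168.2.0 0.0.0.255 eq www established
Extended IP access list 110
10 permit udp any host 74.99.240.120 eq isakmp (4 matches)
20 permit udp any host 74.99.240.120 eq non500-isakmp
30 permit udp any host 74.99.240.120 eq 62515
40 permit udp any host 74.99.240.120 eq 10000
50 permit tcp any host 74.99.240.120 eq 10000
60 permit ip any any (10348 matches)
"""

SNAPSHOT_LAST = """\
Standard IP access list 1
10 permit 10.100.1.0, wildcard bits 0.0.0.255 (607 matches)
Extended IP access list 101
10 permit tcp any 10.100.1.0 0.0.0.255 eq www established
20 permit tcp any 192.168.2.0 0.0.0.255 eq www established
Extended IP access list 110
10 permit udp any host 74.99.240.120 eq isakmp (11 matches)
20 permit udp any host 74.99.240.120 eq non500-isakmp
30 permit udp any host 74.99.240.120 eq 62515
40 permit udp any host 74.99.240.120 eq 10000
50 permit tcp any host 74.99.240.120 eq 10000
60 permit ip any any (15091 matches)
"""

LIST_RE = re.compile(r"^(?:Standard|Extended) IP access list (\S+)$")
# "<seq> <rule> (<n> matches)"; IOS omits the parenthesised count when it is zero.
ACE_RE = re.compile(r"^(\d+)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?$")

Counters = Dict[Tuple[str, str], Tuple[str, int]]  # (acl, seq) -> (rule, hits)


def parse_access_lists(text: str) -> Counters:
    """Parse 'show access-lists' output into {(acl, seq): (rule text, hit count)}."""
    counters: Counters = {}
    acl = None
    for raw in text.splitlines():
        line = raw.strip()
        m = LIST_RE.match(line)
        if m:
            acl = m.group(1)
            continue
        m = ACE_RE.match(line)
        if m and acl is not None:
            seq, rule, hits = m.groups()
            counters[(acl, seq)] = (rule, int(hits) if hits else 0)
    return counters


def counter_deltas(before: Counters, after: Counters) -> Counters:
    """Per-ACE increment between two snapshots (negative means counters were cleared)."""
    return {
        key: (rule, hits - before.get(key, (rule, 0))[1])
        for key, (rule, hits) in after.items()
    }


# Port keywords IOS prints for the ACEs the IPsec client path depends on
# (assumption: ACL 110 is the WAN-facing ACL, as in the first post's config).
IPSEC_PORTS = ("isakmp", "non500-isakmp", "10000")


def ipsec_ports_seen(deltas: Counters, acl: str = "110") -> Dict[str, bool]:
    """True for each IPsec-related port whose ACE(s) in `acl` incremented at all."""
    seen = {port: False for port in IPSEC_PORTS}
    for (name, _seq), (rule, delta) in deltas.items():
        if name != acl:
            continue
        for port in IPSEC_PORTS:
            if rule.endswith(" eq " + port):
                seen[port] = seen[port] or delta > 0
    return seen


if __name__ == "__main__":
    deltas = counter_deltas(parse_access_lists(SNAPSHOT_FIRST),
                            parse_access_lists(SNAPSHOT_LAST))
    for (acl, seq), (rule, delta) in sorted(deltas.items()):
        print(f"acl {acl:>3} seq {seq:>3} +{delta:<6} {rule}")
    print("IPsec ports with traffic:", ipsec_ports_seen(deltas))
```

Run it against two real captures taken before and after a connection attempt. On the posted snapshots it reports isakmp as seen and non500-isakmp and 10000 as not seen, which is exactly the "UDP 500 arrives, UDP 4500 never does" picture above; the increments on ACL 1 and on the final permit ip any any are ordinary NAT and WAN traffic and say nothing about the VPN.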