PPTP being blocked by nonat

Hi All,

Apologies for posting this again, but I'm banging my head against the wall. I just can't (and other people can't) seem to figure out why the below isn't working.

I have a Cisco 2600 at Head Office (192.168.0.0 network) and we have a Linksys at our Sat Site 1 (192.168.254.0) network.

I have a problem where at HQ we have 2 IPs NAT'ed from the internet.

77.88.44.82 NAT's to 192.168.0.10

77.88.44.83 NAT's to 192.168.0.12

Everything works fine, both networks can ping each other, but we have a PPTP VPN going from 77.88.44.82 to 192.168.0.10.

With the below config I can't get onto the VPN; it looks like the GRE tunnel is being blocked, as it verifies username and password but nothing else.

I know it's something to do with access-list 121, as when I remove that PPTP works fine, and/or something to do with:

ip nat inside source static 192.168.0.10 77.88.44.82 route-map nonat
ip nat inside source static 192.168.0.12 77.88.44.83 route-map nonat

Again, if I remove the route-map nonat PPTP is fine, but then I can't ping 192.168.0.10 or 192.168.0.12 from the 192.168.254.0 network, with it being NAT'ed by Dialer0.

I would be extremely grateful if anybody could point me in the right direction. I've been trying to figure this out for about 3 weeks now :(

Running Config:

Current configuration : 8527 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname NDB-GW1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
no logging console
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
aaa session-id common
ip subnet-zero
no ip source-route
ip cef
ip tcp synwait-time 10
!
!
ip inspect name ndbfw cuseeme timeout 3600
ip inspect name ndbfw rcmd timeout 3600
ip inspect name ndbfw realaudio timeout 3600
ip inspect name ndbfw udp timeout 15
ip inspect name ndbfw tcp timeout 3600
ip inspect name ndbfw h323 timeout 3600
ip inspect name ndbfw ftp timeout 3600
ip inspect name ndbfw icmp timeout 3600
ip inspect name ndbfw sip timeout 3600
ip inspect name ndbfw rtsp timeout 3600
!
ip audit po max-events 100
no ip bootp server
ip domain name ndb-europe.local
ip name-server 212.50.160.100
ip name-server 213.249.130.100
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ************* address 87.112.122.130
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer 87.112.122.130
set transform-set 3DES-SHA
set pfs group2
match address Crypto-list
!
!
!
interface Null0
no ip unreachables
!
interface ATM0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 1/50
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface Ethernet0/0
description Inside Ethernet LAN
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
load-interval 30
full-duplex
no cdp enable
hold-queue 100 out
!
interface TokenRing0/0
no ip address
shutdown
ring-speed 16
no cdp enable
!
interface Serial1/0
no ip address
shutdown
no cdp enable
!
interface Serial1/1
no ip address
shutdown
no cdp enable
!
interface Serial1/2
no ip address
shutdown
no cdp enable
!
interface Serial1/3
no ip address
shutdown
no cdp enable
!
interface Dialer0
description Outside Connection to Karoo
bandwidth 960
ip address 77.88.44.81 255.255.255.248
ip access-group 111 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect ndbfw out
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname ***********************
ppp chap password 7 *********************
crypto map VPN-Map-1
!
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static udp 192.168.0.12 2727 77.88.44.81 2727 extendable
ip nat inside source static udp 192.168.0.12 5082 77.88.44.81 5082 extendable
ip nat inside source static tcp 192.168.0.15 80 77.88.44.81 80 extendable
ip nat inside source static tcp 192.168.0.15 8088 77.88.44.81 8088 extendable
ip nat inside source static tcp 192.168.0.17 8080 77.88.44.81 8080 extendable
ip nat inside source static udp 192.168.0.17 514 77.88.44.81 514 extendable
ip nat inside source static udp 192.168.0.17 162 77.88.44.81 162 extendable
ip nat inside source static 192.168.0.10 77.88.44.82 route-map nonat
ip nat inside source static 192.168.0.12 77.88.44.83 route-map nonat
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
ip dns server
!
ip access-list extended Crypto-list
permit ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255
!
route-map nonat permit 10
match ip address 121
!
logging trap debugging
logging 192.168.0.17
access-list 4 remark NAT-ACL
access-list 4 permit 192.168.0.0 0.0.0.255

access-list 100 remark NAT-ACL
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 111 permit tcp any any eq domain
access-list 111 permit udp any any eq domain
access-list 111 permit ip 192.168.254.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 111 permit ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 111 permit udp host 87.112.122.130 any eq isakmp
access-list 111 permit esp host 87.112.122.130 any
access-list 111 permit tcp any host 77.88.44.81 eq www
access-list 111 permit tcp any host 77.88.44.81 eq 8088
access-list 111 permit tcp any host 77.88.44.81 eq 443
access-list 111 permit tcp any host 77.88.44.81 eq 8080
access-list 111 permit udp any host 77.88.44.81 eq syslog
access-list 111 permit udp any host 77.88.44.81 eq snmptrap
access-list 111 permit tcp any host 77.88.44.82 eq 1723
access-list 111 permit tcp any host 77.88.44.82 eq 4125
access-list 111 permit tcp any host 77.88.44.82 eq 443
access-list 111 permit tcp any host 77.88.44.82 eq 444
access-list 111 permit tcp any host 77.88.44.82 eq 993
access-list 111 permit tcp any host 77.88.44.82 eq smtp
access-list 111 permit tcp any host 77.88.44.82 eq 8019
access-list 111 permit udp any host 77.88.44.82 eq 8019
access-list 111 permit gre any host 77.88.44.82
access-list 111 permit tcp any host 77.88.44.83 eq 2727
access-list 111 permit tcp any host 77.88.44.83 eq 5082
access-list 111 permit udp any host 77.88.44.83 range 5060 5062
access-list 111 permit udp any host 77.88.44.83 range 10000 20000
access-list 111 permit gre any any
access-list 111 deny   ip any any log
access-list 121 deny ip 192.168.0.10 0.0.0.255 192.168.254.0 0.0.0.255
access-list 121 deny ip 192.168.0.12 0.0.0.255 192.168.254.0 0.0.0.255
access-list 121 permit ip host 192.168.0.10 any
access-list 121 permit ip host 192.168.0.12 any

no cdp run
!
snmp-server community ndbsnmp RO
snmp-server location Comms Rack - Suite 29
snmp-server contact NDB Support
snmp-server chassis-id Cisco 2600 Router
snmp-server enable traps snmp linkdown linkup coldstart warmstart
snmp-server host 192.168.0.17 version 2c ndbsnmp
!
banner motd ^CC
****************************
*      WARNING BANNER      *
****************************

WARNING - Authorized Access only

The owner and any subsidiary companies, has proprietary rights
over this system and data. Unauthorized access is unlawful and may
result in legal proceedings.

All access to this system is monitored.
^C
!
line con 0
privilege level 15
transport preferred all
transport output all
line aux 0
transport input telnet ssh
transport output all
line vty 0 4
privilege level 15
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
ntp master
!
end

Sh Version:

Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-ADVSECURITYK9-M), Version 12.3(12), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Mon 29-Nov-04 15:40 by kellythw
Image text-base: 0x80008098, data-base: 0x81321610

ROM: System Bootstrap, Version 12.2(10r)1, RELEASE SOFTWARE (fc1)
ROM: C2600 Software (C2600-ADVSECURITYK9-M), Version 12.3(12), RELEASE SOFTWARE (fc3)

NDB-GW1 uptime is 1 hours, 6 minutes
System returned to ROM by reload at 07:36:39 UTC Thu Mar 4 1993
System restarted at 00:00:02 UTC Mon Mar 1 1993
System image file is "flash:c2600-advsecurityk9-mz.123-12.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.

cisco 2612 (MPC860) processor (revision 0x00) with 61440K/4096K bytes of memory.
Processor board ID JAD06420NHZ (3618697550)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
1 Ethernet/IEEE 802.3 interface(s)
1 Token Ring/IEEE 802.5 interface(s)
4 Low-speed serial(sync/async) network interface(s)
1 ATM network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

Cheers

Si
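An added example (not part of the original post, and not IOS code) that models only the part of the config the poster suspects: how IOS wildcard masks in access-list 121 decide whether route-map nonat lets the static translations for 192.168.0.10 and 192.168.0.12 apply. The ACL lines are copied from the post; the flows tested are constructed. It shows that "192.168.0.10 0.0.0.255" matches the whole 192.168.0.0/24, not just host .10, and says nothing about IOS's order of NAT versus routing or about GRE handling.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)

def parse_entry(line):
    """Parse 'access-list N permit|deny ip <src> <dst>' (IP-protocol entries only).

    <src>/<dst> may be 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    tok = line.split()
    assert tok[0] == "access-list" and tok[3] == "ip", line
    action, i, fields = tok[2], 4, []
    for _ in range(2):
        if tok[i] == "any":
            fields.append(("0.0.0.0", "255.255.255.255")); i += 1
        elif tok[i] == "host":
            fields.append((tok[i + 1], "0.0.0.0")); i += 2
        else:
            fields.append((tok[i], tok[i + 1])); i += 2
    return action, fields[0], fields[1]

def acl_action(entries, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, (sb, sw), (db, dw) in entries:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

# Access-list 121 exactly as it appears in the posted running config.
ACL_121 = [parse_entry(l) for l in """
access-list 121 deny ip 192.168.0.10 0.0.0.255 192.168.254.0 0.0.0.255
access-list 121 deny ip 192.168.0.12 0.0.0.255 192.168.254.0 0.0.0.255
access-list 121 permit ip host 192.168.0.10 any
access-list 121 permit ip host 192.168.0.12 any
""".strip().splitlines()]

def static_nat_applies(src, dst):
    """route-map nonat permit 10 / match ip address 121: the static
    translation is used only for flows that ACL 121 permits."""
    return acl_action(ACL_121, src, dst) == "permit"

if __name__ == "__main__":
    for src, dst in [("192.168.0.10", "192.168.254.20"),   # site-to-site: no NAT
                     ("192.168.0.10", "203.0.113.5"),      # internet: static NAT
                     ("192.168.0.50", "192.168.254.20")]:  # caught by the /24 deny
        print(src, "->", dst, "static NAT:", static_nat_applies(src, dst))
```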
