837 to 837 VPN with PAT?

I have a working VPN connecting to of Cisco 837.

The client has a requirement for external access to RDP, POP3 and OWA... seemed pretty simple, just add:

IP nat inside source static tcp etc... but as soon as I add these PAT, internal access to these services fails immediately via the VPN to the other end (Site B).

Site to config following (Site B is running 192.168.42.x range with a virtually identical config (No. PAT of good)

version 12.3

no service button

horodateurs service debug uptime

Log service timestamps uptime

encryption password service

hostname FNN0755241374

logging buffered debugging 10000

no console logging

Select the secret xxxxxxxx

xxxxx xxxxxxxx password username

clock timezone IS 10

summer clock-time DEST recurring last Sun Oct 02:00 last Sun Mar 02:00

No aaa new-model

IP subnet zero

no ip domain search

IP cef

audit of IP notify Journal

Max-events of po verification IP 100

No ftp server enable write

crypto ISAKMP policy 10

md5 hash

preshared authentication

ISAKMP crypto key address 203.x.x.25 xxxxxxxxxxx

Crypto ipsec transform-set esp - esp-md5-hmac tweed_to_mur

tweed_vpn 10 ipsec-isakmp crypto map

defined by peer 203.149.73.25

Set transform-set tweed_to_mur

match address 102

interface Ethernet0

Description FNN0755241374 LAN

IP 192.168.40.254 255.255.255.0

IP nat inside

No keepalive

Hold-queue 100 on

ATM0 interface

no ip address

No atm ilmi-keepalive

DSL-ITU - dmt operation mode

point-to-point interface ATM0.1

Description 0755241374 (L2TP)

PVC 8/35

aal5mux encapsulation ppp Dialer

Dialer pool-member 1

interface FastEthernet1

no ip address

automatic duplex

automatic speed

interface FastEthernet2

no ip address

automatic duplex

automatic speed

interface FastEthernet3

no ip address

automatic duplex

automatic speed

interface FastEthernet4

no ip address

automatic duplex

automatic speed

interface Dialer1

Description 0755241374 (L2TP) PPPoa RRSM512

MTU 1400

the negotiated IP address

NAT outside IP

encapsulation ppp

Dialer pool 1

Dialer-Group 1

No cdp enable

PPP chap hostname xxxx

PPP chap password xxxx

tweed_vpn card crypto

overload of IP nat inside source list 103 interface Dialer1

IP nat inside source static tcp 192.168.40.1 21 203.149.71.130 21 expandable

IP nat inside source static tcp 192.168.40.1 20 203.149.71.130 20 expandable

IP nat inside source static tcp 192.168.40.1 80 203.149.71.130 80 extensible

IP nat inside source static tcp 192.168.40.4 25 203.149.71.130 25 expandable

IP nat inside source static tcp 192.168.40.4 110 203.149.71.130 110 extensible

IP nat inside source static tcp 192.168.40.4 143 203.149.71.130 143 extensible

IP nat inside source static tcp 192.168.40.4 80 203.149.67.193 80 extensible

IP classless

IP route 0.0.0.0 0.0.0.0 Dialer1

no ip address of the http server

no ip http secure server

Note access-list 11 * license end customer address space for NAT

access-list 11 permit 192.168.1.0 0.0.0.255

Journal of access list 99 license 203.149.69.5

Journal of access list 99 license 203.149.64.91

access-list 99 refuse any newspaper

access-list 102 permit ip 192.168.40.0 0.0.0.255 192.168.42.0 0.0.0.255

access-list 102 deny ip 192.168.40.0 0.0.0.255 any

access-list 103 deny ip 192.168.40.0 0.0.0.255 192.168.42.0 0.0.0.255

access-list 103 allow ip 192.168.40.0 0.0.0.255 any

Dialer-list 1 ip protocol allow

Server SNMP community readstring RO

SNMP-Server RO community readwritestring

Enable SNMP-Server intercepts ATS

Line con 0

exec-timeout 0 0

password xxxx

opening of session

no activation of the modem

StopBits 1

line to 0

line vty 0 4

access-class 99 in

exec-timeout 2 0

password xxxx

local connection

max-task-time 5000 Planner

end

FNN0755241374 #.

Kind regards

This is because have priority the static NAT NAT overload control and therefore access list 103 is no longer deny these packets to be NAT had

This example configuration you get:

http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080094634.shtml

Tags: Cisco Security

Similar Questions

With PAT on Cisco PIX VPN client

Dear all,

I have a PIX 515 to the main site with the IPSec security is enabled. Homepage user using 3.x VPN client connects to the PIX for VPN access. When user Home use real IP, I can ping to the local network of the main site. However, when the Home user using a router with PAT, the VPN can be established.

Is there a setting I should put on PIX, VPN client or router?

Thank you.

Doug

And if you still have problems, upgrade your pix, 6.3 and usage:

ISAKMP nat-traversal

But the first thing would be to check the IPSEC passthrough as Ade suggested. If the device is a linksys check the version of the firmware as well.

Kind regards

How to bind a VPN (TX via VPN) with a sat (RX via DVB - S2) / Windows Vista Home Edition / Multiple dial conections

I use a Windows Vista Home Edition on a laptop. The system connects to the Internet through a cellular router EDGE (via Ethernet) and receives the data by linking receiver DVB - S2 satellite broadband connected via a USB interface. The connection is through a VPN. Windows Vista loses the symbol of the "blue planet", as soon as the VPN connects. Authentication and connectivity is OK. DNS also works OK by the way VPN, with pointing to the VPN IP address 0.0.0.0. The diagnosis indicates an error where Vista says that she finds multiple active dial connections. Y at - it a configuration option that allows me to bind the interface transmission (VPN) with return channel satellite? The same software and configuration under Windows XP SP3 works OK.

Thanks in advance for your advice.

Hello

Your question of Windows 7 is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the IT Pro TechNet public. Please post your question in the Technet Forum. You can follow the link to your question:
http://social.technet.Microsoft.com/forums/en-us/category/w7itpro

You can also check the links below for assistance.

http://TechNet.Microsoft.com/en-us/library/cc728078 (WS.10) .aspx

http://TechNet.Microsoft.com/en-us/library/cc737767 (WS.10) .aspx

Hope that helps.

How to create vpn with vista home premium on basis of vpn xp settings?

I can connect to the vpn with xp machine, but when I try to imitate xp setting with machine to vista Home premium I can't connect to the same vpn. What do you suggest me?

How to create a vpn connection in Vista: http://techrepublic.com.com/2346-1035_11-61437-1.html?tag=content;leftCol. NOTE: I don't know what you mean "based" vpn xp settings, but you will have to do the best you can with the options and settings available in Vista (that I n "' t know how they compare to XP, but I hope that you will be able to do so because).

Here is another article on the procedure: http://www.publicvpn.com/support/Vista.php.

Here is an article on how configure a VPN with an ISP in Vista: http://www.web-articles.info/e/a/title/How-to-create-a-VPN-connection-over-your-ISP-connection/.

Here is an article with a number of different other items all on vpn in Vista (I don't know exactly what type of configuration you "AVIC - as a host, as a customer, on what type of connection,--but this article covers many different aspects and I hope that at least a couple will be a help for you: http://compnetworking.about.com/od/vpnsetup/VPN_Setup_How_to_Set_Up_a_VPN.htm.)

I hope this helps.

Good luck!

Lorien - MCSA/MCSE/network + / has + - if this post solves your problem, please click the 'Mark as answer' or 'Useful' button at the top of this message. Marking a post as answer, or relatively useful, you help others find the answer more quickly.

access-list with PAT

Hi guys,.

I would like to know if the accesslist with PAT, you can refuse statements. IE reject the order under the access list for the traffic that you do not want to be PATed.

example:

access list acl-pat deny ip 10.0.0.1 0.0.0.0 all

permit access-list acl - pat ip 10.0.0.0 0.0.0.255 any

If I won't 10.0.0.1 PATed.

Hello

It's perfectly legal and quite a common practice.

Hope that help - rate pls post if it does.

Paresh

Cisco IOS IPSec failover | Route based VPN with HSRP

I can find the redundancy of vpn IPSec using policy based VPN with HSRP.

Any document which ensures redundancy of the road-base-vpn with HSRP?

OK, I now understand the question. Sorry, I have no documents for this task.

I can see in the crypto ipsec profile that you will use under the Tunnel interface configuration to enable the protection, you can configure the redundancy:

cisco(config)#crypto ipsec profile VTIcisco(ipsec-profile)#?Crypto Map configuration commands: default Set a command to its defaults description Description of the crypto map statement policy dialer Dialer related commands exit Exit from crypto map configuration mode no Negate a command or set its defaults redundancy Configure HA for this ipsec profile responder-only Do not initiate SAs from this device set Set values for encryption/decryption

cisco(ipsec-profile)#redundancy ? WORD Redundancy group name

cisco(ipsec-profile)#redundancy MRT ? stateful enable stateful failover

I suggest that it is the same as redundancy card crypto. But no documentation or examples found...

question links to site 2 site VPN with authentication cert

Currently we are accumulate tunnel site-2-site VPN with our client. Usually we use pre-shared key as authentication with other customers without any problems, but it must use authentication cert with her this time. But the question is that our CA is different from theirs. I tried a few times, but he failed. Is it someone please let me know that he must have the certificate issued by the same certification authority to create the VPN tunnel?

Thank you very much!

Hello

You can read this document to get a simple example of setting up a VPN S2S using certificates on an ASA:

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080aa5be1.shtml

Basically the sides must have the same certification authority and If there is an intermediate certificate that must be installed also. The ASA 2 will generate a CSR (certificate access code request), now then PKI will create a certificate for both parties, commonly called "certificate of identity".

Please pass a note and mark as he corrected the post helpful!

David Castro,

Kind regards

ASA vpn with a public ip address different addresses

Hello world. I can not find someone who can give me an answer 'for sure' of this thing. I want to connect via vpn ASA5505, called 2A and b. inside one we have net 10.0.0.0/24 and 10.0.1.0/24 net b. now, we can have 2 outside for one ip addresses (e.g. 215.18.18.10 and 222.26.12.12) because we have 2 providers to connect to the internet. the asa can follow 2 VPN - with the same cryptomap for the destination inside) so that if a grave he will switch to the other vpn by itself?

This thing can be done with other cisco devices (for example, a 2800 series router?)

Thank you very much

Who are you looking to

1. If the failure of the connection to B then A will use secondary WAN connection to try to raise the tunnel.

I would use the backup ISP for this function.

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

2. If the connection to A failed then B will try to set up the tunnel with secondary address peer.

You can set several counterparts by using cryptographic cards to provide redundancy

http://www.Cisco.com/en/us/products/ps6120/products_configuration_guide_chapter09186a0080450b73.html#wp1042941

IPSEC VPN with Dynamics to dynamic IP

Hello

I tried IPSEC VPN with dynamic IP to dynamic (router to router) for some time. But still can not auto-établir the tunnel.

Is someone can you please tell me if it is possible to do?

If so, please share with me the secret to do work.

Thank you!

Best regards

Rather than the Crypto map, I would use the profile of Crypto. Then, establish you an IPSEC tunnel. The beauty of the profile, is that you can run through it routing protocols, and you do not have to change constantly the cards whenever you change the topology of the network. The "* * *" in the timer event is "minute hour day week month" so "* * *" is updated every minute. In Tunnel destination, it's an IP address, not a hostname that is stored, but when you set it, you can put in a HOST name and it converts to the moment where you configure it to an IP address.

So, if you type:

config t

interface tunnel100
destination remote.dyndns.com tunnel

output

See the race int tunnel100

It shows:

interface Tunnel100
tunnel destination 75.67.43.79

That's why the event handler goes and becomes the destination of tunnel every minute what ever the DDNS says that is the new IP address.

I have seen that two of your routers running DDNS. They will have to do this.

Local router:

crypto ISAKMP policy 1
BA aes 256
preshared authentication
Group 2
ISAKMP crypto key XXXXXXX address 0.0.0.0 0.0.0.0 no.-xauth
!
!
Crypto ipsec transform-set ESP-AES-SHA esp - aes 256 esp-sha-hmac
!
Profile of crypto ipsec CRYPTOPROFILE
game of transformation-ESP-AES-SHA
!
interface Tunnel100
Description of remote.dyndns.org
IP 10.254.220.10 255.255.255.252
IP virtual-reassembly
IP tcp adjust-mss 1400
source of Dialer0 tunnel
tunnel destination 75.67.43.79
ipv4 ipsec tunnel mode
Tunnel CRYPTOPROFILE ipsec protection profile

IP route 192.168.2.0 255.255.255.0 10.254.220.9

Change-tunnel-dest applet event handler
cron-event entry timer cron name "CHRON" * * *"
command action 1.0 cli 'enable '.
action 1.1 cli command "configures terminal.
Action 1.2 command cli "interface tunnel100".
Action 1.3 cli command "destination remote.dyndns.org tunnel".
!

--------

Remote router:

crypto ISAKMP policy 1
BA aes 256
preshared authentication
Group 2
ISAKMP crypto key XXXXXXX address 0.0.0.0 0.0.0.0 no.-xauth
!
!
Crypto ipsec transform-set ESP-AES-SHA esp - aes 256 esp-sha-hmac
!
Profile of crypto ipsec CRYPTOPROFILE
game of transformation-ESP-AES-SHA
!
interface Tunnel100
Description of local.dyndns.org
IP 10.254.220.9 255.255.255.252
IP virtual-reassembly
IP tcp adjust-mss 1400
source of Dialer0 tunnel
tunnel destination 93.219.58.191
ipv4 ipsec tunnel mode
Tunnel CRYPTOPROFILE ipsec protection profile

IP route 192.168.1.0 255.255.255.0 10.254.220.10

Change-tunnel-dest applet event handler
cron-event entry timer cron name "CHRON" * * *"
command action 1.0 cli 'enable '.
action 1.1 cli command "configures terminal.
Action 1.2 command cli "interface tunnel100".
Action 1.3 cli command "destination local.dyndns.org tunnel".

Thank you

Bert

Easy VPN with the Tunnel Interface virtual IPSec dynamic

Hi all

I configured easy vpn remote on a cisco 1841 and dynamic server easy vpn with virtual tunnel interface on the server (cisco 7200, 12.4.15T14)

http://www.Cisco.com/en/us/partner/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd803645b5.html

It works with easy vpn remote to the client mode and mode network-extesión, but it doesn't seem to work when I configure mode plus network on the client of the cpe, or when I try to have TWO inside the ez crypto interfaces. On the customer's site, I see two associations of security, but on the server PE site only security SA!

Without virtual dynamic tunnel interface, dynamic map configuration is ok... This is a limitation of the virtual tunnnel dynamic interface?

Federica

If one side is DVTI and the other uses a dynamic map, it does support only 1 SA. If the two end uses DVTI or the two end uses dynamic card then it supports several SAs.

Here is the note of documentation for your reference:
```
Note: Multiple inside interfaces are supported only when the Cisco Easy VPN server and the Cisco Easy VPN client have the same type of Easy VPN configuration. In other words, both must use a Legacy Easy VPN configuration, or both must use a DVTI configuration.
```
Here's the URL:

http://www.Cisco.com/en/us/docs/iOS/sec_secure_connectivity/configuration/guide/sec_easy_vpn_rem_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1046365

Hope that answers your question.

Problems with P2P VPN with interface DHCP

I have properly configured a P2P VPN with two Cisco 888 using the static IP address. If I put a single interface to DHCP and the unit is power cycling it won't ask an IP address, until I have don't deliver "no card crypto " and bounce the interface.

Any ideas on how I can leave the card encryption in place and have the interface to get an IP address?

Thanks in advance.

With config like this:

access ip-list 100 permit a whole

You are due ALL traffic is encrypted and expect to have to decrypt all traffic. That is traffic that is recived on the interface will be deleted unless they are encrypted.

Remote access VPN with ASA 5510 by using the DHCP server

Hello

Can someone please share your knowledge to help me find out why I'm not able to receive an IP address on the remote access VPN connection so that I can get an IP local pool DHCP?

I'm trying to set up remote access VPN with ASA 5510. It works with dhcp local pool but does not seem to work when I tried to use an existing DHCP server. It is tested in an internal network as follows:

!

ASA Version 8.2 (5)

!

interface Ethernet0/1

nameif inside

security-level 100

IP 10.6.0.12 255.255.254.0

!

IP local pool testpool 10.6.240.150 - 10.6.240.159 a mask of 255.255.248.0. (worked with it)

!

Route inside 0.0.0.0 0.0.0.0 10.6.0.1 1

!

Crypto ipsec transform-set esp-3des esp-md5-hmac FirstSet

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

Crypto-map dynamic dyn1 1jeu transform-set FirstSet

dynamic mymap 1 dyn1 ipsec-isakmp crypto map

mymap map crypto inside interface

crypto ISAKMP allow inside

crypto ISAKMP policy 1

preshared authentication

3des encryption

sha hash

Group 2

life 43200

!

VPN-addr-assign aaa

VPN-addr-assign dhcp

!

internal group testgroup strategy

testgroup group policy attributes

DHCP-network-scope 10.6.192.1

enable IPSec-udp

IPSec-udp-port 10000

!

username testlay password * encrypted

!

tunnel-group testgroup type remote access

tunnel-group testgroup General attributes

strategy-group-by default testgroup

DHCP-server 10.6.20.3

testgroup group tunnel ipsec-attributes

pre-shared key *.

!

I got following output when I test connect to the ASA with Cisco VPN client 5.0

Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: (4) SA (1) + KE + NUNCIO (10) + ID (5), HDR + VENDO

4024 bytesR copied in 3,41 0 seconds (1341 by(tes/sec) 13) of the SELLER (13) seller (13) + the SELLER (13), as well as the SELLER (13) ++ (0) NONE total length: 853

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, SA payload processing

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ke payload

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing ISA_KE

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, nonce payload processing

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing ID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received xauth V6 VID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, DPD received VID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received Fragmentation VID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, IKE Peer included IKE fragmentation capability flags: Main Mode: real aggressive Mode: false

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received NAT-Traversal worm 02 VID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, the customer has received Cisco Unity VID

Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, connection landed on tunnel_group testgroup

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA payload processing

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA proposal # 1, turn # 9 entry overall IKE acceptable matches # 1

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build the payloads of ISAKMP security

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building ke payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building nonce payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Generating keys for answering machine...

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, construction of payload ID

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of hash

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash for ISAKMP

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of Cisco Unity VID

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing payload V6 VID xauth

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building dpd vid payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing the payload of the NAT-Traversal VID ver 02

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, NAT-discovery payload construction

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, NAT-discovery payload construction

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, construction of Fragmentation VID + load useful functionality

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads VID

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, send Altiga/Cisco VPN3000/Cisco ASA GW VID

Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR SA (1) KE (4) NUNCIO (10) + ID (5) + HASH (8) + SELLER (13) + the SELLER (13) + the SELLER (13) + the SELLER (13) NAT - D (130) + NAT - D (130) of the SELLER (13) + the seller (13) + NONE (0) total length: 440

Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + HASH (8) + NOTIFY (11) + NAT - D (130) + NAT - D (130) of the SELLER (13) + the seller (13) + NONE (0) overall length: 168

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing hash payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash for ISAKMP

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing notify payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload NAT-discovery of treatment

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload NAT-discovery of treatment

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload processing VID

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, useful treatment IOS/PIX Vendor ID (version: 1.0.0 capabilities: 00000408)

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload processing VID

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, the customer has received Cisco Unity VID

Jan 16 15:39:21 [IKEv1]: Group = testgroup, I

[OK]

KenS-mgmt-012 # P = 10.15.200.108, status of automatic NAT detection: remote end is NOT behind a NAT device this end is NOT behind a NAT device

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, empty building hash payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of hash qm

Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = d4ca48e4) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 72

Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = d4ca48e4) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 87

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, process_attr(): enter!

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, transformation MODE_CFG response attributes.

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary DNS = authorized

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary DNS = authorized

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: = authorized primary WINS

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: = authorized secondary WINS

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Compression IP = disabled

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Split Tunneling political = disabled

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: setting Proxy browser = no - modify

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: browser Local Proxy bypass = disable

Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, (testlay) the authenticated user.

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, empty building hash payload

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, build payloads of hash qm

Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 6b1b471) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 64

Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 6b1b471) with payloads: HDR + HASH (8) + ATTR (14) + NONE (0) overall length: 60

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): enter!

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, cfg ACK processing attributes

Jan 16 15:39:27 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 49ae1bb8) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 182

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): enter!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, treatment cfg request attributes

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the IPV4 address!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the IPV4 network mask!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for DNS server address.

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the address of the WINS server.

Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, transaction mode attribute unhandled received: 5

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the banner!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for setting save PW!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: receipt of request for default domain name!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for Split-Tunnel list!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for split DNS!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for PFS setting!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the Proxy Client browser setting!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the list of backup peer ip - sec!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for setting disconnect from the Client Smartcard Removal!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the Version of the Application.

Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Type of Client: Windows NT Client Application Version: 5.0.07.0440

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for FWTYPE!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: request received for the DHCP for DDNS hostname is: DEC20128!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the UDP Port!

Jan 16 15:39:32 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, in double Phase 2 detected packets. No last packet retransmit.

Jan 16 15:39:37 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = b04e830f) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84

Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing hash payload

Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing notify payload

Jan 16 15:39:37 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, in double Phase 2 detected packets. No last packet retransmit.

Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE has received the response from type [] at the request of the utility of IP address

Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, cannot get an IP address for the remote peer

Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, case of mistaken IKE TM V6 WSF (struct & 0xd8030048) , : TM_DONE, EV_ERROR--> TM_BLD_REPLY, EV_IP_FAIL--> TM_BLD_REPLY NullEvent--> TM_BLD_REPLY, EV_GET_IP--> TM_BLD_REPLY, EV_NEED_IP--> TM_WAIT_REQ, EV_PROC_MSG--> TM_WAIT_REQ, EV_HASH_OK--> TM_WAIT_REQ, NullEvent

Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, case of mistaken IKE AM Responder WSF (struct & 0xd82b6740) , : AM_DONE, EV_ERROR--> AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL--> AM_TM_INIT_MODECFG_V6H NullEvent--> AM_TM_INIT_MODECFG, EV_WAIT--> AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG--> AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK--> AM_TM_INIT_XAUTH_V6H NullEvent--> AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA

Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE SA AM:bd3a9a4b ending: 0x0945c001, refcnt flags 0, tuncnt 0

Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, sending clear/delete with the message of reason

Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, empty building hash payload

Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing the payload to delete IKE

Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, build payloads of hash qm

Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 9de30522) with payloads: HDR HASH (8) + DELETE (12) + (0) NONE total length: 80

Kind regards

Lay

For the RADIUS, you need a definition of server-aaa:

Protocol AAA - NPS RADIUS server RADIUS

AAA-server RADIUS NPS (inside) host 10.10.18.12

key *.

authentication port 1812

accounting-port 1813

and tell your tunnel-group for this server:

General-attributes of VPN Tunnel-group

Group-NPS LOCAL RADIUS authentication server

--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni

Is site to site VPN with sufficiently secure router?

Hello

I have a question about the site to site VPN with router.

Internet <> router <> LAN

If I have a VPN site-to-site configured on the router above with another site. I configured to block incoming Internet connections with the exception of VPN to access list. What are the risks of the LAN is exposed to threats from the Internet? Recommend that you put in a firewall between the router and the LAN, or replace the router with a firewall?

Thank you

Hi Amanda,.

Assuming your L2L looks like this:

LAN - router - INTERNET - Router_Remote - LAN

|-------------------------------------------------------------------------------|

L2L

Traffic between the two local area networks is protected by the VPN tunnel. It is recommended to use the recommended security (strong encryption settings) to ensure that the encrypted traffic would not be compromised through the Internet.

On the other hand, if you talk about outbound plaintext to the Internet, as when a user acceses google.com, then you just make out traffic, but never allow all incoming connections.

If you want to protect your network with advanced security as a FW features, you can consider ZBF, which is the available in IOS Firewall/set function:

Design of the area Guide of Application and firewall policies

If you consider that this is not enough, check the ASA5500 series.

HTH.

Portu.

Please note all useful posts

VPN with a site on dhcp

I have a very simple deal put in place and wanted to similate a vpn with a site on the dhcp address.

R1 - R2 = R3 - R4.

R2 with static IP and R3 is supposed to be with DHCP. The underlying routing works very well. But when I apply cryptography to routers, it stops working.

When I got a ping from R1 to R4, R2 is decryption, but when I ping from R1 to R4, R2 is not encrypt.

Thank you.

===============

Chantal of R2

!

R2 #sh run
hostname R2
!!
crypto ISAKMP policy 10
BA aes
md5 hash
preshared authentication
Group 2
ISAKMP crypto cisco123 key address 0.0.0.0 0.0.0.0 no.-xauth
!
!
Crypto ipsec transform-set RIGHT aes - esp esp-md5-hmac
!
Crypto-map dynamic dynmap 10
Set transform-set RIGHT
match address 150
!
!
map statmap 65000-isakmp ipsec crypto dynamic dynmap
!
!
!
!
interface FastEthernet0/0
1.1.12.2 IP address 255.255.255.0
automatic duplex
automatic speed
!
interface FastEthernet1/0
IP 1.1.23.2 255.255.255.0
automatic duplex
automatic speed
statmap card crypto
!
no ip address of the http server
no ip http secure server
IP classless
IP route 0.0.0.0 0.0.0.0 1.1.23.3
!
!
access-list 150 permit icmp 1.1.12.1 host 1.1.34.4
access-list 150 permit ip host 1.1.12.1 1.1.34.4
!
===============

R3 racing

R3 #sh run
!
hostname R3
!
!
crypto ISAKMP policy 10
BA aes
md5 hash
preshared authentication
Group 2
ISAKMP crypto key cisco123 address 1.1.23.2 No.-xauth
!
!
Crypto ipsec transform-set RIGHT aes - esp esp-md5-hmac
!
MYmap 10 ipsec-isakmp crypto map
defined by peer 1.1.23.2
Set transform-set RIGHT
match address 150
!
!
!
!
interface FastEthernet0/0
IP 1.1.23.3 255.255.255.0
automatic duplex
automatic speed
crypto mymap map
!
interface FastEthernet1/0
IP 1.1.34.3 255.255.255.0
automatic duplex
automatic speed
!
no ip address of the http server
no ip http secure server
IP classless
IP route 0.0.0.0 0.0.0.0 1.1.23.2
!
!
access-list 150 permit ip host 1.1.34.4 1.1.12.1
access-list 150 permit icmp 1.1.34.4 host 1.1.12.1
!
end

For dynamic to static IPSec site to site VPN, you can only come from the dynamic end VPN tunnel.

In your topology, you can only start the VPN of R4 to R1, and once the VPN tunnel is established, you will be able to pass traffic in both directions, that is to say: R4 R1 and R1 to R4.

The reason why you cannot start the tunnel VPN of R1 to R4 is the static end won't know which IP address to connect to the VPN too since DHCP is.

If however, you want to say that even after the opening of the tunnel VPN of R4 to R1, still cannot you ping from R1 to R4, then it's probably a config problem.

Please kindly share the complete configuration of all 4 routers, as well as the output of "show the isa cry his ' and ' show cry ipsec his" of R2 and R3 after the test.

VPN with NAT Interface

Hello

I am trying to set up a VPN between a VLAN I have defined and another office. I have been using nat on the interface for internet access with a NAT pool.

I created the VPN with crypto card and the VPN is successfully registered.

The problem I encounter is that with NAT is enabled, internet access is working but I can ping through the VPN.

If I disable NAT, VPN works perfectly, but then him VLAN cannot access the internet.

What should I do differently?

Here is the config:

Feature: 2911 with security package

Local network: 10.10.104.0/24

Remote network: 192.168.1.0/24

Public beach: 65.49.46.68/28

crypto ISAKMP policy 104

BA 3des

preshared authentication

Group 2

lifetime 28800

ISAKMP crypto key REDACTED address 75.76.102.50

Crypto ipsec transform-set esp-3des esp-sha-hmac strongsha

OFFICE 104 ipsec-isakmp crypto map

defined by peer 75.76.102.50

Set transform-set strongsha

match address 104

interface GigabitEthernet0/0

IP 65.49.46.68 255.255.255.240

penetration of the IP stream

NAT outside IP

IP virtual-reassembly

full duplex

Speed 100

standby mode 0 ip 65.49.46.70

0 6 2 sleep timers

standby 0 preempt

card crypto OFFICE WAN redundancy

interface GigabitEthernet0/2.104

encapsulation dot1Q 104

IP 10.10.104.254 255.255.255.0

IP nat pool wan_access 65.49.46.70 65.49.46.70 prefix length 28

overload of IP nat inside source list 99 pool wan_access

access-list 99 permit 10.10.104.0 0.0.0.255

access-list 104. allow ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 104. allow ip 192.168.1.0 0.0.0.255 10.10.104.0 0.0.0.255

access-list 104 allow icmp 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 104 allow icmp 192.168.1.0 0.0.0.255 10.10.104.0 0.0.0.255

ISAKMP crypto #sh her

IPv4 Crypto ISAKMP Security Association

DST CBC conn-State id

65.49.46.70 75.76.102.50 QM_IDLE 1299 ACTIVE

Hello!

Please, make these changes:

extended Internet-NAT IP access list

deny ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255

IP 10.10.104.0 allow 0.0.0.255 any

IP nat inside source list Internet-NAT pool access-wan overload

* Please do not remove the old NAT instance until you add that above.

Please hold me.

Thank you!

Sent by Cisco Support technique Android app

837 to 837 VPN with PAT?

Similar Questions

Maybe you are looking for