
IPSEC, isakmp through Cisco 3620 w/Firewall Feature Set

Status
Not open for further replies.

CyberJMC66

Technical User
Oct 26, 2000
US
I have the following configuration:

Cisco 3620 running IOS 12.0 with IPSEC/FW
Two ethernet interfaces -
One to public Internet address (NAT outside)
One to internal RFC1918 address (NAT inside, 10.x.x.x)
No access lists (for now while I am troubleshooting this problem).

Most features of the Firewall configuration work. However, I would like to be able to get my Nortel VPN client (port 500, isakmp) to passthru firewall properly. It seems to attempt a connection, establishes it, but its uni-directional.

Most of the examples on Cisco's website are instances where you own both ends and want to make the routers IPSEC endpoints. I have seen the following on Cisco's website to enable this

crypto commands for configuration of IPSEC (not sure if passthru or endpoint)

ip nat command for esp (IOS 12.2+)

My question is: what configuration commands are needed, based on the configuration above, to get IPSEC passthru (ISAKMP, port 500) to work properly on my 3620 router/firewall?



 
What does debug crypto ipsec give you when you are trying to make the connection?

MikeS
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 
I am not sure which crypto commands to use, if any. That's what I am asking...
 
Cyber, I'm not sure how you have your firewall set up, but you shouldn't have to use any crypto commands. Just put a static NAT command in to forward all ESP packets to your PC.

i.e. ip nat inside source static esp 10.x.x.x interface ethernet 1

The interface you would use is the outside interface. If this command doesn't work, make sure that you are not filtering out that service/port, the ip address of the vpn server, and check your firewall configuration.


Hope this helps.

Doc
 
I had used that before - but I was filtering - which was the problem. Thanks!

I would like to re-enable my filter, I suspect I need to allow IP from my VPN service provider huh? Ports 500?
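The following is an added configuration example, not posted by anyone in this thread. It puts together the two things discussed so far: the static ESP mapping Doc suggested, and a re-enabled inbound filter that still lets the VPN client work. Interface names (Ethernet0/0 inside, Ethernet0/1 outside), the addresses 10.1.1.0/24, 198.51.100.2 and the VPN gateway 203.0.113.10, and the ACL/inspect names are all placeholders chosen for the example, not values from the thread. IPsec ESP is IP protocol 50 and carries no port numbers; ISAKMP is UDP port 500.

```cisco
! Added example config for a NAT/CBAC router passing one IPsec client.
! Interface names, addresses and list names below are assumptions.
!
interface Ethernet0/0
 description inside LAN (RFC1918)
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface Ethernet0/1
 description public Internet
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect FW out
!
! PAT all inside hosts behind the outside interface address.
ip nat inside source list NAT-INSIDE interface Ethernet0/1 overload
!
! Hand inbound ESP (IP protocol 50) to the VPN client host.
! ESP has no ports, so one static esp entry serves exactly one inside host;
! it does not distribute ESP among several clients.
ip nat inside source static esp 10.1.1.50 interface Ethernet0/1
!
! CBAC: inspecting outbound UDP/TCP opens the return path for the client's
! ISAKMP (UDP 500) exchange. ESP is not a CBAC-inspected protocol, so the
! inbound ACL must permit it explicitly.
ip inspect name FW udp
ip inspect name FW tcp
!
ip access-list standard NAT-INSIDE
 permit 10.1.1.0 0.0.0.255
!
! Inbound filter on the outside interface: only the VPN gateway may send
! ESP and ISAKMP to us; everything else not opened by CBAC is dropped.
! No destination port is given for ISAKMP because PAT may have translated
! the client's source port 500 to something else.
ip access-list extended OUTSIDE-IN
 permit esp host 203.0.113.10 host 198.51.100.2
 permit udp host 203.0.113.10 eq isakmp host 198.51.100.2
 deny ip any any log
```

When the tunnel comes up, `show ip nat translations` should show the esp entry for 10.1.1.50 and a UDP 500 translation for the client, and `show ip inspect sessions` the ISAKMP session; if the client only gets one-way traffic again, check the log for hits on the final deny line first.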
 
I have used the following command successfully;

ip nat inside source static esp 10.x.x.x interface ethernet 1

Now, what if I want more than one VPN client running from inside? (Do not want to specify 10.x.x.x?). Do I use 0.0.0.0 notation?
 
Cyber, I think that's all that you should need, even with extra clients. Even though you have the NAT command directed at your PC, other clients should be able to connect as well. Being that you are overloading the interface (i.e. PAT instead of NAT), the router should be smart enough to determine which ESP packets to route to which client based on the port/ports the router assigns to them. Test it and let me know what happens.

Doc
 