passing vpn through 801

Status
Not open for further replies.

trismegistus

Technical User
Jun 14, 2002
81
GB
Hi

Am I correct in assuming that if you pass a VPN tunnel from a non-Cisco client, through an 801 to a server, terminating on the server, there is no additional config required for the 801?

The router is only passing the traffic, not getting involved. If there is additional configuration required, does the 801 require vpn software?
 
Hi
Did you manage to get the VPN pass-through working? I'm having a problem with a Cisco 801 passing info to a PIX 501. It connects OK but I can't see anything behind the 501. I know it's not the 501 because if I go through an ISDN TA it works fine.
Hope you can help
Neil
 
If you are using access-lists on the router then you need to be aware that you need to specifically allow the VPN protocols (there is an implicit deny). Depending on what VPN you are running, you might need to look at:

access-list 100 perm ahp/esp/gre

HTH,
Michael.
 
Hi

Right, I'm probably being stupid but I don't think I'm running an access-list. Here is the config, if anyone can help that would be great.
Current configuration:
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname host
!
enable password ******
!
!
!
!
!
ip subnet-zero
!
no ip domain-lookup
isdn switch-type basic-net3
!
!
process-max-time 200
!
interface Ethernet0
description connected to EthernetLAN
ip address 10.0.0.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface BRI0
description connected to Internet
no ip address
no ip directed-broadcast
ip nat outside
encapsulation ppp
dialer rotary-group 1
isdn switch-type basic-net3
!
interface Dialer1
description connected to Internet
ip address negotiated
no ip directed-broadcast
ip nat outside
encapsulation ppp
no ip split-horizon
dialer in-band
dialer string ******
dialer hold-queue 10
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname ******
ppp chap password ******
ppp pap sent-username ****** password ******
!
ip nat inside source list 1 interface Dialer1 overload
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 permit 10.0.0.0 0.0.0.255
dialer-list 1 protocol ip permit
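The access-list point raised earlier in the thread can be checked mechanically against a configuration like the one above. This Python code is an added example, not part of the original thread: `audit_vpn_acls` and both sample configs are constructed for illustration, it handles numbered ACLs only, and it looks at the protocol field while ignoring addresses.

```python
import re

VPN_PROTOCOLS = ("ahp", "esp", "gre")  # the protocols named in the thread

# Constructed sample configs (not taken from the thread).
SAMPLE_FILTERED = """\
interface Dialer1
 ip address negotiated
 ip access-group 100 in
!
access-list 100 permit tcp any any established
access-list 100 permit esp any any
"""
SAMPLE_NAT_ONLY = """\
interface Dialer1
 ip nat outside
!
ip nat inside source list 1 interface Dialer1 overload
access-list 1 permit 10.0.0.0 0.0.0.255
"""

def audit_vpn_acls(config):
    """Return {(interface, acl, direction): [VPN protocols that end up denied]}."""
    applied, entries, iface = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif m := re.match(r"ip access-group (\d+) (in|out)", line):
            applied.append((iface, m.group(1), m.group(2)))
        elif m := re.match(r"access-list (\d+) (permit|deny) (\S+)", line):
            num = int(m.group(1))
            extended = 100 <= num <= 199 or 2000 <= num <= 2699
            # Standard ACLs match on source address only, i.e. every IP protocol.
            proto = m.group(3) if extended else "ip"
            entries.setdefault(m.group(1), []).append((m.group(2), proto))
    report = {}
    for iface, acl, direction in applied:
        if acl not in entries:
            continue  # no entries parsed for this ACL: nothing to evaluate
        denied = []
        for proto in VPN_PROTOCOLS:
            # First matching entry wins; falling off the end is the implicit deny.
            verdict = next((action for action, p in entries[acl]
                            if p in (proto, "ip")), "deny")
            if verdict == "deny":
                denied.append(proto)
        report[(iface, acl, direction)] = denied
    return report
```

An ACL only filters traffic when an interface references it with `ip access-group`; in the configuration posted above, `access-list 1` is referenced only by the NAT rule, so this check returns an empty result for it.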
 
hmmm, there are a couple potential problems with this.

I assume that you are connecting from the internet (it is the only option that makes sense). What IP address are you specifying for the VPN client to connect to? You cannot use 10.0.0.x as this address is not routable on the internet. The address of the router is negotiated so could be different each time you connect (unless your provider has agreed to supply the same address each time). If you are using the Router IP Address then you will need to add a static NAT translation for the server, something like:

ip nat inside source static 10.0.0.x w.x.y.z

This will only work if w.x.y.z (ie, the negotiated IP) is a static address as you cannot specify an interface here.

HTH,
Michael.
 
Hi

Yes, I'm connecting via the internet using the Cisco VPN client to connect to the ext IP of a PIX 501 firewall. The Cisco 801 connects to the internet and gets a different IP each time, but I have tested this using an ISDN TA and it works fine from that. What it does is connect to the VPN with no problem, but when you try to see the remote network (192.168.0.x) it doesn't work.

Thanks for your help
Neil
 