
Cisco VPN with NAT

Sample config: Cisco IOS remote-access VPN with NAT on the same router. The credentials in it (enable password, local user, group pre-shared key) are the placeholder values from the sample, and the IP addresses were stripped in this copy.

```
1720#sh run
Building configuration...
Current configuration : 3044 bytes
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname 1720
enable password cisco
username cisco password 0 cisco
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip domain-lookup
ip inspect name fw http
ip inspect name fw ftp
ip inspect name fw tcp
ip inspect name fw udp
ip audit notify log
ip audit po max-events 100
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration group 3000client
 key cisco123
 pool ippool
 acl 108
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
```
The next two lines (the client authentication list and the isakmp authorization list) are missing from an older sample on Cisco's site; VPN clients won't connect without them:
```
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0
 ip address
 ip nat inside
 speed auto
interface Serial0
 ip address
 ip nat outside
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 no fair-queue
 clockrate 64000
 crypto map clientmap
ip local pool ippool
ip nat pool outsidepool netmask
! Doesn't work: ip nat inside source route-map nonat interface Serial0 overload
ip nat inside source list 1 interface Serial0 overload
ip route Serial0
access-list 1 permit
access-list 101 permit tcp any
access-list 101 permit icmp any
access-list 101 permit udp any
access-list 102 permit udp host eq isakmp host
access-list 102 permit ahp host host
access-list 102 permit esp host host
access-list 102 permit udp any host eq 62514
access-list 102 permit udp any host eq isakmp
access-list 102 permit tcp any any
access-list 102 permit icmp any any echo-reply
access-list 108 permit ip
access-list 199 deny ip
access-list 199 permit ip any
route-map nonat permit 10
 match ip address 199
line con 0
line aux 0
line vty 0 4
no scheduler allocate
```
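The practical lesson of the sample is that a remote-access crypto map is silently broken when the `client authentication list` and `isakmp authorization list` statements are absent. The script below is an added example, not code from the post or from Cisco: a small lint pass over an IOS running-config that flags a dynamic crypto map applied to an interface without those two statements, and, as an extra check beyond what the post discusses, the deprecated ISAKMP/IPsec algorithms the sample uses (`hash md5`, `group 2`, `esp-des`, `esp-md5-hmac`). The parser is a deliberately simple one (top-level line plus indented sub-lines) and the "weak algorithm" lists are my own assumptions; the sample config is the crypto-relevant part of the page's config with standard IOS indentation restored, and a second copy with the two lines removed stands in for the older sample the post refers to.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the crypto/NAT-relevant part of the page's config with the
# standard IOS sub-command indentation restored (addresses were elided in the source).
SAMPLE_CONFIG = """\
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration group 3000client
 key cisco123
 pool ippool
 acl 108
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Serial0
 ip nat outside
 encapsulation ppp
 crypto map clientmap
"""

# The same config with the two lines the post warns about removed (the "older sample" shape).
BROKEN_CONFIG = "\n".join(
    line for line in SAMPLE_CONFIG.splitlines()
    if "client authentication list" not in line and "isakmp authorization list" not in line
) + "\n"

# Algorithm keywords this check treats as deprecated (assumed list, not from the page).
WEAK_ESP_ALGOS = {"esp-des", "esp-3des", "esp-md5-hmac"}
WEAK_ISAKMP_LINES = {
    "hash md5": "prefer 'hash sha'",
    "group 1": "prefer a stronger DH group",
    "group 2": "prefer a stronger DH group",
}
# Statements a remote-access crypto map must carry for clients to connect (from the post).
REQUIRED_REMOTE_ACCESS_LINES = ("client authentication list", "isakmp authorization list")


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split an IOS running-config into (top-level line, [indented sub-lines]) pairs.
    Blank lines and '!' comment lines are skipped."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def applied_crypto_maps(config: str) -> Dict[str, str]:
    """Return {crypto map name: interface} for every map applied under an interface."""
    applied: Dict[str, str] = {}
    for header, body in parse_blocks(config):
        if header.startswith("interface "):
            iface = header.split(None, 1)[1]
            for line in body:
                m = re.fullmatch(r"crypto map (\S+)", line)
                if m:
                    applied[m.group(1)] = iface
    return applied


def check_crypto_map(config: str, name: str) -> List[str]:
    """For a crypto map carrying a dynamic (remote-access) entry, require the XAUTH
    authentication and ISAKMP authorization list statements; site-to-site maps are skipped."""
    headers = [h for h, _ in parse_blocks(config) if h.startswith(f"crypto map {name} ")]
    if not any(" dynamic " in h for h in headers):
        return []
    return [
        f"crypto map {name}: missing 'crypto map {name} {fragment} <aaa-list>' (VPN clients will not connect)"
        for fragment in REQUIRED_REMOTE_ACCESS_LINES
        if not any(h.startswith(f"crypto map {name} {fragment} ") for h in headers)
    ]


def check_isakmp_policies(config: str) -> List[str]:
    """Flag deprecated hash/DH-group choices inside each 'crypto isakmp policy' block."""
    findings: List[str] = []
    for header, body in parse_blocks(config):
        m = re.fullmatch(r"crypto isakmp policy (\d+)", header)
        if not m:
            continue
        for line, advice in WEAK_ISAKMP_LINES.items():
            if line in body:
                findings.append(f"isakmp policy {m.group(1)}: '{line}' is deprecated; {advice}")
    return findings


def check_transform_sets(config: str) -> List[str]:
    """Flag deprecated ESP algorithms in every 'crypto ipsec transform-set' line."""
    findings: List[str] = []
    for header, _ in parse_blocks(config):
        m = re.fullmatch(r"crypto ipsec transform-set (\S+) (.+)", header)
        if not m:
            continue
        name, algos = m.group(1), set(m.group(2).split())
        for algo in sorted(algos & WEAK_ESP_ALGOS):
            findings.append(f"transform-set {name}: {algo} is deprecated; prefer esp-aes with esp-sha-hmac")
    return findings


def lint(config: str) -> List[str]:
    """Run every check; only crypto maps actually applied to an interface are inspected."""
    findings: List[str] = []
    for name in sorted(applied_crypto_maps(config)):
        findings.extend(check_crypto_map(config, name))
    findings.extend(check_isakmp_policies(config))
    findings.extend(check_transform_sets(config))
    return findings


if __name__ == "__main__":
    for label, cfg in (("page config", SAMPLE_CONFIG), ("older sample", BROKEN_CONFIG)):
        print(f"== {label}")
        for finding in lint(cfg):
            print("  ", finding)
```

Run it on a saved `show run` (`python lint_vpn.py`) and the "older sample" copy produces two extra findings, one per missing statement, while both copies report the weak ISAKMP policy and transform set. The check deliberately keys on the crypto map named under an interface rather than on every `crypto map` line, so an unused leftover map does not generate noise.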