Cisco VPN with NAT

Sample Config Cisco IOS VPN with NAT
1720#sh run
Building configuration...
Current configuration : 3044 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 1720
!
enable password cisco
!
username cisco password 0 cisco
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
no ip domain-lookup
!
ip inspect name fw http
ip inspect name fw ftp
ip inspect name fw tcp
ip inspect name fw udp
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 3
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group 3000client
key cisco123
pool ippool
acl 108
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
! The next two lines are missing from an older sample config on Cisco's site; VPN clients won't connect without them. Note that the aaa commands defining the userauthen and groupauthor lists they reference are not shown in this dump.
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0
ip address 196.0.0.1 255.255.255.0
ip nat inside
speed auto
!
interface Serial0
ip address 193.0.0.1 255.255.255.0
ip nat outside
encapsulation ppp
no ip route-cache
no ip mroute-cache
no fair-queue
clockrate 64000
crypto map clientmap
!
ip local pool ippool 197.0.0.3 197.0.0.5
ip nat pool outsidepool 193.0.0.5 193.0.0.10 netmask 255.255.255.0
! Doesn’t work: ip nat inside source route-map nonat interface Serial0 overload
ip nat inside source list 1 interface Serial0 overload
ip route 0.0.0.0 0.0.0.0 Serial0
!
access-list 1 permit 196.0.0.0 0.0.0.255
access-list 101 permit tcp 196.0.0.0 0.0.0.255 any
access-list 101 permit icmp 196.0.0.0 0.0.0.255 any
access-list 101 permit udp 196.0.0.0 0.0.0.255 any
access-list 102 permit udp host 193.0.0.1 eq isakmp host 193.0.0.1
access-list 102 permit ahp host 193.0.0.1 host 193.0.0.1
access-list 102 permit esp host 193.0.0.1 host 193.0.0.1
access-list 102 permit udp any host 193.0.0.1 eq 62514
access-list 102 permit udp any host 193.0.0.1 eq isakmp
access-list 102 permit tcp any any
access-list 102 permit icmp any any echo-reply
access-list 108 permit ip 196.0.0.0 0.0.0.255 197.0.0.0 0.0.0.255
access-list 199 deny ip 196.0.0.0 0.0.0.255 197.0.0.0 0.0.0.255
access-list 199 permit ip 196.0.0.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 199
!
line con 0
line aux 0
line vty 0 4
login
!
no scheduler allocate
end
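As an added check that is not part of the original post: a small Python audit that parses the address pool, the crypto ACL (108) and the NAT-exemption ACL (199) from a constructed excerpt of the config above, verifies that every pool address is permitted by the crypto ACL and denied (exempted) by the nonat ACL, and flags the weak ISAKMP/IPsec settings. The WEAK table and the default ACL numbers are assumptions chosen for this page's config.

```python
import ipaddress
import re
# Constructed excerpt of the running-config shown on this page (not the full dump).
SAMPLE = """\
no service password-encryption
hash md5
group 2
crypto ipsec transform-set myset esp-des esp-md5-hmac
ip local pool ippool 197.0.0.3 197.0.0.5
access-list 108 permit ip 196.0.0.0 0.0.0.255 197.0.0.0 0.0.0.255
access-list 199 deny ip 196.0.0.0 0.0.0.255 197.0.0.0 0.0.0.255
access-list 199 permit ip 196.0.0.0 0.0.0.255 any
"""
# Settings a reviewer would flag in this config (assumed list); keys match as whole words.
WEAK = {"hash md5": "ISAKMP integrity is MD5", "group 2": "ISAKMP DH group 2 (1024-bit)",
        "esp-des": "IPsec transform uses 56-bit DES",
        "no service password-encryption": "passwords stored in cleartext"}

def local_pools(cfg):
    """name -> every address of 'ip local pool <name> <first> <last>'."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+) (\S+)$", cfg, re.M):
        lo, hi = (int(ipaddress.IPv4Address(a)) for a in m.group(2, 3))
        pools[m.group(1)] = [ipaddress.IPv4Address(i) for i in range(lo, hi + 1)]
    return pools

def acl_entries(cfg, number):
    """(action, destination network) per 'permit|deny ip <src> <wc> <dst> <wc>|any' line."""
    rows = []
    for m in re.finditer(rf"^access-list {number} (permit|deny) ip \S+ \S+ (\S+)(?: (\S+))?$", cfg, re.M):
        dst = "0.0.0.0/0" if m.group(2) == "any" else f"{m.group(2)}/{m.group(3)}"
        rows.append((m.group(1), ipaddress.IPv4Network(dst)))  # ipaddress understands wildcard masks
    return rows

def first_match(entries, addr):
    """IOS evaluates an ACL top-down; an implicit deny follows the last entry."""
    return next((action for action, net in entries if addr in net), "deny")

def audit(cfg, crypto_acl=108, nonat_acl=199):
    """Weak settings, plus pool addresses the crypto ACL does not permit or the NAT-exempt ACL does not deny."""
    findings = [why for key, why in WEAK.items() if re.search(rf"\b{re.escape(key)}\b", cfg)]
    crypto, nonat = acl_entries(cfg, crypto_acl), acl_entries(cfg, nonat_acl)
    for name, addrs in local_pools(cfg).items():
        for a in addrs:
            if first_match(crypto, a) != "permit":
                findings.append(f"{name}: {a} is not matched by crypto ACL {crypto_acl}")
            if first_match(nonat, a) != "deny":
                findings.append(f"{name}: {a} is not exempted from NAT by ACL {nonat_acl}")
    return findings
```

Run against the excerpt it reports only the four weak settings; removing the `access-list 199 deny` line or moving the pool outside 197.0.0.0/24 produces one finding per pool address, which is the misconfiguration that leaves client traffic NATed or unencrypted.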