[FW1] SecuRemote VPN issue with Cisco 802 ISDN router
Scenario: I have 28 remote branch offices, most using Netgear RT328 or Cisco 802 ISDN routers, and I have a few offices with T1 connections using Farallon Netopia. I need to move all these users from NTmail to our Exchange servers.

What I have done so far:

* SecuRemote using Hybrid-Mode IKE with UDP encapsulation to our Firewall-1 encryption domain
* Branch offices connect through various ISPs, so SecuRemote clients are NAT'd
* Exchange server at corporate is on the internal side of Firewall-1 and NAT'd
* Using RADIUS authentication to one of two NT servers running IAS (users are treated as generic* in the configuration on the Firewall-1)

I have gotten SecuRemote to work successfully from offices with the Netgear and Netopia routers with no additional configuration on these routers. I went to set up our 2 users in Indianapolis (behind a Cisco 802) and have hit a wall.

The Indianapolis users authenticate correctly - checking the Firewall-1 log shows Phase 1 & 2 completion below:

    IKE Log: Phase 1 completion. 3DES/SHA1/RADIUS Negotiation ID: XXXXXXXXXXXXXXXXXXX scheme: IKE
    methods: Combined ESP: 3DES + SHA1 (phase 2 completion) for host: 192.168.33.3 and for subnet: 0.0.0.0(mask= 0.0.0.0)

Then when I try to connect to Exchange or ping any of the servers in the encryption domain I get nothing - Outlook 2000 says network problems connecting to Exchange server. Nothing shows up in the Firewall-1 log either. I know from branches I have working that encrypt/decrypt requests are being logged properly when others access Exchange. I believe nothing is being logged from Indianapolis because the Cisco 802 is blocking the traffic.

In researching what the issue is with the Cisco, I've read some postings about manual IPSEC between a Cisco and Firewall-1. I only want to use SecuRemote to Firewall-1, but these posts mentioned creating access-lists because NAT is processed before crypto on the Cisco.
Do I need to modify/create additional access-lists on the Cisco 802 to allow the SecuRemote encryption packets to be routed properly? The Cisco 802 has the most basic config for ISDN with dynamic NAT translation for the internal private network.

IOS config:

    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    no service tcp-small-servers
    no service udp-small-servers
    !
    hostname XXXXXXXXXXXX
    !
    enable password XXXXXXXXXXXX
    !
    ip name-server XXXXXXXXXXXX
    !
    isdn switch-type basic-ni1
    !
    ip subnet-zero
    ip domain-lookup
    ip routing
    !
    interface Dialer 1
     description connected to Internet
     ip address negotiated
     ip nat outside
     no ip split-horizon
     encapsulation ppp
     dialer in-band
     dialer idle-timeout 86400
     dialer string 5760308
     dialer hold-queue 10
     dialer load-threshold 10
     dialer-group 1
     ppp authentication chap pap callin
     ppp chap hostname XXXXXXXXXXXX
     ppp chap password XXXXXXXXXXXX
     ppp pap sent-username XXXXXXXXXXXX
     ppp multilink
     no cdp enable
    !
    interface Ethernet 0
     no shutdown
     description connected to 192.168.33.0
     ip address 192.168.33.1 255.255.255.0
     ip nat inside
     keepalive 10
    !
    interface BRI 0
     no shutdown
     description connected to Internet
     no ip address
     ip nat outside
     dialer rotary-group 1
     isdn spid1 XXXXXXXXXXXX
     isdn spid2 XXXXXXXXXXXX
    !
    ! Access Control List 1
    !
    no access-list 1
    access-list 1 permit 192.168.33.0 0.0.0.255
    !
    ! Dialer Control List 1
    !
    no dialer-list 1
    dialer-list 1 protocol ip permit
    !
    ! Dynamic NAT
    !
    ip nat translation timeout 86400
    ip nat translation tcp-timeout 86400
    ip nat translation udp-timeout 300
    ip nat translation dns-timeout 60
    ip nat translation finrst-timeout 60
    ip nat inside source list 1 interface Dialer 1 overload
    !
    router rip
     version 2
     network 192.168.33.0
     passive-interface Dialer 1
     no auto-summary
    !
    ip classless
    !
    ! IP Static Routes
    ip route 0.0.0.0 0.0.0.0 Dialer 1

This has been the longest research project of my life - I feel like I've been looking for VPN/SecuRemote secret decoder rings!
I thought I had worked all the bugs out until I hit this one. I have eight Cisco 802s that I have to live with. It has been a few years since I've done the Cisco IOS access-list mambo (defecting to Cabletron and 3COM for the most part), but that is where I think the problem must lie, since I don't seem to be getting the SecuRemote packets past the Cisco.

Any and all suggestions welcomed. This mailing list and the phoneboy FAQ have been the best sources of info to solve all the problems I've run into so far; thanks to all the great postings.

Leigh A. Jones
Network Engineer
Davel Communications, Inc.
10120 Windhorst Road
Tampa, FL 33619
Fax
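One check that narrows down the symptom above (tunnel negotiated, nothing carried) is to scan the Firewall-1 log for client addresses that reached phase 2 completion but never appear in an encrypt/decrypt record. This is an added example, not code from the post or from Check Point; the sample log is constructed from the IKE excerpt quoted above, and the encrypt/decrypt record layout is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the IKE log excerpt quoted in the post.
# The "encrypt"/"decrypt" record layout is an assumption, not Check Point's exact format.
SAMPLE_LOG = """\
IKE Log: Phase 1 completion. 3DES/SHA1/RADIUS Negotiation ID: 1001 scheme: IKE
IKE Log: Combined ESP: 3DES + SHA1 (phase 2 completion) for host: 10.0.0.5 and for subnet: 0.0.0.0(mask= 0.0.0.0)
decrypt src: 10.0.0.5 dst: 10.10.1.20 service: 135
encrypt src: 10.10.1.20 dst: 10.0.0.5 service: 135
IKE Log: Phase 1 completion. 3DES/SHA1/RADIUS Negotiation ID: 1002 scheme: IKE
IKE Log: Combined ESP: 3DES + SHA1 (phase 2 completion) for host: 192.168.33.3 and for subnet: 0.0.0.0(mask= 0.0.0.0)
"""

PHASE2_RE = re.compile(r"\(phase 2 completion\) for host: (\d{1,3}(?:\.\d{1,3}){3})")
TRAFFIC_RE = re.compile(r"^(encrypt|decrypt) src: (\S+) dst: (\S+)")


def tunnel_report(log_text):
    """Count, per SecuRemote client address, phase 2 completions and the
    encrypt/decrypt records that name that address as either endpoint."""
    report = defaultdict(lambda: {"phase2": 0, "traffic": 0})
    for line in log_text.splitlines():
        m = PHASE2_RE.search(line)
        if m:
            report[m.group(1)]["phase2"] += 1
            continue
        m = TRAFFIC_RE.match(line)
        if m:
            _, src, dst = m.groups()
            for addr in (src, dst):
                if addr in report:  # only count hosts that negotiated a tunnel
                    report[addr]["traffic"] += 1
    return dict(report)


def find_silent_tunnels(log_text):
    """Clients whose tunnel came up (phase 2 done) but never carried a packet,
    which is the symptom described for the Indianapolis users behind the Cisco 802."""
    return sorted(h for h, c in tunnel_report(log_text).items()
                  if c["phase2"] and not c["traffic"])


if __name__ == "__main__":
    for host, counts in tunnel_report(SAMPLE_LOG).items():
        print(host, counts)
    print("negotiated but silent:", find_silent_tunnels(SAMPLE_LOG))
```

A host listed as silent has completed IKE over UDP but its ESP traffic is never reaching the firewall, which points at the path between client and firewall (here the NAT router) rather than at authentication.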