DarkLogixTexan and ProudPremium join:2008-10-23 Baytown, TX kudos:3 | [Config] NVI and VPN After I implemented NVI on my home router, VPN no longer worked.
Any idea on what I need to do to fix this? |
|
TomS_Git-r-donePremium,MVM join:2002-07-19 Ireland kudos:4 | The other day I went to my mechanic and told him my car broke down on the side of the road.
I didn't tell him what troubleshooting I tried, gave him no other information about it, and I won't let him see the car so he can try to fix it.
Hint hint. |
|
DarkLogixTexan and ProudPremium join:2008-10-23 Baytown, TX kudos:3 | Well, before it worked, but ever since I changed to using NVI instead of NAT inside/outside it doesn't.
I tried doing
ip inspect name general-purpose isakmp
ip inspect name general-purpose ipsec-msft
ip inspect general-purpose in
ip inspect general-purpose out
because I saw a DSLR post that seemed related, but this didn't work.
Other than that I tried removing the ACL from my WAN int, but that also had no effect.
Any idea for other things to try? -- »www.change.org/petitions/create-···imcity-4 |
|
DarkLogixTexan and ProudPremium join:2008-10-23 Baytown, TX kudos:3 | And well, as I needed to VPN in, I connected directly to the Comcast SMC router and assigned myself the 5th static IP, which I normally leave out of use so it's available for testing. -- »www.change.org/petitions/create-···imcity-4 |
|
 DarkLogixTexan and ProudPremium join:2008-10-23 Baytown, TX kudos:3 | So any ideas? |
|
RyanG1Premium join:2002-02-10 San Antonio, TX | reply to DarkLogix Well, you still haven't given us much information. The common misconception I see growing here in the Cisco forums is that this is tech support. A lot of us do this as our daily job and we come here to aid in teaching rather than spoon-feeding answers.
What TomS was saying nicely was that you need to do some troubleshooting on your side, research your issue, and then come here.
For starters, research what is actually broken: can you no longer authenticate to the VPN, or is it that it connects but does not pass traffic? You know that your config issues are related to NVI, so research the differences between using the 'ip nat enable' and 'ip nat inside/outside' statements.
It's far better to advance towards your answer with light prodding from people in this forum than to have them do the heavy lifting. In the end it will make you a better tech, provide a better understanding of your devices and their capabilities, and prove to yourself that you can solve the problem.
Do not let my ramblings deter you from coming back to this thread with more detail, but it's best to understand where you are in terms of getting "support".
Ryan -- Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams |
|
DarkLogixTexan and ProudPremium join:2008-10-23 Baytown, TX kudos:3 | It fails to connect, just like some consumer router with IPsec passthrough disabled.
I figure there's something I'm missing, but searching "cisco ipsec passthrough" hasn't yielded any useful results yet.
BTW I am looking but haven't yet found anything useful. -- »www.change.org/petitions/create-···imcity-4 |
|
DarkLogixTexan and ProudPremium join:2008-10-23 Baytown, TX kudos:3 1 edit | I've done "terminal monitor", then "debug ip nat ipsec", then tried connecting the VPN, and got nothing.
The VPN just holds on "verifying username and password", then goes on to trying another type of VPN and eventually fails.
Just some invalid SPI from an IP that's neither mine nor the IP of the VPN server I'm trying to connect to. -- »www.change.org/petitions/create-···imcity-4 |
|
DarkLogixTexan and ProudPremium join:2008-10-23 Baytown, TX kudos:3 | I've tried
ip nat service list 2 ike preserve-port
ip nat service list 2 esp spi-match
crypto ipsec nat-transparency spi-matching
and still no go.
I'm just not finding anything useful in my searches. -- »www.change.org/petitions/create-···imcity-4 |
|
DarkLogixTexan and ProudPremium join:2008-10-23 Baytown, TX kudos:3 | Here's the NAT sections of my config:
interface GigabitEthernet1/0
 description Link to NME-16ES-1G-p
 ip address 10.254.254.1 255.255.255.252
 ip nat enable
 ip virtual-reassembly
 ip ospf 1 area 0
 ipv6 address --------:200::1/64
 ipv6 ospf 1 area 0
interface GigabitEthernet3/0
 description Link to NME-16ES-1G-p (number 2)
 ip address 10.254.254.5 255.255.255.252
 ip nat enable
 ip virtual-reassembly
 ip ospf 1 area 0
 ipv6 address --------:201::1/64
 ipv6 ospf 1 area 0
interface GigabitEthernet2/0
 description Link to Comcast
 bandwidth 76000
 ip address 75.x.x.35 255.255.255.248 secondary
 ip address 75.x.x.36 255.255.255.248 secondary
 ip address 75.x.x.37 255.255.255.248 secondary
 ip address 75.x.x.33 255.255.255.248
 ip access-group 110 in
 ip nat enable
 ip virtual-reassembly
 ip ospf 1 area 0
 negotiation auto
ip route 0.0.0.0 0.0.0.0 75.x.x.38
ip nat pool RLH1 75.x.x.35 75.x.x.35 netmask 255.255.255.248 add-route
ip nat pool RLH2 75.x.x.36 75.x.x.36 netmask 255.255.255.248 add-route
ip nat pool RLH3 75.x.x.37 75.x.x.37 netmask 255.255.255.248 add-route
ip nat source list 1 pool RLH1 overload
ip nat source list 2 pool RLH2 overload
ip nat source list 3 pool RLH3 overload
access-list 1 permit 10.0.2.0 0.0.0.255
access-list 1 deny any
access-list 2 permit 10.0.3.0 0.0.0.255
access-list 2 deny any
access-list 3 permit 10.0.4.0 0.0.0.255
access-list 3 deny any
The 2 EtherSwitches handle the inter-VLAN routing; they both have interfaces in each VLAN, and then the DHCP server passes out 2 default routers.
I still keep finding info that says it just works, but it doesn't. -- »www.change.org/petitions/create-···imcity-4 |
|
DarkLogixTexan and ProudPremium join:2008-10-23 Baytown, TX kudos:3 | Hunting for a solution is running into dead ends.
I just tried reverting to pre-NVI and I must have missed something, because I ended up killing NAT completely.
For now I'm having to go to using my 5th static IP directly on my computer in order to VPN.
Also it seems my MicroCell is affected by this.
Can you point me in the right direction? -- »www.change.org/petitions/create-···imcity-4 |
|
tubbynetreminds me of the danse russePremium,MVM join:2008-01-16 Chandler, AZ kudos:1 | for some reason -- i'm reminded of 'yertle the turtle'. just because the tower of turtles falls because you added one more turtle doesn't mean that the last turtle is to blame. something much earlier down the line could be an issue. more to the point -- hyperspastic and unclear posts (up until your last post it sounded like the vpn server on your router was broken) don't get you anywhere.
remove the tower of turtles -- solve your problem -- then rebuild the tower.
q. -- "...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..." |
|
DarkLogixTexan and ProudPremium join:2008-10-23 Baytown, TX kudos:3 | I'm not connecting to a VPN server on a router.
The VPN server is an ISA server at work. The VPN client is the default VPN client on Windows.
Can you suggest where I need to look? -- »www.change.org/petitions/create-···imcity-4 |
|
TomS_Git-r-donePremium,MVM join:2002-07-19 Ireland kudos:4 | Microsoft TechNet? Sounds like you need to start debugging on your ISA server to find out why it's breaking.
Are you missing port forwards or similar?
Did you take a backup of your config before you started messing around with it, so you could roll back to a known working version if something went wrong? |
|
DarkLogixTexan and ProudPremium join:2008-10-23 Baytown, TX kudos:3 1 edit | If I bypass my home router, then the VPN works.
If I connect my home computer directly to my Comcast gateway and use my 5th static IP (which I keep unassigned so that I can use it like this), then the VPN works.
Also my AT&T MicroCell, which AFAIK uses a VPN to AT&T, has been unable to make a link to AT&T for some time now (I didn't notice when it went down).
So it's not the ISA server (and if it were, then there'd be calls from our users). |
|
 DarkLogixTexan and ProudPremium join:2008-10-23 Baytown, TX kudos:3 | I guess no one has any idea even for additional troubleshooting steps. |
|
tubbynetreminds me of the danse russePremium,MVM join:2008-01-16 Chandler, AZ kudos:1 | said by DarkLogix: "I guess no one has any idea even for additional troubleshooting steps." first rule of troubleshooting -- get rid of everything that is unnecessary and start with the basics. something tells me the stack of turtles is still there.
q. -- "...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..." |
|
DarkLogixTexan and ProudPremium join:2008-10-23 Baytown, TX kudos:3 | Well, I put my computer directly on the internet. Result: this works, but I'm not going to leave my computer directly on the internet.
Next I removed my ACL from the WAN port: no effect, still not working.
I set the IP on my computer to static with only one default gateway: same result, still not working (to rule out the dual default gateways being the issue).
I tried reverting to a pre-NVI setup, but must have missed a few lines, because that didn't even get to the internet.
What would you suggest next?
And all the Cisco pages I see say "for the client side no configuration is needed".
Do you see anything wrong in the NAT config I posted? At this point it's more for the sake of the MicroCell, as I got the work done I needed to with VPN via putting my computer directly on the internet. -- »www.change.org/petitions/create-···imcity-4 |
|
 DarkLogixTexan and ProudPremium join:2008-10-23 Baytown, TX kudos:3 | So what else is there to get rid of to test next? |
|
RyanG1Premium join:2002-02-10 San Antonio, TX | reply to DarkLogix When you reverted to no NVI, did you change the "ip nat source list" to "ip nat inside source list"?
Also, please post a full config minus any sensitive information, if you do not mind.
Ryan -- Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams |
|
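Ryan's question above is the crux of the revert: NVI and classic domain-based NAT use different interface commands and different "ip nat ... source" forms, and mixing them leaves no working translation at all. The fragment below is an added illustration, not a config from the thread or from Cisco; it shows the two equivalent spellings of one of the poster's three pools (RLH1 for access-list 1), using the same placeholder addresses the poster used (75.x.x.x), plus the IPsec-through-NAT helpers the poster already tried. It assumes the pre-NVI config was a plain inside/outside setup on the same interfaces; the "add-route" keyword belongs to the NVI form only, so it is dropped in the classic form.

```cisco
! --- Classic domain-based NAT (the pre-NVI form) ---
! Each interface is marked as a NAT domain, and the translation
! rule says "inside source". No add-route on the pool.
interface GigabitEthernet1/0
 ip nat inside
interface GigabitEthernet3/0
 ip nat inside
interface GigabitEthernet2/0
 ip nat outside
!
ip nat pool RLH1 75.x.x.35 75.x.x.35 netmask 255.255.255.248
ip nat inside source list 1 pool RLH1 overload
access-list 1 permit 10.0.2.0 0.0.0.255
access-list 1 deny any

! --- NVI (NAT virtual interface) form of the same rule ---
! Every participating interface gets "ip nat enable", the rule
! drops the "inside" keyword, and the pool carries add-route so
! the pool prefix is reachable via the NVI.
interface GigabitEthernet1/0
 ip nat enable
interface GigabitEthernet3/0
 ip nat enable
interface GigabitEthernet2/0
 ip nat enable
!
ip nat pool RLH1 75.x.x.35 75.x.x.35 netmask 255.255.255.248 add-route
ip nat source list 1 pool RLH1 overload
access-list 1 permit 10.0.2.0 0.0.0.255
access-list 1 deny any

! --- IPsec-through-PAT helpers (valid in either form) ---
! ESP carries no port numbers, so an overloaded pool cannot key
! the return traffic on a port; spi-match lets the router key it
! on the IPsec SPI instead, and preserve-port keeps IKE on UDP/500.
ip nat service list 1 ike preserve-port
ip nat service list 1 esp spi-match
crypto ipsec nat-transparency spi-matching
```

When checking whether a revert actually took, "show ip nat translations" (classic form) or "show ip nat nvi translations" (NVI form) should list an entry for the client's inside address after a VPN attempt; an empty table in both outputs means the interface markings and the rule form do not match each other, which is the "killed NAT completely" symptom described earlier in the thread. Clearing stale entries with "clear ip nat translation *" between attempts avoids testing against old mappings.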