pluxton at antracnetworks
Nov 15, 2011, 7:40 AM
Cisco 871 ZFW NAT-T issue
I'm having some difficulty connecting to a Cisco 871 via a remote access IPSec connection. I'm using the Shrew VPN client, and when I connect from in front of my home firewall coming from a public IP, all works just fine. I can connect to the 871 and get access to devices on the local LAN behind the 871. When I try to place my PC behind my home firewall, I "seem" to connect, but cannot pass traffic. And by "seem" to connect, I mean Shrew says it's connected and the tunnel is up, I have an IP address assigned to the tunnel, and the appropriate route statements have shown up in my routing table, but if I do a show crypto ipsec sa on the 871, there is nothing there. I can do a show crypto session, and it does show my session, but nothing as the ipsec sa.
I have allowed udp 4500 in my configuration via ACLs and the policy/class maps, but I'm wondering if there is a command on the Cisco 871 that I should be using to enable NAT-T. Everywhere that I've looked it says "make sure NAT-T is supported on both sides of the connection". I know on the ASA you add the command "isakmp nat-traversal 20", but I can't find an analogous command on the 871 using Zone Based Firewall. I will gladly post my config, but I was hoping that this might be an easy fix, or a command that I can't seem to locate to enable NAT-T. When I turn on debug on the 871, I see no reference to port 4500; it all talks about connections from port 500 to 500, which makes me think that I'm missing something on the NAT-T front.
Does anyone have any ideas? As mentioned I can post my config, but wanted to check for the easy answer first.
cisco-nas mailing list
cisco-nas [at] puck
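The following is an added IOS configuration example illustrating the two things the post is asking about (whether NAT-T has an explicit enable on IOS, and what the zone-based firewall must let through to the router's self zone for a NAT-T remote-access peer). It is not the poster's configuration and not a reply from the list; the zone, ACL, class-map, policy-map and interface names are hypothetical placeholders, and the crypto map / ISAKMP profile that actually terminates the Shrew client is assumed to already exist and is not shown.

```ios
! Added example, not from the original post. Names such as OUTSIDE,
! VPN-TO-SELF, VPN-CONTROL and FastEthernet4 are hypothetical.
!
! IOS has no per-peer NAT-T enable like the ASA. UDP encapsulation
! (NAT-T) is on by default; the only per-box knob is the global
! command below, and its "no" form is what would turn NAT-T off.
crypto ipsec nat-transparency udp-encapsulation
!
! Optional: periodic NAT keepalives so the home firewall keeps its
! UDP/4500 translation alive while the tunnel is idle.
crypto isakmp nat keepalive 20
!
! Everything a NAT-T peer needs to reach the router itself:
!   isakmp        = UDP/500   (IKE phase 1 before NAT is detected)
!   non500-isakmp = UDP/4500  (IKE + UDP-encapsulated ESP after NAT-T)
!   esp           = IP proto 50 (peers that are NOT behind NAT)
ip access-list extended VPN-TO-SELF
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
!
class-map type inspect match-any VPN-CONTROL
 match access-group name VPN-TO-SELF
!
! Inbound to the router. "pass" is stateless, so the same traffic is
! also passed explicitly on the reverse zone-pair below.
policy-map type inspect OUTSIDE-TO-SELF
 class type inspect VPN-CONTROL
  pass
 class class-default
  drop log
!
! Router-originated replies (IKE responses, ESP/UDP-4500 back to the
! client). class-default is passed here so other self-originated
! traffic (DNS, NTP, syslog) is not silently dropped.
policy-map type inspect SELF-TO-OUTSIDE
 class type inspect VPN-CONTROL
  pass
 class class-default
  pass
!
zone security OUTSIDE
!
zone-pair security OUT-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-TO-SELF
zone-pair security SELF-OUT source self destination OUTSIDE
 service-policy type inspect SELF-TO-OUTSIDE
!
interface FastEthernet4
 zone-member security OUTSIDE
```

The class-default "drop log" on the outside-to-self policy also drops management traffic such as SSH to the outside address, so add a separate class for that before deploying. To confirm NAT-T was actually negotiated rather than just permitted, check that `show crypto isakmp sa detail` lists the "N" (NAT-traversal) capability for the peer and that `show crypto ipsec sa` reports the peer with `port 4500`; with `debug crypto isakmp` enabled, a successful NAT-T negotiation is visible as NAT-D payload processing followed by the exchange moving from UDP/500 to UDP/4500, which is exactly what the original post reports not seeing.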