[cisco-nas] Cisco 871 ZFW NAT-T issue

Patty Luxton pluxton at antracnetworks.com
Tue Nov 15 10:40:21 EST 2011


Hello,
I'm having some difficulty connecting to a Cisco 871 via a remote access IPsec connection. I'm using the Shrew VPN client, and when I connect from in front of my home firewall, coming from a public IP, all works just fine. I can connect to the 871 and get access to devices on the local LAN behind the 871. When I place my PC behind my home firewall, I "seem" to connect, but cannot pass traffic. By "seem" to connect I mean that Shrew says it's connected and the tunnel is up, I have an IP address assigned to the tunnel, and the appropriate route statements have shown up in my routing table, but if I do a show crypto ipsec sa on the 871, there is nothing there. I can do a show crypto session, and it does show my session, but nothing as the IPsec SA.
I have allowed UDP 4500 in my configuration via ACLs and the policy/class maps, but I'm wondering if there is a command on the Cisco 871 that I should be using to enable NAT-T. Everywhere that I've looked it says "make sure NAT-T is supported on both sides of the connection". I know on the ASA you add the command "isakmp nat-transversal 20", but I can't find an analogous command on the 871 using Zone Based Firewall. I will gladly post my config, but I was hoping that this might be an easy fix, or a command that I can't seem to locate to enable NAT-T. When I turn debug on on the 871, I see no reference to port 4500; it all talks about connections from port 500 to 500, which makes me think that I'm missing something on the NAT-T front.
Does anyone have any ideas?  As mentioned I can post my config, but wanted to check for the easy answer first.
Thanks!
Patty
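As an added example (not part of Patty's post and not taken from her 871 configuration), the fragment below shows the NAT-T related IOS commands and the shape of a Zone-Based Firewall policy that lets ISAKMP, NAT-T and ESP reach the router's self zone. The interface, zone, ACL, class-map and policy-map names are assumptions chosen for illustration.

```cisco
! NAT-T is enabled by default in IOS; there is no ASA-style "enable" command.
! This is the command whose "no" form would turn it off, so make sure the
! running config does NOT contain "no crypto ipsec nat-transparency udp-encapsulation".
crypto ipsec nat-transparency udp-encapsulation
! Optional: NAT keepalives so the home firewall keeps the UDP 4500 binding open
crypto isakmp nat keepalive 20
!
! What the outside zone may send to the router itself (the built-in "self" zone).
! ACL name is an assumption.
ip access-list extended VPN-TO-SELF
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
!
class-map type inspect match-all CM-VPN-TO-SELF
 match access-group name VPN-TO-SELF
!
policy-map type inspect PM-OUT-TO-SELF
 class type inspect CM-VPN-TO-SELF
  pass
 class class-default
  drop log
!
zone security OUTSIDE
! Zone-pair into the self zone; interface name is an assumption.
zone-pair security OUT-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUT-TO-SELF
!
interface FastEthernet4
 zone-member security OUTSIDE
```

Two checks worth running on the router after the client reports "connected": `show crypto isakmp sa detail` lists a Capabilities column in which an N marks a peer for which NAT-T was detected, and once an IPsec SA exists `show crypto ipsec sa` reports the peer as `port 4500` rather than `port 500`. If the debug output only ever shows 500 to 500 the NAT-T float never happened, which points at the NAT detection phase of IKE (or at the client side) rather than at the ZFW rules. Note also that `pass` is stateless: if a zone-pair from self to OUTSIDE also exists in the config, it needs a matching `pass` for UDP 500/4500 and ESP, or the replies will be dropped.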