Cisco VPN Concentrator 3005 Problems

By jfowler
I am having problems getting the VPN 3005 up and running. We have an ISDN connection to the internet through our Ascend Pipeline 50 ISDN router. The Pipeline 50 router uses NAT and all machines on our LAN use private IP addresses. The only real address we have is assigned to the WAN interface on the Pipeline 50. The LAN interface on the Pipeline 50 has the address of 192.168.100.1, which we use as the default gateway. I have given the VPN 3005 private and public interfaces IP addresses 192.168.100.250 and 192.168.100.251 respectively. I have enabled IPSec through NAT in Configuration | User Management | Base Group and assigned it UDP port 10101. I have then configured static mappings of UDP ports 500 and 10101 to 192.168.100.251 (public interface on the 3005) in the NAT configuration on the Pipeline 50. I have the client installed on a notebook PC that dials into an Internet account. I set up the VPN dialer to connect to the WAN IP address of the Pipeline 50 ISDN router. It gets to Negotiating security profiles, pauses, and then it comes back with "Unable to negotiate IPSec or host did not respond". This is my first experience with VPN and I feel I'm in a little over my head. Any help is appreciated.


by -Q-240248 In reply to Cisco VPN Concentrator 30 ...

The VPN Cisco router must have a valid, public IP address. You listed two private addresses. Then test without using IPSec first, then add IPSec last, after VPN works correctly.


by jfowler In reply to Cisco VPN Concentrator 30 ...

Well, your answer helped somewhat. Yes, you were correct in the fact that the public and private interfaces need to be on separate networks and this ended up being my main problem. However, the public interface does NOT have to have a valid, public IP address. I kept the private IP address 192.168.100.250 on the private interface and changed the public interface to 192.168.200.250. I then added a second IP address of 192.168.200.1 to the Pipeline's LAN interface and configured that as the default gateway on the VPN 3005. I then changed the NAT static mappings of UDP ports 500 and 10101 (the port I assigned to "IPSec through NAT" on the 3005) to the public interface on 192.168.200.250. I also ended up upgrading the software on the Pipeline to 6.1.44 from 6.1.7, which may have helped as well. I did try upgrading to the latest version, 8.0-101.0, but the routing table got all jacked and I ended up reverting back to 6.1.44. I am still waiting for Lucent (who now owns Ascend) to reply with a fix to my routing problems with the latest version.
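
Added example (not part of the original thread, and not Cisco or Ascend tooling): a small Python check that compares the addressing plan from the first post with the one from the follow-up above, flagging the shared-subnet problem and any static UDP mapping that does not point at the concentrator's public interface. The `/24` masks, the 3005's original default gateway and the `check_plan` data layout are assumptions; the thread does not state them.

```python
import ipaddress

# UDP 500 is IKE; 10101 is the "IPSec through NAT" port chosen in the thread.
REQUIRED_UDP = {500, 10101}

def check_plan(plan):
    """Return a list of problems in a VPN-behind-NAT addressing plan ([] = consistent)."""
    problems = []
    priv = ipaddress.ip_interface(plan["vpn_private"])
    pub = ipaddress.ip_interface(plan["vpn_public"])
    gw = ipaddress.ip_address(plan["vpn_default_gw"])
    router_ips = {ipaddress.ip_interface(a).ip for a in plan["router_lan"]}

    if priv.network.overlaps(pub.network):
        problems.append("public and private interfaces share a subnet")
    if gw not in pub.network:
        problems.append("default gateway is outside the public interface subnet")
    if gw not in router_ips:
        problems.append("default gateway is not an address on the router LAN interface")
    mapped = {port for port, target in plan["static_udp_nat"].items()
              if ipaddress.ip_address(target) == pub.ip}
    for port in sorted(REQUIRED_UDP - mapped):
        problems.append(f"UDP {port} is not mapped to the public interface")
    return problems

# Constructed from the first post; the /24 masks and the 3005's gateway are assumptions.
ORIGINAL = {
    "vpn_private": "192.168.100.250/24",
    "vpn_public": "192.168.100.251/24",
    "vpn_default_gw": "192.168.100.1",
    "router_lan": ["192.168.100.1/24"],
    "static_udp_nat": {500: "192.168.100.251", 10101: "192.168.100.251"},
}
# Constructed from the follow-up post (second LAN address added on the Pipeline).
FIXED = {
    "vpn_private": "192.168.100.250/24",
    "vpn_public": "192.168.200.250/24",
    "vpn_default_gw": "192.168.200.1",
    "router_lan": ["192.168.100.1/24", "192.168.200.1/24"],
    "static_udp_nat": {500: "192.168.200.250", 10101: "192.168.200.250"},
}

if __name__ == "__main__":
    for name, plan in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, check_plan(plan) or "consistent")
```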


by edkeogh In reply to Cisco VPN Concentrator 30 ...

I am not familiar with the specific NAT features on the Pipeline 50, but some NAT implementations do not support the ports used by IPSec to establish communications from Client to Server.
One workaround is to set up a STATIC NAT mapping between the outside address on the VPN Concentrator and a free Public address available to the Pipeline.
If you cannot do this, then try the following:
NOTE: DO NOT ATTEMPT THIS ON YOUR LIVE NETWORK
Ask your ISP for a range of addresses, 2 minimum, 4 or 8 would be better.
Turn off NAT and set the Pipeline 50 to use an unnumbered ISDN link, or have it negotiate the address on dial in to the ISP.
Configure one of the registered addresses on the Pipeline 50 Ethernet port and another on the VPN Concentrator outside port.
VPN Clients then connect to the address on the VPN Concentrator outside port as these addresses are registered and routed to you by the ISP.
You should have a Firewall between your network and the internet, unless your security policy encrypts ALL traffic through the VPN Concentrator.

by jfowler In reply to Cisco VPN Concentrator 30 ...

This question was closed by the author

VPN 3005

by niemczyn In reply to Cisco VPN Concentrator 30 ...

Browser will not come up remotely - GUI. Page Cannot Be Displayed.
How do I fix it?
