What would be the command to allow NAT Traversal for a VPN connection on a Cisco router 2801 running IOS 12.4?
I have a Nortel Contivity 600 (sitting on the internet) that I'm trying to get connected to my other Contivity box (sitting behind my Cisco 2801). They establish the connection to each other (over port 5000), but no other traffic will pass through, and no packets accumulate in the stats. So I'm thinking I'm missing something in the router config. Any suggestions would be great.
Part 1
! NVRAM config last updated at 09:42:40 PCTime Mon Sep 24 2007
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router121221
!
boot-start-marker
boot-end-marker
!
logging buffered 10240 informational
no logging console
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
network-clock-participate wic 1
network-clock-select 1 T1 0/1/0
network-clock-select 2 T1 0/1/1
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
Part 2
ip inspect name FW icmp
ip inspect name FW h323 timeout 3600
ip inspect name FW https
ip inspect name FW cuseeme timeout 3600
ip inspect name FW ftp timeout 3600
ip inspect name FW rcmd timeout 3600
ip inspect name FW realaudio timeout 3600
ip inspect name FW smtp timeout 3600
ip inspect name FW sqlnet timeout 3600
ip inspect name FW streamworks timeout 3600
ip inspect name FW tftp timeout 30
ip inspect name FW vdolive timeout 3600
ip inspect name FW isakmp
ip inspect name FW h323callsigalt timeout 3600
ip inspect name FW tcp timeout 3600
ip inspect name FW udp timeout 15
ip inspect name FW sip-tls
ip inspect name FW sip
!
!
no ip domain lookup
ip domain name domain.com
!
controller T1 0/1/0
framing esf
linecode b8zs
channel-group 1 timeslots 1-24
!
controller T1 0/1/1
framing esf
linecode b8zs
channel-group 1 timeslots 1-24
!
class-map match-all T1
match ip rtp 49152 1240
class-map match-all T2
match access-group 120
class-map match-all V1
match ip dscp ef
!
!
policy-map LAN
class T1
set ip dscp ef
class T2
set ip dscp ef
policy-map WAN
class V1
priority 768
class class-default
fair-queue
!
!
interface Multilink1
no ip address
ppp multilink
ppp multilink group 1
!
interface MFR1
no ip address
encapsulation frame-relay IETF
ip route-cache flow
frame-relay lmi-type ansi
service-policy output WAN
!
interface MFR1.1 point-to-point
bandwidth 3072
ip address 10.50.1.2 255.255.255.252
frame-relay interface-dlci 50
!
interface MFR1.2 point-to-point
bandwidth 3072
ip address 63.30.129.34 255.255.255.252
ip access-group inbound_acl in
ip access-group 100 out
ip inspect FW out
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
no arp frame-relay
frame-relay interface-dlci 100
!
interface FastEthernet0/0
ip address 86.198.137.167 255.255.255.240 secondary
ip address 10.1.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
service-policy input LAN
!
interface FastEthernet0/1
description $ETH-WAN$
ip address 10.1.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/1/0:1
no ip address
encapsulation frame-relay MFR1
no arp frame-relay
!
interface Serial0/1/1:1
no ip address
encapsulation frame-relay MFR1
no arp frame-relay
!
interface Serial0/2/0
ip address 192.168.168.1 255.255.255.252
ip nat inside
ip virtual-reassembly
load-interval 30
fair-queue
!
ip classless
ip route 0.0.0.0 0.0.0.0 64.40.129.33
ip route 10.0.0.0 255.0.0.0 10.50.1.1
ip route 10.40.2.0 255.255.255.0 192.168.168.2
ip route 10.60.2.0 255.255.255.0 10.1.2.51
ip route 10.100.3.0 255.255.255.0 10.1.2.51
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 102 interface MFR1.2 overload
ip nat inside source static tcp 55.90.229.34 23 55.90.229.34 23 extendable
ip nat inside source static 10.1.2.16 55.66.77.177
ip nat inside source static 10.1.2.10 55.66.77.178
ip nat inside source static 10.1.2.58 55.66.77.179
ip nat inside source static 10.1.2.11 55.66.77.180
ip nat inside source static 10.1.2.31 55.66.77.181
ip nat inside source static 10.1.2.4 55.66.77.182
ip nat inside source static 10.1.10.2 55.66.77.183
ip nat inside source static 10.1.2.85 55.66.77.184
ip nat inside source static 10.40.2.10 55.66.77.185
ip nat inside source static 10.1.2.125 55.66.77.186
ip nat inside source static 10.1.10.3 55.66.77.187
ip nat inside source static 10.1.2.162 55.66.77.188
ip access-list extended inbound_acl
permit icmp any any
permit tcp any host 55.40.29.44 eq telnet
permit icmp any any unreachable
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any traceroute
permit icmp any any administratively-prohibited
permit icmp any any echo
permit esp any any
permit gre any any
permit ospf any any
permit udp any any eq ntp
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq 3804
permit udp any any eq 5000
permit tcp any any eq 123
permit tcp any any eq 1723
permit tcp any any eq 3101
permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
permit tcp 64.18.0.0 0.0.15.255 host 55.66.77.178 eq smtp
permit tcp any host 55.66.77.178 eq www
permit tcp any host 55.66.77.178 eq 443
permit tcp any host 55.66.77.178 eq 143
permit udp any host 55.66.77.178 eq 143
deny ip any any log
logging trap notifications
logging 10.1.2.18
access-list 100 permit icmp any any
access-list 100 permit tcp any any
access-list 100 permit udp any any
access-list 100 permit esp any any
access-list 100 permit gre any any
access-list 100 permit ospf any any
access-list 101 permit ip 10.40.2.0 0.0.0.255 any
access-list 102 permit ip any any
access-list 120 permit ip host 10.1.2.4 host 10.10.2.20
access-list 120 permit ip host 10.1.2.4 host 10.20.2.20
access-list 120 permit ip host 10.1.2.4 host 10.30.2.20
snmp-server community default RO
disable-eadi
!
!
control-plane
!
!
line con 0
exec-timeout 90 0
password br0adwing
login
transport preferred none
line aux 0
modem InOut
transport input all
line vty 0 4
exec-timeout 90 0
password br0adwing
login
transport preferred none
!
ntp clock-period 17178185
ntp update-calendar
ntp server 192.5.41.40
end
Post your run config.
If I understand, you’re saying you need two devices, one inside the 2801 and one outside the 2801 to connect to each other using port 5000.
Your access-list extended inbound_acl shows a permit for UDP 5000 but not TCP 5000.
Could it be that the connection is TCP?
The problem is with your overload NAT: by default devices will do NAT first, so you must use a route list to permit your overload NAT nets and deny the ones to the VPN; otherwise it will always NAT the traffic and thus never match the VPN.
ip nat inside source route-map RMAP_1 interface FastEthernet0/0 overload
!
route-map RMAP_1 permit 1
match ip address 106
!
access-list 106 remark VPN net
access-list 106 deny ip 10.100.1.0 0.0.0.255 any
access-list 106 remark your net
access-list 106 permit ip 172.16.1.0 0.0.0.255 any
ACL order is important.
Note: the addresses are not yours, so just fit in the appropriate ones.
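As an added illustration (not config from the thread or the reply), the following Python models the first-match, wildcard-mask ACL evaluation behind the NAT rule the reply describes, using the thread's `access-list 102 permit ip any any`, the 2801's LAN 10.1.2.0/24 from the posted config and the reply's placeholder VPN net 10.100.1.0/24. Writing the exemption as an inside-LAN-to-VPN-net pair is an assumption, and 198.51.100.7 is a constructed internet host.

```python
"""Model of the IOS NAT decision the reply above describes.

Added example, not config from the thread: it reproduces first-match
evaluation of a Cisco numbered ACL (wildcard masks, implicit deny at the
end) and reports whether a flow's source would be translated by
'ip nat inside source ... overload'. 198.51.100.7 is a constructed host.
"""
from ipaddress import IPv4Address


def _as_int(dotted):
    return int(IPv4Address(dotted))


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_as_int(wildcard) & 0xFFFFFFFF
    return (_as_int(addr) & care) == (_as_int(network) & care)


def acl_lookup(entries, src, dst):
    """entries are (action, src_net, src_wc, dst_net, dst_wc) in config order.
    The first matching entry wins; no match hits the implicit deny."""
    for action, snet, swc, dnet, dwc in entries:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action
    return "deny"


def would_nat(acl, src, dst):
    """NAT translates a flow only when the ACL behind the NAT rule (directly or
    via the route-map) permits it; a deny keeps the private source intact so
    the packet can still match the VPN policy."""
    return acl_lookup(acl, src, dst) == "permit"


ANY = ("0.0.0.0", "255.255.255.255")

# The thread's original rule, 'access-list 102 permit ip any any': everything is NATed.
ACL_102 = [("permit", *ANY, *ANY)]

# The reply's fix written as inside LAN -> remote VPN net (assumption: 10.1.2.0/24
# is the 2801's LAN from the posted config, 10.100.1.0/24 the reply's placeholder).
ACL_106 = [
    ("deny", "10.1.2.0", "0.0.0.255", "10.100.1.0", "0.0.0.255"),  # VPN net: no NAT
    ("permit", "10.1.2.0", "0.0.0.255", *ANY),                     # your net: overload
]

# The same two lines swapped: the permit shadows the deny ("ACL order is important").
ACL_106_MISORDERED = list(reversed(ACL_106))

if __name__ == "__main__":
    for name, acl in (("102", ACL_102), ("106", ACL_106), ("106 swapped", ACL_106_MISORDERED)):
        print(name, "VPN-bound NATed:", would_nat(acl, "10.1.2.10", "10.100.1.5"),
              "internet-bound NATed:", would_nat(acl, "10.1.2.10", "198.51.100.7"))
```

One consequence worth checking against the posted config: with the narrowed ACL, a host on the 10.1.10.0/24 segment behind FastEthernet0/1 is no longer translated at all, so every inside network that needs internet access needs its own permit line.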