Hi,

The only thing I can think of is that the original packet is being NAT'ed
before IPSec encapsulation.  This breaks NetBT, as some of the NetBT
traffic includes IP addresses within the NetBT packet.  I have seen logons
not work over NAT.

You could try the following to exclude VPN traffic from being NAT'ed:

access-list EXCLUDE permit ip x.x.x.x m.m.m.m y.y.y.y m.m.m.m
nat (inside) 0 access-list EXCLUDE

Here x.x.x.x m.m.m.m is the local PIX internal network (e.g. 192.168.10.0
255.255.255.0) and y.y.y.y m.m.m.m is the remote NT server network.
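
As an added illustration (an editor's example, not code from either poster), the following Python builds an RFC 1002 NetBIOS datagram, applies PAT to it the way the posted `nat (inside) 1 0.0.0.0 0.0.0.0` / `global (outside) 1 interface` pair would, and shows that the SOURCE_IP carried inside the NetBT header no longer matches the outer IP header; the `nat_exempt` function models the `nat (inside) 0 access-list EXCLUDE` exemption suggested above, under which the packet is never translated. The addresses 10.1.1.101, 24.176.210.204, 10.1.1.0/24 and 167.191.0.0/16 come from the PIX config quoted below; the NT server address 167.191.10.5, the names WKS1 and LAMRC, the datagram ID and the mailslot payload are assumptions made for the example.

```python
"""Why PAT ahead of IPsec breaks NetBT, and what 'nat 0' changes.

RFC 1002's NetBIOS datagram service (UDP/138, which carries NT logon
mailslot traffic) repeats the sender's IP address and port inside the
NetBIOS header.  A PAT device without a NetBIOS ALG rewrites only the
outer IP/UDP headers, so the receiver sees two different source addresses.
All packet bytes below are constructed for this example.
"""
import ipaddress
import socket
import struct

NBT_DGM_PORT = 138
DGM_TYPES = {0x10, 0x11, 0x12}   # DIRECT_UNIQUE, DIRECT_GROUP, BROADCAST


def nbt_encode_name(name, suffix=0x00):
    """First-level encoding (RFC 1001 14.1): 15-char space-padded name plus
    suffix byte, each byte split into two nibbles offset by 'A', wrapped as
    a 32-byte label with length prefix and root terminator."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    label = bytes(ord("A") + n for b in raw for n in (b >> 4, b & 0x0F))
    return bytes([len(label)]) + label + b"\x00"


def build_nbt_datagram(src_ip, src_port, src_name, dst_name, user_data):
    """DIRECT_UNIQUE datagram: MSG_TYPE, FLAGS, DGM_ID, SOURCE_IP, SOURCE_PORT,
    DGM_LENGTH, PACKET_OFFSET, then encoded source/destination names + data."""
    body = nbt_encode_name(src_name) + nbt_encode_name(dst_name, 0x1C) + user_data
    hdr = struct.pack("!BBH4sHHH", 0x10, 0x02, 0x1234,   # DGM_ID 0x1234 assumed
                      socket.inet_aton(src_ip), src_port, len(body), 0)
    return hdr + body


def build_ip_udp(src_ip, dst_ip, src_port, dst_port, payload):
    """Minimal IPv4 + UDP wrapper (checksums left zero; not needed here)."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + udp


def pat_rewrite(packet, global_ip, global_port):
    """What PAT does: rewrite the IP source and UDP source port and leave
    the payload (including the NetBT SOURCE_IP field) untouched."""
    ip, udp, rest = bytearray(packet[:20]), bytearray(packet[20:28]), packet[28:]
    ip[12:16] = socket.inet_aton(global_ip)
    udp[0:2] = struct.pack("!H", global_port)
    return bytes(ip) + bytes(udp) + rest


def nat_exempt(packet, local_net, remote_net):
    """Model of 'nat (inside) 0 access-list EXCLUDE': return True when the
    packet goes from local_net to remote_net and so must skip translation."""
    src = ipaddress.ip_address(socket.inet_ntoa(packet[12:16]))
    dst = ipaddress.ip_address(socket.inet_ntoa(packet[16:20]))
    return src in ipaddress.ip_network(local_net) and dst in ipaddress.ip_network(remote_net)


def nbt_source_check(packet):
    """Compare the IP-header source address/port with the SOURCE_IP and
    SOURCE_PORT embedded in a NetBIOS datagram header.  Returns None for
    packets that are not NetBIOS datagrams."""
    ihl = (packet[0] & 0x0F) * 4
    src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
    if dst_port != NBT_DGM_PORT:
        return None
    nbt = packet[ihl + 8:]
    msg_type, _flags, _dgm_id, emb_ip, emb_port = struct.unpack("!BBH4sH", nbt[:10])
    if msg_type not in DGM_TYPES:
        return None
    outer = (socket.inet_ntoa(packet[12:16]), src_port)
    embedded = (socket.inet_ntoa(emb_ip), emb_port)
    return {"outer": outer, "embedded": embedded, "consistent": outer == embedded}


def demo():
    inside_host, pix_outside = "10.1.1.101", "24.176.210.204"   # from the PIX config
    nt_server = "167.191.10.5"                                   # assumed host in 167.191.0.0/16
    dgm = build_nbt_datagram(inside_host, 138, "WKS1", "LAMRC",
                             b"\\MAILSLOT\\NET\\NETLOGON\x00")   # names/payload assumed
    pkt = build_ip_udp(inside_host, nt_server, 138, NBT_DGM_PORT, dgm)
    results = {"before_pat": nbt_source_check(pkt)["consistent"]}
    # 'nat (inside) 1 0.0.0.0 0.0.0.0' + 'global (outside) 1 interface'
    results["after_pat"] = nbt_source_check(pat_rewrite(pkt, pix_outside, 1024))["consistent"]
    # with the nat 0 exemption the tunnel traffic is never translated
    exempt = nat_exempt(pkt, "10.1.1.0/24", "167.191.0.0/16")
    translated = pkt if exempt else pat_rewrite(pkt, pix_outside, 1024)
    results["with_nat0"] = nbt_source_check(translated)["consistent"]
    return results


if __name__ == "__main__":
    print(demo())
```

Running it prints the three checks: the embedded and outer sources agree before PAT, disagree after PAT, and agree again when the nat 0 exemption applies. The same comparison can be run over real UDP/138 packets captured on the far side of a tunnel to confirm whether address rewriting is happening before encapsulation.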

-----Original Message-----
From: Jim Bond [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 11, 2000 12:18 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: last try: tough VPN question


Hello,

Let me re-describe the situation:

Central office 7100 router, site office PIX (NAT
overload 1 public ip address), IPSec tunnel is
established, clients at site office can't logon NT
domain but can do everything else.

Today, I replaced the PIX with a 3620 router (same
IPSec setup), everything works fine. Clients can logon
NT domain.

I think that proves 1) I don't have a naming issue 2) PAT
works with IPSec. I don't understand why PIX wouldn't
work. Please see my PIX config.

Thanks in advance.


Jim

PIX Version 5.2(3)
access-list 100 permit ip host 24.176.210.204 167.191.0.0 255.255.0.0
ip address outside 24.176.210.204 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 24.176.210.1 1
sysopt connection permit-ipsec
crypto ipsec transform-set IPSEC esp-des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 100
crypto map newmap 10 set peer 169.193.13.2
crypto map newmap 10 set transform-set IPSEC
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 169.193.13.2 netmask 255.255.255.255
isakmp identity hostname
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
dhcpd address 10.1.1.101-10.1.1.110 inside
dhcpd dns 24.1.64.33 24.1.64.34
dhcpd wins 169.193.28.60 169.193.148.25
dhcpd lease 3600
dhcpd domain dhcp.lamrc.com
dhcpd enable inside


_______________________________________________________
To unsubscribe from the CCIELAB list, send a message to
[EMAIL PROTECTED] with the body containing:
unsubscribe ccielab

_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]