VPN + NAT + ISDN = Stumped: msg#00137 network.nsp.cisco
Hello,

I checked the archives; unless I missed something, the list discussion fizzled on a similar question by Ray Davis at Carpnet. The SA session establishes, and that's about it. Private hosts on either end are unable to see each other. I must be missing something? The config that I used on the ISDN side works on a router that uses a DSL circuit. The only difference I can see is Dialer 0 on the ISDN router vs. fa0 on the DSL router.

Private Network 10.100.200.0/24   Remote Side Router
WAN IP 111.111.111.51/32          Remote Side Router
WAN IP 222.222.222.100            VPN-Gateway HQ Side Router
Private Network 10.10.0.0/16

Layout:

Local LAN
Host1        | Host2        | Host 3
1.100.200.1  | 10.100.200.2 | 10.100.200.3
            ||
            || (Fastether)
            ||
            ||
-------------------------
|10.100.200.254/24 fa0  |
|                       |
|Router 1751            |
|                       |
|111.111.111.51 dialer0 |
-------------------------
            ||
            || (ISDN)
            ||
            ||
-------------------------
|                       |
|ISP/Internet Cloud     |
|                       |
-------------------------
            ||
            || (T1)
            ||
            ||
-------------------------
|222.222.222.100 se0    |
|                       |
|VPN Gateway            |
|                       |
|10.10.0.254/16 fa0     |
-------------------------
            ||
            ||
            || (Fastether)
            ||
            ||
Host1 10.10.0.82/16

-----------------------------
Remote Router Config (1721):
Note: It's a nasty config :(

crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key bla1 address 222.222.222.100
!
crypto ipsec transform-set bla2 esp-3des esp-sha-hmac
!
crypto map Test 1 ipsec-isakmp
 set peer 222.222.222.100
 set transform-set bla2
 match address 101
interface BRI0
 no ip address
 ip nat outside
 encapsulation ppp
 dialer rotary-group 0
 dialer-group 1
 isdn switch-type basic-ni
 isdn spid1 41412345670101 1234567
 isdn spid2 41412345680101 1234568
 crypto map Test
interface FastEthernet0
 ip address 10.100.200.254 255.255.255.0
 ip nat inside
 speed auto
!
interface Dialer0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 2000000
 dialer string 2336981
 dialer load-threshold 1 outbound
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username blablaa@xxxxxxx password bla
 ppp multilink
 crypto map Test
ip nat inside source list 103 interface dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 101 permit ip 10.100.200.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 103 deny ip 10.100.200.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 103 permit ip host 10.100.200.1 any
access-list 103 permit ip host 10.100.200.2 any
access-list 103 permit ip host 10.100.200.3 any
dialer-list 1 protocol ip permit

---------------------
VPN Gateway Config:

crypto isakmp policy 2
 hash md5
 authentication pre-share
!
crypto isakmp key bla1 address 111.111.111.51
!
crypto ipsec transform-set bla2 esp-3des esp-sha-hmac
!
crypto map Test 32 ipsec-isakmp
 set peer 111.111.111.51
 set transform-set bla2
 match address 132
!
interface se0
 ip address 222.222.222.100 255.255.255.252
 ip nat outside
 crypto map Test
interface fa0
 ip address 10.10.0.254 255.255.0.0
 ip nat inside
ip nat inside source 103 interface serial0 overload
ip route 0.0.0.0 0.0.0.0 serial 0
access-list 132 permit ip 10.10.0.0 0.0.255.255 10.100.200.0 0.0.0.255
access-list 103 permit ip 10.10.0.0 0.0.255.255 10.0.0.0 0.255.255.255

SL
--
<><><><><><><><><><><><><><><><><><><><>
Steve Lim - Network Engineer (Michigan)
Corecomm -An ATX Communications Company
Life is a feast, enjoy it while you wait for desert -limmer
_______________________________________________
cisco-nsp mailing list
cisco-nsp@xxxxxxxxxxxxxxx
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
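An added example, not part of the original post: on IOS, inside-to-outside NAT is applied before the crypto map's match-address check, so a flow that the NAT list translates no longer matches the crypto ACL and leaves unencrypted. The sketch below evaluates the ACL lines copied from the two configs above to see whether each side's NAT list 103 exempts the tunnel traffic; the function names are hypothetical.

```python
import ipaddress

# Added example; ACL lines copied from the two configs in the post above.
REMOTE = """\
access-list 101 permit ip 10.100.200.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 103 deny ip 10.100.200.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 103 permit ip host 10.100.200.1 any
access-list 103 permit ip host 10.100.200.2 any
access-list 103 permit ip host 10.100.200.3 any
"""
GATEWAY = """\
access-list 132 permit ip 10.10.0.0 0.0.255.255 10.100.200.0 0.0.0.255
access-list 103 permit ip 10.10.0.0 0.0.255.255 10.0.0.0 0.255.255.255
"""

def ip2int(a):
    return int(ipaddress.IPv4Address(a))

def take_addr(tok):
    # Consume 'any', 'host A' or 'A WILDCARD' from the token list -> (base, wildcard).
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return ip2int(tok.pop(0)), 0
    return ip2int(first), ip2int(tok.pop(0))

def parse_acls(text):
    # {acl number: [(action, src_spec, dst_spec), ...]} for "access-list N <action> ip ..." lines.
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 6 and tok[0] == "access-list" and tok[3] == "ip":
            rest = tok[4:]
            acls.setdefault(tok[1], []).append((tok[2], take_addr(rest), take_addr(rest)))
    return acls

def acl_permits(entries, src, dst):
    # First match wins; a packet matching no entry hits the implicit deny.
    for action, (sb, sw), (db, dw) in entries:
        s_ok = ((ip2int(src) ^ sb) & ~sw & 0xFFFFFFFF) == 0
        d_ok = ((ip2int(dst) ^ db) & ~dw & 0xFFFFFFFF) == 0
        if s_ok and d_ok:
            return action == "permit"
    return False

def natted_before_crypto(text, crypto_acl, nat_acl, src, dst):
    # True when a flow the crypto ACL selects is also permitted (translated) by the NAT ACL.
    acls = parse_acls(text)
    return acl_permits(acls[crypto_acl], src, dst) and acl_permits(acls[nat_acl], src, dst)
```

With the ACLs as posted, `natted_before_crypto(REMOTE, "101", "103", "10.100.200.2", "10.10.0.82")` returns False because list 103 on the remote router denies 10.100.200.0/24 to 10.0.0.0/8 first. `natted_before_crypto(GATEWAY, "132", "103", "10.10.0.82", "10.100.200.2")` returns True because the gateway's list 103 permits 10.10.0.0/16 to 10.0.0.0/8.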