11-22-2010 9:52 PM
I've got a pretty standard Cisco setup, just at home. I'm trying to set up a MicroCell and not having the best luck.
Currently my MicroCell picked up IP 192.168.0.18, so I built a few inbound NATs and also permitted the traffic on my inbound ACL, but it's still not working. I have been searching on and off for days trying to find any documentation on how to get one of these to work from behind a Cisco router, but I've come up empty.
Here's a snippet of my config. I only have one internet IP (on my Fa4 interface):
! Static port forwards from the single public IP on Fa4 to the MicroCell (192.168.0.18):
! NAT-T (UDP/4500), NTP (UDP/123), ISAKMP (UDP/500), ESP and HTTPS (TCP/443)
ip nat inside source static udp 192.168.0.18 4500 interface FastEthernet4 4500
ip nat inside source static udp 192.168.0.18 123 interface FastEthernet4 123
ip nat inside source static udp 192.168.0.18 500 interface FastEthernet4 500
! TCP/4500 too - the documentation lists UDP twice, but I figured this was worth a try
ip nat inside source static tcp 192.168.0.18 4500 interface FastEthernet4 4500
ip nat inside source static esp 192.168.0.18 interface FastEthernet4
ip nat inside source static tcp 192.168.0.18 443 interface FastEthernet4 443
!
! Entries from the extended ACL applied inbound on Fa4 (the ACL name is not in the post).
! Each line shows a different source address with the same 0.0.1.255 wildcard, so the
! addresses appear to have been altered when the post was saved; read them as one /23 block.
permit udp 22.214.171.124 0.0.1.255 any eq ntp
permit udp 126.96.36.199 0.0.1.255 eq ntp any
permit udp 188.8.131.52 0.0.1.255 any eq isakmp
permit udp 184.108.40.206 0.0.1.255 eq isakmp any
permit udp 220.127.116.11 0.0.1.255 any eq non500-isakmp
permit udp 18.104.22.168 0.0.1.255 eq non500-isakmp any
permit tcp 22.214.171.124 0.0.1.255 any eq 4500
permit tcp 126.96.36.199 0.0.1.255 any eq 443
permit esp 188.8.131.52 0.0.1.255 any log-input
! Catch-all permits (with logging) added while troubleshooting, then the logged deny
permit udp 184.108.40.206 0.0.1.255 any log-input
permit tcp 220.127.116.11 0.0.1.255 any log-input
permit ip 18.104.22.168 0.0.1.255 any log-input
deny ip 22.214.171.124 0.0.1.255 any log-input
I know the MicroCell works, since I swapped my Cisco for an old Netgear router and things connected just fine. Not sure why this is so difficult. I tried shotgunning permits at this thing, and still everything lights up and the connect bars blink green occasionally instead of syncing up.
12-02-2010 3:15 PM
Anyone??? The next step will have to be a sniffer on the inside and outside to see if something is getting missed...
12-03-2010 9:12 AM
I've got a Cisco 2621XM running 12.4T that works with a MicroCell behind it without any special NAT port forwarding. Have you tried removing all the special forwarded ports you've got set up and just letting it sit for a few hours to see if it'll register?
Once I get home I'll post my config for you to check out and compare to yours.
12-03-2010 10:18 AM
I have tried it without the NAT stuff in there, but from what I had read, I had to put some of that in. It seems to pick up and work fine when I take the Cisco out and use it with a little Linksys-type router.
Thanks for the heads up though - good to know it's possible!
12-05-2010 2:49 PM
12-06-2010 12:28 PM
So you don't have an outside ACL at all then? I'll give it a try without one, as that'll make it easier to sniff the traffic, but I'll have to apply an ACL before I can call this done.
01-07-2011 8:04 AM
Were you able to get this working with an ASA in front of the MicroCell? I have the same problems as you do when using the ASA.
01-07-2011 8:11 AM
I never was able to get it working. It was a loaner from someone at work and I had to get it back to them. Not sure if I'll bother buying one for myself, even though it would really help me at home. I did a sniffer capture on the inside and outside and couldn't figure out why it wasn't working. The only other thing I was going to try was a sniffer capture inside and out while it was hooked up through a Linksys that works, then comparing the results.
I'd be happy to help decode if you can get some captures, but I don't have a MicroCell to keep testing with.
01-25-2011 6:25 PM
You may need to configure IPsec passthrough (CBAC inspection):
! Inspection set: track ISAKMP (UDP/500) and use the ipsec-msft keyword,
! which is CBAC's IPsec passthrough inspection
ip inspect name General-Fixups isakmp
ip inspect name General-Fixups ipsec-msft
Then on your outside interface:
! Apply the inspection set on the outside interface
ip inspect General-Fixups in
ip inspect General-Fixups out
I'm flying from memory here, but maybe give that a try.
06-20-2011 1:01 PM
I was able to get mine working. Here is the relevant part of the configuration.
! Dynamic PAT of the inside network to the outside interface address
! (ASA 8.3+ object NAT: this line sits under the 'object network' for the
! inside subnet, which is not shown here)
nat (inside,outside) dynamic interface
! Inbound ACL for the outside interface (bound with an access-group statement,
! not shown): ISAKMP, NAT-T and ESP from anywhere
access-list Outside-In extended permit udp any any eq 500
access-list Outside-In extended permit udp any any eq 4500
access-list Outside-In extended permit esp any any
The port for ESP must be open along with the other relevant ports. NAT was not an issue.
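The thread boils down to three flows that must survive the edge ACL: UDP/500 (ISAKMP), UDP/4500 (NAT-T) and protocol ESP. Below is an added example, written for this page and not taken from any poster's configuration, that parses IOS-style and ASA-style extended ACL lines and reports which of those flows the list fails to permit. It deliberately ignores source and destination addresses and looks only at protocol and destination port (an assumption that keeps it a coverage check, not a policy audit), but it does honour top-down first-match order and the implicit deny, so a `deny ip ... any` placed too early is caught. The IOS sample list is constructed with a documentation /23 in place of the first poster's source block; the ASA lines are the ones quoted in the last post.

```python
"""Check an IOS or ASA extended ACL snippet for the flows an IPsec client behind
NAT (the MicroCell in this thread) needs: UDP/500 (ISAKMP), UDP/4500 (NAT-T)
and protocol ESP.

Assumptions (added example, not a poster's config):
  * source and destination addresses are ignored; only protocol and
    destination port are checked;
  * entries are evaluated top-down with first-match semantics and the
    implicit deny at the end, as the router does.
"""
import re

# Port keywords as IOS/ASA print them; anything else must be numeric.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "ntp": 123, "https": 443}
# Protocol numbers that sometimes appear instead of keywords.
PROTO_NUMBERS = {"6": "tcp", "17": "udp", "50": "esp"}
# Flows the last post says must be open; ESP carries no port.
REQUIRED_FLOWS = (("udp", 500), ("udp", 4500), ("esp", None))

# Optional ASA prefix ("access-list NAME extended"), then action and protocol.
ACE_RE = re.compile(
    r"^(?:access-list\s+\S+\s+(?:extended\s+)?)?"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s*(?P<rest>.*)$"
)


def _skip_addr(tokens, i):
    """Step over one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if i >= len(tokens):
        return i
    return i + 1 if tokens[i] == "any" else i + 2


def _port(token):
    return PORT_NAMES.get(token, int(token) if token.isdigit() else token)


def parse_ace(line):
    """Return (action, protocol, dest_port) for one ACE, or None for lines
    that are not ACEs (remarks, blank lines, interface commands)."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    tokens = m.group("rest").split()
    i = _skip_addr(tokens, 0)                   # source address
    if i < len(tokens) and tokens[i] == "eq":   # source port: irrelevant here
        i += 2
    i = _skip_addr(tokens, i)                   # destination address
    dport = None
    if i + 1 < len(tokens) and tokens[i] == "eq":
        dport = _port(tokens[i + 1])
    proto = m.group("proto").lower()
    return m.group("action"), PROTO_NUMBERS.get(proto, proto), dport


def _covers(ace, proto, port):
    """Does this ACE match traffic of the given protocol/destination port?"""
    _, aproto, dport = ace
    if aproto not in ("ip", proto):
        return False
    return dport is None or dport == port       # no port means every port


def evaluate_acl(lines):
    """Map each required flow to 'permit', 'deny' or 'no match' (implicit deny)."""
    aces = [a for a in map(parse_ace, lines) if a]
    verdicts = {}
    for proto, port in REQUIRED_FLOWS:
        name = f"{proto}/{port}" if port else proto
        verdicts[name] = "no match"
        for ace in aces:
            if _covers(ace, proto, port):
                verdicts[name] = ace[0]        # first match wins
                break
    return verdicts


def missing_flows(lines):
    """Required flows that the ACL does not permit, in REQUIRED_FLOWS order."""
    return [k for k, v in evaluate_acl(lines).items() if v != "permit"]


# Constructed sample shaped like the first post's IOS ACL, with a documentation
# /23 (wildcard 0.0.1.255) standing in for the poster's source block.
IOS_ACL = """
permit udp 203.0.113.0 0.0.1.255 any eq ntp
permit udp 203.0.113.0 0.0.1.255 eq ntp any
permit udp 203.0.113.0 0.0.1.255 any eq isakmp
permit udp 203.0.113.0 0.0.1.255 any eq non500-isakmp
permit esp 203.0.113.0 0.0.1.255 any log-input
deny ip 203.0.113.0 0.0.1.255 any log-input
""".strip().splitlines()

# The ASA entries quoted in the last post of the thread.
ASA_ACL = [
    "access-list Outside-In extended permit udp any any eq 500",
    "access-list Outside-In extended permit udp any any eq 4500",
    "access-list Outside-In extended permit esp any any",
]

if __name__ == "__main__":
    samples = (("IOS", IOS_ACL), ("ASA", ASA_ACL), ("ASA without ESP", ASA_ACL[:2]))
    for label, acl in samples:
        print(label, evaluate_acl(acl), "missing:", missing_flows(acl))
```

Run it against your own `show access-list` output pasted into a list of lines; an `esp` entry in `missing_flows` is the omission the last post warns about, and a verdict of `deny` rather than `no match` tells you an earlier entry is shadowing the permit you added.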