
VPN Issue

jclark888
Level 1

I recently swapped out service providers and routers at a remote location.

Now they cannot connect to a third-party vendor's VPN. I have the following statements in my access list:

permit gre any any

permit tcp any host ipaddyvendor eq 1723

They keep receiving error 721 when they try to connect. I have removed the access-list completely and they still receive the same error. The third-party vendor as well as the ISP insist everything is perfectly fine on their end.

The router is a Cisco 1720 running IOS 12.1

1 T1 WIC

1 Fast Ethernet Port

Access-list 101 is applied to inbound traffic on the s0. Therefore this company has no restrictions on their outbound traffic, so the access-list shouldn't even matter.

Please assist.

PS: Before the swap-out everything worked fine.

7 Replies

paddyxdoyle
Level 6

Hi,

With our PPTP VPN, we only permit GRE and 1723 from specific IP addresses, i.e. the external IP of a remote VPN gateway or NAT device.

If you have changed ISPs, do you now have a different public IP address on your 1720 or NAT device?

If so, your third party may need to add this to their inbound access-list or firewall policy.

Your third party should be able to assist you further and tell you whether your PPTP traffic is hitting their external router.

HTH

Paddy

Unfortunately the third-party vendor says they cannot see me hitting their server and they cannot check their router logs (so they say).

We do have different public IP addresses and they tell me the only firewall they have setup is on that server and it is set to allow any pptp traffic.

Any other help would be great.

Hi,

Can you still trace all the way to the VPN gateway? If so, what happens when you try telnetting to the VPN gateway using port 1723?

I think the VPN gateway will be listening on 1723 for inbound PPTP connections - I can't test this though at the moment.

I believe if you try telnetting from your router to TCP port 1723 on the remote VPN gateway (telnet 1723) and you see the word "open" then this would indicate that you can pass through the firewall to the VPN server OK. If it times out then this would indicate something is blocking your connection.

HTH

Paddy

Well, when I telnet from the router I do receive open. However, I still cannot connect.

If this is a new router, what was the model of the old router and what version of the IOS was it running? Connect the old router if you still have it and see if the problem goes away. If it does, then I would look at trying a different IOS on the new router.

The old router and new router are the exact same model and same IOS. However, this still will not work...

Anyone have any other ideas?

IOS: 12.1

Router: 1720

Ok, let's recap here. You said removing the ACL reports the same problem and the only major change was the service provider. Can you find out if the service provider is NAT'ing their connection somewhere? I've seen that behavior happening more often now among carriers.
