1018 Views | 0 Helpful | 3 Replies

VPN Passthrough (NAT)

luis.sarabando (Level 1)

Hello, I need help configuring my Cisco 897 router to forward VPN packets to my Windows server. My server is 192.168.1.1 and I need port TCP 1723.

My current config is as follows; what do I need to add?

!
version 15.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname EWS1630955
!
boot-start-marker
boot-end-marker
!
!
security passwords min-length 6
logging buffered 50000
logging persistent url flash:/log
enable password 7 050A020228421F5B4A
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default enable
aaa authentication ppp default local none
!
!
!
!
!
aaa session-id common
process cpu threshold type total rising 80 interval 5 falling 30 interval 5
process cpu statistics limit entry-percentage 80
clock summer-time PT recurring last Sun Mar 1:00 last Sun Oct 2:00
!
!
prompt EWS1630955%p%s
no ip source-route
!
!
!
!
!
!
!
!
no ip dhcp conflict logging
!
ip dhcp pool DHCP-DADOS
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
dns-server 62.28.40.173 62.28.116.41
class DHCP-DADOS1
address range 192.168.1.64 192.168.1.253
!
!
ip dhcp class DHCP-DADOS1
!
!
no ip domain lookup
ip domain name ptprime.pt
ip cef
login quiet-mode access-class 7
login on-failure log
login on-success log
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C897VA-M-K9 sn FCZ203195BZ
!
!
memory reserve critical 1000
memory reserve console 4096
memory free low-watermark processor 20000
memory free low-watermark IO 20000
vtp mode transparent
username Administrator password 7 045A0F0B062F1D1C5A
!
!
!
!
!
controller VDSL 0
!
vlan 300
name DADOS
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
class-map match-any Platinium-Voice
match ip precedence 5
class-map match-any Management
match access-group 180
class-map match-any Silver
match ip precedence 1
class-map match-all IN-class
match access-group 140
class-map match-any Gold-Premium
match ip precedence 3
match ip precedence 4
!
policy-map SHAPE-20
class class-default
shape average 9500000 95000 0
!
!
!
!
!
!
!
!
!
!
!
!
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
shutdown
!
interface GigabitEthernet0
switchport access vlan 300
no ip address
!
interface GigabitEthernet1
switchport access vlan 300
no ip address
!
interface GigabitEthernet2
switchport access vlan 300
no ip address
!
interface GigabitEthernet3
switchport access vlan 300
no ip address
!
interface GigabitEthernet4
description == Ligacao Switch ==
switchport trunk allowed vlan 1,2,300,1002-1005
switchport mode trunk
no ip address
spanning-tree portfast
!
interface GigabitEthernet5
switchport access vlan 300
no ip address
!
interface GigabitEthernet6
switchport access vlan 300
no ip address
!
interface GigabitEthernet7
switchport access vlan 300
no ip address
!
interface GigabitEthernet8
description == Circuito IXS: IXS.15.58439 GECA: null 1701086075==userns
no ip address
load-interval 30
duplex auto
speed auto
!
interface GigabitEthernet8.20
description == Internet IXS: IXS.15.57688 VLAN: 20 ==
encapsulation dot1Q 20
ip address 68.28.203.106 255.255.255.252
ip access-group 113 in
ip nat outside
ip virtual-reassembly in
service-policy output SHAPE-20
!
interface GigabitEthernet8.22
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan5
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
!
interface Vlan9
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
!
interface Vlan13
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip policy route-map voip-premium
shutdown
!
interface Vlan300
description == LAN: Rede de Dados ==
ip address 192.168.1.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
ip verify unicast reverse-path
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat translation timeout 3600
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 30
ip nat translation finrst-timeout 10
ip nat translation syn-timeout 10
ip nat translation dns-timeout 10
ip nat translation icmp-timeout 10
ip nat inside source list 100 interface GigabitEthernet8.20 overload
ip route 0.0.0.0 0.0.0.0 62.28.203.105
ip route 10.0.0.0 255.0.0.0 Null0 250
ip route 172.16.0.0 255.240.0.0 Null0 250
ip route 192.168.0.0 255.255.0.0 Null0 250
!
no logging trap
!
access-list 7 remark === Gestao PT ===
access-list 7 permit 172.31.250.0 0.0.0.255
access-list 7 permit 172.28.250.0 0.0.0.255
access-list 7 permit 172.21.250.0 0.0.0.255
access-list 7 permit 62.48.131.96 0.0.0.31
access-list 7 permit 62.48.131.128 0.0.0.15
access-list 100 remark === NAT ===
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 113 remark === Filtro Entrada ===
access-list 113 remark === Router Gestao OMG-LIGHT, Seguranca no Router ===
access-list 113 deny tcp any any fragments
access-list 113 deny udp any any fragments
access-list 113 deny icmp any any fragments
access-list 113 deny ip any any fragments
access-list 113 deny ip 0.0.0.0 0.255.255.255 any
access-list 113 deny ip 224.0.0.0 31.255.255.255 any
access-list 113 deny ip 127.0.0.0 0.255.255.255 any
access-list 113 deny ip 10.0.0.0 0.255.255.255 any
access-list 113 deny ip 172.16.0.0 0.15.255.255 any
access-list 113 deny ip 192.168.0.0 0.0.255.255 any
access-list 113 permit ip 62.48.131.96 0.0.0.31 any
access-list 113 permit ip 62.48.131.128 0.0.0.15 any
access-list 113 permit tcp any any established
access-list 113 permit tcp any eq ftp-data any
access-list 113 permit udp any any eq domain
access-list 113 permit udp any eq domain any
access-list 113 permit udp any eq ntp any
access-list 113 permit icmp any any echo-reply
access-list 113 permit icmp any any time-exceeded
access-list 113 permit icmp any any traceroute
access-list 113 permit icmp any any packet-too-big
access-list 113 permit icmp any any unreachable
access-list 113 permit udp any any eq non500-isakmp
access-list 113 permit udp any any eq isakmp
access-list 113 permit udp any eq isakmp any
access-list 113 permit udp any eq non500-isakmp any
access-list 113 permit esp any any
access-list 113 permit gre any any
access-list 113 remark Adicionar Servers do cliente, web, mail, etc
!
!
control-plane host
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
line con 0
login authentication Secure
no modem enable
line aux 0
login authentication Secure
line vty 0 4
access-class 7 in
logging synchronous
login authentication Secure
transport input telnet ssh
!
exception memory ignore overflow processor
exception memory ignore overflow io
exception crashinfo maximum files 5
scheduler allocate 20000 1000
ntp server 83.240.141.94
!
!
end

3 Replies

Paul Norris (Level 1)

You will need to do the following.

Add your NAT forwarding rules:

ip nat inside source static tcp 192.168.1.1 ( Internal Server ) 500 (port number) interface GigabitEthernet8.20 500 ( external port )

e.g. port 500, 50, 4500 for IPsec VPN

Then open the ACL at 113 and permit the same ports as above,

i.e. permit tcp any any eq 500

Most of the Cisco VPN rules are already in access-list 113, so it will already work unless the VPN is PPTP, in which case 1723 will need to be open.
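Worked out against the config posted in the question, here is what the two steps in the reply above look like for PPTP specifically (TCP 1723 control channel plus the GRE data channel). This is an added example, not part of the original post or of Paul's reply; it assumes the outside sub-interface keeps the address 68.28.203.106 shown on GigabitEthernet8.20 in the posted config.

```cisco
! Added example for the posted 897 config: PPTP passthrough to the Windows
! server at 192.168.1.1.  Assumption: Gi8.20 still carries 68.28.203.106.
!
! 1. Static PAT for the PPTP control channel.  Inbound TCP 1723 on the
!    outside interface is mapped to the server.  No static entry is written
!    for GRE: GRE (IP protocol 47) has no ports, so PAT cannot key on it;
!    IOS NAT instead tracks the PPTP call ID negotiated on TCP 1723 and
!    maps the GRE tunnel to the same inside host (the PPTP ALG).
ip nat inside source static tcp 192.168.1.1 1723 interface GigabitEthernet8.20 1723
!
! 2. Inbound filter.  ACL 113 is applied "in" on Gi8.20 and ends in the
!    implicit deny, so the client's SYN to port 1723 is dropped unless it is
!    permitted explicitly: "permit tcp any any established" only matches
!    return traffic.  The inbound ACL is checked before NAT, so the match is
!    on the public address, not on 192.168.1.1.  "permit gre any any" is
!    already present in the posted ACL, so the tunnel packets need no new line.
access-list 113 permit tcp any host 68.28.203.106 eq 1723
!
! 3. Verification while a client connects.  Expect a tcp entry for
!    68.28.203.106:1723 -> 192.168.1.1:1723 and, once the call is up, a GRE
!    entry for the same inside host; the ACL counters show whether the
!    permit lines are being hit.
! show ip nat translations
! show access-lists 113
```

Appending to a numbered ACL adds the line at the end, which is what is wanted here: the fragment and bogon denies at the top of ACL 113 keep precedence, and the new permit sits among the other service permits. If the TCP entry appears in `show ip nat translations` but no GRE entry follows, the control channel is reaching the server and the problem is in the data channel (the ALG or an intermediate filter), which narrows the troubleshooting considerably.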

Thanks Paul for your answer. I'll try it right now and give feedback.

Hi Luis,

did it work?

I have VPN devices (Juniper) behind a Cisco 2911 router with PAT configured in the router.

How do I allow ESP packets behind the NAT device, and how do I allow NAT passthrough in a Cisco router?
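For the IPsec case raised in the last reply (ESP behind PAT), the relevant lines differ from the PPTP case because ESP has no ports either. The following is an added example, not from the thread; it is modelled on the 897 config posted in the question rather than on the 2911 mentioned in the reply, and the inside VPN device address 192.168.1.10 is a hypothetical placeholder.

```cisco
! Added example: IPsec passthrough for a single VPN gateway behind PAT.
! Assumed names: 192.168.1.10 = hypothetical inside VPN device,
! GigabitEthernet8.20 / 68.28.203.106 = outside interface from the posted
! config.  A 2911 uses the same commands with its own outside interface.
!
! Preferred path: NAT-Traversal.  IKE on UDP 500 detects the NAT in the
! path and the peers move the ESP payload into UDP 4500, which PAT handles
! like any other UDP flow.  The static entries are only needed if the remote
! peer must be able to initiate towards the inside device.
ip nat inside source static udp 192.168.1.10 500 interface GigabitEthernet8.20 500
ip nat inside source static udp 192.168.1.10 4500 interface GigabitEthernet8.20 4500
!
! Fallback when a peer cannot do NAT-T: raw ESP (IP protocol 50) has no
! ports, so PAT cannot multiplex it across hosts.  IOS lets exactly one
! inside host own the ESP traffic arriving on the outside interface.
ip nat inside source static esp 192.168.1.10 interface GigabitEthernet8.20
!
! Inbound filter.  The posted ACL 113 already permits isakmp, non500-isakmp
! and esp; a router whose inbound ACL lacks them needs the equivalent, scoped
! to the outside address rather than "any any":
access-list 113 permit udp any host 68.28.203.106 eq isakmp
access-list 113 permit udp any host 68.28.203.106 eq non500-isakmp
access-list 113 permit esp any host 68.28.203.106
!
! Verification: a udp 4500 entry (NAT-T) or an esp entry (fallback) for
! 192.168.1.10 should appear while the tunnel negotiates.
! show ip nat translations
```

Prefer the NAT-T path whenever both peers support it: it keeps ESP inside UDP, needs no protocol-level static mapping, and allows more than one inside device to build tunnels through the same public address. The `static esp` mapping is a single-host exception for peers that do not negotiate NAT-T, and that limitation (one inside host only) is a good reason to check the Juniper side for NAT-T support before relying on it.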