Cisco 828 SDSL Router - VPN Pass Through - SBS 2003

MattPage1 (Level 1)

We are having problems getting VPN Pass Through to work on a Cisco 828 SDSL Router.

The Windows Server 2003 SBS is configured to allow VPN connections. On our old ADSL (Draytek ADSL modem) the system works perfectly and forwarding port 1723 allows people to log in to the VPN and use the network remotely.

Purchased new SDSL line and Cisco 828 SDSL Router. Configured port 1723 and GRE (see config below).

When a client tries to connect it verifies username and password and then returns Error 721 - No response from server (suggesting that GRE is not being handled correctly).

All clients are Windows XP Pro with all service packs and patches.

Have read various posts and comments about this error, but all the suggestions state forward 1723 and enable GRE, which has been done.

Does GRE need to be enabled on the outgoing access list, which I assume is access-list 1?

I have a reasonable understanding of networking and routing but this is the first Cisco router I have had to work with.

Any suggestions or help are gratefully received.

=========================================
Network Diagram
=========================================

Internet
  |
  | (83.X.Y.Z)
CISCO 828 SDSL Router
  | (192.168.1.1)
  |
  | (192.168.1.2)
Windows Server 2003 SBS
  | (192.168.32.10)
  |
Switch
  | | |
Local network / workstations

=========================================
CISCO 828 Router Config
=========================================

Current configuration : 2470 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname i-83-X-Y-Z
!
boot-start-marker
boot system flash c828-oy6-mz.123-11.T3.bin
boot-end-marker
!
enable secret 5 xxxx
!
username admin password 7 xxxx
no aaa new-model
ip subnet-zero
!
!
ip cef
ip domain name myisp.net
ip name-server 194.X.Y.Z
ip name-server 194.X.Y.Z
ip inspect udp idle-time 180
ip inspect tcp idle-time 7500
ip inspect name f2s sip
ip inspect name f2s ftp
ip inspect name f2s icmp
ip inspect name f2s tcp
ip inspect name f2s udp
!
!
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl equipment-type CPE
 dsl operating-mode GSHDSL symmetric annex B
 dsl linerate AUTO
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Dialer1
 ip address negotiated
 ip access-group 150 in
 ip accounting output-packets
 ip nat outside
 ip inspect f2s out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxx
 ppp chap password 7 xxxx
 ppp pap sent-username xxxx password 7 xxxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.2 443 83.X.Y.Z 443 extendable
ip nat inside source static udp 192.168.1.2 443 83.X.Y.Z 443 extendable
ip nat inside source static tcp 192.168.1.2 1723 83.X.Y.Z 1723 extendable
ip nat inside source static udp 192.168.1.2 1723 83.X.Y.Z 1723 extendable
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 150 permit tcp any host 83.X.Y.Z eq 443
access-list 150 permit udp any host 83.X.Y.Z eq 443
access-list 150 permit tcp any host 83.X.Y.Z eq 1723
access-list 150 permit udp any host 83.X.Y.Z eq 1723
access-list 150 permit gre any host 83.X.Y.Z
access-list 150 deny ip any any
snmp-server enable traps tty
no cdp run
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 transport preferred none
 transport output none
 stopbits 1
line vty 0 4
 exec-timeout 120 0
 password 7 xxxx
 login
 length 0
 transport preferred none
 transport input telnet
 transport output none
!
scheduler max-task-time 5000
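A small config audit for PPTP pass-through, added here as an example and not part of the thread or of any Cisco tooling: it checks an IOS config for the three things PPTP needs to reach the inside server (a tcp/1723 static NAT, and tcp/1723 plus GRE permitted by the inbound WAN access list) and flags the exposures a defender would want to see. CONFIG is a constructed subset of the 828 config above, and the assumption that there is a single WAN interface with one inbound ACL is mine.

```python
import re

# Constructed sample: the PPTP-relevant subset of the 828 config posted above.
CONFIG = """\
interface Dialer1
 ip access-group 150 in
 ip nat outside
ip nat inside source static tcp 192.168.1.2 1723 83.X.Y.Z 1723 extendable
ip nat inside source static udp 192.168.1.2 1723 83.X.Y.Z 1723 extendable
access-list 150 permit tcp any host 83.X.Y.Z eq 1723
access-list 150 permit gre any host 83.X.Y.Z
access-list 150 deny ip any any
line vty 0 4
 transport input telnet
"""
PORT_NAT = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) \S+ (\d+)")
ACL = re.compile(r"^access-list (\d+) (permit|deny) (\S+)(.*)$")
ACL_IN = re.compile(r"^ip access-group (\d+) in$")

def parse(text):
    """Return (port-based static NATs, ACLs by number, inbound WAN ACL number); assumes one WAN interface."""
    nats, acls, wan_acl = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PORT_NAT.match(line):
            nats.append((m[1], m[2], int(m[3]), int(m[4])))   # proto, inside host, in port, out port
        elif m := ACL.match(line):
            acls.setdefault(m[1], []).append((m[2], m[3], m[4].strip()))
        elif m := ACL_IN.match(line):
            wan_acl = m[1]
    return nats, acls, wan_acl

def audit(text, server="192.168.1.2"):
    """PPTP pass-through prerequisites plus exposures a defender would flag; sorted findings."""
    nats, acls, wan_acl = parse(text)
    acl, f = acls.get(wan_acl, []), []
    if not any(p == "tcp" and h == server and ip == 1723 for p, h, ip, _ in nats):
        f.append("MISSING: static NAT tcp/1723 -> VPN server")
    if not any(a == "permit" and p == "tcp" and r.endswith("eq 1723") for a, p, r in acl):
        f.append("MISSING: inbound ACL permit tcp/1723")
    # GRE (IP protocol 47) has no ports: it needs its own ACL entry, and the tcp/udp
    # port mappings cannot match it, so its return path rests on the router's GRE/PPTP NAT handling.
    if not any(a == "permit" and p == "gre" for a, p, _ in acl):
        f.append("MISSING: inbound ACL permit gre")
    for p, h, ip, _ in nats:
        if p == "udp" and ip in (443, 1723):   # PPTP control and HTTPS are TCP-only
            f.append(f"EXPOSURE: unnecessary udp/{ip} mapping to {h}")
    if "transport input telnet" in text:
        f.append("EXPOSURE: cleartext telnet management on vty")
    return sorted(f)
```

Run against the posted config the pass-through prerequisites all come back present, which matches the Cisco engineer's verdict later in the thread; the only findings are the superfluous UDP mapping and the telnet vty.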

10 Replies

Hello,

try and take access-list 150 off the Dialer interface altogether, for testing purposes, and check if that makes a difference.

Which VPN client are you using ?

Regards,

GP

This has been tried and made no difference. Still getting the same errors.

VPN clients are Windows XP Pro (using the standard windows vpn connection)

Hello Matt,

the problem might be with the NAT, which alters the IP address of the VPN server. Try to disable address validation in your XP client's registry:

1. Click Start, and then click Run.

2. In the Open box, type regedit, and then click OK.

3. Locate the following subkey, where <000x> is the network adapter for the WAN Miniport (PPTP) driver:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\<000x>

4. On the Edit menu, point to New, and then click DWORD Value.

5. Type ValidateAddress, and then press ENTER.

Note By default, the Data value is 0 (Off).

6. Quit Registry Editor.

7. Restart your computer.

Let me know if that does not help...

Regards,

GP

Thanks for the advice, but it doesn't seem to make any difference. Still getting the same error.

721: No response from server.

Just FYI 'show access-lists' lists the GRE line with 53 connections. This goes up as people try to connect... No connections are logged on the VPN server.

Could it be anything to do with the IP INSPECT lines?


I'm having this problem too with my Cisco 877W ADSL.

I've tried IOS versions 12.3(8)YI, 12.8(14) and 12.4(2)T, and disabling CEF, but it still exhibits the same problem.

I suspect there's a PPTP passthrough problem with the IOS (using a sniffer, fragmented GRE is exchanged indefinitely until the Windows XP VPN client times out while verifying username/password).

Finally, my workaround was to allow only 1 client behind the router to access the VPN (by static NAT to that client). The rest of the clients use PAT.

This is definitely not satisfactory, but at least it enables one machine to access the VPN.

I'm keen to hear any solution (not ruling out my config error, but I've tried LOTS of variations).

Let's hope someone from Cisco looks at these forums and gives us some help. Earth calling Cisco ... anyone there?

Utopian, can you paste your config in here (just the NAT and PAT lines) so I can have a quick look? Do you mean that only 1 client can access the VPN?

I guess that is better than none, but as we have 3 remote workers at home it is not ideal.

>Error 721

The problem is with GRE. I don't know how to solve it on Cisco, but I had the same problem with Linux routers and GRE redirection fixed it.

Try with this (for testing):

!
access-list 101 permit ip any any
access-list 101 permit gre any any
!
ip nat inside source list 101 interface Dialer1 overload
!

Here's an update if anyone is having the same problems...

Got a Cisco engineer in on £_loads_a_dosh per hour and he spent a day and a half struggling with it. His comment was that the config is perfect. Doing a packet trace shows the connection packets arriving at the router, forwarded to the SBS server, the SBS server replies, the reply goes into the router and then promptly disappears. The client never gets a response back and times out.

Eventually got a new router (Cisco 878) and it worked perfectly first time. The config above is correct.

The problem is with the Cisco 828 routers or buggy IOS code. Haven't been able to try another 828 so it could have just been this one.

Thanks to everyone who offered their help and advice.

Hi, may I know which IOS version on your 828 fixes the issue? I've tried many, many versions on my 877 and it still doesn't work. My config is similar to yours. Keen to try out the version that works on yours.