09-10-2002 08:01 AM - edited 02-21-2020 12:03 PM
I am trying to set up my router so that I can VPN into a Windows 2000 server. I am able to VPN to the server on the local network but cannot connect through the 1710 router. I configured my ACL at the external interface to allow ports 1723 and 47, but every time I try to connect from an external source I get to "verifying username and password" and then I get error code 721: the remote computer is not responding. So I'm guessing I'm doing this all wrong and that I should be setting up VPN in a different manner. Any help would be appreciated.
Question: what am I doing wrong?
Here is my config file:
Using 2169 out of 29688 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Test-Ind
!
enable secret 5 $1$PTeP$8xXkHun2tn70JotIyrDKv0
enable password 7 090D1F5A4B01161C4A0908
!
memory-size iomem 15
ip subnet-zero
!
!
!
ip inspect name Test tcp alert on
ip inspect name Test udp alert on
ip inspect name Test ftp
ip inspect name Test http
ip inspect name Test smtp
ip inspect name Test tftp
ip inspect name Test realaudio
ip inspect name Test h323
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
!
!
!
interface Ethernet0
description External Interface
ip address 66.x.x.x 255.255.255.248
ip access-group 100 in
ip nat outside
half-duplex
no cdp enable
!
interface FastEthernet0
description Internal Interface
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip inspect Test in
speed auto
half-duplex
ntp disable
no cdp enable
!
ip nat translation timeout 3600
ip nat inside source list 1 interface Ethernet0 overload
ip nat inside source static tcp 192.168.1.20 47 interface Ethernet0 47
ip nat inside source static tcp 192.168.1.20 1723 interface Ethernet0 1723
ip nat inside source static tcp 192.168.1.20 25 interface Ethernet0 25
ip nat inside source static tcp 192.168.1.20 80 interface Ethernet0 80
ip nat inside source static tcp 192.168.1.20 3389 interface Ethernet0 3389
ip classless
ip route 0.0.0.0 0.0.0.0 66.x.x.x
no ip http server
ip pim bidir-enable
!
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq 3389
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq 1723
access-list 100 permit tcp any any eq 47
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any traceroute
access-list 100 permit icmp any any administratively-prohibited
no cdp run
!
!
line con 0
line aux 0
line vty 0 4
password 7 01525757090F2601284942
login
!
end
09-10-2002 09:35 AM
You can't port map, so to say, protocol 47, which is GRE. You have to have a one-to-one static NAT for the server you are terminating to, or terminate on the router. You are correct in having GRE and TCP 1723 open to that device, but the router can't port map GRE.
09-10-2002 09:42 AM
Thanks for your feedback, but I don't follow what you're trying to say.
Do I leave ports 1723 and 47 open on the external interface?
Can you give me an example of how to create a one-to-one static NAT? I'm not sure what you're trying to say.
What do I have to change?
Thanks, Ryan
09-12-2002 12:05 PM
This should Help you http://www.cisco.com/warp/public/cc/pd/iosw/ioft/ionetn/prodlit/1195_pp.htm
I was having the same problems till I found out that you can't use PAT for MS PPTP VPN. You need a public IP for each NAT'ed inside IP you want to access the VPN.
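The two replies above say the same thing: GRE (IP protocol 47) carries no port numbers, so neither a "static tcp ... 47" NAT entry nor a "tcp any any eq 47" ACL line ever matches the PPTP data channel, and the fix is a one-to-one static mapping on a spare public address. The fragment below is an added example written for this thread, not something any of the posters provided. It assumes 66.x.x.y is a placeholder for an unused address in the same /29 as the Ethernet0 address 66.x.x.x in the posted config, and that 192.168.1.20 is the Windows 2000 PPTP server:

```cisco
! Added example (not from the original thread): one-to-one static NAT for the
! PPTP server, replacing the static port maps for 192.168.1.20.
! 66.x.x.y is a placeholder for a spare public address in the router's /29;
! 66.x.x.x stays the Ethernet0 interface address as in the posted config.
!
! 1. Remove the static PAT entries for the VPN server. GRE has no ports, so
!    "static tcp ... 47" never matches GRE traffic, and a one-to-one mapping
!    already carries TCP 25, 80, 1723 and 3389 for the same host.
no ip nat inside source static tcp 192.168.1.20 47 interface Ethernet0 47
no ip nat inside source static tcp 192.168.1.20 1723 interface Ethernet0 1723
no ip nat inside source static tcp 192.168.1.20 25 interface Ethernet0 25
no ip nat inside source static tcp 192.168.1.20 80 interface Ethernet0 80
no ip nat inside source static tcp 192.168.1.20 3389 interface Ethernet0 3389
!
! 2. Map the whole host to its own public address. The rest of the LAN keeps
!    using the interface address through "ip nat inside source list 1 ... overload".
ip nat inside source static 192.168.1.20 66.x.x.y
!
! 3. Rebuild the inbound ACL on Ethernet0. "tcp any any eq 47" matches TCP
!    port 47, not GRE; the extended-ACL keyword for IP protocol 47 is "gre".
!    The inbound ACL is evaluated before NAT, so the destination is the public
!    address. Permitting only the server's address keeps the rest of the block closed.
no access-list 100
access-list 100 permit tcp any host 66.x.x.y eq 1723
access-list 100 permit gre any host 66.x.x.y
access-list 100 permit tcp any host 66.x.x.y eq smtp
access-list 100 permit tcp any host 66.x.x.y eq www
access-list 100 permit tcp any host 66.x.x.y eq 3389
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any traceroute
access-list 100 permit icmp any any administratively-prohibited
```

After applying this, "show ip nat translations" should list the static 192.168.1.20 to 66.x.x.y entry, and "show access-lists 100" should show the hit counter on the "permit gre" line climbing once a client gets past username/password verification; if the TCP 1723 line counts hits but the GRE line never does, the data channel is still being dropped somewhere upstream and the 721 error will persist.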