VPN access to a Win2k server through 1710 router configured as a firewall??

roconnell
Level 1

I am trying to set up my router so that I can VPN into a Windows 2000 server. I am able to VPN to the server on the local network but cannot connect through the 1710 router. I configured my ACL at the external interface to allow ports 1723 and 47, but every time I try to connect from an external source I get to "verifying username and password" and then I get error code 721: the remote computer is not responding. So I'm guessing I'm doing this all wrong and that I should be setting up VPN in a different manner. Any help would be appreciated.

Question: What am I doing wrong?

Here is my config file:

Using 2169 out of 29688 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Test-Ind
!
enable secret 5 $1$PTeP$8xXkHun2tn70JotIyrDKv0
enable password 7 090D1F5A4B01161C4A0908
!
memory-size iomem 15
ip subnet-zero
!
!
!
ip inspect name Test tcp alert on
ip inspect name Test udp alert on
ip inspect name Test ftp
ip inspect name Test http
ip inspect name Test smtp
ip inspect name Test tftp
ip inspect name Test realaudio
ip inspect name Test h323
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
!
!
!
interface Ethernet0
 description External Interface
 ip address 66.x.x.x 255.255.255.248
 ip access-group 100 in
 ip nat outside
 half-duplex
 no cdp enable
!
interface FastEthernet0
 description Internal Interface
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip inspect Test in
 speed auto
 half-duplex
 ntp disable
 no cdp enable
!
ip nat translation timeout 3600
ip nat inside source list 1 interface Ethernet0 overload
ip nat inside source static tcp 192.168.1.20 47 interface Ethernet0 47
ip nat inside source static tcp 192.168.1.20 1723 interface Ethernet0 1723
ip nat inside source static tcp 192.168.1.20 25 interface Ethernet0 25
ip nat inside source static tcp 192.168.1.20 80 interface Ethernet0 80
ip nat inside source static tcp 192.168.1.20 3389 interface Ethernet0 3389
ip classless
ip route 0.0.0.0 0.0.0.0 66.x.x.x
no ip http server
ip pim bidir-enable
!
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq 3389
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq 1723
access-list 100 permit tcp any any eq 47
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any traceroute
access-list 100 permit icmp any any administratively-prohibited
no cdp run
!
!
line con 0
line aux 0
line vty 0 4
 password 7 01525757090F2601284942
 login
!
end

3 Replies

chlovell
Level 1

You can't port map, so to say, protocol 47, which is GRE. You have to have a one-to-one static NAT for the server you are terminating to, or terminate on the router. You are correct in having GRE and TCP 1723 open to that device, but the router can't port map GRE.

Thanks for your feedback, but I don't follow what you're trying to say.

Do I leave ports 1723 and 47 open on the external interface?

Can you give me an example of how to create a one-to-one static NAT? I'm not sure what you're trying to say.

What do I have to change?

Thanks, Ryan

This should help you: http://www.cisco.com/warp/public/cc/pd/iosw/ioft/ionetn/prodlit/1195_pp.htm

I was having the same problems till I found out that you can't use PAT for MS PPTP VPN. You need a public IP for each NAT'ed inside IP you want to access the VPN.
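What the one-to-one static NAT that chlovell and the last reply describe looks like against the posted config, as an added example that is not from the thread: it keeps the server at 192.168.1.20 as posted and uses PUBLIC_SERVER_IP as a placeholder for a spare address in the Ethernet0 /29 (the page only shows 66.x.x.x).

```cisco
! Added example, not from the thread. PUBLIC_SERVER_IP is a placeholder for a
! second usable address from the /29 on Ethernet0.
!
! 1. Drop the port-level entries. GRE is IP protocol 47, not TCP port 47, so a
!    "static tcp ... 47" mapping never matches the tunnel packets and the call
!    stalls right after authentication (the error 721 in the question).
no ip nat inside source static tcp 192.168.1.20 47 interface Ethernet0 47
no ip nat inside source static tcp 192.168.1.20 1723 interface Ethernet0 1723
!
! 2. One-to-one static NAT: translates every protocol between the server and
!    its own public address, so TCP 1723 and GRE both reach it. PAT on the
!    Ethernet0 address (list 1 overload) keeps serving the rest of the LAN.
ip nat inside source static 192.168.1.20 PUBLIC_SERVER_IP
!
! 3. Rebuild the outside ACL. Inbound packets on Ethernet0 are matched against
!    ACL 100 before the outside-to-inside translation, so the entries must name
!    the public address. On this IOS a "no access-list 100 <entry>" removes the
!    whole list, so detach it, clear it and re-create it in one go.
interface Ethernet0
 no ip access-group 100 in
!
no access-list 100
access-list 100 permit tcp any host PUBLIC_SERVER_IP eq 1723
access-list 100 permit gre any host PUBLIC_SERVER_IP
! The static entry exposes every port of 192.168.1.20 at PUBLIC_SERVER_IP, so
! this ACL is the only thing limiting what reaches the server. The entries
! below are carried over unchanged from the original config.
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq 3389
access-list 100 permit tcp any any eq smtp
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any traceroute
access-list 100 permit icmp any any administratively-prohibited
!
interface Ethernet0
 ip access-group 100 in
```

After applying it, `show ip nat translations` should list the static entry for 192.168.1.20 and `show access-lists 100` should show hit counts rising on both the 1723 and gre lines during a connection attempt.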