Changed, still same problem
I set up the router to forward 3389 to the server for RDP. Now I've tried to get the MS VPN tunnel to work. I forwarded 1723 and opened GRE, but it just hangs on verifying username and password and gets nothing beyond that. WinXP gets error 721 "Remote computer did not respond".
Here is my running config:
Ok, well... looking deeper... there are some other things wrong with this configuration.
For example, access group 101... search for "101" and it only appears once. This means that you're declaring an ACL, but you're not using that ACL anywhere.
Search for "sdm-nat-pptp-1", which is what I think you used Cisco Configuration Professional to create a PPTP custom protocol for 1723... sketchy... but ok... - it allows TCP 1723, but not UDP 500 and not GRE.
About line 70:
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 103
match protocol user-protocol--1
Then, line 330ish
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.1.10
Line 4:
ip port-map user-protocol--1 port tcp 3389
So, you're saying "Permit 3389" when "destination is 192.168.1.10".
I'll have to think about this for a bit to determine what must be done to directly fix this.
Is this a school assignment or just custom install?
is CCP needed?
No, it's custom install. It's been about 10 years since I configured a cisco router (back when I was in school) and I haven't used cisco since. CCP is not needed, I was big into linux back in the day and know that command line always beats the gui interface but I was in a rush to get the internet and rdp working so I went with cisco's CCP.
Let me know what you find.
Thanks!
Look at this working example:
http://www.experts-exchang
Note the use of interfaces instead of ip addresses in the IP NAT STATIC assignments....
Made some changes based of the working config. Here's the update:
I'm a little confused on something. If you look at where mine goes out to the internet;
ip route 0.0.0.0 0.0.0.0 70.46.31.193
it's .193
In my access list I'm using the public address .194
Should I be using the .193 address?
BTW, it still does not get past verifying username and password.
I think I may start getting it figured out. I didn't have any of the access lists bound to the interfaces. So everything I did really had no effect on making anything better. fasteth4 has no access group and neither does vlan1. I just applied access group 100 to vlan1 and it cut me off. I've been working on this remotely so now I'm kind of screwed. Looks like I'll be at their office as soon as they open tomorrow.
Obviously, since ag 100 on vlan1 just kicked me out, I take it that's wrong. Was that supposed to be on fastethernet4?
Which do I bind and where?
First, let's work on getting the NAT working again. If you removed the command that I showed you earlier, then access list 105 would have taken over and natted all internal clients and allowed them out to the internet. The NAT access list is only used to dictate what traffic is going to be natted outbound from your network. The IP NAT INSIDE and OUTSIDE statements on the interfaces put this into effect. You don't need to assign an access group to an interface.
Don't assign any access lists to interfaces unless you're actually doing security and picking and choosing what traffic you will allow/disallow. In your case here, you're identifying traffic that you want to NAT based off of an access list; it's not being used for security.
What version of IOS is on that router? You can get this by doing "show ver" from the CLI.
Router ver is 12.3(8r)YI4
I removed the entry I made last night. It's back up. I made the changes to 105 as you listed. I still cannot VPN in and I cannot use my custom port map either for RDP. I did make a change to GRE and port 1723 and 1701 for the VPN. From the working config you showed me earlier, he only has "my_static_ip" and I'm not sure if that's supposed to be my internet IP or my server's IP. Currently it is my server's IP.
Below is the current config:
What is this? "ip access-group group in" It's applied to the Ethernet4 interface but there is no access list called group.
Remove the zone-member security off the interface temporarily. Let's try to get to a basic config and get it working. Remove all the access lists except for 105 unless you're using them somewhere else, and remove all the static NAT statements also. Just leave the global NAT so they can get to the internet.
Once you remove all the NAT statements, I want you to add this:
ip nat inside source static tcp 192.168.1.10 1723 70.46.31.194 1723 extendable
After you do that, try to VPN to the VPN server. As you're doing that, I want you to run "show ip nat translations *" on the router and post it here. I need to see if NAT is working properly.
Is RDP working? I see a NAT statement for it. What is the error message that you're getting when you try to PPTP to the VPN server? BTW, port 500 is for IPSEC and is not needed for PPTP.
I don't see any configuration for access list 1 or 100 that is being used. Do "show access-list 1" and the same thing with 100 and see if you have any matches.
Try removing this: class type inspect sdm-nat-pptp-1 from the policy map below on the router. See if that works. If not, post a new copy of the entire config with all the changes that have been made so far.
policy-map type inspect sdm-pol-NATOutsideToInside
class type inspect sdm-nat-user-protocol--1-1
inspect
class type inspect sdm-nat-pptp-1
inspect
Here's the config:
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all sdm-nat-pptp-1
match access-group 104
match protocol pptp
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservice
match service any
class-map match-all pptp-port
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 102
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside
class type inspect sdm-nat-user-protocol--1-1
inspect
class class-default
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
reset
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
class type inspect ymsgr ccp-app-yahoo-otherservice
log
reset
class class-default
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
reset
class type inspect http ccp-app-httpmethods
log
reset
class type inspect http ccp-http-allowparam
log
allow
class class-default
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
class class-default
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
class class-default
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
inspect
class type inspect CCP-Voice-permit
inspect
class class-default
pass
policy-map type inspect ccp-permit
class type inspect sdm-access
inspect
class class-default
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-
 service-policy type inspect sdm-pol-NATOutsideToInside
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address 70.46.31.194 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
zone-member security out-zone
ip route-cache flow
duplex auto
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip route-cache flow
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 70.46.31.193
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static udp 192.168.1.10 500 interface FastEthernet4 500
ip nat inside source static tcp 192.168.1.10 3389 interface FastEthernet4 3389
ip nat inside source list 105 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.10 1723 70.46.31.194 1723 extendable
!
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
!
logging trap debugging
access-list 105 permit ip any any
no cdp run
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
--------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device and it provides the default username "cisco" for one-time use. If you have already used the username "cisco" to login to the router and your IOS image supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit this session.
It is strongly suggested that you create a new username with a privilege level of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to use.
--------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
password 7 00141C5F544A1C545E
login
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
StMarkCisco#
I don't see any of the access lists on this config; put them back if they're missing.
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 70.46.31.192 0.0.0.3 any
access-list 101 permit tcp any host 70.46.31.194 eq 1723
access-list 101 permit udp any host 70.46.31.194 eq isakmp
access-list 101 permit udp any host 70.46.31.194 eq 1701
access-list 101 permit gre any host 70.46.31.194
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip any any
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.1.10
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 192.168.1.10
access-list 105 permit ip any any
Can you RDP to the server now? Try "clear ip nat translations *" on the router. Try to VPN or PPTP again. There will be a slight hiccup accessing the internet but it will come back in a few seconds.
I'm almost positive at this point it's the zone security causing your problems.
Try this from your workstation: telnet 70.46.31.194 1723
If you don't get a response, it's definitely a zone security problem. Do you happen to have a firewall turned on on the RRAS server?
To test if it's zone security, you'll need to probably be on site but you need to remove the zone statements from both interfaces on the router. Without any security in place, I bet it works. IP inspection can cause some strange things on a router.
RDP works again. VPN does not; it once again doesn't get past the IP address. No "Verifying username or password" or anything. Originally it was actually getting to verifying username or password. RRAS is only set up for dial-in; I never set up a firewall policy for it. I added ip nat inside source static tcp 192.168.1.171 3390 interface fastethernet4 3390 again and I still cannot even RDP into the other computer, which is strange also.
Another thing, the VPN physical address is 192.168.1.10 but the internal address is 192.168.1.120 on the server. Should we have changed 1723 to .120 instead?
Yes, that will remove the zone statements. Do the inside first and then the outside. The IP of the RRAS server, which you have indicated as 192.168.1.10, should be the correct one since it's the one listening for VPN traffic. However, let's do .120 anyhow.
First though, try this: telnet 70.46.31.194 1723
Then change it by removing the one and adding the new one like this:
no ip nat inside source static tcp 192.168.1.10 1723 70.46.31.194 1723
ip nat inside source static tcp 192.168.1.120 1723 70.46.31.194 1723
Then telnet again to the IP address and see what happens. Do you have DHCP set up on RRAS so that it hands out an IP address to clients or is it pointing to a DHCP server?
I just saw this:
class-map type inspect match-all sdm-nat-pptp-1
match access-group 104
match protocol pptp
match access-group 104, so does that mean for VPN to work, I need to put this:
access-list 101 permit tcp any host 70.46.31.194 eq 1723
access-list 101 permit udp any host 70.46.31.194 eq isakmp
access-list 101 permit udp any host 70.46.31.194 eq 1701
access-list 101 permit gre any host 70.46.31.194
on access-list 104 instead?
I've been looking over several Cisco documents and they all seem to point me in the direction of assigning access-lists to the interfaces for proper NATing. I think tomorrow while I'm there I'll try to create one for what the network needs, which in the long run will suit me since they will be streaming video within the next couple of months.
I'll let you know how it goes.
Accepted answer by: asdlkf, posted on 2009-08-18 at 14:49:50, ID: 25128017
On line 317, forward UDP, not TCP for port 500...
change:
ip nat inside source static tcp 192.168.1.10 500 70.46.31.194 500 extendable
to:
ip nat inside source static udp 192.168.1.10 500 70.46.31.194 500 extendable
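The accepted answer comes down to a protocol/port mismatch in the static NAT lines. As an added example (not from the thread or from Cisco), here is a small Python lint that parses the `ip nat inside source static` lines from a pasted running config and flags the mistakes discussed above: a well-known VPN port forwarded with the wrong transport (TCP 500 instead of UDP 500), a VPN port forwarded to a host other than the RRAS server, and the reminder that PPTP's GRE leg has no port and cannot be carried by a static port map at all. The sample config lines are constructed from the ones quoted in the thread; the host 192.168.1.10 is the thread's RRAS server.

```python
import re

# Transport each well-known port should use. Sources: PPTP control channel is
# TCP 1723 (plus GRE, IP protocol 47, which has no port), ISAKMP is UDP 500
# (IPsec, not PPTP), L2TP is UDP 1701, RDP is TCP 3389.
EXPECTED_PROTO = {1723: "tcp", 500: "udp", 1701: "udp", 3389: "tcp"}
SERVICE = {1723: "PPTP", 500: "ISAKMP/IPsec", 1701: "L2TP", 3389: "RDP"}
VPN_PORTS = {1723, 500, 1701}

# ip nat inside source static <proto> <local> <lport> <global|interface X> <gport> [extendable]
STATIC_NAT = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp) (?P<local>\S+) (?P<lport>\d+) "
    r"(?P<glob>interface \S+|\S+) (?P<gport>\d+)(?P<ext> extendable)?\.?$"
)

def parse_static_nat(config_text):
    """Return one dict per static port translation found in the config text."""
    entries = []
    for line in config_text.splitlines():
        m = STATIC_NAT.match(line.strip())
        if m:  # dynamic/overload NAT lines do not match and are skipped
            entries.append({"proto": m["proto"], "local": m["local"],
                            "lport": int(m["lport"]), "global": m["glob"],
                            "gport": int(m["gport"]), "extendable": bool(m["ext"])})
    return entries

def lint_static_nat(entries, vpn_server):
    """Flag transport mismatches and VPN forwards that miss the VPN server."""
    findings = []
    for e in entries:
        want = EXPECTED_PROTO.get(e["gport"])
        if want and e["proto"] != want:
            findings.append(f"port {e['gport']} ({SERVICE[e['gport']]}) forwarded as "
                            f"{e['proto']}, expected {want}")
        if e["gport"] in VPN_PORTS and e["local"] != vpn_server:
            findings.append(f"port {e['gport']} points at {e['local']}, "
                            f"not the VPN server {vpn_server}")
    if any(e["gport"] == 1723 for e in entries):
        findings.append("note: PPTP also needs GRE (IP protocol 47), which has no port; "
                        "a static port map cannot carry it, the firewall must permit it")
    return findings

# Constructed sample: the NAT lines quoted in the thread before the fix.
SAMPLE_CONFIG = """\
ip nat inside source static tcp 192.168.1.10 500 70.46.31.194 500 extendable
ip nat inside source static tcp 192.168.1.10 3389 interface FastEthernet4 3389
ip nat inside source list 105 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.10 1723 70.46.31.194 1723 extendable
"""

if __name__ == "__main__":
    for f in lint_static_nat(parse_static_nat(SAMPLE_CONFIG), "192.168.1.10"):
        print(f)
```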