akafiti asked:

Error 721 - PPTP VPN NAT'd through Cisco Router/Authenticated on Firewall

Fairly complex, but I will give all information and hope someone can give some help:

My topology is as follows: Qwest T1 Circuit to Adtran TSU - connected with serial cable to a Cisco 2610 router (doing NAT) - Watchguard Firebox X700 (firewall) - then my servers.

We switched to Qwest in December and had no problems.  The following problem has occurred since our switch.  My VPN users authenticate to my firewall.  Sometimes they can connect.  Most times they can not.  No changes occur from when they can connect to when they can not.   VPN is typical Windows PPTP VPN connection.

With our previous ISP, all our IP's were on the same subnet (same class).  With this new ISP, my Qwest Serial and customer Serial IP's are /30.  My LAN block they gave me are /29.  My router NAT's addresses to my firewall.  Firewall also NAT's to the appropriate servers inside my environment.  My VPN users authenticate to the firewall.  I can always see my users attempt to connect via the firewall traffic monitor.  If they don't get past verifying user name/password right away, it hangs there and errors out 721: Remote computer not responding.  The next day, that same user may be able to connect.

I've exhausted all my options here.  I've spoken with Cisco and they say the router config is fine.
I've spoken with Watchguard and they say the firewall is fine
I've spoken with Qwest and they say their circuit is clean and they are not blocking anything
I've tried bridging the router to the firewall - no luck with the IP's given since they are 2 different types.

All I know is this worked fine with our previous ISP and had no problem even with the double NAT.  All my IP's at that time were all on the same class/subnet.

Any ideas anyone has to help me figure out why this is happening and can help get my VPN users connected every time they try will get all the points I have.

Les Moore

I have an idea...
Stop natting on the router and only do it on the Watchguard.
Pass all traffic through the router directly to the watchguard

2610
  int ser 0/0
   ip add a.b.c.d /30
   no ip nat outside

 inter Eth 0/0
   ip add b.c.d.e /29
   no ip nat inside

Firebox
   outside b.c.d.f /29
   inside 192.168.100.x  (private IP)

Your troubles are over.
akafiti (ASKER)

I know the firewall IP and its default gateway must be of the same subnet/IP schema such as both being a 65.x.x.x or 192.168.x.x, or 208.x.x.x number.   However I will most definitely attempt this when my users leave today.  I think I may have to do this.  What do you think?

int ser 0/0
   ip add 65.b.c.d /30
   no ip nat outside

inter Eth 0/0
   ip add 208.a.b.c /29
   no ip nat inside

Firebox
IP 208. b.c.d/29
Gateway 208.a.b.c

You give me hope!!!
That should work perfectly for you.
Make sure your default route points to the Qwest IP:
  ip route 0.0.0.0 0.0.0.0 65.b.c.e

akafiti (ASKER)

currently my ip route command is as follows

ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 111.0.0.0 255.0.0.0 192.168.100.4

Are those legit?  I know traffic comes in and out ok with it that way.  Are you saying to point the ip route to the Qwest Serial ip of 65.b.c.e or the Qwest serial of 65.b.c.d which I declared in the serial command in the previous post?
>ip route 0.0.0.0 0.0.0.0 Serial0/0

Will work, but this is much more efficient (cuts down on ARP requests)
  ip route 0.0.0.0 0.0.0.0 65.b.c.e  <== Qwest end, not your own end

>my Qwest Serial and customer Serial IP's are /30
Customer serial assigned to your interface
Qwest Serial is your gateway IP

akafiti (ASKER)

Thanks.  I'll give this a go tonight if possible.  If not, I may not be able to try till Monday.   If this works I'm indebted to you.  You'll get all the points.  Cisco/Qwest/Watchguard could not come up with a solution.
I'm quite confident that it will work for you.
Good luck!
You may find the pptpsrv and pptpclnt utilities with W2K useful here - sort of like a PPTP / GRE ping.

Most instances of error 721 I've seen have been down to GRE blocking.  Are you sure all the routers/firewalls involved are forwarding this correctly ?  Do IPSEC VPN Clients work OK ?
akafiti (ASKER)

IPSEC has trouble connecting outbound from time to time.  The GRE blocking I would think would deny them all the time, and not just occasionally.  I'm gonna try lrmoore's answer tonight and see if that helps.  Then if that doesn't work, I'll try those utilities.  lrmoore's sounds quite logical to me though.
If there are general problems, then it could be client MTU size causing these issues:

http://www.dslreports.com/tweaks/MTU
akafiti (ASKER)

lrmoore - I tried what you advised.  It didn't work.  However - I was able to ping the firebox from within the network.  I was also able to ping the gateway which we gave the firebox and the router.

An outside person could also ping the router and the IP of the firebox.  However when he did a tracert of the IP of the firebox it never came to the routers IP address, so I don't know what exactly he was pinging.  To me it looks like there may be something within the router config that is causing all the problems in my current setting and with what you advised also.

Should my only IP route command be that of 0.0.0.0 0.0.0.0 65.b.c.e (Qwest End?)

I'm assuming in my interface commands when I say no IP nat inside/outside makes the router ignore any of the nat commands it has?

I have a couple commands which say access-list 1 permit 111.0.0.0 0.255.255.255
and access-list 1 permit 192.168.100.0 0.0.0.255
Do these do anything?

Also a line that looks like this -
router igrp 1
redistribute connected
network 111.0.0.0
What is this doing?

I was so confident your suggestion would work, and now I'm back at square one.  I don't know if I was missing just one line in the router or possibly needed to add anything into the firebox but all I know is I couldn't get out and things couldn't get in....  Any other advice would be appreciated.
If you can post your complete config, I'll be happy to take a look at it.

akafiti (ASKER)

Can I email it?  I trust you but I'm a little worried about other folk.
akafiti (ASKER)

If you'd like, you can email me at akafiti@1-888-ohiocomp.com and I'll send it right over to ya.
We need to keep everything within this forum, else it won't be any good as a future problem/solution set for the database.
You can edit the real ip addresses and any passwords before posting, but it will be safe. If I see anything that would not be safe to keep, I'll have a moderator edit it.

I'm off to some appointments for a couple of hours and won't have access to email ..
Be back soonest...
akafiti (ASKER)

Ok.  Here is the router config.  I'll also post the firewall config too.  Remember that my firewall only takes IP's on the same subnet.  My big problem here again is that my VPN users usually can't get in, but some can.  Those who can't can get in when nothing has changed.  I was going to change the firebox IP and gateway to a 208 if possible.  I'll post that config next.

mco2610#show run
Building configuration...

Current configuration:
!
version 12.0
service config
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname mco2610
!
no logging console
enable secret
enable password
!
ip subnet-zero
no ip source-route
ip cef
ip domain-name ALTER.NET
ip name-server 198.6.1.2
!
!
!
!
interface Ethernet0/0
 ip address 192.168.100.1 255.255.255.0
 ip directed-broadcast
 ip nat inside
 ip route-cache flow
 no ip route-cache cef
 no cdp enable
!
interface Serial0/0
 ip address 65.112.65.30 255.255.255.252
 no ip directed-broadcast
 ip nat outside
 no ip mroute-cache
 bandwidth 1536
 no cdp enable
!
router igrp 1
 redistribute connected
 network 111.0.0.0
!
ip nat inside source list 1 interface Serial0/0 overload
ip nat inside source static 192.168.100.0 208.44.113.153
ip nat inside source static 192.168.100.2 208.44.113.154 extendable
ip nat inside source static 192.168.100.3 208.44.113.155 extendable
ip nat inside source static 192.168.100.4 208.44.113.156 extendable
ip nat inside source static 192.168.100.5 208.44.113.157 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 111.0.0.0 255.0.0.0 192.168.100.2
!
access-list 1 permit 111.0.0.0 0.255.255.255
access-list 1 permit 192.168.100.0 0.0.0.255
no cdp run
snmp-server community public RO
!
line con 0
 exec-timeout 0 0
 transport input none
line aux 0
line vty 0 4
 password
 
!
end

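As an added illustration (my own code, not anything posted in this thread or shipped by Cisco or Watchguard): a small Python lint that parses an IOS running-config of the shape shown above, reports the patterns this thread turns on (NAT active on the router in front of a firewall that also NATs, a PAT overload rule that PPTP's GRE leg cannot be port-multiplexed through, a dangling IGRP process, and a default route pointed at an interface rather than a next hop), and emits the IOS commands for the no-NAT-on-the-router fix. The embedded config is a constructed, trimmed copy; the 208.44.113.153/29 LAN address and the 65.112.65.29 next hop passed in the usage call are assumptions (the next hop is inferred as the other usable address of the 65.112.65.28/30 serial link).

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the style of config posted in the thread
# (same interface roles, same overload + static NAT, same IGRP leftover).
SAMPLE_CONFIG = """\
version 12.0
hostname mco2610
!
interface Ethernet0/0
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address 65.112.65.30 255.255.255.252
 ip nat outside
!
router igrp 1
 redistribute connected
 network 111.0.0.0
!
ip nat inside source list 1 interface Serial0/0 overload
ip nat inside source static 192.168.100.2 208.44.113.154 extendable
ip route 0.0.0.0 0.0.0.0 Serial0/0
access-list 1 permit 192.168.100.0 0.0.0.255
!
end
"""


@dataclass
class IosConfig:
    interfaces: dict = field(default_factory=dict)  # "Serial0/0" -> sub-commands
    routers: dict = field(default_factory=dict)     # "igrp 1"    -> sub-commands
    top: list = field(default_factory=list)         # unindented global commands


def parse_ios(text: str) -> IosConfig:
    """Split a running-config into interface blocks, router blocks and globals.
    IOS marks block membership by a single leading space; that is all we rely on."""
    cfg = IosConfig()
    block = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):              # sub-command of the current block
            if block is not None:
                block.append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith("interface "):
            block = cfg.interfaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith("router "):
            block = cfg.routers.setdefault(line.split(None, 1)[1], [])
        else:
            block = None
            cfg.top.append(line)
    return cfg


def lint(cfg: IosConfig) -> list:
    """Return 'code: explanation' findings for the patterns discussed in the thread."""
    findings = []
    inside = [n for n, c in cfg.interfaces.items() if "ip nat inside" in c]
    outside = [n for n, c in cfg.interfaces.items() if "ip nat outside" in c]
    overload = [t for t in cfg.top
                if t.startswith("ip nat inside source") and t.endswith("overload")]
    if inside and outside:
        findings.append("nat-active: router translates %s -> %s; a firewall behind it "
                        "that also NATs makes this a double NAT"
                        % (",".join(inside), ",".join(outside)))
    if overload:
        findings.append("pat-overload: PAT multiplexes on TCP/UDP ports, but PPTP's data "
                        "leg is GRE (IP protocol 47), which has no ports; GRE through an "
                        "overload rule needs a static 1:1 mapping or an ALG to survive")
    for name in cfg.routers:
        findings.append("dynamic-routing: 'router %s' has no peer on a customer T1; "
                        "it is dead weight" % name)
    for t in cfg.top:
        m = re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", t)
        if m and not re.fullmatch(r"\d+\.\d+\.\d+\.\d+", m.group(1)):
            findings.append("default-route-via-interface: default route points at %s; "
                            "a next-hop IP avoids per-destination ARP on the link"
                            % m.group(1))
    return findings


def no_nat_rewrite(cfg: IosConfig, lan_if: str, lan_addr: str, lan_mask: str,
                   isp_next_hop: str) -> list:
    """IOS commands for the thread's fix: drop NAT and the routing process on the
    router, put the public block on the LAN interface, default-route to the ISP end."""
    cmds = ["no " + t for t in cfg.top if t.startswith("ip nat inside source")]
    cmds += ["no router " + name for name in cfg.routers]
    for ifname, sub in cfg.interfaces.items():
        for nat in ("ip nat inside", "ip nat outside"):
            if nat in sub:
                cmds += ["interface " + ifname, " no " + nat]
    cmds += ["interface " + lan_if, " ip address %s %s" % (lan_addr, lan_mask)]
    cmds += ["no " + t for t in cfg.top if t.startswith("ip route 0.0.0.0 0.0.0.0 ")]
    cmds.append("ip route 0.0.0.0 0.0.0.0 " + isp_next_hop)
    return cmds


if __name__ == "__main__":
    cfg = parse_ios(SAMPLE_CONFIG)
    for f in lint(cfg):
        print("*", f)
    print("--- proposed changes (addresses are assumptions) ---")
    # 208.44.113.153/29 and 65.112.65.29 are assumed, not taken from the thread.
    for c in no_nat_rewrite(cfg, "Ethernet0/0", "208.44.113.153",
                            "255.255.255.248", "65.112.65.29"):
        print(c)
```

The lint only reports what the text of the config states; it cannot see the Firebox, so the double-NAT finding is a prompt to check the device behind the router, which is exactly the question this thread's fix answers by moving all translation to the firewall.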
akafiti (ASKER)

This is our firebox info:
External
IP: 192.168.100.2/24
Gateway: 192.168.100.1
Aliases: 192.168.100.3
             192.168.100.4
             192.168.100.5

Trusted:
111.111.120.254/24

Secondary Networks:
111.111.200.254/24 Trusted
111.111.111.254/24 Trusted


Have you tried the MTU setting ?
akafiti (ASKER)

I haven't, but I can and will now.  This is something I need to check on the clients which are getting rejected correct?  What about XP machines?  That article doesn't mention anything about XP.
akafiti (ASKER)

No luck with the MTU's...
ASKER CERTIFIED SOLUTION
Les Moore

This solution is only available to members.
akafiti (ASKER)

I'll give this a try and it looks very similar to what I had last night I believe.  I'm not sure exactly what IGRP is.  Could it keep the config from working?
It won't keep the config from working.
No ISP that I know of will participate in any dynamic routing protocol other than BGP, so I would say you are perfectly safe to remove it..

  no router igrp 1

akafiti (ASKER)

lrmoore - you are a genius!  Thank you so much for your help.  Cisco had looked at our config and said we were fine with how we were.  We configured the firebox and router as you suggested and people who hadn't been logged onto the VPN for weeks were able to get on.  I'm on as we speak.

Again, thank you so much and I hope if I ever have a problem and post it on here that you stumble across it and can help me out again.

AK
Glad to help!
akafiti (ASKER)

Hope this finds you lrmoore.  We're up and running.  However I manage 2 different companies email servers here.  One is NAT'd to 208.44.113.154.  The other is 208.44.113.155.  154's emails are working fine.  155's can send amongst themselves and can email out.  However they are not getting any emails from the outside world.  Any suggestions?
Are the MX records at the DNS hosting correct?
If yes, most likely issue is in the firewall with the mapping/access. Unfortunately, I'm not a Watchguard guru..
akafiti (ASKER)

Again, thanks for your follow-up.  It seems within the past 10 minutes outside emails have begun dropping in for them.  So unless I hear anything further from them, I'm gonna assume all is working.