Cisco 1720 VPN w/ Win2K Server

PLAlanPack asked
Last Modified: 2010-04-17
Hello. I'm trying to make it so we can connect to a VPN located on a server behind our Cisco 1720's firewall. I can connect to the VPN locally, so I know it is set up properly on the Windows 2000 server. I have a block of 12 IP addresses that I can assign to do this VPN, but I'm not sure what needs to be assigned to what. Currently we have two NICs on our W2K box, one getting its IP address from the router via DHCP and the other set statically to Does this need to be changed? As you'll see below, I've attempted to open the PPTP port (1723) for traffic. I'm aware that it responds in GRE though. I just can't get it to let the GRE traffic out.

Here is our current Cisco config:

Building configuration...

Current configuration : 2070 bytes
version 12.2
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname [cut]
logging rate-limit console 10 except errors
no logging on
[cut for security]
memory-size iomem 25
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip domain-list *
ip domain-name [cut]
ip name-server 63.x.x.11
ip name-server 63.x.x.10
ip dhcp excluded-address
ip dhcp pool internal
   domain-name [cut]
   netbios-node-type h-node
   dns-server 63.x.x.11 63.x.x.10
   lease 0 2
ip dhcp-server
no ip dhcp-client network-discovery
ip address-pool dhcp-proxy-client
appletalk routing
ipx routing 000d.28db.8c2e
interface Ethernet0
 ip address 209.x.x.146
 ip access-group 10 in
 ip nat outside
 no ip route-cache
interface FastEthernet0
 ip address
 ip nat inside
 no ip route-cache
 speed auto
 appletalk address 0.133
 appletalk discovery
ip default-gateway 209.x.x.145
ip nat pool ext-net2 209.x.x.146 209.x.x.158 netmask
ip nat inside source list 10 interface Ethernet0 overload
ip nat inside source static tcp 1723 interface Ethernet0 1723
ip nat inside source static tcp 8080 interface Ethernet0 8080
ip nat inside source static tcp 80 interface Ethernet0 80
ip nat inside source static 209.x.x.157 <---- This is where I'm trying to do 1-1 nat with one of our unused IPs.
ip classless
ip route
no ip http server
access-list 1 permit
access-list 1 permit any
access-list 10 permit any
access-list 20 permit
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
line con 0
line aux 0
line vty 0 4
 password [cut]
So if I understand this correctly, you are trying to VPN to the static NAT 209.x.x.157?

A couple things to remember here,

IPSec with AH enabled will not work behind a NAT, but it sounds like you are only using PPTP, which should be ok.

The static NAT should take precedence over the PAT configuration, so I don't think that is a problem.

Thanks. After doing this it took off.
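
An added example, not part of the original thread: a small audit of IOS `ip nat inside source static` lines that flags an inside host published for PPTP by a tcp/1723 port entry alone, since such an entry translates only that TCP port and the question notes that the tunnel also needs GRE. The function names and the sample addresses are constructed for illustration, and the check is a heuristic that assumes a one-to-one static entry is how GRE is meant to reach the server.

```python
import re

PPTP_PORT = 1723  # PPTP control channel; tunnelled data travels as GRE (IP protocol 47)

# Port-level entry: ip nat inside source static tcp <local> <port> {interface <if> | <global>} <port>
PORT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (?:interface \S+|\S+) (\d+)\s*$")
# One-to-one entry: ip nat inside source static <local> <global>
ONE_TO_ONE_RE = re.compile(r"^ip nat inside source static (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})\s*$")


def parse_static_nat(config):
    """Return (port_forwards, one_to_one) from IOS 'ip nat inside source static' lines."""
    forwards, one_to_one = [], {}
    for raw in config.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            forwards.append((m.group(1), m.group(2), int(m.group(3)), int(m.group(4))))
            continue
        m = ONE_TO_ONE_RE.match(line)
        if m:
            one_to_one[m.group(1)] = m.group(2)
    return forwards, one_to_one


def pptp_findings(config):
    """Flag inside hosts published for PPTP by port only, with no one-to-one entry for GRE."""
    forwards, one_to_one = parse_static_nat(config)
    findings = []
    for proto, local_ip, local_port, _global_port in forwards:
        if proto == "tcp" and local_port == PPTP_PORT and local_ip not in one_to_one:
            findings.append(f"{local_ip}: tcp/{PPTP_PORT} is forwarded, but no one-to-one static "
                            "NAT entry exists; a tcp-only entry does not translate GRE")
    return findings


# Constructed sample configs (private/documentation addresses, not the poster's).
PORT_ONLY = """
ip nat inside source list 10 interface Ethernet0 overload
ip nat inside source static tcp 192.168.1.10 1723 interface Ethernet0 1723
ip nat inside source static tcp 192.168.1.10 80 interface Ethernet0 80
"""
WITH_ONE_TO_ONE = PORT_ONLY + "ip nat inside source static 192.168.1.10 203.0.113.157\n"

if __name__ == "__main__":
    for name, cfg in (("port-only", PORT_ONLY), ("with 1:1", WITH_ONE_TO_ONE)):
        print(name, pptp_findings(cfg) or "no PPTP/GRE gap found")
```

A clean result only means a one-to-one entry exists for the PPTP host; any access list applied to the outside interface still has to permit both tcp/1723 and GRE to the translated address.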