
Using VPN from home behind CISCO 804

Posted on 2004-08-05
11
1,018 Views
Last Modified: 2013-11-16
I recently moved and went from a Cable modem and Netgear RP114 cable router (using NAT) to ISDN using a CISCO 804 router.  I had no problems accessing my employer's network via VPN over the internet using the cable configuration, but now using the 804 router after I authenticate, I am not able to get any response.  It is as if a port is being blocked, but I don't see in the IOS config anything to indicate that.  I am using NAT.

Thoughts?

Thanks
Question by:kthornb
11 Comments
 
LVL 7

Assisted Solution

by:scdavis
scdavis earned 50 total points
I dunno about the 804 -- but if it's like the PiX, see if there are "Protocol Fixup" commands.

The baby PiX 501E's (when config'd with PAT) require the addition of a "Fixup Protocol PPTP 1723" command..  before they'll handle the GRE correctly.


Unnh, that's assuming your "vpn" is Microsoft-pptp kinda VPN stuff, eh?

-- Scott.

 
LVL 3

Expert Comment

by:fatlad
What IOS version and edition are you using?

What type of VPN are you using (preferably with names of your employer's equipment)?
 

Author Comment

by:kthornb
Following is a dump of the techinfo.  It has the version and release.  This is a basic IOS config generated by the FastStep configurator.  Some of the data was replaced by x's to protect the innocent.

I don't actually know what VPN we are running, however, at one point, I was running a personal firewall product, and VPN would not work without port 500 open.

Thanks for the replies.

------->
show tech

------------------ show version ------------------

Cisco Internetwork Operating System Software
IOS (tm) C800 Software (C800-G3-MW), Version 12.0(1)XB1,  RELEASE SOFTWARE (fc1)
TAC:Home:SW:IOS:Specials for info
Copyright (c) 1986-1998 by cisco Systems, Inc.
Compiled Wed 30-Dec-98 13:34 by ayeh
Image text-base: 0x000E9000, data-base: 0x004F5000

ROM: TinyROM version 1.0(2)
xxxxxxxx uptime is 1 day, 6 hours, 52 minutes
System restarted by power-on at 09:53:04 UTC Sat Aug 7 2004
System image file is "flash:c800-g3-mw.120-1.XB1"

Cisco C804 (MPC850) processor (revision 0) with 43260K bytes of virtual memory.
Processor board ID JAD03033085
CPU part number 33
Bridging software.
Basic Rate ISDN software, Version 1.1.
1 Ethernet/IEEE 802.3 interface(s)
1 ISDN Basic Rate interface(s)
4M bytes of physical memory (DRAM)
8K bytes of non-volatile configuration memory
8M bytes of flash on board (4M from flash card)

Configuration register is 0x2102


------------------ show running-config ------------------


Building configuration...

Current configuration:
!
! Last configuration change at 16:30:05 UTC Sun Aug 8 2004
! NVRAM config last updated at 10:07:48 UTC Sat Aug 7 2004
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname    xxxxx
logging buffered 8192 debugging
enable secret 5 <removed>
!
username    xxxxx password 7 <removed>
!
dial-peer voice 1 pots
 call-waiting
 ring 0
 port 1
 destination-pattern    xxxx
!
dial-peer voice 2 pots
 call-waiting
 ring 0
 port 2
 destination-pattern    xxxx
!
pots country US
ip subnet-zero
no ip source-route
!
ip dhcp pool DHCPPoolLAN_0
   network 192.168.11.0 255.255.255.0
   dns-server    .xxx.xxx.xxx    .xxx.xxx.xxx
   default-router 192.168.11.1
!
ip name-server    .xxx.xxx.xxx
ip name-server    .xxx.xxx.xxx
isdn switch-type basic-ni
!
!
!
interface Ethernet0
 ip address 192.168.11.1 255.255.255.0
 ip access-group 121 in
 no ip directed-broadcast
 no ip proxy-arp
 ip nat inside
!
interface BRI0
 no ip address
 no ip directed-broadcast
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-ni
 isdn spid1    xxxxxxx0101    xxxx
 isdn spid2    xxxxxxx0101    xxxx
 isdn incoming-voice modem
 ppp authentication chap pap callin
 ppp multilink
!
interface Dialer1
 description ISP
 ip address negotiated
 ip access-group 121 in
 no ip directed-broadcast
 no ip proxy-arp
 ip nat outside
 encapsulation ppp
 no ip split-horizon
 dialer remote-name Cisco1
 dialer idle-timeout 300
 dialer string    xxxx class DialClass
 dialer hold-queue 10
 dialer load-threshold 10 either
 dialer pool 1
 dialer-group 1
 pulse-time 0
 ppp authentication chap pap callin
 ppp chap hostname    xxxxx
 ppp chap password 7    xxxxx
 ppp pap sent-username    xxxxx password 7    xxxxx
 ppp multilink
!
ip nat inside source list 18 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
map-class dialer DialClass
 dialer isdn speed 56
access-list 18 permit 192.168.11.0 0.0.0.255
access-list 121 deny   udp any eq netbios-dgm any
access-list 121 deny   udp any eq netbios-ns any
access-list 121 deny   udp any eq 139 any
access-list 121 deny   tcp any eq 137 any
access-list 121 deny   tcp any eq 138 any
access-list 121 deny   tcp any eq 139 any
access-list 121 permit ip any any time-range TIME
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 0 0
 transport input none
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 login local
!
time-range TIME
 periodic daily 0:00 to 23:59
!
end

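An added check over the config dump above, written for this page and not taken from the thread or from Cisco. It parses only the shapes that appear in the posted config (source and destination "any", "eq" port matches, the interface-level "ip nat outside" and "ip access-group ... in" lines) and answers the three questions the thread circles around: is overload NAT (PAT) configured, does the inbound ACL on the outside interface actually pass IKE on UDP/500, NAT-T on UDP/4500 and ESP (IP protocol 50), and is the image older than the 12.2(13)T that the accepted answer gives as the minimum for NAT traversal? The embedded CONFIG is an excerpt of the poster's own output; the ACL evaluator and the version threshold are this example's assumptions.

```python
"""Audit the parts of the posted IOS config that bear on IPsec through PAT.

Added example, not code from the thread or from Cisco IOS.  Only config
shapes seen on the page are parsed (addresses 'any', 'eq' port matches)."""
import re
from typing import Dict, List, Optional, Tuple

# Excerpt of the 'show tech' output from the question (redactions left as-is).
CONFIG = """\
IOS (tm) C800 Software (C800-G3-MW), Version 12.0(1)XB1,  RELEASE SOFTWARE (fc1)
interface Dialer1
 ip access-group 121 in
 ip nat outside
ip nat inside source list 18 interface Dialer1 overload
access-list 18 permit 192.168.11.0 0.0.0.255
access-list 121 deny   udp any eq netbios-dgm any
access-list 121 deny   udp any eq netbios-ns any
access-list 121 deny   udp any eq 139 any
access-list 121 deny   tcp any eq 137 any
access-list 121 deny   tcp any eq 138 any
access-list 121 deny   tcp any eq 139 any
access-list 121 permit ip any any time-range TIME
"""

PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139,
              "isakmp": 500, "non500-isakmp": 4500}
PROTO_NUM = {"ip": None, "tcp": 6, "udp": 17, "esp": 50, "gre": 47}
NAT_T_MIN_VERSION = (12, 2, 13)   # threshold stated in the accepted answer

ACL_RE = r"^access-list {n} (permit|deny)\s+(\S+)\s+any(?: eq (\S+))?\s+any(?: eq (\S+))?"


def parse_port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_acl(config: str, number: int) -> List[dict]:
    """Extended ACL entries: action proto any [eq P] any [eq P] [time-range T]."""
    pat = re.compile(ACL_RE.format(n=number))
    entries = []
    for line in config.splitlines():
        m = pat.match(line)
        if m:
            action, proto, sp, dp = m.groups()
            entries.append({"action": action, "proto": PROTO_NUM[proto],
                            "sport": parse_port(sp) if sp else None,
                            "dport": parse_port(dp) if dp else None})
    return entries


def acl_verdict(entries: List[dict], proto: int,
                sport: Optional[int], dport: Optional[int]) -> str:
    """First-match evaluation with Cisco's implicit deny at the end."""
    for e in entries:
        if e["proto"] is not None and e["proto"] != proto:
            continue
        if e["sport"] is not None and e["sport"] != sport:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"]
    return "deny"


def outside_inbound_acl(config: str) -> Optional[int]:
    """Number of the ACL applied inbound on the interface marked 'ip nat outside'."""
    acl, is_outside = None, False
    for line in config.splitlines() + ["interface END"]:   # sentinel closes last block
        if line.startswith("interface "):
            if is_outside:
                return acl
            acl, is_outside = None, False
        elif line.strip().startswith("ip access-group") and line.split()[-1] == "in":
            acl = int(line.split()[2])
        elif line.strip() == "ip nat outside":
            is_outside = True
    return None


def parse_version(config: str) -> Tuple[int, int, int]:
    m = re.search(r"Version (\d+)\.(\d+)\((\d+)\)", config)
    if not m:
        raise ValueError("no IOS version string found")
    major, minor, rel = (int(x) for x in m.groups())
    return (major, minor, rel)


def audit(config: str) -> Dict[str, object]:
    acl_num = outside_inbound_acl(config)
    entries = parse_acl(config, acl_num) if acl_num is not None else []
    # (protocol, source port, destination port) for the flows the VPN needs,
    # plus one NetBIOS flow to show the deny entries are actually evaluated.
    flows = {"ike": (17, 500, 500), "nat_t": (17, 4500, 4500),
             "esp": (50, None, None), "netbios_dgm": (17, 138, 138)}
    version = parse_version(config)
    return {
        "pat_overload": bool(re.search(
            r"^ip nat inside source list \d+ interface \S+ overload", config, re.M)),
        "outside_inbound_acl": acl_num,
        "acl_verdicts": {name: acl_verdict(entries, *flow) for name, flow in flows.items()},
        "ios_version": version,
        "nat_t_supported": version >= NAT_T_MIN_VERSION,
    }


if __name__ == "__main__":
    for key, value in audit(CONFIG).items():
        print(f"{key:20s} {value}")
```

On the posted config the ACL permits every IPsec flow (the only denies are NetBIOS source ports, and the final "permit ip any any" catches the rest), PAT overload is present, and the version is below the stated threshold, which is consistent with the answers: nothing on the router is filtering the VPN, the problem is ESP meeting PAT.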
 
LVL 3

Accepted Solution

by:fatlad
fatlad earned 400 total points
You will need to enable NAT traversal for this to work correctly. There is an issue with encrypted packets passing through a NAT boundary, and this feature allows it to occur. Unfortunately the version of IOS you are using (12.0) does not support this; you will need at least 12.2(13)T.

Get an IOS image from http://www.cisco.com/cgi-bin/tablebuild.pl?topic=270571981 (you will need to register with Cisco first). You will only need the basic IP feature set.

It should automatically recognise IPSec traffic and use NAT traversal.

Good Luck

FatLad
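An added model of why this answer and scdavis's PPTP remark above describe the same problem. It is not code from the thread or from Cisco; it is a toy port address translation table (the behaviour of "ip nat inside source list ... interface Dialer1 overload") with constructed hosts from the 192.168.11.0/24 pool and documentation addresses standing in for the Dialer1 and VPN gateway addresses. PAT multiplexes inside hosts on a transport port, so IKE on UDP/500 and NAT-T (ESP wrapped in UDP/4500, RFC 3948) get a mapping and their replies come back to the right host, while raw ESP (IP protocol 50) and PPTP's GRE (protocol 47) have no port field, get no mapping, and their replies are dropped. The 4500 demultiplexing helper goes slightly beyond the thread: it shows the non-ESP marker that lets a gateway tell IKE from ESP on the same port.

```python
"""Toy PAT ("nat overload") table showing why ESP and GRE fail behind it
while IKE on UDP/500 and NAT-T on UDP/4500 pass.

Added illustration, not code from the thread or from Cisco IOS.  All
addresses are constructed (documentation ranges / the poster's DHCP pool)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PROTO_UDP, PROTO_GRE, PROTO_ESP = 17, 47, 50
IKE_PORT, NAT_T_PORT = 500, 4500
PUBLIC_IP = "203.0.113.1"       # stands in for the negotiated Dialer1 address
VPN_GATEWAY = "198.51.100.10"   # stands in for the employer's VPN gateway


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None: protocol has no transport port (ESP, GRE)
    dport: Optional[int] = None


class PatOverload:
    """Many inside hosts share one public address, keyed on (proto, port)."""

    def __init__(self, public_ip: str, first_port: int = 1024) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.out: Dict[Tuple[int, str, int], int] = {}      # (proto, inside ip, inside port) -> public port
        self.back: Dict[Tuple[int, int], Tuple[str, int]] = {}  # (proto, public port) -> inside

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        # No port means nothing to rewrite and no way to tell two inside hosts'
        # replies apart, so classic PAT has no mapping to offer.
        if pkt.sport is None:
            return None
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(pkt.proto, self.public_ip, pkt.dst, self.out[key], pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dport is None:
            return None
        entry = self.back.get((pkt.proto, pkt.dport))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return Packet(pkt.proto, pkt.src, inside_ip, pkt.sport, inside_port)


def reply_reaches(pat: PatOverload, outbound: Packet) -> Optional[Tuple[str, Optional[int]]]:
    """Push a packet out through PAT, let the gateway answer it, and return the
    inside (address, port) the answer reaches, or None if PAT drops it."""
    sent = pat.outbound(outbound)
    if sent is None:
        return None
    reply = Packet(sent.proto, sent.dst, sent.src, sent.dport, sent.sport)
    delivered = pat.inbound(reply)
    return None if delivered is None else (delivered.dst, delivered.dport)


def classify_udp4500(payload: bytes) -> str:
    """RFC 3948 demultiplexing on UDP/4500: four zero bytes (the non-ESP
    marker) mean IKE; anything else is an ESP header, whose SPI is never 0."""
    if len(payload) < 4:
        return "invalid"
    return "ike" if payload[:4] == b"\x00\x00\x00\x00" else "esp"


def run_scenarios() -> Dict[str, object]:
    pat = PatOverload(PUBLIC_IP)
    host_a, host_b = "192.168.11.50", "192.168.11.51"   # constructed pool hosts
    return {
        "ike_a": reply_reaches(pat, Packet(PROTO_UDP, host_a, VPN_GATEWAY, IKE_PORT, IKE_PORT)),
        "ike_b": reply_reaches(pat, Packet(PROTO_UDP, host_b, VPN_GATEWAY, IKE_PORT, IKE_PORT)),
        "plain_esp": reply_reaches(pat, Packet(PROTO_ESP, host_a, VPN_GATEWAY)),
        "pptp_gre": reply_reaches(pat, Packet(PROTO_GRE, host_a, VPN_GATEWAY)),
        "nat_t_esp": reply_reaches(pat, Packet(PROTO_UDP, host_a, VPN_GATEWAY, NAT_T_PORT, NAT_T_PORT)),
        "udp4500_ike": classify_udp4500(b"\x00\x00\x00\x00" + b"\x11" * 28),
        "udp4500_esp": classify_udp4500(b"\x00\x00\x12\x34" + b"\x00\x00\x00\x01"),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:12s} -> {result}")
```

Two hosts both sending IKE from source port 500 get distinct public ports and each reply lands on the right host, which is exactly what neither ESP nor GRE can get without an encapsulating UDP header or a vendor fixup such as the PIX PPTP one mentioned above.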
 
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 50 total points
 

Author Comment

by:kthornb
It appears the link implies Ver 12.2 or higher. I am at 12.0, so I don't see that it will work for me.

Rather than spend the money on an IOS upgrade, I am going to try to find an ISDN Modem and build a gateway from a PC.  I've done it before, and since I don't need the complexity of CISCO IOS to get the job done, it will be good enough until SBC gets DSL in this area.

Does anyone else have as hard a time navigating CISCO's website?  I found it nearly impossible to work with.

Also, not having instant access to initiate a service contract is unreasonable in this electronic age.  A CISCO Authorized vendor stated it would take two to three weeks to get a contract processed.  



 
LVL 3

Expert Comment

by:fatlad
Navigating Cisco.com is quite hard, but then it is a huge site, probably the best resource for networking information on the web, apart from experts-exchange ;).

It is rubbish that you can't get the latest version of IOS. I just found that they have finally cottoned on to the fact that I moved companies (it was nearly a year ago) and now I can't access any sort of software downloads. What a pain.
 
LVL 23

Expert Comment

by:Tim Holman
You get used to the Cisco website...
 
LVL 3

Expert Comment

by:fatlad
Tim you do and then they revamp it or alter the menus again!!
 

Author Comment

by:kthornb
Shortly after the last comment above, while loading a new release of the VPN client on my PC, I was informed that there was a different security server for NAT'd logins.  After changing to point to the new security server, I had no problems with my original IOS.

It makes me wonder why my previous configuration (cable modem and cable router) was working, and seems like a hole in the security server, but it's beyond me.  It also makes me wonder whether my current IOS has all the functionality it needs, even though later IOS release notes indicate that the functionality wasn't provided until later releases of IOS.
 

Author Comment

by:kthornb
Also, if it isn't appropriate, someone can slap my hand, but kudos to the people at Black Box Corp, for escalating the initiation of a CISCO service contract for me (3 days) and at least making an IOS upgrade possible, should I have needed it.
