kthornb

Using VPN from home behind CISCO 804

I recently moved and went from a cable modem and Netgear RP114 cable router (using NAT) to ISDN using a CISCO 804 router.  I had no problems accessing my employer's network via VPN over the internet using the cable configuration, but now using the 804 router after I authenticate, I am not able to get any response.  It is as if a port is being blocked, but I don't see in the IOS config anything to indicate that.  I am using NAT.

Thoughts?

Thanks

fatlad

What IOS version and edition are you using?

What type of VPN are you using (preferably with names of your employer's equipment)?

ASKER

Following is a dump of the techinfo.  It has the version and release.  This is a basic IOS config generated by the FastStep configurator.  Some of the data was replaced by x's to protect the innocent.

I don't actually know what VPN we are running, however, at one point, I was running a personal firewall product, and VPN would not work without port 500 open.

Thanks for the replies.

------->
show tech

------------------ show version ------------------

Cisco Internetwork Operating System Software
IOS (tm) C800 Software (C800-G3-MW), Version 12.0(1)XB1,  RELEASE SOFTWARE (fc1)
TAC:Home:SW:IOS:Specials for info
Copyright (c) 1986-1998 by cisco Systems, Inc.
Compiled Wed 30-Dec-98 13:34 by ayeh
Image text-base: 0x000E9000, data-base: 0x004F5000

ROM: TinyROM version 1.0(2)
xxxxxxxx uptime is 1 day, 6 hours, 52 minutes
System restarted by power-on at 09:53:04 UTC Sat Aug 7 2004
System image file is "flash:c800-g3-mw.120-1.XB1"

Cisco C804 (MPC850) processor (revision 0) with 43260K bytes of virtual memory.
Processor board ID JAD03033085
CPU part number 33
Bridging software.
Basic Rate ISDN software, Version 1.1.
1 Ethernet/IEEE 802.3 interface(s)
1 ISDN Basic Rate interface(s)
4M bytes of physical memory (DRAM)
8K bytes of non-volatile configuration memory
8M bytes of flash on board (4M from flash card)

Configuration register is 0x2102


------------------ show running-config ------------------


Building configuration...

Current configuration:
!
! Last configuration change at 16:30:05 UTC Sun Aug 8 2004
! NVRAM config last updated at 10:07:48 UTC Sat Aug 7 2004
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname    xxxxx
logging buffered 8192 debugging
enable secret 5 <removed>
!
username    xxxxx password 7 <removed>
!
dial-peer voice 1 pots
 call-waiting
 ring 0
 port 1
 destination-pattern    xxxx
!
dial-peer voice 2 pots
 call-waiting
 ring 0
 port 2
 destination-pattern    xxxx
!
pots country US
ip subnet-zero
no ip source-route
!
ip dhcp pool DHCPPoolLAN_0
   network 192.168.11.0 255.255.255.0
   dns-server    .xxx.xxx.xxx    .xxx.xxx.xxx
   default-router 192.168.11.1
!
ip name-server    .xxx.xxx.xxx
ip name-server    .xxx.xxx.xxx
isdn switch-type basic-ni
!
!
!
interface Ethernet0
 ip address 192.168.11.1 255.255.255.0
 ip access-group 121 in
 no ip directed-broadcast
 no ip proxy-arp
 ip nat inside
!
interface BRI0
 no ip address
 no ip directed-broadcast
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-ni
 isdn spid1    xxxxxxx0101    xxxx
 isdn spid2    xxxxxxx0101    xxxx
 isdn incoming-voice modem
 ppp authentication chap pap callin
 ppp multilink
!
interface Dialer1
 description ISP
 ip address negotiated
 ip access-group 121 in
 no ip directed-broadcast
 no ip proxy-arp
 ip nat outside
 encapsulation ppp
 no ip split-horizon
 dialer remote-name Cisco1
 dialer idle-timeout 300
 dialer string    xxxx class DialClass
 dialer hold-queue 10
 dialer load-threshold 10 either
 dialer pool 1
 dialer-group 1
 pulse-time 0
 ppp authentication chap pap callin
 ppp chap hostname    xxxxx
 ppp chap password 7    xxxxx
 ppp pap sent-username    xxxxx password 7    xxxxx
 ppp multilink
!
ip nat inside source list 18 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
map-class dialer DialClass
 dialer isdn speed 56
access-list 18 permit 192.168.11.0 0.0.0.255
access-list 121 deny   udp any eq netbios-dgm any
access-list 121 deny   udp any eq netbios-ns any
access-list 121 deny   udp any eq 139 any
access-list 121 deny   tcp any eq 137 any
access-list 121 deny   tcp any eq 138 any
access-list 121 deny   tcp any eq 139 any
access-list 121 permit ip any any time-range TIME
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 0 0
 transport input none
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 login local
!
time-range TIME
 periodic daily 0:00 to 23:59
!
end
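
An added example (not part of the thread and not any participant's answer): a small Python check that puts the asker's "is a port being blocked?" question to ACL 121 and the NAT statement from the posted running-config. The parser handles only the "any ... eq" forms that appear in that config and treats time-range TIME as always active; the flow list (IKE on UDP 500, NAT-T on UDP 4500, ESP) uses standard IPsec values, of which the thread itself mentions only port 500.

```python
import re

# Constructed excerpt: the NAT and ACL 121 lines copied from the posted config.
CONFIG = """\
ip nat inside source list 18 interface Dialer1 overload
access-list 121 deny   udp any eq netbios-dgm any
access-list 121 deny   udp any eq netbios-ns any
access-list 121 deny   udp any eq 139 any
access-list 121 deny   tcp any eq 137 any
access-list 121 deny   tcp any eq 138 any
access-list 121 deny   tcp any eq 139 any
access-list 121 permit ip any any time-range TIME
"""
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}
# Assumption: addresses are always "any", each with an optional "eq <port>".
ACE = re.compile(r"access-list (\d+) (permit|deny)\s+(\S+)"
                 r" any(?: eq (\S+))? any(?: eq (\S+))?")

def port(tok):
    return None if tok is None else PORT_NAMES.get(tok) or int(tok)

def parse_acl(config, number):
    # Each entry: (action, protocol, source port, destination port)
    return [(m[2], m[3], port(m[4]), port(m[5]))
            for m in ACE.finditer(config) if int(m[1]) == number]

def evaluate(entries, proto, sport=None, dport=None):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, ace_proto, ace_sport, ace_dport in entries:
        if (ace_proto in ("ip", proto) and ace_sport in (None, sport)
                and ace_dport in (None, dport)):
            return action
    return "deny"

def uses_pat(config):
    # "overload" on the NAT statement means many-to-one port translation.
    return bool(re.search(r"^ip nat inside source list \d+ interface \S+ overload",
                          config, re.M))

def report():
    acl = parse_acl(CONFIG, 121)
    flows = {"IKE": ("udp", 500, 500), "NAT-T": ("udp", 4500, 4500),
             "ESP": ("esp", None, None)}  # ESP carries no port numbers
    result = {name: evaluate(acl, *flow) for name, flow in flows.items()}
    result["PAT"] = uses_pat(CONFIG)
    return result

if __name__ == "__main__":
    print(report())
```

With this config all three flows come back as permit and PAT is true: ACL 121 filters only NetBIOS source ports, and the traffic leaves through an overloaded NAT on Dialer1.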


ASKER

It appears the link implies Ver 12.2 or higher. I am at 12.0, so I don't see that it will work for me.

Rather than spend the money on an IOS upgrade, I am going to try to find an ISDN Modem and build a gateway from a PC.  I've done it before, and since I don't need the complexity of CISCO IOS to get the job done, it will be good enough until SBC gets DSL in this area.

Does anyone else have as hard a time navigating CISCO's website?  I found it nearly impossible to work with.

Also, not having instant access to initiate a service contract is unreasonable in this electronic age.  A CISCO Authorized vendor stated it would take two to three weeks to get a contract processed.  



Navigating Cisco.com is quite hard, but then it is a huge site, probably the best resource for networking information on the web, apart from experts-exchange ;).

It is rubbish that you can't get the latest version of IOS, I just found that they have finally cottoned on to the fact that I moved companies (it was nearly a year ago) and now I can't access any sort of software downloads. What a pain.
You get used to the Cisco website...
Tim, you do, and then they revamp it or alter the menus again!!

ASKER

Shortly after the last comment above, while loading a new release of the VPN client on my PC, I was informed that there was a different security server for NAT'd logins.  After changing to point to the new security server, I had no problems with my original IOS.

It makes me wonder why my previous configuration (cable modem and cable router) was working, and seems like a hole in the security server, but it's beyond me.  It also makes me wonder why my current IOS has all the functionality it needs, even though later IOS release notes indicate that the functionality wasn't provided until later releases of IOS.

ASKER

Also, if it isn't appropriate, someone can slap my hand, but kudos to the people at Black Box Corp for escalating the initiation of a CISCO service contract for me (3 days) and at least making an IOS upgrade possible, should I have needed it.