Solved

Cisco 2600 for VPN request forwarding...

Posted on 2004-09-20
12
215 Views
Last Modified: 2010-04-17
I have a Cisco 2600 series on my network. I have recently set up a Windows 2000 Server box using RAS to accept incoming VPN requests. I have tested this setup and it works great internally. I want the router to forward all VPN requests to a specified internal server. I have added the following lines to my router config:

permit tcp host A.B.C.D eq 1723 host A.B.C.D eq 1723
permit tcp host A.B.C.D eq 47 host A.B.C.D eq 47

When I try and telnet to the external address on the router and do a manual port probe using telnet to port 1723 or 47, the port is not open..... What am I missing... Oh, my router is using IOS ver. 12.0....
Question by:compdigit
12 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12107533
>permit tcp host A.B.C.D eq 47 host A.B.C.D eq 47
Change this to:
permit gre host A.B.C.D host A.B.C.D
          ^^
GRE is Protocol 47, not TCP port 47

Are you also using NAT on the router? If so, you need a static NAT address map to the RAS server..

0
 

Author Comment

by:compdigit
ID: 12108250
Great, thank you... I am not sure of the correct syntax for NAT going from a specific inside global address to an inside local address and specifying the port numbers.... Please help....
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12108310
To NAT an outside address to an inside address:

    ip nat inside source static <local IP> <public ip>

You can't specify port numbers because GRE has no concept of ports.
0
 

Author Comment

by:compdigit
ID: 12113296
Thank you for your quick response. I made the changes to the NAT table, still no luck.  :-( I see references to IP address and port numbers in my NAT table like A.B.C.D:port#. I tried doing this for the port 1723 and it did not like the syntax... :-(
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12113405
>I tried doing this for the port 1723 and it did not like the syntax
You can use a port translation like this:
   ip nat inside source static tcp <local ip> 1723 <public ip> 1723

However, your GRE tunnel will require that you have a separate dedicated public IP just for the VPN server, using the syntax in my previous post. If you have one and only one public IP that is assigned to the WAN interface, you will not be able to accomplish your goal.
0
 

Author Comment

by:compdigit
ID: 12113878
Great thank you very much for all your help !!!!
0
 

Author Comment

by:compdigit
ID: 12117520
Bad news, no luck...... :-( I am trying to use the external interface of my router as the public IP that people hit for the VPN connection:

I have added the following to the access-list

permit tcp host a.b.c.d eq 1723 host a.b.c.d eq 1723
permit udp host a.b.c.d eq 1723 host a.b.c.d eq 1723
permit gre host a.b.c.d host a.b.c.d

NAT table

ip nat inside source static <private ip> <public ip>
ip nat inside source static tcp <private ip> <public ip>
ip nat inside source static udp <private ip> <public ip>

Note I have tried different public IP addresses other than the one used for the external interface of the router, with no luck.......... :-(
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12117645
>I am trying to use the external interface of my router as the public ip that people hit for the vpn connection:
You're right. No luck. If you have a different IP that you can use, this is what your config should look like:

Interface Eth 0/0
 ip address 4.5.6.7 255.255.255.248  <= example only
 ip nat outside
 ip access-group 101 in
!
Interface Eth0/1
 ip address 192.168.168.1 255.255.255.0
 ip nat inside
!
ip nat inside source static 192.168.168.100 4.5.6.8
!
access-list 101 permit tcp any host 4.5.6.8 eq 1723
access-list 101 permit gre any host 4.5.6.8
access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
!
!
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12117663
Let me revise the NAT:

!
access-list 1 deny 192.168.168.100
access-list 1 permit 192.168.168.0 0.0.0.255
!
ip nat inside source list 1 interface Eth0/0 overload
ip nat inside source static 192.168.168.100 4.5.6.8
!
0
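The ACL, the static NAT and the outside interface address in the two posts above have to agree with each other. The following Python check is an added example, not lrmoore's config or anything from the thread: it parses a constructed IOS-style config in the same layout and flags the three mistakes this thread walks through (GRE written as TCP/UDP port 47, the static NAT public address reusing the NAT-outside interface address, and a missing tcp 1723 or gre permit for the NAT'd host).

```python
import re

# Constructed sample (assumed layout, not copied from the thread): the corrected
# config from the answer plus the asker's original "tcp ... eq 47" line, so the
# checker has a mistake to flag.
SAMPLE_CONFIG = """
interface Ethernet0/0
 ip address 4.5.6.7 255.255.255.248
 ip nat outside
 ip access-group 101 in
!
ip nat inside source static 192.168.168.100 4.5.6.8
!
access-list 101 permit tcp any host 4.5.6.8 eq 1723
access-list 101 permit gre any host 4.5.6.8
access-list 101 permit tcp any host 4.5.6.8 eq 47
"""

ACL_RE = re.compile(r"^access-list\s+\d+\s+permit\s+(\S+)\s+(.*)$")
NAT_RE = re.compile(r"^ip nat inside source static\s+(\S+)\s+(\S+)$")

def check_pptp_forwarding(config: str) -> list[str]:
    """Return a list of findings; an empty list means the PPTP pass-through looks right."""
    findings, acl, nat_public = [], [], []
    iface_ip, outside_ifaces, cur = {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
        elif cur and line.startswith("ip address "):
            iface_ip[cur] = line.split()[2]
        elif cur and line == "ip nat outside":
            outside_ifaces.add(cur)
        elif m := ACL_RE.match(line):
            acl.append(m.groups())           # (protocol, rest of the entry)
        elif m := NAT_RE.match(line):
            nat_public.append(m.group(2))    # one-to-one static NAT public address
    wan_ips = {iface_ip[i] for i in outside_ifaces if i in iface_ip}
    for proto, rest in acl:
        if proto in ("tcp", "udp") and re.search(r"\beq 47\b", rest):
            findings.append(f"'{proto} ... eq 47' is not GRE: GRE is IP protocol 47, not a port; use 'permit gre'")
    for pub in nat_public:
        if pub in wan_ips:
            findings.append(f"static NAT to {pub} reuses the nat-outside interface address; GRE pass-through needs its own public IP")
        if not any(p == "tcp" and f"host {pub} eq 1723" in r for p, r in acl):
            findings.append(f"no ACL entry permits tcp to host {pub} eq 1723 (PPTP control channel)")
        if not any(p == "gre" and f"host {pub}" in r for p, r in acl):
            findings.append(f"no ACL entry permits gre to host {pub} (PPTP data channel)")
    return findings
```

Run against the sample it reports only the `eq 47` entry; point it at a config where the static NAT reuses the outside interface address and it reports the case lrmoore says cannot work.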
 

Author Comment

by:compdigit
ID: 12118579
It worked, thank you... One problem though: I lost my RDP to my terminal server (port 3389) and OWA access to my Exchange server. How do I add these settings to the access-list that I applied to the external interface of the router.......
0
 

Author Comment

by:compdigit
ID: 12122361
I got it..... I merged my new access-group into my old one and everything is working... Thank you for all your help..
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 125 total points
ID: 12136433
Great! Can you go ahead and close this question:
http://www.experts-exchange.com/Hardware/Routers/help.jsp#hs7

- Thanks!
0
