Cisco 2600 for VPN request forwarding...

I have a Cisco 2600 series on my network. I have recently set up a Windows 2000 Server box using RAS to accept incoming VPN requests. I have tested this setup and it works great internally. I want the router to forward all VPN requests to a specified internal server. I have added the following lines to my router config:

permit tcp host A.B.C.D eq 1723 host A.B.C.D eq 1723
permit tcp host A.B.C.D eq 47 host A.B.C.D eq 47

When I try to telnet to the external address on the router and do a manual port probe using telnet to port 1723 or 47, the port is not open..... What am I missing... Oh, my router is using IOS ver. 12.0....
compdigit Asked:
lrmoore Commented:
Great! Can you go ahead and close this question:
http://www.experts-exchange.com/Hardware/Routers/help.jsp#hs7

- Thanks!
lrmoore Commented:
>permit tcp host A.B.C.D eq 47 host A.B.C.D eq 47
Change this to:
permit gre host A.B.C.D host A.B.C.D
          ^^
GRE is Protocol 47, not TCP port 47

Are you also using NAT on the router? if so, you need a static nat address map to the RAS server..

compdigit Author Commented:
Great thank you... I am not sure of the correct syntax for NAT going from a specific inside global address to an inside local address and specifying the port numbers....Please help....
lrmoore Commented:
To NAT an outside address to an inside address:

    ip nat inside source static <local IP> <public ip>

you can't specify port numbers because GRE has no concept of ports.
compdigit Author Commented:
Thank you for your quick response. I made the changes to the NAT table, still no luck.  :-( I see references to IP addresses and port numbers in my NAT table like A.B.C.D:port# . I tried doing this for port 1723 and it did not like the syntax... :-(
lrmoore Commented:
>I tried doing this for the port 1723 and it did not like the syntax
You can use a port translation like this:
   ip nat inside source static tcp <local ip> 1723 <public ip> 1723

However, your GRE tunnel will require that you have a separate dedicated public IP just for the VPN server, using the syntax in my previous post. If you have one and only one public IP that is assigned to the WAN interface, you will not be able to accomplish your goal.
compdigit Author Commented:
Great thank you very much for all your help !!!!
compdigit Author Commented:
Bad news, no luck...... :-( I am trying to use the external interface of my router as the public IP that people hit for the VPN connection:

I have added the following to the access-list

permit tcp host a.b.c.d eq 1723 host a.b.c.d eq 1723
permit udp host a.b.c.d eq 1723 host a.b.c.d eq 1723
permit gre host a.b.c.d host a.b.c.d

NAT table

ip nat inside source static <private ip> <public ip>
ip nat inside source static tcp <private ip> <public ip>
ip nat inside source static udp <private ip> <public ip>

Note I have tried different public IP addresses other than the one used for the external interface of the router, with no luck.......... :-(
lrmoore Commented:
>I am trying to use the external interface of my router as the public IP that people hit for the VPN connection:
You're right. No luck. If you have a different IP that you can use, this is what your config should look like:

interface Ethernet0/0
 ip address 4.5.6.7 255.255.255.248  <= example only
 ip nat outside
 ip access-group 101 in
!
interface Ethernet0/1
 ip address 192.168.168.1 255.255.255.0
 ip nat inside
!
ip nat inside source static 192.168.168.100 4.5.6.8
!
access-list 101 permit tcp any host 4.5.6.8 eq 1723
access-list 101 permit gre any host 4.5.6.8
access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
!
lrmoore Commented:
Let me revise the NAT:

!
access-list 1 deny 192.168.168.100
access-list 1 permit 192.168.168.0 0.0.0.255
!
ip nat inside source list 1 interface Ethernet0/0 overload
ip nat inside source static 192.168.168.100 4.5.6.8
!
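An added configuration check, written for this thread and not part of the original posts or any Cisco tool, that reads an IOS-style config and flags the three problems lrmoore walks through above: GRE written as a TCP/UDP "port 47", a host that permits TCP 1723 without a matching GRE entry, and a one-to-one static NAT whose public side is the router's own WAN address (which GRE, having no ports, cannot share). The sample config is constructed; the addresses reuse the example values from the thread.

```python
import re

# Constructed sample config reproducing the mistakes discussed in the thread:
# GRE written as a TCP port, no GRE entry at all, and the VPN host mapped to
# the router's own WAN address (4.5.6.7 is the example address from the thread).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 ip address 4.5.6.7 255.255.255.248
 ip nat outside
!
ip nat inside source static 192.168.168.100 4.5.6.7
access-list 101 permit tcp any host 4.5.6.7 eq 1723
access-list 101 permit tcp any host 4.5.6.7 eq 47
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ADDR_RE = re.compile(r"^\s+ip address\s+" + IP)
STATIC_RE = re.compile(r"^ip nat inside source static\s+" + IP + r"\s+" + IP + r"\s*$")
ACL_RE = re.compile(r"^access-list\s+\d+\s+permit\s+(\S+)\s+(.*?)\s+host\s+(\S+)(?:\s+eq\s+(\S+))?\s*$")


def lint_pptp_forwarding(config: str) -> list:
    """Return one finding per PPTP/GRE pass-through problem found in an IOS config."""
    findings = []
    iface_ips, pptp_hosts, gre_hosts, statics = set(), set(), set(), []
    for line in config.splitlines():
        if m := ADDR_RE.match(line):
            iface_ips.add(m.group(1))            # addresses the router itself owns
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())           # one-to-one (local, public) mappings
        elif m := ACL_RE.match(line):
            proto, _src, dst, port = m.groups()
            if proto in ("tcp", "udp") and port == "47":
                findings.append(f"{line.strip()}: GRE is IP protocol 47, not a {proto} port; "
                                f"use 'permit gre ... host {dst}'")
            elif proto == "tcp" and port == "1723":
                pptp_hosts.add(dst)
            elif proto == "gre":
                gre_hosts.add(dst)
    for host in sorted(pptp_hosts - gre_hosts):
        findings.append(f"host {host}: TCP 1723 is permitted but GRE is not; "
                        "the PPTP control channel will open but the tunnel will not pass")
    for local, public in statics:
        if public in iface_ips:
            findings.append(f"static NAT {local} -> {public}: public side is the WAN interface "
                            "address; GRE has no ports to translate, so the VPN server needs its own public IP")
    return findings
```

Running it over the corrected config from the thread (static NAT to 4.5.6.8 with matching tcp 1723 and gre entries) returns no findings.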
compdigit Author Commented:
It worked, thank you... One problem though: I lost my RDP to my terminal server on port 3389 and OWA access to my Exchange server. How do I add these settings to the access-list that I applied to the external interface of the router.......
compdigit Author Commented:
I got it ..... I merged my new access-group into my old one and everything is working... Thank you for all your help..