Solved

Cisco 1750 NAT to a 10.10.10.x blocks protocol 43 and port 47 for PPTP VPN access

Posted on 2004-10-19
11
339 Views
Last Modified: 2010-04-12
I have an ISP that installed a Cisco 1750. At first it was just a passthrough not doing anything, just a link to the internet, which was feeding to my Linksys that was configured to do DHCP, NAT and port forwarding. At this point PPTP VPN worked like a charm. We started having issues with our IP phones dropping a few times a week; they suspected the Linksys, so we removed the Linksys and the ISP configured the Cisco with DHCP, NAT and port forwarding. Ports 110, 25, 3389 all work fine. When I try to VPN with PPTP it times out on authenticating username and password. Port Detective reports port 47 blocked and 1723 in use; Symantec Security reports 1723 is closed and does not scan port 47. My question is: should there be an ACL list created for protocol 43 on the Cisco?

HynesCo
Question by:HynesCo
11 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12351866
>My question is should there be An ACL list created for protocol 43 on the cisco?
Almost - protocol 47, not port 47. Protocol 47 is GRE and there should be something in the router to allow/forward GRE to the inside server IP just like it is set up for TCP 1723 - except that you have to have a separate public IP address dedicated just for TCP 1723 and GRE together.

I would expect both a NAT entry and an access-list entry.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12369499
If a VPN client times out (with a 721 error) it usually means it cannot see TCP 1723 or protocol 47 (GRE) on the VPN server.
To get this working, you would usually need a static ip any any NAT statement on your router to ensure ALL VPN packets head toward your Linksys, rather than just a few, as appear in your original Q.
0
 
LVL 1

Author Comment

by:HynesCo
ID: 12369957
tim,

The Linksys has been taken out of the picture. When the ISP equipment (Cisco 1750) was just used as a passthrough to the Linksys I was NATing public/private in the Linksys box; now that the Linksys is no longer attached to the LAN, the Cisco 1750 is doing the NATing public/private. 1723 is open and ready to go; what is not is protocol 47 GRE, this is getting hung at the router, so I decided to scrap the PPTP VPN and go with L2TP and opened up ports 1701, 500. The 1701 port is being blocked even though the ISP is saying they opened and forwarded the port. There is no software firewall on the server; it is a Windows 2000 box that worked like a charm before I removed the Linksys from the picture.

ISP---------->cisco1750------------>Dell Powerconnect switch|

HynesCo
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12379999
On the Cisco 1750, configure a direct one-to-one NAT with the public IP address and your VPN server, so that ALL ports get passed through to it.  The ISP just opening GRE and TCP/1723 will not be enough, as GRE does not respond to NAT and needs to be let through unscathed.  Get them to open ALL ports.

If they get stuck, show them this:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800949c0.shtml
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12403507
Any progress? Are you still working on this? Do you need more information?
0
 
LVL 1

Author Comment

by:HynesCo
ID: 12407197
Hi lrmoore,

I sent the info to the ISP (AirBand); they won't let me have access to the router so I have to wait on them, still haven't heard anything. Thanks for asking, I hope to hear something soon.

HynesCo
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12407236
OK. Thanks for the update!
0
 
LVL 1

Author Comment

by:HynesCo
ID: 12420890
Please advise,

I heard back from the ISP last night. He looked at the info I sent him from Tim Holman's post above, and said it would open up the LAN to the world; there would be no protection from the router if he did a 1-to-1 NAT and opened up all ports. I told him to hold off until I confirmed with this post.

Does this type of configuration leave me vulnerable to anyone, or only to anyone who has the right username and password for authenticating? Also, will the LAN be easy access for hackers? I would like to get some feedback on this issue for my peace of mind before I implement this change for the company. Also, the LAN consists of 2 NT2000 servers and 15 XP Pro users.

HynesCo
0
 
LVL 79

Accepted Solution

by:lrmoore
lrmoore earned 250 total points
ID: 12421176
1) you have no choice but to create the static 1-1 nat map. This by itself does not open you up to anything.
2) "did a 1-to-1 NAT and opened up all ports" --- you have to open ONLY TCP port 1723 and GRE, permitted to that IP address in an inbound access-list.
3) that's how it works. If they don't have an inbound access-list applied, then yes, you could potentially expose that particular machine "to the world". That's their fault, but now you have to make a decision. Do you want the VPN capability or not?
4) would I hang any Microsoft product system "in the wind" like that - HECK NO.
5) refer back to 2) above. You need an access-list for minimal protection. Unless you want to invest in your own firewall that you can manage on your own.


0
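As an added example (not from the thread, and not the ISP's actual configuration), this is the kind of IOS fragment lrmoore's answer describes: a dedicated public address statically mapped to the VPN server, plus an inbound ACL on the WAN interface that admits only TCP 1723 and GRE to that address. All IP addresses, interface names and ACL names are assumed placeholders.

```cisco
! Added example, not the configuration from the thread.
! Assumed placeholders: ISP-assigned block 203.0.113.8/29, router WAN address
! 203.0.113.9, spare public address 203.0.113.10 dedicated to the VPN server,
! VPN server 10.10.10.5 on the LAN, WAN = FastEthernet0, LAN = FastEthernet1.
!
! Step 1: one-to-one static NAT for the VPN server. Unlike a port forward,
! a static map translates every IP protocol, including GRE (protocol 47),
! which has no port numbers and so cannot be forwarded "on port 47".
ip nat inside source static 10.10.10.5 203.0.113.10
!
! The rest of the LAN keeps using PAT (overload) on the router's own address;
! the existing forwards from the question stay as port-specific statics.
ip access-list standard NAT-LAN
 permit 10.10.10.0 0.0.0.255
ip nat inside source list NAT-LAN interface FastEthernet0 overload
ip nat inside source static tcp 10.10.10.5 25 203.0.113.9 25
ip nat inside source static tcp 10.10.10.5 110 203.0.113.9 110
ip nat inside source static tcp 10.10.10.5 3389 203.0.113.9 3389
!
! Step 2: inbound ACL on the WAN side. IOS evaluates an inbound ACL before
! untranslating, so the rules match the PUBLIC addresses. Only the PPTP
! control channel (TCP 1723) and its GRE data channel reach the VPN address;
! everything else to it is dropped and logged, so the 1-to-1 map does not
! "open the LAN to the world".
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 1723
 permit gre any host 203.0.113.10
 permit tcp any host 203.0.113.9 eq 25
 permit tcp any host 203.0.113.9 eq 110
 permit tcp any host 203.0.113.9 eq 3389
 permit tcp any any established
 deny ip any any log
!
interface FastEthernet0
 description WAN to ISP
 ip address 203.0.113.9 255.255.255.248
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface FastEthernet1
 description LAN
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
```

The `established` line only covers TCP replies to sessions the LAN started; UDP replies such as DNS need their own permits or stateful inspection, which is left out here to keep the fragment focused on the PPTP passthrough.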
 
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 250 total points
ID: 12421481
I've had problems in the past opening just TCP 1723 and GRE via a 1-to-1 NAT rule, and had to open up all ports to get VPNs to work.  Would be keen to see whether or not you can do this on the Cisco 1750 though - what IOS are they running ?  Maybe my issues have finally been resolved and Cisco understand not to NAT GRE even if there's an ACL saying it shouldn't be...
0
 
LVL 1

Author Comment

by:HynesCo
ID: 12535539
Hi guys,
Sorry for the wait. The ISP is extremely lacking in the router config area; it looks like all they had to do was to allow the GRE passthrough. I am going to award both with a split. Thanks for all your help.

HynesCo
0
