Solved

cisco 1750 nat to a 10.10.10.x blocks protocol 43 and port 47 for pptp vpn access

Posted on 2004-10-19
Last Modified: 2010-04-12
I have an ISP that installed a Cisco 1750. At first it was just a passthrough not doing anything, just a link to the internet, which was feeding my Linksys that was configured to do DHCP, NAT and port forwarding. At this point PPTP VPN worked like a charm. We started having issues with our IP phones dropping a few times a week; they suspected the Linksys, so we removed the Linksys and the ISP configured the Cisco with DHCP, NAT and port forwarding. Ports 110, 25 and 3389 all work fine. When I try to VPN with PPTP it times out on authenticating username and password. Port Detective reports port 47 blocked and 1723 in use; Symantec Security reports 1723 is closed and does not scan port 47. My question is: should there be an ACL created for protocol 43 on the Cisco?

HynesCo
Question by:HynesCo
11 Comments
 
Expert Comment by lrmoore (LVL 79)

>My question is should there be An ACL list created for protocol 43 on the cisco?
Almost - protocol 47, not port 47. Protocol 47 is GRE, and there should be something in the router to allow/forward GRE to the inside server IP just like it is set up for TCP 1723 - except that you have to have a separate public IP address dedicated just to TCP 1723 and GRE together.

I would expect both a NAT entry and an access-list entry.

Expert Comment by Tim Holman (LVL 23)

If a VPN client times out (with a 721 error) it usually means it cannot see TCP 1723 or protocol 47 (GRE) on the VPN server.
To get this working, you would usually need a static ip any any NAT statement on your router to ensure ALL VPN packets head toward your Linksys, rather than just a few, as appear in your original Q.

Author Comment by HynesCo (LVL 1)

Tim,

The Linksys has been taken out of the picture. When the ISP equipment (Cisco 1750) was just used as a passthrough to the Linksys, I was NATing public/private in the Linksys box; now that the Linksys is no longer attached to the LAN, the Cisco 1750 is doing the NATing public/private. 1723 is open and ready to go; what is not is protocol 47 GRE, which is getting hung at the router, so I decided to scrap the PPTP VPN and go with L2TP and opened up ports 1701 and 500. The 1701 port is being blocked even though the ISP is saying they opened and forwarded the port. There is no software firewall on the server; it is a Windows 2000 box that worked like a charm before I removed the Linksys from the picture.

ISP---------->cisco1750------------>Dell Powerconnect switch|

HynesCo

Expert Comment by Tim Holman (LVL 23)

On the Cisco 1750, configure a direct one-to-one NAT with the public IP address and your VPN server, so that ALL ports get passed through to it.  The ISP just opening GRE and TCP/1723 will not be enough, as GRE does not respond to NAT and needs to be let through unscathed.  Get them to open ALL ports.

If they get stuck, show them this:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800949c0.shtml

Expert Comment by lrmoore (LVL 79)

Any progress? Are you still working on this? Do you need more information?

Author Comment by HynesCo (LVL 1)

Hi lrmoore,

I sent the info to the ISP (AirBand); they won't let me have access to the router, so I have to wait on them. Still haven't heard anything. Thanks for asking, I hope to hear something soon.

HynesCo

Expert Comment by lrmoore (LVL 79)

OK. Thanks for the update!

Author Comment by HynesCo (LVL 1)

Please advise,

I heard back from the ISP last night. He looked at the info I sent him from Tim Holman's post above and said it would open up the LAN to the world; there would be no protection from the router if he did a 1-to-1 NAT and opened up all ports. I told him to hold off until I confirmed with this post.

Does this type of configuration leave me vulnerable to anyone, or just to anyone who has the right username and password for authenticating? Also, will the LAN be easy access for hackers? I would like to get some feedback on this issue for my peace of mind before I implement this change for the company. Also, the LAN consists of 2 NT2000 servers and 15 XP Pro users.

HynesCo

Accepted Solution by lrmoore (LVL 79, earned 250 total points)

1) You have no choice but to create the static 1-1 NAT map. This by itself does not open you up to anything.
2) "did a 1to1 nat and open up all ports" --- you have to permit ONLY TCP port 1723 and GRE to that IP address in an inbound access-list.
3) That's how it works. If they don't have an inbound access-list applied, then yes, you could potentially expose that particular machine "to the world". That's their fault, but now you have to make a decision. Do you want the VPN capability or not?
4) Would I hang any Microsoft product system "in the wind" like that? HECK NO.
5) Refer back to 2) above. You need an access-list for minimal protection, unless you want to invest in your own firewall that you can manage on your own.
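
As an added illustration (not a configuration from this thread, the ISP, or Cisco), here is what the static 1-to-1 NAT from point 1) and the inbound access-list from point 2) look like in Cisco IOS syntax. The public address 203.0.113.5, the server address 10.10.10.5, the interface names and the ACL name are all assumed placeholders; the existing port-forward statics for 110, 25 and 3389 would sit alongside these lines.

```cisco
! Assumed placeholders: 203.0.113.5 = dedicated public IP for the VPN server,
! 10.10.10.5 = the Windows 2000 PPTP server on the 10.10.10.x LAN.

! Static one-to-one NAT: this public address maps to the VPN server only,
! so GRE (which has no port number to forward on) is translated together
! with TCP 1723 instead of being dropped at the router.
ip nat inside source static 10.10.10.5 203.0.113.5

! Inbound access-list on the Internet-facing interface. For traffic coming in
! from the outside, IOS evaluates the ACL on the public (pre-translation)
! address, so the rules reference 203.0.113.5, not 10.10.10.5.
! Only what PPTP needs is permitted to that host; the implicit deny at the
! end of the list drops everything else sent to it.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.5 eq 1723
 permit gre any host 203.0.113.5
 ! Permits for the other forwarded services (110, 25, 3389 to their hosts) and
 ! for return traffic of sessions started from inside (e.g. via ip inspect)
 ! belong here too; they are omitted to keep the VPN rules visible.

interface FastEthernet0
 description Internet-facing interface (assumed name)
 ip nat outside
 ip access-group OUTSIDE-IN in

interface FastEthernet1
 description LAN 10.10.10.x (assumed name)
 ip nat inside

! After a VPN attempt, "show access-lists OUTSIDE-IN" shows per-line hit
! counts: hits on the tcp 1723 line but none on the gre line means the
! control channel arrives while GRE is still being blocked upstream.
```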



Assisted Solution by Tim Holman (LVL 23, earned 250 total points)

I've had problems in the past opening just TCP 1723 and GRE via a 1-to-1 NAT rule, and had to open up all ports to get VPNs to work. Would be keen to see whether or not you can do this on the Cisco 1750 though - what IOS are they running? Maybe my issues have finally been resolved and Cisco understands not to NAT GRE even if there's an ACL saying it shouldn't be...

Author Comment by HynesCo (LVL 1)

Hi guys,
Sorry for the wait. The ISP is extremely lacking in the router config area; it looks like all they had to do was to allow the GRE passthrough. I am going to award both with a split. Thanks for all your help.

HynesCo