HynesCo asked:

cisco 1750 nat to a 10.10.10.x blocks protocol 43 and port 47 for pptp vpn access

I have an ISP that installed a Cisco 1750. At first it was just a passthrough not doing anything, just a link to the internet, which was feeding to my Linksys that was configured to do DHCP, NAT and port forwarding. At this point PPTP VPN worked like a charm. We started having issues with our IP phones dropping a few times a week; they suspected the Linksys, so we removed the Linksys and the ISP configured the Cisco with DHCP, NAT and port forwarding. Ports 110, 25 and 3389 all work fine. When I try to VPN with PPTP it times out on authenticating username and password. Port Detective reports port 47 blocked and 1723 in use; Symantec Security reports 1723 is closed and does not scan port 47. My question is: should there be an ACL list created for protocol 43 on the Cisco?

HynesCo
Les Moore:

>My question is should there be An ACL list created for protocol 43 on the cisco?
Almost - protocol 47, not port 47. Protocol 47 is GRE, and there should be something in the router to allow/forward GRE to the inside server IP just like it is set up for TCP 1723 - except that you have to have a separate public IP address dedicated just to TCP 1723 and GRE together.

I would expect both a NAT entry and an access-list entry.
If a VPN client times out (with a 721 error) it usually means it cannot see TCP 1723 or protocol 47 (GRE) on the VPN server.
To get this working, you would usually need a static "ip any any" NAT statement on your router to ensure ALL VPN packets head toward your Linksys, rather than just a few, as appears in your original question.
HynesCo (asker):

tim,

The Linksys has been taken out of the picture. When the ISP equipment (Cisco 1750) was just used as a passthrough to the Linksys, I was NATing public/private in the Linksys box; now that the Linksys is no longer attached to the LAN, the Cisco 1750 is doing the NATing public/private. 1723 is open and ready to go; what is not is protocol 47 (GRE), this is getting hung at the router, so I decided to scrap the PPTP VPN and go with L2TP and opened up ports 1701 and 500. The 1701 port is being blocked even though the ISP is saying they opened and forwarded the port. There is no software firewall on the server; it is a Windows 2000 box that worked like a charm before I removed the Linksys from the picture.

ISP---------->cisco1750------------>Dell Powerconnect switch|

HynesCo
On the Cisco 1750, configure a direct one-to-one NAT with the public IP address and your VPN server, so that ALL ports get passed through to it.  The ISP just opening GRE and TCP/1723 will not be enough, as GRE does not respond to NAT and needs to be let through unscathed.  Get them to open ALL ports.

If they get stuck, show them this:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800949c0.shtml
Any progress? Are you still working on this? Do you need more information?
HynesCo (asker):

Hi lrmoore,

I sent the info to the ISP (AirBand). They won't let me have access to the router, so I have to wait on them; still haven't heard anything. Thanks for asking, I hope to hear something soon.

HynesCo
OK. Thanks for the update!
HynesCo (asker):

Please advise,

I heard back from the ISP last night. He looked at the info I sent him from tim holman's post above and said it would open up the LAN to the world; there would be no protection from the router if he did a 1-to-1 NAT and opened up all ports. I told him to hold off until I confirmed with this post.

Does this type of configuration leave me vulnerable to anyone, or only to anyone who has the right username and password for authenticating? Also, will the LAN be easy access for hackers? I would like to get some feedback on this issue for my peace of mind before I implement this change for the company. The LAN consists of 2 NT/2000 servers and 15 XP Pro users.

HynesCo
ASKER CERTIFIED SOLUTION (Les Moore):

SOLUTION
HynesCo (asker):

Hi Guys ,
Sorry for the wait. The ISP is extremely lacking in the router config area; it looks like all they had to do was allow the GRE passthrough. I am going to award both with a split. Thanks for all your help.

HynesCo
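Added example, not from the thread or the ISP's router: a Cisco IOS configuration that combines the one-to-one static NAT the thread calls for with an inbound access list, so the public address maps whole to the VPN server (GRE has no port and cannot be port-forwarded) while the router still permits only TCP 1723 and GRE to it, which is the answer to the ISP's "open to the world" concern. Interface names, 203.0.113.10 (the dedicated public address) and 10.10.10.5 (the Windows 2000 VPN server) are assumptions.

```cisco
! Inside LAN (10.10.10.x); interface names are assumptions for a 1750.
interface FastEthernet0
 description Inside LAN
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
! ISP uplink; the inbound ACL is evaluated before NAT, so it matches the
! public (outside-global) address of the VPN server.
interface Serial0
 description ISP uplink
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 ip access-group 101 in
!
! One-to-one static NAT: GRE (IP protocol 47) carries no port numbers, so
! port forwarding cannot steer it; the whole public IP maps to the server.
ip nat inside source static 10.10.10.5 203.0.113.10
!
! PAT for the rest of the LAN (assumed already present on the router).
access-list 1 permit 10.10.10.0 0.0.0.255
ip nat inside source list 1 interface Serial0 overload
!
! The ACL is what keeps the 1:1 NAT from exposing every service on the
! server: only the two PPTP components are allowed in from the outside.
access-list 101 permit tcp any host 203.0.113.10 eq 1723
access-list 101 permit gre any host 203.0.113.10
! Return traffic for TCP sessions the LAN opened outbound.
access-list 101 permit tcp any any established
! Other inbound services the thread mentions as forwarded (25, 110, 3389)
! need their own permit lines here; everything else hits the implicit deny.
```

After applying, "show ip nat translations" should list the static 10.10.10.5 to 203.0.113.10 entry, and "show access-lists 101" should show match counters rising on the tcp 1723 and gre lines when a client connects.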