Solved

cisco 1750 nat to a 10.10.10.x blocks protocol 43 and port 47 for pptp vpn access

Posted on 2004-10-19
337 Views
Last Modified: 2010-04-12
I have an ISP that installed a Cisco 1750. At first it was just a passthrough not doing anything, just a link to the internet, which was feeding my Linksys that was configured to do DHCP, NAT and port forwarding. At this point PPTP VPN worked like a charm. We started having issues with our IP phones dropping a few times a week; they suspected the Linksys, so we removed the Linksys and the ISP configured the Cisco with DHCP, NAT and port forwarding. Ports 110, 25 and 3389 all work fine. When I try to VPN with PPTP it times out on authenticating username and password. Port Detective reports port 47 blocked and 1723 in use; Symantec Security reports 1723 is closed and does not scan port 47. My question is: should there be an ACL list created for protocol 43 on the Cisco?

HynesCo
11 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12351866
>My question is should there be An ACL list created for protocol 43 on the cisco?
Almost - protocol 47, not port 47. Protocol 47 is GRE, and there should be something in the router to allow/forward GRE to the inside server IP just like it is set up for tcp 1723 - except that you have to have a separate public IP address dedicated just for tcp 1723 and GRE together.

I would expect both a NAT entry and an access-list entry.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12369499
If a VPN client times out (with a 721 error) it usually means it cannot see TCP 1723 or protocol 47 (GRE) on the VPN server.
To get this working, you would usually need a static ip any any NAT statement on your router to ensure ALL VPN packets head toward your Linksys, rather than just a few, as appears in your original Q.
0
 
LVL 1

Author Comment

by:HynesCo
ID: 12369957
tim,

The Linksys has been taken out of the picture. When the ISP equipment (Cisco 1750) was just used as a passthrough to the Linksys I was NATing public/private in the Linksys box; now that the Linksys is no longer attached to the LAN, the Cisco 1750 is doing the NATing public/private. 1723 is open and ready to go; what is not is protocol 47 GRE. This is getting hung at the router, so I decided to scrap the PPTP VPN and go with L2TP and opened up ports 1701 and 500. The 1701 port is being blocked even though the ISP is saying they opened and forwarded the port. There is no software firewall on the server; it is a Windows 2000 box that worked like a charm before I removed the Linksys from the picture.

ISP---------->cisco1750------------>Dell Powerconnect switch|

HynesCo
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12379999
On the Cisco 1750, configure a direct one-to-one NAT with the public IP address and your VPN server, so that ALL ports get passed through to it.  The ISP just opening GRE and TCP/1723 will not be enough, as GRE does not respond to NAT and needs to be let through unscathed.  Get them to open ALL ports.

If they get stuck, show them this:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800949c0.shtml
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12403507
Any progress? Are you still working on this? Do you need more information?
0
 
LVL 1

Author Comment

by:HynesCo
ID: 12407197
Hi lrmoore,

I sent the info to the ISP-AirBand, they wont let me have access to the router so I have to wait on them, still havent heard anything. Thanks for asking, I hope to hear something soon.

HynesCo
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12407236
OK. Thanks for the update!
0
 
LVL 1

Author Comment

by:HynesCo
ID: 12420890
Please advise,

I heard back from the ISP last night. He looked at the info I sent him from Tim Holman's post above, and said it would open up the LAN to the world; there would be no protection from the router if he did a 1-to-1 NAT and opened up all ports. I told him to hold off until I confirmed with this post.

Does this type of configuration leave me vulnerable to anyone, or only to someone who has the right username and password for authenticating? Also, will the LAN be easy access for hackers? I would like to get some feedback on this issue for my peace of mind before I implement this change for the company. Also, the LAN consists of 2 NT2000 servers and 15 XP Pro users.

HynesCo
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 12421176
1) you have no choice but to create the static 1-1 nat map. This by itself does not open you up to anything.
2) "did a 1to1 nat and open up all ports" --- you have to open ONLY tcp port 1723 and GRE, permitted to that IP address in an inbound access-list
3) that's how it works. If they don't have an inbound access-list applied, then yes, you could potentially expose that particular machine "to the world". That's their fault, but now you have to make a decision. Do you want the VPN capability or not?
4) would I hang any Microsoft product system "in the wind" like that - HECK NO.
5) refer back to 2) above. You need an access-list for minimal protection. Unless you want to invest in your own firewall that you can manage on your own.


0
 
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 250 total points
ID: 12421481
I've had problems in the past opening just TCP 1723 and GRE via a 1-to-1 NAT rule, and had to open up all ports to get VPNs to work.  Would be keen to see whether or not you can do this on the Cisco 1750 though - what IOS are they running?  Maybe my issues have finally been resolved and Cisco understands not to NAT GRE even if there's an ACL saying it shouldn't be...
0
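The static 1-to-1 NAT plus inbound access-list that lrmoore describes in the accepted solution, and the "open all ports" alternative Tim Holman mentions above, written out as a Cisco IOS configuration. This is an added example, not configuration from the thread, the asker's router or the ISP; all addresses are RFC 5737 documentation placeholders, and the interface names, the access-list name VPN-INBOUND and the VPN server's inside address 10.10.10.5 are assumptions.

```cisco
! Added example (not from the thread). Placeholder addressing, all assumed:
!   outside (ISP) interface            : 203.0.113.2/24
!   public IP reserved for the VPN host: 203.0.113.10
!   inside LAN 10.10.10.0/24, PPTP server at 10.10.10.5
! Interface names are assumed; check "show ip interface brief" on the real box.

interface FastEthernet0
 description LAN (inside)
 ip address 10.10.10.1 255.255.255.0
 ip nat inside

interface Serial0
 description ISP link (outside)
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
 ip access-group VPN-INBOUND in

! The per-port forward the thread started with only translates TCP 1723.
! GRE has no port numbers, so a port-based entry can never carry the tunnel:
!   ip nat inside source static tcp 10.10.10.5 1723 203.0.113.10 1723
!
! A static one-to-one mapping translates every IP protocol, GRE included.
! On its own this is the "hung in the wind" case the ISP warned about; the
! access-list below is what narrows the exposure to the two things PPTP needs.
ip nat inside source static 10.10.10.5 203.0.113.10

! Everyone else on the LAN keeps sharing the router's outside address (PAT).
access-list 1 permit 10.10.10.0 0.0.0.255
ip nat inside source list 1 interface Serial0 overload

ip access-list extended VPN-INBOUND
 remark PPTP control channel, to the VPN host's public address only
 permit tcp any host 203.0.113.10 eq 1723
 remark GRE (IP protocol 47) carries the PPTP tunnel itself
 permit gre any host 203.0.113.10
 remark services already forwarded in the thread (25, 110, 3389) need their
 remark own permit lines here for whichever public address they map to
 remark stateless stand-in for LAN users' returning TCP sessions (assumed;
 remark IOS "ip inspect" is the stateful alternative and also covers UDP)
 permit tcp any any established
 remark drop and log the rest: "show access-lists VPN-INBOUND" then shows
 remark whether a client is even reaching tcp/1723 and gre before anyone
 remark resorts to opening all ports
 deny ip any any log

! Verification (standard IOS show commands):
!   show ip nat translations       - the static line "--- 203.0.113.10 10.10.10.5 --- ---"
!   show access-lists VPN-INBOUND  - hit counts climbing on the tcp/1723 and gre lines
```

The inbound list is evaluated before NAT rewrites the destination, so it matches on the public address 203.0.113.10 rather than the server's inside address. The `permit tcp any any established` line only stands in for whatever the router already does for LAN users' return traffic; applied as written without that, or without accounting for UDP services such as DNS, the final deny would cut the LAN off from the internet.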
 
LVL 1

Author Comment

by:HynesCo
ID: 12535539
Hi Guys ,
Sorry for the wait. The ISP is extremely lacking in the router config area; it looks like all they had to do was to allow the GRE passthrough. I am going to award both with a split. Thanks for all your help.

HynesCo
0
