• Status: Solved

Cisco 1750 NAT to a 10.10.10.x blocks protocol 43 and port 47 for PPTP VPN access

I have an ISP that installed a Cisco 1750. At first it was just a passthrough not doing anything, just a link to the internet, which was feeding my Linksys that was configured to do DHCP, NAT and port forwarding. At this point PPTP VPN worked like a charm. We started having issues with our IP phones dropping a few times a week; they suspected the Linksys, so we removed the Linksys and the ISP configured the Cisco with DHCP, NAT and port forwarding. Ports 110, 25 and 3389 all work fine. When I try to VPN with PPTP it times out on authenticating username and password. Port Detective reports port 47 blocked and 1723 in use; Symantec Security reports 1723 is closed and does not scan port 47. My question is: should there be an ACL created for protocol 43 on the Cisco?

HynesCo
2 Solutions
 
lrmoore commented:
>My question is should there be An ACL list created for protocol 43 on the cisco?
Almost - protocol 47, not port 47. Protocol 47 is GRE, and there should be something in the router to allow/forward GRE to the inside server IP just like it is set up for TCP 1723 - except that you have to have a separate public IP address dedicated just for TCP 1723 and GRE together.

I would expect both a NAT entry and an access-list entry.
 
Tim Holman commented:
If a VPN client times out (with a 721 error) it usually means it cannot see TCP 1723 or protocol 47 (GRE) on the VPN server.
To get this working, you would usually need a static ip any any NAT statement on your router to ensure ALL VPN packets head toward your Linksys, rather than just a few, as appear in your original Q.
 
HynesCo (Author) commented:
Tim,

The Linksys has been taken out of the picture. When the ISP equipment (Cisco 1750) was just used as a passthrough to the Linksys, I was NATing public/private in the Linksys box; now that the Linksys is no longer attached to the LAN, the Cisco 1750 is doing the NATing public/private. 1723 is open and ready to go; what is not is protocol 47 (GRE), which is getting hung at the router, so I decided to scrap the PPTP VPN and go with L2TP and opened up ports 1701 and 500. The 1701 port is being blocked even though the ISP is saying they opened and forwarded the port. There is no software firewall on the server; it is a Windows 2000 box that worked like a charm before I removed the Linksys from the picture.

ISP---------->cisco1750------------>Dell Powerconnect switch|

HynesCo
 
Tim Holman commented:
On the Cisco 1750, configure a direct one-to-one NAT between the public IP address and your VPN server, so that ALL ports get passed through to it. The ISP just opening GRE and TCP/1723 will not be enough, as GRE does not respond to NAT and needs to be let through unscathed. Get them to open ALL ports.

If they get stuck, show them this:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800949c0.shtml
 
lrmoore commented:
Any progress? Are you still working on this? Do you need more information?
 
HynesCo (Author) commented:
Hi lrmoore,

I sent the info to the ISP (AirBand). They won't let me have access to the router, so I have to wait on them; still haven't heard anything. Thanks for asking, I hope to hear something soon.

HynesCo
 
lrmoore commented:
OK. Thanks for the update!
 
HynesCo (Author) commented:
Please advise,

I heard back from the ISP last night. He looked at the info I sent him from Tim Holman's post above and said it would open up the LAN to the world; there would be no protection from the router if he did a 1-to-1 NAT and opened up all ports. I told him to hold off until I confirmed with this post.

Does this type of configuration leave me vulnerable to anyone, or is it only anyone who has the right username and password for authenticating? Also, will the LAN be easy access for hackers? I would like to get some feedback on this issue for my peace of mind before I implement this change for the company. Also, the LAN consists of 2 NT/2000 servers and 15 XP Pro users.

HynesCo
 
lrmoore commented:
1) You have no choice but to create the static 1-1 NAT map. This by itself does not open you up to anything.
2) "did a 1to1 nat and open up all ports" --- you have to open ONLY TCP port 1723 and GRE, permitted to that IP address in an inbound access-list.
3) That's how it works. If they don't have an inbound access-list applied, then yes, you could potentially expose that particular machine "to the world". That's their fault, but now you have to make a decision. Do you want the VPN capability or not?
4) Would I hang any Microsoft product system "in the wind" like that? HECK NO.
5) Refer back to 2) above. You need an access-list for minimal protection, unless you want to invest in your own firewall that you can manage on your own.

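A Cisco IOS configuration implementing lrmoore's points 1 and 2 (dedicated 1-to-1 NAT for the VPN server plus an inbound access-list that admits only TCP 1723 and GRE), added here as an example and not taken from the thread or from the ISP's router; the interface names, the 203.0.113.x public block, the 10.10.10.5 server address and the access-list numbers are assumptions:

```cisco
! Added example, not the thread's or the ISP's configuration. Interface
! names, access-list numbers and addresses are assumed: 203.0.113.x stands
! in for the ISP's public block, 10.10.10.5 for the PPTP server on the LAN.
!
interface FastEthernet0
 description Inside LAN (10.10.10.x)
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface Serial0
 description Outside (ISP)
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 ip access-group 110 in
!
! Ordinary LAN hosts share the interface address (PAT). PAT keys sessions
! on TCP/UDP ports; GRE has none, so a port forward alone cannot carry the
! PPTP data channel - hence the separate 1-to-1 mapping below.
access-list 1 permit 10.10.10.0 0.0.0.255
ip nat inside source list 1 interface Serial0 overload
!
! The VPN server gets its own dedicated public address, translated 1-to-1,
! so GRE passes through untouched alongside TCP 1723 (lrmoore's point 1).
ip nat inside source static 10.10.10.5 203.0.113.3
!
! Inbound filter on the outside interface. It is evaluated before NAT, so
! it matches the public address. Only the PPTP control channel and GRE may
! reach the dedicated address; everything else to it is dropped (point 2).
access-list 110 permit tcp any host 203.0.113.3 eq 1723
access-list 110 permit gre any host 203.0.113.3
! Replies to TCP sessions the LAN opened outbound. UDP replies (DNS, NTP)
! are not covered by "established" and need explicit permits or IOS
! inspection; the thread's existing 110/25/3389 forwards need their own
! permit lines to their public address as well.
access-list 110 permit tcp any any established
access-list 110 permit icmp any any echo-reply
access-list 110 deny ip any any log
```

After a VPN attempt, `show access-lists 110` should show hit counts on both the 1723 and GRE lines and `show ip nat translations` should list the static entry for 10.10.10.5; a count only on the 1723 line is the symptom from the original question (control channel up, GRE not arriving).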
 
Tim Holman commented:
I've had problems in the past opening just TCP 1723 and GRE via a 1-to-1 NAT rule, and had to open up all ports to get VPNs to work. Would be keen to see whether or not you can do this on the Cisco 1750 though - what IOS are they running? Maybe my issues have finally been resolved and Cisco understands not to NAT GRE even if there's an ACL saying it shouldn't be...
 
HynesCo (Author) commented:
Hi guys,
Sorry for the wait. The ISP is extremely lacking in the router config area; it looks like all they had to do was to allow the GRE passthrough. I am going to award both with a split. Thanks for all your help.

HynesCo