Cisco 2600 IP Routing Change

Hello.  I need to allow VPN traffic into an internal VPN server, and am not familiar with the syntax to do that.  Normally I rely on Cisco, but they're not helping me until I get our Smartnet maintenance renewed, which is going to drag for a week and I can't wait.  I know the ports that need to be opened, but again do not know the command sequence to make the changes to the router.  Any help is appreciated.

Thanks,
Damian Gardner
Laco Industries
Damian Gardner (IT Admin) asked:
calvinetter commented:
 For an IPSec VPN server:
access-list 100 permit udp any host <public IP> eq 500
access-list 100 permit udp any host <public IP> eq 4500
access-list 100 permit esp any host <public IP>
access-list 100 permit ahp any host <public IP>

  For a PPTP VPN server:
access-list 100 permit tcp any host <public IP> eq 1723
  If your router is doing PAT for your internal network (single public IP on router), you'll have to tweak your NAT config for the server.  e.g.:  ip nat inside source static tcp <inside IP> 1723 interface FastEthernet0/0 1723
  ( example from the following Cisco doc:  http://www.cisco.com/warp/public/471/pptp_pat.html )

cheers
Damian Gardner (IT Admin, Author) commented:
Great.  Let me give it a try.

Thanks very much.
calvinetter commented:
Have you tried this out yet? Do you still need help?

cheers
Damian Gardner (IT Admin, Author) commented:
Sorry.  Got side tracked.  Let me try it now...
Damian Gardner (IT Admin, Author) commented:
By the way - I also need to see the syntax for making a static address link between an internal and public IP.  Can you give me an example of those entries?

Thanks,
Damian
Damian Gardner (IT Admin, Author) commented:
Disregard that last request.  Just saw you included the syntax.

Sorry
Damian Gardner (IT Admin, Author) commented:
No go.  Keeps giving me this:

Router>en
Password:
Router#access-list 101 permit tcp any host 12.161.143.52 eq 1723
              ^
% Invalid input detected at '^' marker.

Router#

calvinetter commented:
You need to get into "config mode":
router# conf t    (short for: configure terminal)
router(config)#  *now you can enter the commands I'd previously posted. Sorry, I assumed you were aware of that.

cheers
Damian Gardner (IT Admin, Author) commented:
No problem.  Let me try that.

Thanks,
Damian
Damian Gardner (IT Admin, Author) commented:
Is there a command to make it stick, sort of like a 'commit' or something?  It takes the command no problem, but I don't see it on a show config.

Thanks,
Damian
calvinetter commented:
"show run" will display what you just configured, i.e. what's currently running on your router in RAM.
"show config" only shows the saved config file used at bootup (the "startup-config").

To make changes permanent:
 router# copy run start

  Hopefully these will help:
http://www.fantek.org/cisco/wpbascom.htm
  for IOS 12.2, but most commands are valid for newer IOS versions:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800ca73c.html

cheers
Damian Gardner (IT Admin, Author) commented:
Doesn't seem to work, when I try to VPN into 12.161.143.52.  Here's a piece of my current router config.  Currently users VPN into the .53 address.  I want to switch them onto .52.  Does it need more ports open?

access-list 101 permit tcp any host 12.161.143.51 eq telnet
access-list 101 permit tcp any host 12.161.143.52 eq smtp
access-list 101 permit tcp any host 12.161.143.53 eq www
access-list 101 permit tcp any host 12.119.26.94 eq telnet
access-list 101 permit udp any host 12.161.143.53 eq isakmp
access-list 101 permit tcp any host 12.161.143.53 eq 1723
access-list 101 permit gre any host 12.161.143.53
access-list 101 permit esp any host 12.161.143.53
access-list 101 permit tcp any host 12.161.143.53 eq ftp-data
access-list 101 permit tcp any host 12.161.143.53 eq ftp
access-list 101 permit tcp any host 12.161.143.52 eq 1723
access-list 107 permit ip any host 192.168.1.235
access-list 107 permit ip host 192.168.1.235 any
access-list 107 permit ip host 192.168.1.20 any
calvinetter commented:
You never specified what type of VPN: IPSec or PPTP.  Please see my 1st post, & notice that the ACL currently only partially allows PPTP traffic to the .52 address.

  If it's an IPSec VPN, & you want to allow VPN to 12.161.143.52, add these:
access-list 101 permit udp any host 12.161.143.52 eq 4500
access-list 101 permit udp any host 12.161.143.52 eq 500
access-list 101 permit esp any host 12.161.143.52
access-list 101 permit ahp any host 12.161.143.52

  If it's a PPTP VPN, & you want to allow VPN to 12.161.143.52, add this:
access-list 101 permit gre any host 12.161.143.52

cheers
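To make the gap calvinetter points out easy to spot in a config dump, here is a small audit script (an added example, not from the thread or from Cisco) that parses "permit <proto> any host" lines from the posted ACL 101 and reports which of the permits listed in the first answer are still missing for a given VPN server address. The ACL text is a subset of the config Damian posted; REQUIRED encodes the PPTP and IPSec lists from the first answer.

```python
import re

# ACL lines copied from the running config posted in this thread (subset).
ACL_TEXT = """
access-list 101 permit tcp any host 12.161.143.51 eq telnet
access-list 101 permit tcp any host 12.161.143.52 eq smtp
access-list 101 permit tcp any host 12.161.143.53 eq www
access-list 101 permit udp any host 12.161.143.53 eq isakmp
access-list 101 permit tcp any host 12.161.143.53 eq 1723
access-list 101 permit gre any host 12.161.143.53
access-list 101 permit esp any host 12.161.143.53
access-list 101 permit tcp any host 12.161.143.52 eq 1723
"""

# (protocol, port) permits a VPN server needs inbound, per the first answer.
# None means the IP protocol itself carries no port (gre, esp, ahp).
REQUIRED = {
    "pptp": [("tcp", 1723), ("gre", None)],
    "ipsec": [("udp", 500), ("udp", 4500), ("esp", None), ("ahp", None)],
}

# IOS prints well-known names instead of numbers; "isakmp" appears in the
# posted config. Only the names this example needs are mapped.
PORT_NAMES = {"isakmp": 500}

LINE_RE = re.compile(
    r"^access-list\s+(\d+)\s+permit\s+(\S+)\s+any\s+host\s+(\S+)(?:\s+eq\s+(\S+))?$"
)

def parse_acl(text):
    """Return (acl_number, protocol, host, port) for each 'permit <proto> any host' line."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other ACL shapes (source host, deny, ranges) are not audited here
        acl, proto, host, port = m.groups()
        if port is not None and (port.isdigit() or port in PORT_NAMES):
            port = int(PORT_NAMES.get(port, port))
        entries.append((acl, proto.lower(), host, port))
    return entries

def missing_entries(entries, acl, host, vpn_type):
    """List the (protocol, port) permits still missing for host on the given ACL."""
    present = {(p, port) for a, p, h, port in entries if a == acl and h == host}
    return [req for req in REQUIRED[vpn_type] if req not in present]

def render_fix(acl, host, missing):
    """Produce the access-list lines that would close the gap."""
    return [f"access-list {acl} permit {proto} any host {host}" + (f" eq {port}" if port else "")
            for proto, port in missing]
```

Running missing_entries on the posted ACL for 12.161.143.52 with "pptp" returns only the gre permit, which is exactly the line calvinetter asked Damian to add.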

Damian Gardner (IT Admin, Author) commented:
Sorry - I thought you could tell by the code.  It's PPTP.  Let me try the extra line.  Will let you know.

Thanks