
How to enable multiple VPN passthroughs on a CISCO 837 router

Hi Networking Gurus,

I am trying to enable multiple VPN passthroughs on a CISCO 837, so that people can establish multiple VPN connections to our head office, using Microsoft VPN client software.

I read through the manual and it tells me that I need to add the following line to the configuration:
  ip nat inside source list n interface BVI yy overload

I looked at the router configuration and it is added by default by the lines
"ip nat inside source list 102 interface Dialer1 overload " and "access-list 102 permit ip 137.219.23.0 0.0.0.255 any"

However I cannot establish multiple VPN connections. Am I not reading this right? What am I doing wrong?

Router config is appended below:
interface Ethernet0
 description CRWS Generated text. Please do not delete this:137.219.23.1-255.255.255.0
 ip address 137.219.23.1 255.255.255.0 secondary                                                
 ip address 10.10.10.1 255.255.255.0                                    
 ip nat inside              
 ip tcp adjust-mss 1452                      
 hold-queue 100 out                  
!
interface ATM0              
 no ip address              
 atm vc-per-vp 64                
 no atm ilmi-keepalive                      
 pvc 8/35        
  pppoe-client dial-pool-number 1                                
 !  
 dsl operating-mode auto                        
!
interface FastEthernet1                      
 no ip address              
 duplex auto            
 speed auto          
!
interface FastEthernet2                      
 no ip address              
 duplex auto            
 speed auto          
!
interface FastEthernet3                      
 no ip address              
 duplex auto            
 speed auto          
!
interface FastEthernet4                      
 no ip address              
 duplex auto            
 speed auto          
!
interface Dialer1                
 ip address negotiated                      
 ip access-group 111 in                      
 ip mtu 1492            
 ip nat outside              
 ip inspect myfw out                    
 encapsulation ppp                  
 ip tcp adjust-mss 1452                      
 dialer pool 1              
 dialer remote-name redback                          
 dialer-group 1              
 ppp authentication pap chap callin                                  
 ppp chap hostname mic837                          
 ppp chap password 7 xxxxxx                                    
 ppp pap sent-username micrrh2 password 7 xxxxxxx                                                          
!
ip nat inside source list 102 interface Dialer1 overload                                                        
ip nat inside source static udp 137.219.23.251 5666 interface Dialer1 5666                                                                          
ip nat inside source static tcp 137.219.23.251 5666 interface Dialer1 5666                                                                          
ip nat inside source static udp 137.219.23.251 22 interface Dialer1 22                                                                      
ip nat inside source static tcp 137.219.23.251 22 interface Dialer1 22                                                                      
ip classless            
ip route 0.0.0.0 0.0.0.0 Dialer1                                
!
!
access-list 23 permit 137.219.23.0 0.0.0.255                                            
access-list 23 permit 10.10.10.0 0.0.0.255                                          
access-list 102 permit ip 137.219.23.0 0.0.0.255 any                                                    
access-list 111 permit udp any any eq 5666                                          
access-list 111 permit tcp any any eq 5666                                          
access-list 111 permit udp any any eq 22                                        
access-list 111 permit tcp any any eq 22                                        
access-list 111 permit icmp any any administratively-prohibited                                                              
access-list 111 permit icmp any any echo                                        
access-list 111 permit icmp any any echo-reply                                              
access-list 111 permit icmp any any packet-too-big                                                  
access-list 111 permit icmp any any time-exceeded                                                
access-list 111 permit icmp any any traceroute                                              
access-list 111 permit icmp any any unreachable                                              
access-list 111 permit udp any eq bootps any eq bootpc                                                      
access-list 111 permit udp any eq bootps any eq bootps                                                      
access-list 111 permit udp any eq domain any                                            
access-list 111 permit esp any any                                  
access-list 111 permit udp any any eq isakmp                                            
access-list 111 permit udp any any eq 10000                                          
access-list 111 permit tcp any any eq 1723                                          
access-list 111 permit tcp any any eq 139                                        
access-list 111 permit udp any any eq netbios-ns                                                
access-list 111 permit udp any any eq netbios-dgm                                                
access-list 111 permit gre any any                                  
access-list 111 deny   ip any any                                
dialer-list 1 protocol ip permit                                
!
control-plane            
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 transport preferred all
 transport output all
 stopbits 1
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 length 0
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
!
end
Asked by: lakshmanl

1 Solution

stressedout2004 commented:
You are not missing anything. You won't be able to establish multiple Microsoft VPN connections using PAT (port address translation) because of the port restriction. Microsoft VPN connection uses GRE, which is portless. Therefore the Cisco 837 will have no way of mapping succeeding VPN connections, since it uses ports to identify traffic.

Your other option is to acquire multiple public IP addresses for your users and map them on the Cisco 837 via the "ip nat inside static" command, or switch to IPSEC (depending on what device you have at your head office).
 
stressedout2004 commented:
I stand corrected: prior to 12.1(4)T what I have stated earlier is true. But with newer code there is a feature called NAT—Support for PPTP in an Overload which allows multiple PPTP connections behind PAT. With your existing configuration, you should be able to establish multiple connections without having to add anything, provided the code that you are running supports that feature.

If you have access to Cisco's tool called Feature Navigator, you will be able to check if your router supports that functionality. Features supported on a router vary depending on the feature set and version, which is why you need to check this.
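To make the two answers above concrete, here is an added worked example (not code from the thread or from Cisco) that models a single overloaded public address the way PAT handles it. TCP and UDP flows are distinguished by a rewritten source port, so any number of inside hosts can share the address; PPTP's GRE leg has no ports, so without the PPTP ALG only the first inside host gets a GRE mapping to a given server and the second tunnel is dropped. With the ALG, the NAT keys GRE on the call ID instead and rewrites it to a value unique per peer. The public address (203.0.113.1), the head-office server (198.51.100.10) and the two client hosts in the poster's 137.219.23.0/24 are constructed; the model also simplifies real PPTP by keying both directions on the client's call ID, where real IOS rewrites the call IDs inside the TCP 1723 control messages as well.

```python
"""Toy model of 'ip nat inside source list ... interface Dialer1 overload'
showing why PPTP (GRE) passthrough needs the PPTP ALG.  Constructed example,
not Cisco code; all addresses are made up."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.1"       # assumed address negotiated on Dialer1
HEAD_OFFICE = "198.51.100.10"   # assumed PPTP server at head office


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "gre"
    sport: int = 0      # TCP/UDP source port (unused for GRE)
    dport: int = 0
    call_id: int = 0    # PPTP call ID carried in the GRE header (GRE only)


class PatTable:
    """One public address shared by many inside hosts (PAT / 'overload')."""

    def __init__(self, pptp_alg: bool) -> None:
        self.pptp_alg = pptp_alg
        # (proto, public port) -> (inside ip, inside port) for TCP/UDP
        self.ports: Dict[Tuple[str, int], Tuple[str, int]] = {}
        # Without the ALG the only thing GRE can be keyed on is the peer address
        self.gre_owner: Dict[str, str] = {}
        # With the ALG: (peer, public call id) -> (inside ip, inside call id)
        self.gre_calls: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self._gre_rev: Dict[Tuple[str, str, int], int] = {}
        self._next_port = 1024
        self._next_call = 1

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an inside->outside packet; None means it cannot be mapped."""
        if pkt.proto in ("tcp", "udp"):
            pub_port, self._next_port = self._next_port, self._next_port + 1
            self.ports[(pkt.proto, pub_port)] = (pkt.src, pkt.sport)
            return replace(pkt, src=PUBLIC_IP, sport=pub_port)
        if pkt.proto != "gre":
            return None
        if not self.pptp_alg:
            # GRE has no port to rewrite: first inside host to this peer wins,
            # a second host's tunnel to the same peer collides and is dropped.
            owner = self.gre_owner.setdefault(pkt.dst, pkt.src)
            if owner != pkt.src:
                return None
            return replace(pkt, src=PUBLIC_IP)
        # ALG: give each (inside host, call) a public call id unique per peer
        key = (pkt.src, pkt.dst, pkt.call_id)
        if key not in self._gre_rev:
            pub_call, self._next_call = self._next_call, self._next_call + 1
            self._gre_rev[key] = pub_call
            self.gre_calls[(pkt.dst, pub_call)] = (pkt.src, pkt.call_id)
        return replace(pkt, src=PUBLIC_IP, call_id=self._gre_rev[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an outside->inside packet back to the owning host."""
        if pkt.dst != PUBLIC_IP:
            return None
        if pkt.proto in ("tcp", "udp"):
            inside = self.ports.get((pkt.proto, pkt.dport))
            return None if inside is None else replace(pkt, dst=inside[0], dport=inside[1])
        if pkt.proto != "gre":
            return None
        if not self.pptp_alg:
            owner = self.gre_owner.get(pkt.src)
            return None if owner is None else replace(pkt, dst=owner)
        inside = self.gre_calls.get((pkt.src, pkt.call_id))
        return None if inside is None else replace(pkt, dst=inside[0], call_id=inside[1])


def establish_tunnels(pptp_alg: bool,
                      clients=("137.219.23.10", "137.219.23.11")) -> int:
    """Return how many inside clients complete a PPTP tunnel to HEAD_OFFICE."""
    nat = PatTable(pptp_alg)
    established = 0
    for i, client in enumerate(clients):
        # Control channel on TCP 1723 always translates: it has ports.
        ctl = nat.outbound(Packet(client, HEAD_OFFICE, "tcp", 40000 + i, 1723))
        # Data channel: GRE carrying this client's call id.
        data = nat.outbound(Packet(client, HEAD_OFFICE, "gre", call_id=100 + i))
        if ctl is None or data is None:
            continue
        # The server's GRE reply must be delivered to the right inside host.
        reply = nat.inbound(Packet(HEAD_OFFICE, PUBLIC_IP, "gre", call_id=data.call_id))
        if reply is not None and reply.dst == client and reply.call_id == 100 + i:
            established += 1
    return established


if __name__ == "__main__":
    print("without PPTP ALG:", establish_tunnels(False), "tunnel(s)")  # 1
    print("with PPTP ALG:   ", establish_tunnels(True), "tunnel(s)")   # 2
```

Running it gives one tunnel without the ALG and two with it, which is exactly the difference between the first answer (PAT cannot map a second portless GRE stream) and the correction (code with NAT support for PPTP in an overload keys on the call ID). On a real 837 the check is the IOS version and feature set, as the answer says; this model only explains the mechanism.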
 
stressedout2004 commented:
BTW, here are some documents for your perusal:

Configuring PPTP Through PAT to a Microsoft PPTP Server
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800949c0.shtml

NAT—Support for PPTP in an Overload
http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/prod_bulletin09186a0080091abd.html#wp45349

Hope it helps.