slater27
asked on
VPN not working from public internet but does work from local outside the firewall...
Hopefully an easy question here...
First a quick synopsis of the background to the problem:
I have set up VPN access into my SBS2003 box. I had logged another question on experts-exchange because initially my tests could not connect through to the server. I was attempting to connect through to the VPN server by plugging directly into the ADSL router and putting the test notebook on the external 10.0.0.x network (thus attempting to replicate being outside the network). My internal network is 192.168.0.x. When testing in this manner I was using the actual public IP address however I could not connect. This was resolved when someone here said that I was testing it incorrectly and rather than put the external public static address I should be putting the 10.0.0.8 address which is to the "external NIC" on the SBS2003 box. I tried this and the VPN worked successfully. I thought the problem had therefore been solved...
However I now have had the opportunity to attempt to VPN from a real external internet connection and unfortunately I cannot connect through. I'm getting an Error 721.
I have ensured that my firewall is off on the client to be sure but no luck.
What's different from connecting via the 10.0.0.x address through the ADSL router and a public internet address going through the same ADSL router (obviously via the ADSL connection rather than directly into a port on the back of the router). I would have thought that both ways would still be routed by the router's same firewall routing rules? Or have I got this incorrect....??
Given that it works from the 10.0.0.x address the only difference is the source IP and the fact that the public IP is coming through the ADSL telephone link as opposed to a direct UTP connection into the router...
Any ideas?... I'm flying out tonight and need this resolved ASAP!!!...
Cheers.
ASKER
Hi Robwill thanks for your speedy response. It is a combined router/adsl (Speed touch pro). I have copied all the settings below. From thinking about it some more it has to be a translation/routing table issue...somewhere this config is not right...
In regards to the ports and protocol 47 this is already setup in the NAT as you will see below. Remembering that VPN does work if I am on the 10.0.0.x network AND I am selecting the internal ip 10.0.0.8 of the SBS server. It doesn't work when I go to the external fixed IP of 61.9.247.216 from an external location.
Here's the config of the Speedtouch Pro:
Initial Setup:
IP address: 10.0.0.1
subnetmask 255.255.255.0
Phonebook:
Bigpond VPI:8 VCI:35 Type:PPP Usage:Confirmed
PPP Dial-in Connections:
(None).
Routing:
IP ADDRESS TABLE
Intf Address Netmask Type Transl
BigPond 61.9.247.216 255.0.0.0 Auto pat
eth0 10.0.0.1 255.255.255.0 User none
loop 127.0.0.1 255.0.0.0 Auto none
IP ROUTE TABLE:
Destination Source Gateway Intf
10.0.0.0/24 10.0.0.0/24 10.0.0.1 eth0
61.9.247.216/32 any 61.9.247.216 BigPond
10.0.0.1/32 any 10.0.0.1 eth0
127.0.0.1/32 any 127.0.0.1 loop
255.255.255.255/32 any 10.0.0.1 eth0
10.0.0.0/24 any 10.0.0.1 eth0
default 10.0.0.8/0 61.9.247.216 BigPond
PPP:
Name Encap Mode State Status
BigPond vc-mux always-on up on
PPP CONFIG:
Authentication
User : (myname@static.bigpond)
Password : *******
Routing
Connection Sharing: Everybody
Destination networks All networks
Specific network (Blank)
Address translation (NAT-PAT) (checked)
Primary DNS 10.0.0.8 Secondary DNS (none)
Options
Local IP: none
Remote IP: none
Mode : always-on
Idle time limit : (none)
LCP echo(currently enabled)
PAP(currently disabled)
ACCOMP(currently enabled)
CIP Interfaces:
(none)
CIP Connections:
(none)
PPTP Connections:
(None)
Bridging Ports:
(none)
Aging: 300 seconds
DHCP:
NO DHCP
DNS Server Configuration
Server active (Checked)
Domain Name (My internal domain)
DNS hostname table:
[Hostname] [address]
SpeedTouch own address
Upgrade:
Active software version : GV8BAA3.290 (1007669)
Passive software version : GV8BAA3.290 (1007669)
When telnetting in to the Speed touch router and doing a NAT LIST you get the following:
Indx Prot Inside-address:Port Outside-address:Port Foreign-address:Port Flgs Expir State Control
1 6 0.0.1.187:10 61.9.247.216:443 0.0.0.0:0 instance
2 6 10.0.0.8:1723 61.9.247.216:1723 0.0.0.0:0 instance
3 17 10.0.0.1:4672 61.9.247.216:4672 0.0.0.0:0 instance
4 6 10.0.0.1:4711 61.9.247.216:4711 0.0.0.0:0 instance
5 6 10.0.0.8:4125 61.9.247.216:4125 0.0.0.0:0 instance
6 6 10.0.0.1:4662 61.9.247.216:4662 0.0.0.0:0 instance
7 17 10.0.0.100:1029 61.9.247.216:10019 61.9.240.14:53 1 20 10
8 6 10.0.0.1:4661 61.9.247.216:4661 0.0.0.0:0 instance
9 17 10.0.0.1:4665 61.9.247.216:4665 0.0.0.0:0 instance
10 6 10.0.0.8:61953 61.9.247.216:10026 67.19.96.18:80 1 1 6
11 47 10.0.0.8:1 61.9.247.216:1 0.0.0.0:0 instance
12 17 10.0.0.1:4672 0.0.0.0:4672 0.0.0.0:0 template
13 6 10.0.0.1:4662 0.0.0.0:4662 0.0.0.0:0 template
14 6 10.0.0.1:4661 0.0.0.0:4661 0.0.0.0:0 template
15 17 10.0.0.1:4665 0.0.0.0:4665 0.0.0.0:0 template
16 6 10.0.0.1:4711 0.0.0.0:4711 0.0.0.0:0 template
17 6 10.0.0.8:1723 0.0.0.0:1723 0.0.0.0:0 template
18 47 10.0.0.8:1 0.0.0.0:1 0.0.0.0:0 template
19 6 10.0.0.8:4125 0.0.0.0:4125 0.0.0.0:0 template
20 6 0.0.1.187:10 0.0.0.0:443 0.0.0.0:0 template
ASKER
Further to this I did an open port check on 1723 from a workstation that sits behind the SBS2003 server (on the internal 192.168.0.x subnet) using canyouseeme.org
The website detected my workstation as my static IP on the router 61.9.247.216 and came back with "Success: I can see your service on 61.9.247.216 on port (1723) Your ISP is not blocking port 1723"
So from this it would appear that the 1723 port is open - does this necessarily mean that the packets are getting passed to the server?
Help!
ASKER
Ok thanks Robwill for your comments. You may have tested just when I was testing as I had disabled the firewall on the Speedtouch through telnet by issuing the nat command defserver addr 10.0.0.8 This then immediately worked and I could VPN into the server. I have now reenabled the firewall and it no longer works again. My external test is a notebook dialing out via bluetooth modem onto the internet via GPRS. So confirmed working with the speedtouch pro firewall off and not working when turned back on.
So therefore there is definitely something wrong with the configuration of the speedtouch pro. The fact that canyouseeme.org sees 1723 port as open is a bit baffling though as that would seem to indicate that the port is ok although it may be having a problem with GRE translation as you pointed out. Still I am examining the Nat List as in my config above to see what might be the problem there but at least the problem is narrowed right down now to the speedtouch pro router.
If you can focus your superior networking skills in this area you hopefully will be able to solve it much faster than me as I need time to pack my bags to catch my flight!!
I'll be keeping this onscreen and refreshed so if you do come up with something let me know asap!! Many thanks for your suggestions thus far!...
Which model SpeedTouch ?
I will look through the manual to see if there is anything I can find. Specifically are there any options such as "allow PPTP pass-through" ?
Some older Alcatel Speedtouch units I have seen have High, medium, low and off firewall security settings. Is this the case here? Seems to me if so, it requires the medium setting, high and low will not work.
ASKER
It's simply called a "Speedtouch Pro". From info on the net it is one of the earlier ADSL models provided by Telstra in Australia. There was a speedtouch home and a speedtouch pro. Then there were some later models with numbers after them. However this one is definitely referred to as simply the Speed Touch Pro.
There is no "allow PPTP pass-through" option and no high, medium, low and off setting. If you look back at my configuration above that is effectively a copy from each available setting on the web interface of the Speedtouch pro. Other than that you have to telnet in to do NAT's.
Seems others have had problems as well, but I found no solutions. As you suggested it must be the firewall. I can't seem to find any further information on how to configure it. There are dozens of Speed touch units with even more firmware versions for different vendors. I will keep looking and let you know if I find anything.
--Rob
ASKER
OK. Just in case it is a firmware problem I found a later firmware revision at http://www.nzdsl.co.nz/software/alcatel/Default.htm . I installed it - Gv8bab3.281 (1005372) - however unfortunately it has not resolved the problem.
Certainly from the NAT perspective the entries for VPN specifically seem fine.... Is the IP Route table and the options below it correct?....
For example are the following options correct? What's PAP, LCP echo and ACCOMP? and should I have the localip defined as 10.0.0.1 and remote ip as 61.9.247.216 ?
Options
Local IP: none
Remote IP: none
Mode : always-on
Idle time limit : (none)
LCP echo(currently enabled)
PAP(currently disabled)
ACCOMP(currently enabled)
I am not very familiar with these protocols but there should be no need for any of them:
LCP echo - Link Control Protocol Echo
PAP -Password authentication protocol
ACCOMP - Access Control Compression
However I would think you have to configure the local and remote IP's Local 10.0.0.8 and remote 0.0.0.0 = any
Wonder if you should consider un-binding PPTP and GRE as per article below. Seems backward to my thinking but if it makes sense to you you could try.
http://www.speedtouch.net.nz/DisableALG.htm
ASKER
Unfortunately the unbinding is only relevant to the SpeedTouch 500 / 600 not the Pro. I have already tried this before :o)
I do have something weird happening now though. I thought I'd check the NAT list after the firmware upgrade and noticed a few additional entries in the tables that were not there before. I thought I'd simply clear all the port forwards and start afresh, perhaps the reissuing of the nat create under the new firmware might spark it into life. However I'm now finding that on each list (after I deleted them all) I'm getting weird port forwards appear and then disappear...?
Here are some repeated Nat lists with no change in between: (Very odd)
[nat]=>list
Indx Prot Inside-address:Port Outside-address:Port Foreign-address:Port Flgs Expir State Control
1 6 10.0.0.8:63704 61.9.247.216:10078 67.19.96.18:80 1 8 5
2 6 10.0.0.8:63706 61.9.247.216:10080 67.19.96.18:80 1 8 5
3 6 10.0.0.8:63707 61.9.247.216:10081 67.19.96.18:80 1 60 1
[nat]=>list
Indx Prot Inside-address:Port Outside-address:Port Foreign-address:Port Flgs Expir State Control
1 6 10.0.0.8:63704 61.9.247.216:10078 67.19.96.18:80 1 8 5
2 6 10.0.0.8:63708 61.9.247.216:10082 67.19.96.18:80 1 60 1
3 6 10.0.0.8:63706 61.9.247.216:10080 67.19.96.18:80 1 8 5
4 6 10.0.0.8:63707 61.9.247.216:10081 67.19.96.18:80 1 8 5
[nat]=>list
Indx Prot Inside-address:Port Outside-address:Port Foreign-address:Port Flgs Expir State Control
1 6 10.0.0.8:63704 61.9.247.216:10078 67.19.96.18:80 1 8 5
2 17 10.0.0.8:63709 61.9.247.216:10084 70.112.78.227:20011 1 20 10
3 6 10.0.0.8:63710 61.9.247.216:10085 132.211.194.39:59216 1 60 1
4 6 10.0.0.8:63708 61.9.247.216:10082 67.19.96.18:80 1 1 6
5 6 10.0.0.8:63706 61.9.247.216:10080 67.19.96.18:80 1 8 5
6 6 10.0.0.8:63707 61.9.247.216:10081 67.19.96.18:80 1 8 5
[nat]=>list
Indx Prot Inside-address:Port Outside-address:Port Foreign-address:Port Flgs Expir State Control
1 6 10.0.0.8:63704 61.9.247.216:10078 67.19.96.18:80 1 8 5
2 17 10.0.0.8:63709 61.9.247.216:10084 70.112.78.227:20011 1 20 10
3 6 10.0.0.8:63710 61.9.247.216:10085 132.211.194.39:59216 1 60 1
4 6 10.0.0.8:63706 61.9.247.216:10080 67.19.96.18:80 1 8 5
5 6 10.0.0.8:63707 61.9.247.216:10081 67.19.96.18:80 1 8 5
[nat]=>list
Indx Prot Inside-address:Port Outside-address:Port Foreign-address:Port Flgs Expir State Control
1 17 10.0.0.8:63709 61.9.247.216:10084 70.112.78.227:20011 1 20 10
2 6 10.0.0.8:63710 61.9.247.216:10085 132.211.194.39:59216 1 60 1
3 6 10.0.0.8:63706 61.9.247.216:10080 67.19.96.18:80 1 8 5
4 6 10.0.0.8:63707 61.9.247.216:10081 67.19.96.18:80 1 8 5
[nat]=>list
Indx Prot Inside-address:Port Outside-address:Port Foreign-address:Port Flgs Expir State Control
1 17 10.0.0.8:63709 61.9.247.216:10084 70.112.78.227:20011 1 20 10
2 6 10.0.0.8:63710 61.9.247.216:10085 132.211.194.39:59216 1 60 1
[nat]=>list
Indx Prot Inside-address:Port Outside-address:Port Foreign-address:Port Flgs Expir State Control
1 17 10.0.0.8:63709 61.9.247.216:10084 70.112.78.227:20011 1 20 10
2 6 10.0.0.8:63712 61.9.247.216:10087 67.19.96.18:80 1 60 1
3 6 10.0.0.8:63710 61.9.247.216:10085 132.211.194.39:59216 1 60 1
[nat]=>
These may be temporary mappings created by outgoing connections, especially where mostly port 80. They tend to choose any available port.
ASKER
OK, I went back to the original firmware and now all my original port forwards are back again?.... It seems that the new firmware I tried was not right - very strange....
It could mean though that some of these firmwares do not work properly and therefore it still could be an issue with the firmware I have...I'm now going to look for some others to try.
ASKER
Sorry I posted in between your response. Is that normal behaviour then to see ports dynamically update like that in quick succession? Perhaps my original firmware didn't support these dynamic updates and the newer one does...
Which means that perhaps if I go back again to the new one and try and re enter the VPN ports it may be worth a try...?
First confirm if the above is normal as it wasn't on my original firmware!!
I wonder if the difference is just the reporting and you didn't get that information before. The previous list appears to be a static NAT list as opposed to the latter which seems more like a log report. At the risk of displaying my ignorance.....on a NAT router when a PC makes an outgoing connection to a site such as a web site, the router 'tags' the request and assigns a temporary port number. When the reply comes back it knows by the port number which PC to send the reply to. Thus, the temporary NAT table.
I did read in several forums about some versions being "flaky" especially the newest ones. However all references I read were quite different version numbers, so I believe they were for different models. Also noticed the commands and options changed with some versions.
If interested the following link has lots of similar information and many links within the text. Doesn't appear to apply to your SpeedTouch but still may be of some interest:
http://forums.whirlpool.net.au/forum-replies-archive.cfm/458420.html
Have to head out to a service call for a while.
--Rob
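An added example, not part of the original thread and not SpeedTouch tooling, covering both the port-check question above and the temporary NAT mappings just described: it parses `nat list` output in the layout pasted in this thread (including the 80-column wrapping), separates static forwards from live outbound mappings, and checks that both halves of PPTP are forwarded to the server, since a successful TCP check on port 1723 exercises only the control channel and not GRE (IP protocol 47). The function names are hypothetical, the sample rows are excerpted from the listings in this thread, and treating rows that carry a Control value as static forwards is an assumption based on those listings.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One entry = index, IP protocol number, three addr:port pairs, then either a
# Control word (static rule) or Flgs/Expir/State numbers (live mapping).
# \s+ also matches newlines, so terminal-wrapped rows are handled.
ENTRY_RE = re.compile(
    r"\b(\d+)\s+(\d+)\s+([\d.]+):(\d+)\s+([\d.]+):(\d+)\s+([\d.]+):(\d+)\s+"
    r"(?:(instance|template)\b|(\d+)\s+(\d+)\s+(\d+))"
)


@dataclass
class NatEntry:
    index: int
    proto: int                 # IP protocol number: 6 TCP, 17 UDP, 47 GRE
    inside: Tuple[str, int]
    outside: Tuple[str, int]
    foreign: Tuple[str, int]
    control: Optional[str]     # "instance"/"template"; None for a live mapping
    expiry: Optional[int]      # Expir column, only present on live mappings

    @property
    def is_static(self) -> bool:
        # Assumption: rows with a Control value are configured forwards.
        return self.control is not None


def parse_nat_list(text: str) -> List[NatEntry]:
    """Parse pasted `nat list` output; prompt and header lines are ignored."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        (idx, proto, i_ip, i_pt, o_ip, o_pt,
         f_ip, f_pt, ctl, _flags, exp, _state) = m.groups()
        entries.append(NatEntry(
            int(idx), int(proto), (i_ip, int(i_pt)), (o_ip, int(o_pt)),
            (f_ip, int(f_pt)), ctl, int(exp) if exp else None))
    return entries


def live_mappings(entries: List[NatEntry]) -> List[NatEntry]:
    """Temporary mappings created by outgoing connections."""
    return [e for e in entries if not e.is_static]


def pptp_forward_gaps(entries: List[NatEntry], server_ip: str) -> List[str]:
    """Return the PPTP prerequisites that have no static forward to server_ip."""
    static = [e for e in entries if e.is_static and e.inside[0] == server_ip]
    gaps = []
    if not any(e.proto == 6 and e.inside[1] == 1723 and e.outside[1] == 1723
               for e in static):
        gaps.append("TCP 1723 (PPTP control)")
    if not any(e.proto == 47 for e in static):
        gaps.append("IP protocol 47 (GRE, PPTP data)")
    return gaps


# Rows excerpted from the listings in this thread; the last row is wrapped
# across two lines, as in the later pastes.
SAMPLE = """\
[nat]=>list
Indx Prot Inside-address:Port Outside-address:Port Foreign-address:Port Flgs E
xpir State Control
2 6 10.0.0.8:1723 61.9.247.216:1723 0.0.0.0:0 instance
7 17 10.0.0.100:1029 61.9.247.216:10019 61.9.240.14:53 1 20 10
11 47 10.0.0.8:1 61.9.247.216:1 0.0.0.0:0 instance
17 6 10.0.0.8:1723 0.0.0.0:1723 0.0.0.0:0 template
18 47 10.0.0.8:1 0.0.0.0:1 0.0.0.0:0 template
1 6 10.0.0.8:63704 61.9.247.216:10078 67.19.96.18:80 1
8 5
"""

if __name__ == "__main__":
    parsed = parse_nat_list(SAMPLE)
    print("static forwards:", [(e.proto, e.inside, e.control)
                               for e in parsed if e.is_static])
    print("live mappings:  ", [(e.inside, e.foreign, e.expiry)
                               for e in live_mappings(parsed)])
    print("PPTP gaps:      ", pptp_forward_gaps(parsed, "10.0.0.8") or "none")
    # Constructed variant: the same listing with the protocol-47 rows removed.
    no_gre = "\n".join(l for l in SAMPLE.splitlines() if " 47 " not in l)
    print("without GRE:    ", pptp_forward_gaps(parse_nat_list(no_gre), "10.0.0.8"))
```

An empty result only shows that the forwards are configured; whether the router actually translates GRE still has to be confirmed with a real connection attempt from outside.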
ASKER
OK, I tried putting in the options section - Local 10.0.0.8 and remote 0.0.0.0 = any However it wouldn't take 0.0.0.0 in the remote. So I also thought I'd try Local 10.0.0.8 and remote 61.9.247.216 That simply hung the router up...wouldn't reconnect to the net. I then thought that perhaps the local shouldn't be the server address but instead the router address so I tried that also ie: Local 10.0.0.1 and remote 61.9.247.216 - same result wouldn't connect to the net. So my final test was to try both server and adsl ips for the local and leave the remote blank. 10.0.0.1 as local by itself did the same thing. 10.0.0.8 didn't hang up the router (ie web interface could still work) but it simply wouldn't connect....
I then turned all these off:
LCP echo - Link Control Protocol Echo
PAP -Password authentication protocol
ACCOMP - Access Control Compression
The link came back up but when I tried to VPN in I got a 678 error not respond.
So I turned them all on. The link kept trying to come back up and wouldn't. So from all these results I would say that these options relate to the router dialing up the ISP to connect rather than specific options for the link once it is up.
By the way I found the manual here: http://www.speedtouchdsl.com/pdf/stpro_manual_01.pdf
Looking at the manual, there is no reference to PPTP, GRE, VPN's or VPN pass-through, other than for ISP connections. Adding to that, look at the first "NAT LIST". In addition to your NAT configurations, there are other obscure mappings that I assume you did not set up. If they are outgoing, automatically configured/temporary NAT connections, then the PPTP and GRE are outgoing as well, based on the inside and outside addressing, probably for ISP type connections. I am wondering if the router supports PPTP incoming connections at all. Some older units do not. Is the router supplied by your ISP ? Wondering if it is possible to confirm whether it is supported with them?
I'm not being much help here.
--Rob
slater27, any luck with this, and were you able to confirm if the router was VPN compatible?
--Rob
ASKER
I have closed this now. At the time I had left promptly via plane to Melbourne and couldn't respond. The VPN ended up working remotely it was the testing mechanism through my bluetooth GPRS modem connection to my notebook which was causing the problem. Points awarded for the great help that Robwill provided regardless and he was on to it when he said that he could get through to the VPN himself but couldn't login without the userpass and password.
Cheers.
Thanks slater27.
--Rob
If you were to provide make and model of your equipment we could be more specific as to how to configure.