Solved

Port forwarding in ADSL router Linksys

Posted on 2006-11-12
Last Modified: 2013-11-29

Actually we had some problem with our old router and today we replaced our router with Linksys model WAG200G.

Also we use ISA. For VPN clients we have to forward ports, and I have also forwarded the following ports from this new router:

50
500
51
1723

After this, when a VPN dial-up connection tries to establish a connection, it only shows "verifying user name and password".

It was working fine with our old router. Are there any other things to be checked for VPNs in this router?

Your earliest response is highly appreciated

Jinesh
Question by:Jinesh Kumar Kochath
17 Comments
 
LVL 30

Expert Comment

by:irwinpks
ID: 17924851
0
 

Expert Comment

by:Rekolitus
ID: 17924886
You need to setup protocol 47/50/51 forwarding; they're not TCP/UDP ports, they're IP protocol numbers.

There should be some sort of IPSec/PPTP passthrough option you need to enable on your router.
0
 

Author Comment

by:Jinesh Kumar Kochath
ID: 17924970
I opened all ports mentioned above.
I tried all these options, and IPSEC/PPTP is also enabled in my router.
Please advise how to solve this issue.

regards
Jinesh
0
 

Author Comment

by:Jinesh Kumar Kochath
ID: 17924972
Hi Rekolitus
you mentioned before

You need to setup protocol 47/50/51 forwarding; they're not TCP/UDP ports, they're IP protocol numbers.

I did it as TCP/UDP; other than that, where do I have to forward these ports?

0
 

Expert Comment

by:Rekolitus
ID: 17924988
They don't have anything to do with TCP or UDP ports. They're IP protocol numbers which you need to forward. You need to configure your router to forward IP protocols 47/50/51 to your LAN machine.
0
 

Author Comment

by:Jinesh Kumar Kochath
ID: 17924993
done it and still not working dear
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17925060
How is your VPN created? I assume since you are forwarding ports you are using the built-in Windows firewall; if so, it uses PPTP.
(Note below that if you are not using PPTP, your VPN protocol may not be supported.)
Also, is this your sole connection device, i.e. modem and router? If so, fine. But if you have an additional routing device, port forwarding will need to be enabled on it as well.
Updating to the latest firmware is also a good idea if having problems.
To reiterate what Rekolitus stated:

PPTP (most likely option) requires:
  Forward only TCP 1723
  Enable GRE, protocol 47 (not port 47) by enabling PPTP pass-through on the Security 'tab' page of the WAG200G
 
L2TP over IPSec requires:
  To allow IKE forward UDP port 500.
  To allow IPSec NAT-T forward port UDP 4500.
  To allow L2TP forward port UDP 1701.
  If using ESP (Encapsulation Security Payload), protocol 50, enable IPSec pass-through on the Security 'tab' page of the WAG200G
  If using AH (Authentication Header Protocol) protocol 51 you need another router, yours does not support this protocol

IPSec requires:
   To allow IKE forward UDP port 500.
   To allow IPSec NAT-T forward port UDP 4500.
   If using ESP (Encapsulation Security Payload), protocol 50, enable IPSec pass-through on the Security 'tab' page of the WAG200G
   If using AH (Authentication Header Protocol) protocol 51 you need another router, yours does not support this protocol

Once done, verify the port forwarding is working by logging onto the VPN server and going to http://www.canyouseeme.org and testing for the appropriate port to see that it is forwarded correctly. This will not allow you to test protocols.

Assuming that is working correctly, and you are using the "standard" Windows PPTP VPN, Microsoft has a pair of test tools, pptpsrv and pptpclnt, to test for GRE pass-through, which are available as part of the Windows resource kit or from:
http://www3.ns.sympatico.ca/malagash/Downloads/Net/

Log onto the client or VPN server machine and connect to the other with remote desktop, or a similar remote management tool. At a command line on the client machine, run pptpclnt and on the server run pptpsrv. The client machine will send a set of GRE packets to the server and it should show as received if GRE is able to pass. The server is then supposed to respond and the client indicate received, but I have never had that part work. The one direction client to server is usually enough to test.

Following links outline the use of the test tools:
http://www.howtonetworking.com/Tools/testgre.htm
See VPN traffic:
http://www.microsoft.com/technet/community/columns/cableguy/cg0105.mspx
0
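Added example, not part of the original thread or any poster's code: the distinction drawn above between IP protocol numbers (47/50/51) and TCP/UDP ports, shown by reading the protocol field of constructed IPv4 packets. The function names and sample packets are hypothetical; the port and protocol list is the one given in the comment above.

```python
import struct

# Requirements as listed in the comment above: (IP protocol, dst port) -> role.
# A port of None means the protocol has no port field at all.
VPN_TRAFFIC = {
    (6, 1723): "PPTP control (TCP 1723)",
    (17, 500): "IKE (UDP 500)",
    (17, 4500): "IPSec NAT-T (UDP 4500)",
    (17, 1701): "L2TP (UDP 1701)",
    (47, None): "GRE, PPTP data (needs PPTP pass-through)",
    (50, None): "ESP (needs IPSec pass-through)",
    (51, None): "AH",
}

def classify(packet: bytes):
    """Return (ip_protocol, dst_port_or_None, role) for a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4      # IPv4 header length in bytes
    proto = packet[9]                 # IP protocol number field
    port = None
    if proto in (6, 17):              # only TCP (6) and UDP (17) carry ports
        if len(packet) < ihl + 4:
            raise ValueError("truncated transport header")
        port = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    role = VPN_TRAFFIC.get((proto, port), "not VPN traffic from the list")
    return proto, port, role

def port_forward_can_match(packet: bytes) -> bool:
    """A TCP/UDP port-forwarding rule can only match packets that have a port."""
    return classify(packet)[1] is not None

def make_packet(proto: int, dst_port=None) -> bytes:
    """Constructed sample IPv4 packet (documentation addresses, zero checksum)."""
    payload = struct.pack("!HH", 40000, dst_port) if dst_port else b"\x00" * 8
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, bytes([198, 51, 100, 7]), bytes([192, 0, 2, 10]))
    return header + payload

if __name__ == "__main__":
    # TCP 1723, a GRE packet, and what a "port 50" forwarding rule really matches
    for pkt in (make_packet(6, 1723), make_packet(47), make_packet(6, 50)):
        print(classify(pkt), "port-forward can match:", port_forward_can_match(pkt))
```

A rule forwarding TCP/UDP "port 50" matches only the third sample, which is ordinary TCP and not ESP; GRE, ESP and AH packets have no port for such a rule to match.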
 

Author Comment

by:Jinesh Kumar Kochath
ID: 17925311
Hi Robwill as I explained in my old post, I had some problems with my old router, that is why now I purchased Linksys model WAG200G.

Everything is configured and working fine, except VPN
for that I have forwarded the following ports from router
50
51
500
1723

I also enabled IPSEC/PPTP pass-through; all those services are enabled. But after this, when my VPN clients try to connect, they get a message saying "verifying user name and password" and then it disconnects.

Now tell me what extra steps I have to do in my router WAG200G.

Awaiting your feedback
regards
Jinesh

0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17925364
The point is those are the only steps. I provided the port forwarding information as you had not advised of the type of VPN.

As asked, what type of VPN are you using, or how is it created. I assume Windows default PPTP VPN? If so there is no need of UDP 500, and at no point does forwarding 50 and 51 help.

Are there any other routing devices between the Internet and the VPN server, other than the WAG200G?

Have you run the canyouseeme and the pptpsrv/pptpclnt tests I outlined? Any luck with those?

Do you get an error message # when it fails to connect such as 721, 800, 691, or similar?
0
 

Author Comment

by:Jinesh Kumar Kochath
ID: 17925386
I am out of office now.
tomorrow morning I will test it and let you know all these.

We are using ISA 2004 server with VPN.

No other routing devices; the router's Ethernet cable is connected directly to the external network card of the ISA server, and my old router is working fine. The only issue is with dyndns.org, which is why we changed the router as you instructed in our last post.

Regarding canyouseeme.org, I will do it tomorrow morning. I am at home now; I will come back to you tomorrow morning.

thanks a lot

Jinesh
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17925422
OK sounds good.
The canyouseeme and pptpsrv/clnt tests should help to narrow down the problem area.
Let us know how it goes.

It would be good to confirm the VPN protocol, if possible, since you are using ISA it could be pptp/l2tp/ipsec.

Also was there a connection error # ?
0
 

Author Comment

by:Jinesh Kumar Kochath
ID: 17945765

Hi
After referring to a Microsoft document, I have enabled the DMZ port in the router and forwarded the ISA external IP from this port.
Then the VPN started working.

regards

Jinesh Kumar
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 17946327
Putting it in the DMZ allows all traffic, which is less secure, but with ISA that should not be a problem; I wouldn't recommend it otherwise. It must be that your WAG200G is not forwarding the appropriate encryption protocol GRE, AH, or ESP (you haven't stated which at this point). The basic port forwarding of 1723 must have been working as you were receiving "verifying user name and password". It is possible this feature does not work on that unit, or were you using AH, which as mentioned is not supported.

Are you happy leaving it in the DMZ, or would you like further assistance?
--Rob
0
 

Expert Comment

by:mzeggie
ID: 22474833


To my knowledge Cisco (owner of Linksys) took all VPN support (inbound, that is) out of the Linksys routers and modems. So no more inbound VPN connections are available unless you start to use the router in the DMZ as described above.
regards,
MZeggie.
0
 
LVL 2

Expert Comment

by:francis_0822
ID: 23471391
If enabling the DMZ on the router makes the VPN or any application recognized by the router, it only means that the right port is NOT yet properly open on the router, and that is the reason why the firewall is blocking it.
0
