• Status: Solved

Port forwarding in ADSL router Linksys


Actually we had some problem with our old router and today we replaced our router with Linksys model WAG200G.

Also we use ISA, for VPN clients we have to forward ports and I have forwarded the following ports also from this new router

50
500
51
1723

After this, when the VPN dial-up connection tries to establish a connection, it only shows "verifying user name and password".

It was working fine with our old router. Are there any other things to be checked for VPNs in this router?

Your earliest response is highly appreciated

Jinesh
0
Asked:
Jinesh Kumar Kochath
Irwin Santos (Computer Integration Specialist) commented:
0
 
Rekolitus commented:
You need to setup protocol 47/50/51 forwarding; they're not TCP/UDP ports, they're IP protocol numbers.

There should be some sort of IPSec/PPTP passthrough option you need to enable on your router.
0
 
Jinesh Kumar Kochath (Author) commented:
I opened all the ports mentioned above.
I tried all these options, and IPSEC/PPTP is also enabled in my router.
Please advise how to solve this issue.

regards
Jinesh
0
 
Jinesh Kumar Kochath (Author) commented:
Hi Rekolitus,
you mentioned before:

"You need to setup protocol 47/50/51 forwarding; they're not TCP/UDP ports, they're IP protocol numbers."

I have done it as TCP/UDP. Other than that, where do I have to forward these ports?

0
 
Rekolitus commented:
They don't have anything to do with TCP or UDP ports. They're IP protocol numbers which you need to forward. You need to configure your router to forward IP protocols 47/50/51 to your LAN machine.
0
 
Jinesh Kumar Kochath (Author) commented:
Done it and it is still not working, dear.
0
 
Rob Williams commented:
How is your VPN created? I assume since you are forwarding ports you are using the built-in Windows firewall; if so, it uses PPTP.
(Note below that if not using PPTP, your VPN protocol may not be supported.)
Also, is this your sole connection device, i.e. modem and router? If so, fine. But if you have an additional routing device, port forwarding will need to be enabled as well.
Updating to the latest firmware is also a good idea if having problems.
To reiterate what Rekolitus stated:

PPTP (most likely option) requires:
  Forward only TCP 1723.
  Enable GRE, protocol 47 (not port 47), by enabling PPTP pass-through on the Security 'tab' page of the WAG200G.

L2TP over IPSec requires:
  To allow IKE, forward UDP port 500.
  To allow IPSec NAT-T, forward UDP port 4500.
  To allow L2TP, forward UDP port 1701.
  If using ESP (Encapsulation Security Payload), protocol 50, enable IPSec pass-through on the Security 'tab' page of the WAG200G.
  If using AH (Authentication Header Protocol), protocol 51, you need another router; yours does not support this protocol.

IPSec requires:
  To allow IKE, forward UDP port 500.
  To allow IPSec NAT-T, forward UDP port 4500.
  If using ESP (Encapsulation Security Payload), protocol 50, enable IPSec pass-through on the Security 'tab' page of the WAG200G.
  If using AH (Authentication Header Protocol), protocol 51, you need another router; yours does not support this protocol.

Once done, verify the port forwarding is working by logging onto the VPN server, going to http://www.canyouseeme.org, and testing for the appropriate port to see that it is forwarded correctly. This will not allow you to test protocols.

Assuming that is working correctly, and you are using the "standard" Windows PPTP VPN, Microsoft has a pair of test tools, pptpsrv and pptpclnt, to test for GRE pass-through, which are available as part of the Windows resource kit or from:
http://www3.ns.sympatico.ca/malagash/Downloads/Net/

Log onto the client or VPN server machine and connect to the other with remote desktop, or a similar remote management tool. At a command line on the client machine, run pptpclnt and on the server run pptpsrv. The client machine will send a set of GRE packets to the server and it should show as received if GRE is able to pass. The server is then supposed to respond and the client indicate received, but I have never had that part work. The one direction client to server is usually enough to test.

Following links outline the use of the test tools:
http://www.howtonetworking.com/Tools/testgre.htm
See VPN traffic:
http://www.microsoft.com/technet/community/columns/cableguy/cg0105.mspx
0
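The difference between an IP protocol number and a TCP/UDP port that the replies above keep returning to, shown as an added example that is not part of the original thread. The packets are constructed samples using documentation addresses, and the function names are illustrative.

```python
import struct

# IP protocol numbers live in byte 9 of the IPv4 header; ports live in the TCP/UDP header.
PROTO_NAMES = {6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}
VPN_PORTS = {("TCP", 1723): "PPTP control", ("UDP", 500): "IKE",
             ("UDP", 4500): "IPSec NAT-T", ("UDP", 1701): "L2TP"}

def build_ipv4(proto, payload=b""):
    """Constructed sample: minimal 20-byte IPv4 header (checksum left 0) plus payload."""
    src, dst = bytes([203, 0, 113, 10]), bytes([192, 0, 2, 1])  # documentation addresses
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0, 0, 64, proto, 0, src, dst)
    return header + payload

def build_l4(dst_port, src_port=40000):
    """Constructed TCP/UDP stub: only the two port fields are meaningful here."""
    return struct.pack("!HH", src_port, dst_port) + b"\x00" * 16

def classify(packet):
    """Return (protocol name, destination port or None, router setting that lets it in)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    name = PROTO_NAMES.get(proto, f"protocol {proto}")
    if name in ("TCP", "UDP"):
        if len(packet) < ihl + 4:
            raise ValueError("truncated transport header")
        (dport,) = struct.unpack("!H", packet[ihl + 2:ihl + 4])
        service = VPN_PORTS.get((name, dport), "not a VPN port named in the thread")
        return name, dport, f"port forward {name} {dport} ({service})"
    # GRE, ESP and AH have no port field, so no TCP/UDP forwarding rule can match them.
    return name, None, f"pass-through for IP protocol {proto} ({name})"

# Constructed packets: the PPTP pair, plus the misreading "TCP port 47" and ESP.
SAMPLES = {
    "pptp_control": build_ipv4(6, build_l4(1723)),
    "pptp_data_gre": build_ipv4(47, b"\x30\x01\x88\x0b" + b"\x00" * 8),
    "tcp_to_port_47": build_ipv4(6, build_l4(47)),
    "esp": build_ipv4(50, b"\x00" * 16),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:15} -> {classify(pkt)}")
```

A rule that forwards "port 47" or "port 50" only ever matches the `tcp_to_port_47` kind of packet, which is why the PPTP control connection on TCP 1723 can come up while the GRE data that follows never reaches the server.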
 
Jinesh Kumar Kochath (Author) commented:
Hi Robwill, as I explained in my old post, I had some problems with my old router; that is why I have now purchased the Linksys model WAG200G.

Everything is configured and working fine, except VPN.
For that I have forwarded the following ports from the router:
50
51
500
1723

I also enabled IPSEC/PPTP pass-through, with all those services enabled, but after this, when my VPN clients try to connect, they get a message saying "verifying user name and password" and then it disconnects.

Now tell me what extra steps I have to do in my router WAG200G.

Awaiting your feedback
regards
Jinesh

0
 
Rob Williams commented:
The point is those are the only steps. I provided the port forwarding information as you had not advised of the type of VPN.

As asked, what type of VPN are you using, or how is it created. I assume Windows default PPTP VPN? If so there is no need of UDP 500, and at no point does forwarding 50 and 51 help.

Are there any other routing devices between the Internet and the VPN server, other than the WAG200G?

Have you run the canyouseeme and the pptpsrv/pptpclnt tests I outlined? Any luck with those?

Do you get an error message # when it fails to connect such as 721, 800, 691, or similar?
0
 
Jinesh Kumar Kochath (Author) commented:
I am out of the office now.
Tomorrow morning I will test it and let you know all these.

We are using ISA 2004 server with VPN.

No other routing devices; the router's Ethernet cable is connected directly to the external network card of the ISA server, and my old router is working fine. The only issue is with dyndns.org; that is why we changed the router, as you instructed in our last post.

Regarding canyouseeme.org, I will do it tomorrow morning. I am at home now; tomorrow morning I will come back to you.

thanks a lot

Jinesh
0
 
Rob Williams commented:
OK sounds good.
The canyouseeme and pptpsrv/clnt tests should help to narrow down the problem area.
Let us know how it goes.

It would be good to confirm the VPN protocol, if possible, since you are using ISA it could be pptp/l2tp/ipsec.

Also, was there a connection error #?
0
 
Jinesh Kumar Kochath (Author) commented:

Hi,
After referring to the Microsoft document, I have enabled the DMZ port in the router, and the ISA external IP is forwarded from this port.
Then VPN started working.

regards

Jinesh Kumar
0
 
Rob Williams commented:
Putting it in the DMZ allows all traffic, which is less secure, but with ISA that should not be a problem; I wouldn't recommend it otherwise. It must be that your WAG200G is not forwarding the appropriate encryption protocol GRE, AH, or ESP (you haven't stated which at this point). The basic port forwarding of 1723 must have been working, as you were receiving "verifying user name and password". It is possible this feature does not work on that unit, or were you using AH, which as mentioned is not supported?

Are you happy leaving it in the DMZ, or would you like further assistance?
--Rob
0
 
mzeggie commented:

To my knowledge Cisco (owner of Linksys) took all VPN support (inbound, that is) out of the Linksys routers and modems. So no more inbound VPN connections are available unless you start to use the router in the DMZ as described above.
regards,
MZeggie.
0
 
francis_0822 commented:
If enabling the DMZ on the router makes the VPN or any application recognized by the router, it only means that the right port is NOT yet properly open on the router, and that is the reason why the firewall is blocking it.
0
