CISCO VPN PROBLEM WITH GRE

Last Modified: 2008-07-07
Dear All

I have a client with the following network setup: LAN--->CISCO 1751 RTR---->ISP

What I'm trying to do is set up a VPN connection from a PC on the LAN to another company's corporate network. I have to use the MS VPN Client and PPTP to connect but am having difficulty when trying to establish the connection.

I'm receiving an MS Error 800: stating the GRE protocol is either not enabled or functioning on the firewall/router sitting between my PC and the ISP.

I've had a look around and seen various suggestions on how to resolve this issue. As far as I can see I need to enable some form of PPTP Passthrough on the Cisco 1751 router, which I've tried by adding a static NAT allowing protocol 1723 to pass through to a local client IP address. This hasn't worked, however, and I'm now totally stuck.

Please find attached the current Cisco 1751 config:
Building configuration...

Current configuration : 5119 bytes
!
! No configuration change since last restart
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret xxxxx
!
username xxxxx password 0 xxxxx
aaa new-model
!
!
aaa authentication login default local
aaa authorization network default local
aaa session-id common
ip subnet-zero
!
!
!
!
ip domain name xxxxx
ip cef
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPNgroup
 key xxxxx
 dns 192.168.16.2
 domain xxxxx
 pool VPNpool
crypto isakmp profile VPNclient
   match identity group VPNgroup
   client authentication list default
   isakmp authorization list default
   client configuration address respond
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set strong
 set isakmp-profile VPNclient
!
!
crypto map xxxxxmap 1 ipsec-isakmp dynamic dynmap
!
!
!
!
interface ATM0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/0.1 point-to-point
 description "Physical ADSL Connection"
 pvc 0/38
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0/0
 ip address 192.168.16.3 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat inside
 no ip mroute-cache
 speed auto
!
interface Dialer1
 description "Logical ADSL Connection"
 mtu 4470
 bandwidth 2048
 ip address PUBLIC_IP 255.255.255.248
 ip access-group 130 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp chap hostname xxxxx
 ppp chap password 0 door0103
 ppp pap sent-username xxxxx
 crypto map xxxxxmap
!
ip local pool VPNpool 192.168.99.1 192.168.99.10
ip nat pool global x.x.x.33 x.x.x.34 netmask 255.255.255.248
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 192.168.16.2 25 x.x.x.38 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.17.0 255.255.255.0 192.168.16.254
no ip http server
no ip http secure-server
!
!
!
logging history debugging
logging trap errors
logging origin-id hostname
logging x.x.x.x
access-list 101 remark "Define Nat Traffic"
access-list 101 deny   ip 192.168.16.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 101 permit ip 192.168.16.0 0.0.0.255 any
access-list 110 remark "Inbound ACL"
access-list 110 permit icmp any any
access-list 110 permit ip x.x.x.x 0.0.0.7 any
access-list 110 permit esp any host x.x.x.38
access-list 110 permit udp any host x.x.x.38 eq isakmp
access-list 110 permit ip 192.168.99.0 0.0.0.255 any
access-list 110 permit tcp any host x.x.x.38 eq smtp
access-list 110 permit udp any any gt 1024
access-list 110 permit tcp any any gt 1024
access-list 110 permit esp any host x.x.x.34
access-list 110 permit udp any host x.x.x.34 eq isakmp
access-list 110 permit tcp any any eq 22
access-list 110 permit ip host x.x.x.x any
access-list 110 permit tcp host x.x.x.x any eq 123
access-list 110 permit udp host x.x.x.x any eq ntp
access-list 120 remark "Outbound Traffic"
access-list 120 permit icmp any any
access-list 120 permit ip host 192.168.16.2 any
access-list 120 permit tcp 192.168.16.0 0.0.0.255 any eq www
access-list 120 permit tcp 192.168.16.0 0.0.0.255 any eq 443
access-list 120 permit tcp 192.168.16.0 0.0.0.255 any eq ftp-data
access-list 120 permit tcp 192.168.16.0 0.0.0.255 any eq ftp
access-list 130 remark "Inbound ACL"
access-list 130 permit icmp any any
access-list 130 permit esp any host x.x.x.34
access-list 130 permit udp any host x.x.x.34 eq isakmp
access-list 130 permit ip 192.168.99.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 130 permit tcp any host x.x.x.38 eq smtp
access-list 130 permit udp any any gt 1024
access-list 130 permit tcp any any gt 1024
access-list 130 permit udp any host x.x.x.x eq ntp
access-list 130 permit tcp any host x.x.x.x eq 123
access-list 130 permit tcp x.x.x.x 0.0.0.15 host x.x.x.34 eq 22
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 logging synchronous
!
no scheduler allocate
sntp server 192.168.16.2
sntp broadcast client
sntp multicast client
ntp source FastEthernet0/0
ntp server 192.168.16.2
!
end

Router#
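
The following Python is an added example, not part of the original post: it evaluates ACL 130 from the posted config (applied inbound on Dialer1) against the two kinds of return traffic a PPTP session produces, the TCP reply from port 1723 and GRE (IP protocol 47). The 203.0.113.x and 198.51.100.x addresses are constructed stand-ins for the redacted values and PUBLIC_IP, and only the keywords that appear in ACL 130 are handled.

```python
from ipaddress import IPv4Address

PORTS = {"isakmp": 500, "smtp": 25, "ntp": 123}  # IOS port keywords used in ACL 130
# ACL 130 as posted (remark omitted); redacted x.x.x.* replaced by constructed addresses.
ACL_130 = """\
access-list 130 permit icmp any any
access-list 130 permit esp any host 203.0.113.34
access-list 130 permit udp any host 203.0.113.34 eq isakmp
access-list 130 permit ip 192.168.99.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 130 permit tcp any host 203.0.113.38 eq smtp
access-list 130 permit udp any any gt 1024
access-list 130 permit tcp any any gt 1024
access-list 130 permit udp any host 203.0.113.35 eq ntp
access-list 130 permit tcp any host 203.0.113.35 eq 123
access-list 130 permit tcp 198.51.100.0 0.0.0.15 host 203.0.113.34 eq 22
""".splitlines()

def take_addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (base, wildcard) as ints."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(IPv4Address(tok.pop(0))), 0
    return int(IPv4Address(first)), int(IPv4Address(tok.pop(0)))

def parse(line):
    tok = line.split()[2:]  # drop "access-list 130"
    action, proto = tok.pop(0), tok.pop(0)
    src, dst = take_addr(tok), take_addr(tok)
    port = (tok[0], PORTS.get(tok[1]) or int(tok[1])) if tok else None  # eq N | gt N
    return action, proto, src, dst, port

def addr_match(spec, ip):
    return (int(IPv4Address(ip)) | spec[1]) == (spec[0] | spec[1])

def evaluate(acl, proto, src, dst, dport=None):
    for line in acl:  # first matching entry wins
        action, p, s, d, port = parse(line)
        if p not in ("ip", proto) or not (addr_match(s, src) and addr_match(d, dst)):
            continue
        if port and (dport is None or (dport != port[1] if port[0] == "eq" else dport <= port[1])):
            continue
        return action, line
    return "deny", "implicit deny"  # nothing matched: implicit deny ends every ACL

if __name__ == "__main__":  # constructed PPTP server and PUBLIC_IP stand-ins
    print(evaluate(ACL_130, "tcp", "198.51.100.200", "203.0.113.33", 49152))
    print(evaluate(ACL_130, "gre", "198.51.100.200", "203.0.113.33"))
```

With ACL 130 as posted, the TCP control reply is permitted by `permit tcp any any gt 1024`, while the GRE packet matches no entry and falls to the implicit deny.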

Commented:
You have to open port 500 for TCP and UDP for those hosts.