Solved

Problem connecting to remote VPN server when sat behind Cisco 1841 router

Posted on 2007-03-20
3
252 Views
Last Modified: 2008-03-03
Hi All,

This is the situation, The owner of our company is sat behind a Cisco 1841 router (firewall turned off), he is trying to initiate a VPN connection to a server outside of our company.

In the way is our company firewall.

I have opened a rule in the firewall to allow access through to a certain address (the vpn server of the other company). I can see traffic passing through our firewall after meeting this rule.

However, he is getting a "verifying username and password" message and then it times out.

I have narrowed it down to the router, has anyone else had this problem?

Here is an example of the router's config :


!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname OFFICE
!
boot-start-marker
boot-end-marker
!
logging queue-limit 100
no logging buffered
enable secret 5 $1$SJ30$08lBzf7AVKDQswtBpmmLZ1
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip cef
!
!
ip dhcp excluded-address 172.16.XXX.129 172.16.XXX.140
ip dhcp excluded-address 172.16.XXX.1 172.16.XXX.16
!
ip dhcp pool CLIENT
   import all
   network 172.16.XXX.128 255.255.255.128
   default-router 172.16.XXX.129
   dns-server 192.168.8.18 192.168.10.13 192.168.4.5
!
ip dhcp pool STAFF
   import all
   network 172.16.XXX.0 255.255.255.128
   default-router 172.16.XXX.1
   dns-server 192.168.8.18 192.168.10.13 192.168.4.5
   lease 2
!
no ip domain lookup
!
no ftp-server write-enable
!
!
interface FastEthernet0/0
 description Connection to the STAFF ethernet segment
 ip address 172.16.XXX.1 255.255.255.128
 ip access-group 10 out
 half-duplex
 hold-queue 100 out

interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0/1
 description Connection to the CLIENT ethernet segment
 ip address 172.16.XXX.129 255.255.255.128
 ip access-group 10 out
 half-duplex
 hold-queue 100 out
!

!
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname OFFICE@A4EADSL.CO.UK
 ppp chap password 0 PASSPHRASE
 ppp pap sent-username OFFICE@A4EADSL.CO.UK password 0 PASSPHRASE
 ppp ipcp dns request
 ppp ipcp wins request
 hold-queue 224 in
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
access-list 10 permit 172.16.XXX.16
access-list 10 permit 172.16.XXX.0 0.0.0.15
access-list 10 deny   172.16.XXX.0 0.0.0.127
access-list 10 permit any
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 120 0
 password 7 104D000A0618
 login
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 120 0
 password 7 14141B180F0B
 login
 length 0
!
scheduler max-task-time 5000
!
control-plane
!
end
0
Comment
Question by:A4eIT
  • 2
3 Comments
 
LVL 10

Accepted Solution

by:
Sorenson earned 500 total points
ID: 18759079
What vpn client is he using?  If it is a cisco vpn client, be sure that the vpn server (firewall, router, pix, asa) has nat traversal enabled (http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftipsnat.htm) .  If it is a microsoft, or PPTP vpn, he will need a static translation through the firewall (not a hide or global) and the firewall will need to allow pptp ports back to that address.
0
 

Author Comment

by:A4eIT
ID: 18762503
Hi sorry it's a bog standard windows VPN connection
0
 

Author Comment

by:A4eIT
ID: 18904199
Turned out to be a NAT problem. thanks for the help anyway.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question