• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 299
  • Last Modified:

Problem connecting to remote VPN server when sat behind Cisco 1841 router

Hi All,

This is the situation, The owner of our company is sat behind a Cisco 1841 router (firewall turned off), he is trying to initiate a VPN connection to a server outside of our company.

In the way is our company firewall.

I have opened a rule in the firewall to allow access through to a certain address (the vpn server of the other company). I can see traffic passing through our firewall after meeting this rule.

However, he is getting a "verifying username and password" message and then it times out.

I have narrowed it down to the router, has anyone else had this problem?

Here is an example of the router's config :


!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname OFFICE
!
boot-start-marker
boot-end-marker
!
logging queue-limit 100
no logging buffered
enable secret 5 $1$SJ30$08lBzf7AVKDQswtBpmmLZ1
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip cef
!
!
ip dhcp excluded-address 172.16.XXX.129 172.16.XXX.140
ip dhcp excluded-address 172.16.XXX.1 172.16.XXX.16
!
ip dhcp pool CLIENT
   import all
   network 172.16.XXX.128 255.255.255.128
   default-router 172.16.XXX.129
   dns-server 192.168.8.18 192.168.10.13 192.168.4.5
!
ip dhcp pool STAFF
   import all
   network 172.16.XXX.0 255.255.255.128
   default-router 172.16.XXX.1
   dns-server 192.168.8.18 192.168.10.13 192.168.4.5
   lease 2
!
no ip domain lookup
!
no ftp-server write-enable
!
!
interface FastEthernet0/0
 description Connection to the STAFF ethernet segment
 ip address 172.16.XXX.1 255.255.255.128
 ip access-group 10 out
 half-duplex
 hold-queue 100 out

interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0/1
 description Connection to the CLIENT ethernet segment
 ip address 172.16.XXX.129 255.255.255.128
 ip access-group 10 out
 half-duplex
 hold-queue 100 out
!

!
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname OFFICE@A4EADSL.CO.UK
 ppp chap password 0 PASSPHRASE
 ppp pap sent-username OFFICE@A4EADSL.CO.UK password 0 PASSPHRASE
 ppp ipcp dns request
 ppp ipcp wins request
 hold-queue 224 in
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
access-list 10 permit 172.16.XXX.16
access-list 10 permit 172.16.XXX.0 0.0.0.15
access-list 10 deny   172.16.XXX.0 0.0.0.127
access-list 10 permit any
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 120 0
 password 7 104D000A0618
 login
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 120 0
 password 7 14141B180F0B
 login
 length 0
!
scheduler max-task-time 5000
!
control-plane
!
end
0
A4eIT
Asked:
A4eIT
  • 2
1 Solution
 
SorensonCommented:
What vpn client is he using?  If it is a cisco vpn client, be sure that the vpn server (firewall, router, pix, asa) has nat traversal enabled (http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftipsnat.htm) .  If it is a microsoft, or PPTP vpn, he will need a static translation through the firewall (not a hide or global) and the firewall will need to allow pptp ports back to that address.
0
 
A4eITAuthor Commented:
Hi sorry it's a bog standard windows VPN connection
0
 
A4eITAuthor Commented:
Turned out to be a NAT problem. thanks for the help anyway.
0

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now