Solved

Problem connecting to remote VPN server when sat behind Cisco 1841 router

Posted on 2007-03-20
3
251 Views
Last Modified: 2008-03-03
Hi All,

This is the situation, The owner of our company is sat behind a Cisco 1841 router (firewall turned off), he is trying to initiate a VPN connection to a server outside of our company.

In the way is our company firewall.

I have opened a rule in the firewall to allow access through to a certain address (the vpn server of the other company). I can see traffic passing through our firewall after meeting this rule.

However, he is getting a "verifying username and password" message and then it times out.

I have narrowed it down to the router, has anyone else had this problem?

Here is an example of the router's config :


!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname OFFICE
!
boot-start-marker
boot-end-marker
!
logging queue-limit 100
no logging buffered
enable secret 5 $1$SJ30$08lBzf7AVKDQswtBpmmLZ1
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip cef
!
!
ip dhcp excluded-address 172.16.XXX.129 172.16.XXX.140
ip dhcp excluded-address 172.16.XXX.1 172.16.XXX.16
!
ip dhcp pool CLIENT
   import all
   network 172.16.XXX.128 255.255.255.128
   default-router 172.16.XXX.129
   dns-server 192.168.8.18 192.168.10.13 192.168.4.5
!
ip dhcp pool STAFF
   import all
   network 172.16.XXX.0 255.255.255.128
   default-router 172.16.XXX.1
   dns-server 192.168.8.18 192.168.10.13 192.168.4.5
   lease 2
!
no ip domain lookup
!
no ftp-server write-enable
!
!
interface FastEthernet0/0
 description Connection to the STAFF ethernet segment
 ip address 172.16.XXX.1 255.255.255.128
 ip access-group 10 out
 half-duplex
 hold-queue 100 out

interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0/1
 description Connection to the CLIENT ethernet segment
 ip address 172.16.XXX.129 255.255.255.128
 ip access-group 10 out
 half-duplex
 hold-queue 100 out
!

!
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname OFFICE@A4EADSL.CO.UK
 ppp chap password 0 PASSPHRASE
 ppp pap sent-username OFFICE@A4EADSL.CO.UK password 0 PASSPHRASE
 ppp ipcp dns request
 ppp ipcp wins request
 hold-queue 224 in
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
access-list 10 permit 172.16.XXX.16
access-list 10 permit 172.16.XXX.0 0.0.0.15
access-list 10 deny   172.16.XXX.0 0.0.0.127
access-list 10 permit any
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 120 0
 password 7 104D000A0618
 login
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 120 0
 password 7 14141B180F0B
 login
 length 0
!
scheduler max-task-time 5000
!
control-plane
!
end
0
Comment
Question by:A4eIT
  • 2
3 Comments
 
LVL 10

Accepted Solution

by:
Sorenson earned 500 total points
ID: 18759079
What vpn client is he using?  If it is a cisco vpn client, be sure that the vpn server (firewall, router, pix, asa) has nat traversal enabled (http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftipsnat.htm) .  If it is a microsoft, or PPTP vpn, he will need a static translation through the firewall (not a hide or global) and the firewall will need to allow pptp ports back to that address.
0
 

Author Comment

by:A4eIT
ID: 18762503
Hi sorry it's a bog standard windows VPN connection
0
 

Author Comment

by:A4eIT
ID: 18904199
Turned out to be a NAT problem. thanks for the help anyway.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now