curwengroup
asked on
Help pushing GRE through Cisco 871 firewall
Hi i'm having an issue with my Cisco 871.
We have a PPTP VPN server on our LAN and i need to be able to push connectivity to it through the Cisco firewall.
Pushing port 1723 works but i can not figure out how to push GRE 47 through the firewall through SDM.
right now i am a this point with the firewall on, the vpn client attempts to connect to the server, hte server registers the connection but it never finished connecting and the client gets timed out
if i turn off the firewall i can establish the connection no problems.
Can anyone offer some assistance?
Thanks
We have a PPTP VPN server on our LAN and i need to be able to push connectivity to it through the Cisco firewall.
Pushing port 1723 works but i can not figure out how to push GRE 47 through the firewall through SDM.
right now i am a this point with the firewall on, the vpn client attempts to connect to the server, hte server registers the connection but it never finished connecting and the client gets timed out
if i turn off the firewall i can establish the connection no problems.
Can anyone offer some assistance?
Thanks
ASKER
i have also tried L2TP+IPSEC but it's a no go as well. basically the same.
I have checked the client side router a linksys RV0041 and it has PPTP, L2TP and IPSEC passthrough enabled. I have also tried it from behind a Linksys WRT54G, and a D-link DIR-625, and with no router connected.
My thinking is that it's related to the fact the the CISCO 871 has it's own VPN features that might mess it up.
I have checked the client side router a linksys RV0041 and it has PPTP, L2TP and IPSEC passthrough enabled. I have also tried it from behind a Linksys WRT54G, and a D-link DIR-625, and with no router connected.
My thinking is that it's related to the fact the the CISCO 871 has it's own VPN features that might mess it up.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Here is the router config:
_______
Building configuration...
Current configuration : 11660 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$DXKX$kn2/vuu6n0oT.nrNK1
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone PCTime -7
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3259827954
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certifi
revocation-check none
rsakeypair TP-self-signed-3259827954
!
!
crypto pki certificate chain TP-self-signed-3259827954
certificate self-signed 01
30820256 308201BF A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33323539 38323739 3534301E 170D3032 30333031 30303036
35395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 32353938
32373935 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100AD37 25DA8401 526F42D2 5DA2D511 FEC74BA1 200E520A DC663AD4 93A9F18E
7AD1BF05 998D5C2D 37F5D337 31D255E5 5EE4275E 76FA2240 AEDD25EE 3A77770E
9751ADE8 C956C6E2 955D5068 D0A1E7C1 3535C36A DFA37A8A 103C3A64 6384684B
1861CAF8 D8CEB0DB 37A84B08 E9DAF8D3 EC4D3F49 E3E6E33A 6B8D0DDF 04F9CE45
D6070203 010001A3 7E307C30 0F060355 1D130101 FF040530 030101FF 30290603
551D1104 22302082 1E696E64 6576726F 75746572 2E696E64 6576656C 6F706D65
6E74732E 636F6D30 1F060355 1D230418 30168014 FC835D2E 641B5991 BD6E8E1C
D19DA54A 7B5C3F97 301D0603 551D0E04 160414FC 835D2E64 1B5991BD 6E8E1CD1
9DA54A7B 5C3F9730 0D06092A 864886F7 0D010104 05000381 810054FA 2E03CD38
3E52BFB3 886AEC15 701CAD3D C1EA3995 46D9FC24 18EEB36D 461656A6 C3FD34C9
3C6FCD37 9A87100B 25EE8F87 70359336 01F5918E 889E6C40 405282C2 3B139CE0
1AD204A9 D8F41551 7AD2244F 935CBFBA CFAD2573 BEBBBC2E 2819FFD0 FBD50AEA
A9B4D4E2 A0EBE633 E918B4CE FD527774 732F3E8A 8A815D51 A532
quit
dot11 syslog
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.100.151 192.168.100.254
ip dhcp excluded-address 192.168.100.1 192.168.100.99
!
ip dhcp pool sdm-pool1
import all
network 192.168.100.0 255.255.255.0
dns-server 192.168.100.200
default-router 192.168.100.1
!
!
no ip bootp server
ip domain name indevelopments.com
ip name-server 192.168.100.200
ip port-map user-protocol--2 port tcp 3283
ip port-map user-protocol--3 port udp 3283
ip port-map user-protocol--1 port udp 1723
ip port-map user-protocol--6 port tcp 47
ip port-map user-protocol--7 port udp 47
ip port-map user-protocol--4 port tcp 5900
ip port-map user-protocol--5 port udp 5900
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
username root privilege 15 secret 5 $1$PDj7$ANTZiw3sdTpuLgq2CX
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-nat-user-protocol--7-1
match access-group 108
match protocol user-protocol--7
class-map type inspect match-all sdm-nat-user-protocol--4-2
match access-group 116
match protocol user-protocol--4
class-map type inspect match-all sdm-nat-user-protocol--6-1
match access-group 107
match protocol user-protocol--6
class-map type inspect match-all sdm-nat-user-protocol--5-2
match access-group 117
match protocol user-protocol--5
class-map type inspect match-all sdm-nat-user-protocol--5-1
match access-group 106
match protocol user-protocol--5
class-map type inspect match-all sdm-nat-user-protocol--4-1
match access-group 105
match protocol user-protocol--4
class-map type inspect match-all sdm-nat-user-protocol--3-1
match access-group 104
match protocol user-protocol--3
class-map type inspect match-all sdm-nat-user-protocol--1-3
match access-group 119
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 103
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--1-2
match access-group 113
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 102
match protocol user-protocol--1
class-map type inspect match-any SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any test
match class-map SDM_GRE
class-map type inspect match-all sdm-cls-sdm-pol-NATOutside
match class-map test
match access-group name test
class-map type inspect match-all sdm-nat-user-protocol--2-2
match access-group 114
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--3-2
match access-group 115
match protocol user-protocol--3
class-map type inspect match-all sdm-nat-isakmp-1
match access-group 109
match protocol isakmp
class-map type inspect match-all sdm-nat-pptp-1
match access-group 101
match protocol pptp
class-map type inspect match-all sdm-nat-pptp-2
match access-group 112
match protocol pptp
class-map type inspect match-all sdm-nat-pptp-3
match access-group 118
match protocol pptp
class-map type inspect match-all sdm-nat-l2tp-1
match access-group 111
match protocol l2tp
class-map type inspect match-all sdm-nat-ipsec-msft-1
match access-group 110
match protocol ipsec-msft
class-map type inspect match-all sdm-invalid-src
match access-group 100
!
!
policy-map type inspect sdm-pol-NATOutsideToInside
class type inspect sdm-nat-pptp-1
inspect
class type inspect sdm-nat-user-protocol--1-1
inspect
class type inspect sdm-nat-user-protocol--2-1
inspect
class type inspect sdm-nat-user-protocol--3-1
inspect
class type inspect sdm-nat-user-protocol--4-1
inspect
class type inspect sdm-nat-user-protocol--5-1
inspect
class type inspect sdm-nat-user-protocol--6-1
inspect
class type inspect sdm-nat-user-protocol--7-1
inspect
class type inspect sdm-nat-isakmp-1
inspect
class type inspect sdm-nat-ipsec-msft-1
inspect
class type inspect sdm-cls-sdm-pol-NATOutside
inspect
class type inspect sdm-nat-l2tp-1
inspect
class type inspect sdm-nat-pptp-2
inspect
class type inspect sdm-nat-user-protocol--1-2
inspect
class class-default
policy-map type inspect sdm-pol-NATOutsideToInside
class type inspect sdm-nat-user-protocol--2-2
inspect
class type inspect sdm-nat-user-protocol--3-2
inspect
class type inspect sdm-nat-user-protocol--4-2
inspect
class type inspect sdm-nat-user-protocol--5-2
inspect
class type inspect sdm-nat-pptp-3
inspect
class type inspect sdm-nat-user-protocol--1-3
inspect
class class-default
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $FW_OUTSIDE$$ES_WAN$
ip address 70.75.X.X 255.255.252.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-
ip address 192.168.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 70.75.X.X
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.100.200 3283 interface FastEthernet4 3283
ip nat inside source static udp 192.168.100.200 3283 interface FastEthernet4 3283
ip nat inside source static tcp 192.168.100.200 5900 interface FastEthernet4 5900
ip nat inside source static udp 192.168.100.200 5900 interface FastEthernet4 5900
ip nat inside source static tcp 192.168.100.200 1723 interface FastEthernet4 1723
ip nat inside source static udp 192.168.100.200 1723 interface FastEthernet4 1723
!
ip access-list extended SDM_GRE
remark SDM_ACL Category=0
permit gre any any
ip access-list extended test
remark SDM_ACL Category=128
permit ip any host 192.168.100.200
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.100.200
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.100.100
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.100.200
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 192.168.100.200
access-list 105 remark SDM_ACL Category=0
access-list 105 permit ip any host 192.168.100.200
access-list 106 remark SDM_ACL Category=0
access-list 106 permit ip any host 192.168.100.200
access-list 107 remark SDM_ACL Category=0
access-list 107 permit ip any host 192.168.100.200
access-list 108 remark SDM_ACL Category=0
access-list 108 permit ip any host 192.168.100.200
access-list 109 remark SDM_ACL Category=0
access-list 109 permit ip any host 192.168.100.200
access-list 110 remark SDM_ACL Category=0
access-list 110 permit ip any host 192.168.100.200
access-list 111 remark SDM_ACL Category=0
access-list 111 permit ip any host 192.168.100.200
access-list 112 remark SDM_ACL Category=0
access-list 112 permit ip any host 192.168.100.200
access-list 113 remark SDM_ACL Category=0
access-list 113 permit ip any host 192.168.100.200
access-list 114 remark SDM_ACL Category=0
access-list 114 permit ip any host 192.168.100.200
access-list 115 remark SDM_ACL Category=0
access-list 115 permit ip any host 192.168.100.200
access-list 116 remark SDM_ACL Category=0
access-list 116 permit ip any host 192.168.100.200
access-list 117 remark SDM_ACL Category=0
access-list 117 permit ip any host 192.168.100.200
access-list 118 remark SDM_ACL Category=0
access-list 118 permit ip any host 192.168.100.200
access-list 119 remark SDM_ACL Category=0
access-list 119 permit ip any host 192.168.100.200
no cdp run
!
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
--------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
--------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
_______
Building configuration...
Current configuration : 11660 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$DXKX$kn2/vuu6n0oT.nrNK1
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone PCTime -7
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3259827954
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certifi
revocation-check none
rsakeypair TP-self-signed-3259827954
!
!
crypto pki certificate chain TP-self-signed-3259827954
certificate self-signed 01
30820256 308201BF A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33323539 38323739 3534301E 170D3032 30333031 30303036
35395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 32353938
32373935 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100AD37 25DA8401 526F42D2 5DA2D511 FEC74BA1 200E520A DC663AD4 93A9F18E
7AD1BF05 998D5C2D 37F5D337 31D255E5 5EE4275E 76FA2240 AEDD25EE 3A77770E
9751ADE8 C956C6E2 955D5068 D0A1E7C1 3535C36A DFA37A8A 103C3A64 6384684B
1861CAF8 D8CEB0DB 37A84B08 E9DAF8D3 EC4D3F49 E3E6E33A 6B8D0DDF 04F9CE45
D6070203 010001A3 7E307C30 0F060355 1D130101 FF040530 030101FF 30290603
551D1104 22302082 1E696E64 6576726F 75746572 2E696E64 6576656C 6F706D65
6E74732E 636F6D30 1F060355 1D230418 30168014 FC835D2E 641B5991 BD6E8E1C
D19DA54A 7B5C3F97 301D0603 551D0E04 160414FC 835D2E64 1B5991BD 6E8E1CD1
9DA54A7B 5C3F9730 0D06092A 864886F7 0D010104 05000381 810054FA 2E03CD38
3E52BFB3 886AEC15 701CAD3D C1EA3995 46D9FC24 18EEB36D 461656A6 C3FD34C9
3C6FCD37 9A87100B 25EE8F87 70359336 01F5918E 889E6C40 405282C2 3B139CE0
1AD204A9 D8F41551 7AD2244F 935CBFBA CFAD2573 BEBBBC2E 2819FFD0 FBD50AEA
A9B4D4E2 A0EBE633 E918B4CE FD527774 732F3E8A 8A815D51 A532
quit
dot11 syslog
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.100.151 192.168.100.254
ip dhcp excluded-address 192.168.100.1 192.168.100.99
!
ip dhcp pool sdm-pool1
import all
network 192.168.100.0 255.255.255.0
dns-server 192.168.100.200
default-router 192.168.100.1
!
!
no ip bootp server
ip domain name indevelopments.com
ip name-server 192.168.100.200
ip port-map user-protocol--2 port tcp 3283
ip port-map user-protocol--3 port udp 3283
ip port-map user-protocol--1 port udp 1723
ip port-map user-protocol--6 port tcp 47
ip port-map user-protocol--7 port udp 47
ip port-map user-protocol--4 port tcp 5900
ip port-map user-protocol--5 port udp 5900
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
username root privilege 15 secret 5 $1$PDj7$ANTZiw3sdTpuLgq2CX
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-nat-user-protocol--7-1
match access-group 108
match protocol user-protocol--7
class-map type inspect match-all sdm-nat-user-protocol--4-2
match access-group 116
match protocol user-protocol--4
class-map type inspect match-all sdm-nat-user-protocol--6-1
match access-group 107
match protocol user-protocol--6
class-map type inspect match-all sdm-nat-user-protocol--5-2
match access-group 117
match protocol user-protocol--5
class-map type inspect match-all sdm-nat-user-protocol--5-1
match access-group 106
match protocol user-protocol--5
class-map type inspect match-all sdm-nat-user-protocol--4-1
match access-group 105
match protocol user-protocol--4
class-map type inspect match-all sdm-nat-user-protocol--3-1
match access-group 104
match protocol user-protocol--3
class-map type inspect match-all sdm-nat-user-protocol--1-3
match access-group 119
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 103
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--1-2
match access-group 113
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 102
match protocol user-protocol--1
class-map type inspect match-any SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any test
match class-map SDM_GRE
class-map type inspect match-all sdm-cls-sdm-pol-NATOutside
match class-map test
match access-group name test
class-map type inspect match-all sdm-nat-user-protocol--2-2
match access-group 114
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--3-2
match access-group 115
match protocol user-protocol--3
class-map type inspect match-all sdm-nat-isakmp-1
match access-group 109
match protocol isakmp
class-map type inspect match-all sdm-nat-pptp-1
match access-group 101
match protocol pptp
class-map type inspect match-all sdm-nat-pptp-2
match access-group 112
match protocol pptp
class-map type inspect match-all sdm-nat-pptp-3
match access-group 118
match protocol pptp
class-map type inspect match-all sdm-nat-l2tp-1
match access-group 111
match protocol l2tp
class-map type inspect match-all sdm-nat-ipsec-msft-1
match access-group 110
match protocol ipsec-msft
class-map type inspect match-all sdm-invalid-src
match access-group 100
!
!
policy-map type inspect sdm-pol-NATOutsideToInside
class type inspect sdm-nat-pptp-1
inspect
class type inspect sdm-nat-user-protocol--1-1
inspect
class type inspect sdm-nat-user-protocol--2-1
inspect
class type inspect sdm-nat-user-protocol--3-1
inspect
class type inspect sdm-nat-user-protocol--4-1
inspect
class type inspect sdm-nat-user-protocol--5-1
inspect
class type inspect sdm-nat-user-protocol--6-1
inspect
class type inspect sdm-nat-user-protocol--7-1
inspect
class type inspect sdm-nat-isakmp-1
inspect
class type inspect sdm-nat-ipsec-msft-1
inspect
class type inspect sdm-cls-sdm-pol-NATOutside
inspect
class type inspect sdm-nat-l2tp-1
inspect
class type inspect sdm-nat-pptp-2
inspect
class type inspect sdm-nat-user-protocol--1-2
inspect
class class-default
policy-map type inspect sdm-pol-NATOutsideToInside
class type inspect sdm-nat-user-protocol--2-2
inspect
class type inspect sdm-nat-user-protocol--3-2
inspect
class type inspect sdm-nat-user-protocol--4-2
inspect
class type inspect sdm-nat-user-protocol--5-2
inspect
class type inspect sdm-nat-pptp-3
inspect
class type inspect sdm-nat-user-protocol--1-3
inspect
class class-default
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $FW_OUTSIDE$$ES_WAN$
ip address 70.75.X.X 255.255.252.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-
ip address 192.168.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 70.75.X.X
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.100.200 3283 interface FastEthernet4 3283
ip nat inside source static udp 192.168.100.200 3283 interface FastEthernet4 3283
ip nat inside source static tcp 192.168.100.200 5900 interface FastEthernet4 5900
ip nat inside source static udp 192.168.100.200 5900 interface FastEthernet4 5900
ip nat inside source static tcp 192.168.100.200 1723 interface FastEthernet4 1723
ip nat inside source static udp 192.168.100.200 1723 interface FastEthernet4 1723
!
ip access-list extended SDM_GRE
remark SDM_ACL Category=0
permit gre any any
ip access-list extended test
remark SDM_ACL Category=128
permit ip any host 192.168.100.200
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.100.200
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.100.100
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.100.200
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 192.168.100.200
access-list 105 remark SDM_ACL Category=0
access-list 105 permit ip any host 192.168.100.200
access-list 106 remark SDM_ACL Category=0
access-list 106 permit ip any host 192.168.100.200
access-list 107 remark SDM_ACL Category=0
access-list 107 permit ip any host 192.168.100.200
access-list 108 remark SDM_ACL Category=0
access-list 108 permit ip any host 192.168.100.200
access-list 109 remark SDM_ACL Category=0
access-list 109 permit ip any host 192.168.100.200
access-list 110 remark SDM_ACL Category=0
access-list 110 permit ip any host 192.168.100.200
access-list 111 remark SDM_ACL Category=0
access-list 111 permit ip any host 192.168.100.200
access-list 112 remark SDM_ACL Category=0
access-list 112 permit ip any host 192.168.100.200
access-list 113 remark SDM_ACL Category=0
access-list 113 permit ip any host 192.168.100.200
access-list 114 remark SDM_ACL Category=0
access-list 114 permit ip any host 192.168.100.200
access-list 115 remark SDM_ACL Category=0
access-list 115 permit ip any host 192.168.100.200
access-list 116 remark SDM_ACL Category=0
access-list 116 permit ip any host 192.168.100.200
access-list 117 remark SDM_ACL Category=0
access-list 117 permit ip any host 192.168.100.200
access-list 118 remark SDM_ACL Category=0
access-list 118 permit ip any host 192.168.100.200
access-list 119 remark SDM_ACL Category=0
access-list 119 permit ip any host 192.168.100.200
no cdp run
!
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
--------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
--------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
i'm trying to set that up but i'm getting an error when i'm trying to setup the access list when i enter the permit commands
% Invalid input detected at '^' marker.
% Invalid input detected at '^' marker.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
i'll give that a shot but am able to connect to through the external interface as ports 5300 and 3282 are the apple remote desktop ports and i am able to connect to the server remotely.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
i just setup the port forwards from SDM, the entire configuration was done from SDM, so this is how SDM set it up.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
i found the solution to this i had to setup a DMZ subnet on the router for the server and GRE traffic worked no problem.
The issue could be the the user's router does not have PPTP passthrough for GRE (protocol 47). In the same way you have a Windows PPTP server, could you configure an L2TP+IPSEC and see whether the remote user is having the same issue.
Most routers have VPN passthrough for IPSEC,PPTP,L2TP, but windows PPTP uses GRE which is not passed through on some routers.