Solved

Unable to RDP or VPN after vendor changed router settings

Posted on 2008-10-18
Last Modified: 2012-06-21
I work with a small business that up until recently was able to VPN (TCP port 1723) into their system. I had originally configured their router to allow VPN and RDP (TCP port 3389) access. They recently got a new public IP address from a vendor and the router config was modified. Now neither VPN nor RDP connections from the Internet work. I've attached the router config (changing the public IP to 1.2.3.4 to protect the innocent). I'm a bit of a Cisco novice. Could someone point me in the right direction?
Current configuration : 2132 bytes
!
version 12.4
service config
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Company
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
ip name-server 24.120.224.2
ip name-server 24.120.224.3
!
username admin privilege 15 password 7 xxxxxxxxxxx
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 1.2.3.4 255.255.255.128
 ip nat outside
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 5.6.7.8 255.255.255.252
 ip nat outside
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.2.3.1
ip route 0.0.0.0 0.0.0.0 5.6.7.1 250
ip route 204.14.36.0 255.255.252.0 68.177.45.61
!
no ip http server
ip nat translation timeout 300
ip nat translation pptp-timeout 300
ip nat translation finrst-timeout 300
ip nat translation syn-timeout 300
ip nat translation dns-timeout 300
ip nat translation icmp-timeout 300
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source static tcp 192.168.1.2 3389 interface FastEthernet0/1 3389
ip nat inside source static tcp 192.168.1.2 1723 interface FastEthernet0/1 1723
ip nat inside source route-map isp1-nat interface FastEthernet0/1 overload
ip nat inside source route-map isp2-nat interface Serial0/0/0 overload
!
access-list 10 permit 24.120.0.0 0.0.255.255
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip host 204.14.37.4 any
access-list 100 permit udp any any eq 5060
route-map isp1-nat permit 10
 match ip address 100
 match interface FastEthernet0/1
!
route-map isp2-nat permit 10
 match ip address 100
 match interface Serial0/0/0
!
!
control-plane
!
!
line con 0
 privilege level 15
 login local
line aux 0
line vty 0 4
 access-class 10 in
 privilege level 15
 login local
!
scheduler max-task-time 5000
end

Question by:ChessKnight
6 Comments
 
LVL 1

Expert Comment

by:yeager23
ID: 22749226
What kind of router is it?  I don't see any VPN settings in that config.  Are you using Cisco Remote Access VPN?  Have you tried rerunning the VPN Wizard through the ASDM?  
 

Author Comment

by:ChessKnight
ID: 22749352
It's just a low-end Cisco router. An 850. The VPN takes place on a Windows 2003 Server but the router seems to be stopping 1723 traffic since I am unable to even telnet to the public IP using that port. But there is no actual VPN at the router itself. I should have clarified that.
 
LVL 15

Expert Comment

by:wingatesl
ID: 22749453
Can you post the output of
"show ip route"
please
 

Author Comment

by:ChessKnight
ID: 22749520
Here is the output of show ip route:


Gateway of last resort is 24.120.227.1 to network 0.0.0.0
 
     68.0.0.0/30 is subnetted, 1 subnets
C       68.177.45.60 is directly connected, Serial0/0/0
     24.0.0.0/25 is subnetted, 1 subnets
C       24.120.227.0 is directly connected, FastEthernet0/1
C    192.168.1.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 24.120.227.1
S    204.14.36.0/22 [1/0] via 68.177.45.61

 

Author Comment

by:ChessKnight
ID: 22749522
I've also attached the router config again without changing any IPs so as to not confuse the issue:

User Access Verification
 
Username: admin
Password:
Distinctive#en
Distinctive#sh
Distinctive#show run
Building configuration...
 
Current configuration : 2132 bytes
!
version 12.4
service config
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Distinctive
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
ip name-server 24.120.224.2
ip name-server 24.120.224.3
!
username admin privilege 15 password 7 10490C140C191B5A
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 24.120.227.26 255.255.255.128
 ip nat outside
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 68.177.45.62 255.255.255.252
 ip nat outside
!
ip classless
ip route 0.0.0.0 0.0.0.0 24.120.227.1
ip route 0.0.0.0 0.0.0.0 68.177.45.61 250
ip route 204.14.36.0 255.255.252.0 68.177.45.61
!
no ip http server
ip nat translation timeout 300
ip nat translation pptp-timeout 300
ip nat translation finrst-timeout 300
ip nat translation syn-timeout 300
ip nat translation dns-timeout 300
ip nat translation icmp-timeout 300
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source static tcp 192.168.1.2 3389 interface FastEthernet0/1 3389
ip nat inside source static tcp 192.168.1.2 1723 interface FastEthernet0/1 1723
ip nat inside source route-map isp1-nat interface FastEthernet0/1 overload
ip nat inside source route-map isp2-nat interface Serial0/0/0 overload
!
access-list 10 permit 24.120.0.0 0.0.255.255
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip host 204.14.37.4 any
access-list 100 permit udp any any eq 5060
route-map isp1-nat permit 10
 match ip address 100
 match interface FastEthernet0/1
!
route-map isp2-nat permit 10
 match ip address 100
 match interface Serial0/0/0
!
!
control-plane
!
!
line con 0
 privilege level 15
 login local
line aux 0
line vty 0 4
 access-class 10 in
 privilege level 15
 login local
!
scheduler max-task-time 5000
end

 

Accepted Solution

by:ChessKnight
ID: 22805941
I just got an email telling me to address this question. Anyone have any ideas?
Question has a verified solution.
