Cisco 2800 Router bonded T1's and VPN questions

I just recently switched to a new ISP and a new Cisco 2800 router. Everything is working now except for my VPN. When my users try to connect, it gets to the "Verifying username and password" and stops. It errors out with 721. I'm using Wireshark on the VPN server and can see communication with the client. I can also see the clients being allowed through my firewall.

How can I be sure the router is allowing VPN communication to pass in and out? Here is my current router config:



User Access Verification

Username: f*********t
Password:
G****************g#show run
Building configuration...

Current configuration : 4099 bytes
!
version 12.4
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname G***************g
!
boot-start-marker
boot-end-marker
!
card type t1 0 1
card type t1 0 2
logging buffered 51200 warnings
enable secret 5 $1**************************1
!
no aaa new-model
network-clock-participate wic 1
network-clock-participate wic 2
ip cef
!
!
!
!
no ip domain lookup
ip domain name G************y.local
multilink bundle-name authenticated
!
!
!
username fi*****t privilege 15 secret 5 $***********************************r.

archive
 log config
  hidekeys
!
!
controller T1 0/1/0
 framing esf
 linecode b8zs
 cablelength long 0db
 channel-group 1 timeslots 1-24
!
controller T1 0/2/0
 framing esf
 linecode b8zs
 cablelength long 0db
 channel-group 1 timeslots 1-24
!
!
!
!
interface Multilink1
 ip address 216.30.193.98 255.255.255.252
 ip access-group 104 in
 ip nat outside
 ip virtual-reassembly
 ppp multilink
 ppp multilink group 1
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 64.181.96.241 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1/0:1
 description Link 1 to WAN
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
!
interface Serial0/2/0:1
 description Link 2 to WAN
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 216.30.193.97
!
!
no ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 100 interface Multilink1 overload
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 104 permit tcp any any established
access-list 104 remark auto generated by SDM firewall configuration##NO_ACES_15##
access-list 104 remark SDM_ACL Category=1
access-list 104 deny   ip 10.1.10.0 0.0.0.3 any
access-list 104 deny   ip 192.168.10.0 0.0.0.255 any
access-list 104 deny   ip 10.1.1.0 0.0.0.255 any
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit udp host 66.109.175.210 eq domain any
access-list 104 permit udp host 216.30.255.3 eq domain any
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 permit tcp any any eq telnet
access-list 104 permit tcp any any eq www
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   tcp any eq 5060 any eq 5060
access-list 104 deny   udp any eq 5060 any eq 5060
access-list 104 deny   tcp any eq 5061 any eq 5061
access-list 104 deny   udp any eq 5061 any eq 5061
access-list 104 deny   tcp any eq 2427 any eq 2427
access-list 104 deny   udp any eq 2427 any eq 2427
access-list 104 deny   tcp any eq 2517 any eq 2517
access-list 104 deny   udp any eq 2517 any eq 2517
access-list 104 deny   tcp any eq 1718 any eq 1718
access-list 104 deny   udp any eq 1718 any eq 1718
access-list 104 deny   tcp any eq 1719 any eq 1719
access-list 104 deny   udp any eq 1719 any eq 1719
access-list 104 deny   tcp any eq 1720 any eq 1720
access-list 104 deny   udp any eq 1720 any eq 1720
access-list 104 permit ip any any
!
!
control-plane
!
disable-eadi
!
line con 0
 login local
line aux 0
line vty 0 4
 exec-timeout 30 0
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
end

G************g#
LVL 1
chawnessAsked:
Who is Participating?
 
chawnessAuthor Commented:
Yes. I just found the solution on another EE post (ID: 22684398).

By: dpk_wal:

"This is the problem, you should not have an IP address listed under aliases and added as 1-1 NAT both at the same time. Remove alias from network configuration and this would resolve current spoofing problem. I had specifically mentioned this earlier post ID: 19452790."

I removed the alias for the servers public ip from my firewall config and it worked again.

Thanks for verifying the router settings.
0
 
JFrederick29Commented:
The router config is fine.  This is PPTP VPN, right?  If so, make sure you have a static 1 to 1 NAT for the RAS server on the Firewall (dedicate a public IP to the RAS server) and make sure to allow PPTP and GRE or make sure PPTP passthrough is enabled on the Firewall.
0
 
chawnessAuthor Commented:
Yes. It all worked with the old ISP and I updated the firewall accordingly with the new ip addresses. I used wireshark on the client and it stops with "PPP LCP Configuration Request", the server never answers back and the client ends the call. I know this may be a question for another section of this site.
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

 
JFrederick29Commented:
Yeah, well, the router configuration is fine as it is simply routing the traffic and not doing NAT.  The problem most likely resides with the Firewall or RAS server itself.  The RAS server has the Firewall as it's default gateway?
0
 
chawnessAuthor Commented:
Yes that's correct. I noticed someone else had these lines in there access list:

access-list 130 permit icmp any any
access-list 130 permit gre any any
access-list 130 permit tcp any any eq 1723

Do I need it?
0
 
JFrederick29Commented:
Nope, because you have this at the end of your list which permits everything not specifically denied.

access-list 104 permit ip any any
0
 
JFrederick29Commented:
GRE is not a TCP or UDP protocol so you can't "port forward" GRE to the RAS server which is why I asked if you had a dedicated public IP address for the RAS server.
0
 
chawnessAuthor Commented:
Yes I have a dedicated public ip for the server.
0
 
JFrederick29Commented:
And you are allowing both PPTP and GRE through the Firewall?
0
 
JFrederick29Commented:
Sure, no problem.  Glad to assist.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.