chawness asked:
Cisco 2800 Router bonded T1's and VPN questions
I just recently switched to a new ISP and a new Cisco 2800 router. Everything is working now except for my VPN. When my users try to connect, it gets to the "Verifying username and password" and stops. It errors out with 721. I'm using Wireshark on the VPN server and can see communication with the client. I can also see the clients being allowed through my firewall.
How can I be sure the router is allowing VPN communication to pass in and out? Here is my current router config:
User Access Verification
Username: f*********t
Password:
G****************g#show run
Building configuration...
Current configuration : 4099 bytes
!
version 12.4
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname G***************g
!
boot-start-marker
boot-end-marker
!
card type t1 0 1
card type t1 0 2
logging buffered 51200 warnings
enable secret 5 $1**************************1
!
no aaa new-model
network-clock-participate wic 1
network-clock-participate wic 2
ip cef
!
!
!
!
no ip domain lookup
ip domain name G************y.local
multilink bundle-name authenticated
!
!
!
username fi*****t privilege 15 secret 5 $***********************************r.
archive
log config
hidekeys
!
!
controller T1 0/1/0
framing esf
linecode b8zs
cablelength long 0db
channel-group 1 timeslots 1-24
!
controller T1 0/2/0
framing esf
linecode b8zs
cablelength long 0db
channel-group 1 timeslots 1-24
!
!
!
!
interface Multilink1
ip address 216.30.193.98 255.255.255.252
ip access-group 104 in
ip nat outside
ip virtual-reassembly
ppp multilink
ppp multilink group 1
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
ip address 64.181.96.241 255.255.255.248
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1/0:1
description Link 1 to WAN
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 1
!
interface Serial0/2/0:1
description Link 2 to WAN
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 216.30.193.97
!
!
no ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 100 interface Multilink1 overload
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 104 permit tcp any any established
access-list 104 remark auto generated by SDM firewall configuration##NO_ACES_15##
access-list 104 remark SDM_ACL Category=1
access-list 104 deny ip 10.1.10.0 0.0.0.3 any
access-list 104 deny ip 192.168.10.0 0.0.0.255 any
access-list 104 deny ip 10.1.1.0 0.0.0.255 any
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit udp host 66.109.175.210 eq domain any
access-list 104 permit udp host 216.30.255.3 eq domain any
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 permit tcp any any eq telnet
access-list 104 permit tcp any any eq www
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny tcp any eq 5060 any eq 5060
access-list 104 deny udp any eq 5060 any eq 5060
access-list 104 deny tcp any eq 5061 any eq 5061
access-list 104 deny udp any eq 5061 any eq 5061
access-list 104 deny tcp any eq 2427 any eq 2427
access-list 104 deny udp any eq 2427 any eq 2427
access-list 104 deny tcp any eq 2517 any eq 2517
access-list 104 deny udp any eq 2517 any eq 2517
access-list 104 deny tcp any eq 1718 any eq 1718
access-list 104 deny udp any eq 1718 any eq 1718
access-list 104 deny tcp any eq 1719 any eq 1719
access-list 104 deny udp any eq 1719 any eq 1719
access-list 104 deny tcp any eq 1720 any eq 1720
access-list 104 deny udp any eq 1720 any eq 1720
access-list 104 permit ip any any
!
!
control-plane
!
disable-eadi
!
line con 0
login local
line aux 0
line vty 0 4
exec-timeout 30 0
privilege level 15
login local
transport input telnet
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet
!
scheduler allocate 20000 1000
end
G************g#
The router config is fine. This is PPTP VPN, right? If so, make sure you have a static 1 to 1 NAT for the RAS server on the Firewall (dedicate a public IP to the RAS server) and make sure to allow PPTP and GRE or make sure PPTP passthrough is enabled on the Firewall.
ASKER
Yes. It all worked with the old ISP and I updated the firewall accordingly with the new ip addresses. I used wireshark on the client and it stops with "PPP LCP Configuration Request", the server never answers back and the client ends the call. I know this may be a question for another section of this site.
Yeah, well, the router configuration is fine as it is simply routing the traffic and not doing NAT. The problem most likely resides with the Firewall or RAS server itself. The RAS server has the Firewall as its default gateway?
ASKER
Yes, that's correct. I noticed someone else had these lines in their access list:
access-list 130 permit icmp any any
access-list 130 permit gre any any
access-list 130 permit tcp any any eq 1723
Do I need it?
Nope, because you have this at the end of your list which permits everything not specifically denied.
access-list 104 permit ip any any
GRE is not a TCP or UDP protocol so you can't "port forward" GRE to the RAS server which is why I asked if you had a dedicated public IP address for the RAS server.
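As an added example (not code from the thread, the asker's router, or Cisco), a small Python first-match evaluator for the posted access-list 104 shows concretely why the three `access-list 130` lines are not needed here: a remote client's TCP/1723 control connection and its GRE data channel (IP protocol 47) fall through every tcp/udp/icmp ACE and every RFC 1918 deny to the final `permit ip any any`, and both land on the implicit deny as soon as that line is removed. Two values are assumptions, since the thread gives neither: the RAS server's public address 64.181.96.242 (somewhere inside the 64.181.96.240/29 LAN block) and a constructed client address 198.51.100.7.

```python
"""First-match evaluator for the posted access-list 104 (added example, not code from the thread).
Replays one inbound PPTP attempt, the TCP/1723 control connection plus its GRE data channel
(IP protocol 47), against the ACL applied inbound on Multilink1."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "telnet": 23, "www": 80}
PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1, "gre": 47}  # 'ip' matches every protocol
RAS_PUBLIC_IP = "64.181.96.242"  # ASSUMED: the thread never gives the RAS server's public address
CLIENT_IP = "198.51.100.7"       # constructed remote PPTP client (RFC 5737 documentation range)

# ACEs of access-list 104 as posted, minus the 'access-list 104' prefix and the remark lines.
# The voice-signalling deny pairs repeat one pattern, so they are generated rather than typed.
VOICE_PORTS = (5060, 5061, 2427, 2517, 1718, 1719, 1720)
ACL_104 = (
    """\
permit tcp any any established
deny ip 10.1.10.0 0.0.0.3 any
deny ip 192.168.10.0 0.0.0.255 any
deny ip 10.1.1.0 0.0.0.255 any
permit udp any eq bootps any eq bootpc
permit udp host 66.109.175.210 eq domain any
permit udp host 216.30.255.3 eq domain any
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
permit tcp any any eq telnet
permit tcp any any eq www
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
"""
    + "".join(f"deny {l4} any eq {p} any eq {p}\n" for p in VOICE_PORTS for l4 in ("tcp", "udp"))
    + "permit ip any any\n"
)

@dataclass
class Packet:
    proto: int  # IP protocol number
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False  # TCP segment with ACK or RST set
    icmp_type: str = ""  # e.g. 'echo-reply'

def _addr(t, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i]; return (network, wildcard, next index)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return int(ipaddress.IPv4Address(t[i + 1])), 0, i + 2
    return int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1])), i + 2

def _port(t, i):
    """Parse an optional 'eq PORT' at t[i]; return (port or None, next index)."""
    if i < len(t) and t[i] == "eq":
        return PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return None, i

def parse_ace(line):
    t = line.split()
    src, swild, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, dwild, i = _addr(t, i)
    dport, i = _port(t, i)
    return dict(action=t[0], proto=t[1], src=src, swild=swild, sport=sport, dst=dst,
                dwild=dwild, dport=dport, tail=t[i:])  # tail: 'established' or an ICMP type

def _in(addr, net, wild):  # Cisco wildcard: a 1 bit means 'don't care'
    return ((int(ipaddress.IPv4Address(addr)) ^ net) & (~wild & 0xFFFFFFFF)) == 0

def matches(ace, pkt):
    if ace["proto"] != "ip" and PROTO_NUM[ace["proto"]] != pkt.proto:
        return False
    if not (_in(pkt.src, ace["src"], ace["swild"]) and _in(pkt.dst, ace["dst"], ace["dwild"])):
        return False
    if ace["sport"] not in (None, pkt.sport) or ace["dport"] not in (None, pkt.dport):
        return False
    if "established" in ace["tail"] and not pkt.established:
        return False
    return not (ace["proto"] == "icmp" and ace["tail"] and ace["tail"][0] != pkt.icmp_type)

def evaluate(acl_text, pkt):
    """Cisco semantics: the first matching ACE wins; anything unmatched hits the implicit deny."""
    for line in acl_text.splitlines():
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace["action"], line
    return "deny", "<implicit deny ip any any>"

def pptp_verdicts(final_permit=True):
    """Verdicts for the PPTP control connection and GRE; final_permit=False drops the last ACE."""
    acl = ACL_104 if final_permit else ACL_104.replace("permit ip any any\n", "")
    control = Packet(proto=6, src=CLIENT_IP, dst=RAS_PUBLIC_IP, sport=49152, dport=1723)
    gre = Packet(proto=47, src=CLIENT_IP, dst=RAS_PUBLIC_IP)
    return {"pptp-control": evaluate(acl, control)[0], "gre": evaluate(acl, gre)[0]}
```

`pptp_verdicts()` returns `permit` for both packets against the list as posted and `deny` for both once `permit ip any any` is gone, which is exactly the case in which the other poster's `permit gre any any` and `permit tcp any any eq 1723` lines earn their place. `evaluate()` also returns the ACE that decided, so a spoofed 10.x source shows up as stopped by `deny ip 10.0.0.0 0.255.255.255 any` rather than by a generic refusal. The parser understands only the keywords this particular list uses (`any`, `host`, wildcard masks, `eq`, `established`, ICMP type names); it is not a general IOS ACL parser. It also says nothing about NAT, which is the other half of the reply above: GRE carries no port number, so only a static one-to-one translation to the RAS server can deliver it, and no ACL check substitutes for verifying that translation.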
ASKER
Yes I have a dedicated public ip for the server.
And you are allowing both PPTP and GRE through the Firewall?
Sure, no problem. Glad to assist.