Apologies if this topic has been covered many times before; however, I need input for my particular configuration.
I am setting up a replacement for our current ADSL connection. We have a Cisco 2811 provided by the new ISP, which comes preconfigured with no access to the device. Because we are prohibited from touching the configuration of this device, we are using a Cisco 2821 connected to the 2811 with Cat5 (interface Gig0/1).
Below is the current router configuration so far. All seems well (can browse the web, etc.), but I notice we cannot establish VPN connections outbound via PPTP. I can telnet to the VPN servers on 1723, but Windows times out at verifying username/password.
I guess this is something to do with GRE, but the config looks good to me. Any ideas?
Building configuration...

Current configuration : 3701 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname C2800
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
!
dot11 syslog
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip cef
!
!
ip domain name syn.local
ip name-server 192.168.50.10
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall icmp
ip inspect name firewall pptp
no ipv6 cef
!
multilink bundle-name authenticated
!
!
voice-card 0
 no dspfarm
!
!
username xxxxxxxxxxxxxxxxxxxxxx
username xxxxxxxxxxxxxxxxxxxxxx
archive
 log config
  hidekeys
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxxxxxxxxxxxxxx address xxxxxxxxxxxxxxxxxxxxxx
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description ART
 set peer xxxxxxxxxxxxxxxxxxxxxx
 set transform-set ESP-3DES-SHA
 match address 103
!
!
interface Tunnel1
 description Link to ART
 ip address 10.1.2.1 255.255.255.252
 ip mtu 1472
 keepalive 10 3
 tunnel source GigabitEthernet0/1
 tunnel destination xxxxxxxxxxxxxxxxxxxxxx
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.51.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.50.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/1
 ip address 77.89.162.98 255.255.255.240
 ip access-group 102 in
 ip nat outside
 ip inspect firewall in
 ip inspect firewall out
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
ip route 10.0.0.0 255.255.255.0 10.1.2.2
ip route 192.168.1.0 255.255.255.0 192.168.50.254
ip route 192.168.48.0 255.255.240.0 192.168.50.254
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 pool synnatpool overload
ip nat inside source list 2 pool t2natpool overload
ip nat inside source route-map rmap_1 interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.50.14 77.89.162.104
!
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 2 permit 192.168.51.0 0.0.0.255
access-list 101 deny ip 192.168.50.0 0.0.0.255 192.168.52.0 0.0.0.255
access-list 101 deny ip 192.168.50.0 0.0.0.255 192.168.53.0 0.0.0.255
access-list 101 deny ip 192.168.50.0 0.0.0.255 192.168.54.0 0.0.0.255
access-list 101 deny ip 192.168.50.0 0.0.0.255 192.168.55.0 0.0.0.255
access-list 101 deny ip 192.168.50.0 0.0.0.255 192.168.56.0 0.0.0.255
access-list 101 deny ip 192.168.50.0 0.0.0.255 192.168.57.0 0.0.0.255
access-list 101 deny ip 192.168.50.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 101 deny ip 192.168.50.0 0.0.0.255 192.168.59.0 0.0.0.255
access-list 101 deny ip 192.168.50.0 0.0.0.255 192.168.246.0 0.0.0.255
access-list 101 permit ip 192.168.50.0 0.0.0.255 any
access-list 101 permit ip 192.168.51.0 0.0.0.255 any
access-list 102 permit tcp 207.126.144.0 0.0.15.255 any eq smtp
access-list 102 permit tcp any any established
access-list 102 permit gre any any
access-list 102 permit icmp any any
access-list 102 permit udp any any
access-list 103 permit ip 192.168.50.0 0.0.0.255 10.0.0.0 0.0.0.255
!
!
route-map rmap_1 permit 1
 match ip address 101
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login local
 transport input ssh
!
scheduler allocate 20000 1000
end
Did you try to remove the IP inspect and ACL 102? Then try:
interface GigabitEthernet0/1
no ip access-group 102 in
no ip inspect firewall in
no ip inspect firewall out
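A first-match walk of access-list 102 from the posted configuration, as an added example that is not part of the original thread, showing which line decides the fate of inbound GRE and PPTP control traffic on GigabitEthernet0/1. It models only the interface ACL (not CBAC inspection or NAT), and the peer address 203.0.113.10 is a constructed value.

```python
import ipaddress

# access-list 102 exactly as posted in the question's configuration.
ACL_102 = """\
access-list 102 permit tcp 207.126.144.0 0.0.15.255 any eq smtp
access-list 102 permit tcp any any established
access-list 102 permit gre any any
access-list 102 permit icmp any any
access-list 102 permit udp any any
"""
PORTS = {"smtp": 25}  # the only named port this ACL uses

def _addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse(acl_text):
    rules = []
    for line in acl_text.splitlines():
        t = line.split()[2:]  # drop 'access-list <number>'
        rule = {"line": line, "action": t.pop(0), "proto": t.pop(0)}
        rule["src"], rule["dst"] = _addr(t), _addr(t)
        rule["dport"] = int(PORTS.get(t[1], t[1])) if t[:1] == ["eq"] else None
        rule["established"] = "established" in t  # matches TCP ACK or RST
        rules.append(rule)
    return rules

def _hit(addr, spec):
    base, wild = spec  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(addr)) | wild) == (base | wild)

def first_match(rules, proto, src, dst, dport=None, ack_or_rst=False):
    """Return (action, line) of the first matching entry, else implicit deny."""
    for r in rules:
        if (r["proto"] in ("ip", proto)
                and _hit(src, r["src"]) and _hit(dst, r["dst"])
                and r["dport"] in (None, dport)
                and (ack_or_rst or not r["established"])):
            return r["action"], r["line"]
    return "deny", "(implicit deny at end of list)"

if __name__ == "__main__":
    # 203.0.113.10 is a constructed PPTP server address, not from the thread.
    print(first_match(parse(ACL_102), "gre", "203.0.113.10", "77.89.162.98"))
```

The same walk shows that `permit udp any any` and `permit icmp any any` admit all inbound UDP and ICMP on the outside interface, which is worth tightening once the PPTP problem is isolated.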
Jamie_Brand
ASKER
Hi,
Yes, I have tried this with the same result. Basically I am just looking for input as to whether there is something glaringly wrong with the configuration which would stop GRE, or if it could be something on the ISP-configured 2811, to which I have no access.
I am going to try configuring a laptop with a public IP and connect it directly to the 2811 and see if I can get the same problem.
memo_tnt
Ya, that's a good step, since your configuration seems OK.
Jamie_Brand
ASKER
Tried connecting a laptop directly to the ISP device with a public IP, and I can establish VPN fine.
I'll continue troubleshooting, any advice would be welcome.