asked on
Outbound PPTP VPN connection through Cisco 2821
Hi Experts,
Apologies if this topic has been covered many times before, however I need input for my particular configuration.
I am setting up a replacement for our currently ADSL connection. We have a Cisco 2811 provided by the new ISP which comes preconfigured with no access to the device. Because we are prohibited from touching the configuration of this device, we are using a Cisco 2821 connected to the 2811 with cat5 (Interface gig0/1).
Below is the current router configuration so far, all seems well (can browse the web etc), but I notice we cannot establish VPN connections outbound, via PPTP. I can telnet to the VPN servers on 1723, but Windows times out at verifying username/password.
I guess this is something to do with GRE, but the config looks good to me, any ideas?
Apologies if this topic has been covered many times before, however I need input for my particular configuration.
I am setting up a replacement for our currently ADSL connection. We have a Cisco 2811 provided by the new ISP which comes preconfigured with no access to the device. Because we are prohibited from touching the configuration of this device, we are using a Cisco 2821 connected to the 2811 with cat5 (Interface gig0/1).
Below is the current router configuration so far, all seems well (can browse the web etc), but I notice we cannot establish VPN connections outbound, via PPTP. I can telnet to the VPN servers on 1723, but Windows times out at verifying username/password.
I guess this is something to do with GRE, but the config looks good to me, any ideas?
Building configuration...
Current configuration : 3701 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname C2800
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
!
dot11 syslog
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip cef
!
!
ip domain name syn.local
ip name-server 192.168.50.10
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall icmp
ip inspect name firewall pptp
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
no dspfarm
!
!
!
!
!
username xxxxxxxxxxxxxxxxxxxxxx
username xxxxxxxxxxxxxxxxxxxxxx
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxxxxxxxxxxxxxx address xxxxxxxxxxxxxxxxxxxxxx
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description ART
set peer xxxxxxxxxxxxxxxxxxxxxx
set transform-set ESP-3DES-SHA
match address 103
!
!
!
!
!
!
!
interface Tunnel1
description Link to ART
ip address 10.1.2.1 255.255.255.252
ip mtu 1472
keepalive 10 3
tunnel source GigabitEthernet0/1
tunnel destination xxxxxxxxxxxxxxxxxxxxxx
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
ip address 192.168.51.253 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0.2
encapsulation dot1Q 2
ip address 192.168.50.253 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/1
ip address 77.89.162.98 255.255.255.240
ip access-group 102 in
ip nat outside
ip inspect firewall in
ip inspect firewall out
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
ip route 10.0.0.0 255.255.255.0 10.1.2.2
ip route 192.168.1.0 255.255.255.0 192.168.50.254
ip route 192.168.48.0 255.255.240.0 192.168.50.254
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 pool synnatpool overload
ip nat inside source list 2 pool t2natpool overload
ip nat inside source route-map rmap_1 interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.50.14 77.89.162.104
!
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 2 permit 192.168.51.0 0.0.0.255
access-list 101 deny ip 192.168.50.0 0.0.0.255 192.168.52.0 0.0.0.255
access-list 101 deny ip 192.168.50.0 0.0.0.255 192.168.53.0 0.0.0.255
access-list 101 deny ip 192.168.50.0 0.0.0.255 192.168.54.0 0.0.0.255
access-list 101 deny ip 192.168.50.0 0.0.0.255 192.168.55.0 0.0.0.255
access-list 101 deny ip 192.168.50.0 0.0.0.255 192.168.56.0 0.0.0.255
access-list 101 deny ip 192.168.50.0 0.0.0.255 192.168.57.0 0.0.0.255
access-list 101 deny ip 192.168.50.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 101 deny ip 192.168.50.0 0.0.0.255 192.168.59.0 0.0.0.255
access-list 101 deny ip 192.168.50.0 0.0.0.255 192.168.246.0 0.0.0.255
access-list 101 permit ip 192.168.50.0 0.0.0.255 any
access-list 101 permit ip 192.168.51.0 0.0.0.255 any
access-list 102 permit tcp 207.126.144.0 0.0.15.255 any eq smtp
access-list 102 permit tcp any any established
access-list 102 permit gre any any
access-list 102 permit icmp any any
access-list 102 permit udp any any
access-list 103 permit ip 192.168.50.0 0.0.0.255 10.0.0.0 0.0.0.255
!
!
!
!
route-map rmap_1 permit 1
match ip address 101
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login local
transport input ssh
!
scheduler allocate 20000 1000
end
RoutersVPNInternet Protocol Security
Last Comment
Jamie_Brand
ASKER
Hi,
Yes I have tried this with the same result. Basically I am just looking for input as to whether there is something glaringly wrong with the configuration which would stop GRE, or if it could be something on the ISP configured 2811, to which I have no access.
I am going to try configuring a laptop with a public IP and connect it directly to the 2811 and see if I can get the same problem.
Yes I have tried this with the same result. Basically I am just looking for input as to whether there is something glaringly wrong with the configuration which would stop GRE, or if it could be something on the ISP configured 2811, to which I have no access.
I am going to try configuring a laptop with a public IP and connect it directly to the 2811 and see if I can get the same problem.
ya that's a good step ...
since your configuration seems ok ..
since your configuration seems ok ..
Your help has saved me hundreds of hours of internet surfing.
fblack61
ASKER
Tried connecting a laptop directly to the ISP device with a public IP, and I can establish VPN fine.
I'll continue troubleshooting, any advice would be welcome.
I'll continue troubleshooting, any advice would be welcome.
It appears that I have run into the same problem.
Were you ever able to solve this issue?
Were you ever able to solve this issue?
ASKER CERTIFIED SOLUTION
Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
did you try to remove the IP inspect and ACL 102,, then try
interface GigabitEthernet0/1
no ip access-group 102 in
no ip inspect firewall in
no ip inspect firewall out