Outbound PPTP VPN connection through Cisco 2821

Jamie_Brand asked on
Routers, VPN, Internet Protocol Security
6 Comments, 1 Solution, 1007 Views

Hi Experts,

Apologies if this topic has been covered many times before, however I need input for my particular configuration.

I am setting up a replacement for our current ADSL connection. We have a Cisco 2811 provided by the new ISP which comes preconfigured with no access to the device. Because we are prohibited from touching the configuration of this device, we are using a Cisco 2821 connected to the 2811 with cat5 (Interface gig0/1).

Below is the current router configuration so far. All seems well (can browse the web etc.), but I notice we cannot establish VPN connections outbound, via PPTP. I can telnet to the VPN servers on 1723, but Windows times out at verifying username/password.

I guess this is something to do with GRE, but the config looks good to me. Any ideas?

Building configuration...

Current configuration : 3701 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname C2800
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
!
dot11 syslog
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip cef
!
!
ip domain name syn.local
ip name-server 192.168.50.10
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall icmp
ip inspect name firewall pptp
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
username xxxxxxxxxxxxxxxxxxxxxx
username xxxxxxxxxxxxxxxxxxxxxx
archive
 log config
  hidekeys
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxxxxxxxxxxxxxx address xxxxxxxxxxxxxxxxxxxxxx
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description ART
 set peer xxxxxxxxxxxxxxxxxxxxxx
 set transform-set ESP-3DES-SHA 
 match address 103
!
!
!
!
!
!
!
interface Tunnel1
 description Link to ART
 ip address 10.1.2.1 255.255.255.252
 ip mtu 1472
 keepalive 10 3
 tunnel source GigabitEthernet0/1
 tunnel destination xxxxxxxxxxxxxxxxxxxxxx
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.51.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.50.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/1
 ip address 77.89.162.98 255.255.255.240
 ip access-group 102 in
 ip nat outside
 ip inspect firewall in
 ip inspect firewall out
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
ip route 10.0.0.0 255.255.255.0 10.1.2.2
ip route 192.168.1.0 255.255.255.0 192.168.50.254
ip route 192.168.48.0 255.255.240.0 192.168.50.254
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 pool synnatpool overload
ip nat inside source list 2 pool t2natpool overload
ip nat inside source route-map rmap_1 interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.50.14 77.89.162.104
!
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 2 permit 192.168.51.0 0.0.0.255
access-list 101 deny   ip 192.168.50.0 0.0.0.255 192.168.52.0 0.0.0.255
access-list 101 deny   ip 192.168.50.0 0.0.0.255 192.168.53.0 0.0.0.255
access-list 101 deny   ip 192.168.50.0 0.0.0.255 192.168.54.0 0.0.0.255
access-list 101 deny   ip 192.168.50.0 0.0.0.255 192.168.55.0 0.0.0.255
access-list 101 deny   ip 192.168.50.0 0.0.0.255 192.168.56.0 0.0.0.255
access-list 101 deny   ip 192.168.50.0 0.0.0.255 192.168.57.0 0.0.0.255
access-list 101 deny   ip 192.168.50.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 101 deny   ip 192.168.50.0 0.0.0.255 192.168.59.0 0.0.0.255
access-list 101 deny   ip 192.168.50.0 0.0.0.255 192.168.246.0 0.0.0.255
access-list 101 permit ip 192.168.50.0 0.0.0.255 any
access-list 101 permit ip 192.168.51.0 0.0.0.255 any
access-list 102 permit tcp 207.126.144.0 0.0.15.255 any eq smtp
access-list 102 permit tcp any any established
access-list 102 permit gre any any
access-list 102 permit icmp any any
access-list 102 permit udp any any
access-list 103 permit ip 192.168.50.0 0.0.0.255 10.0.0.0 0.0.0.255
!
!
!
!
route-map rmap_1 permit 1
 match ip address 101
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login local
 transport input ssh
!
scheduler allocate 20000 1000
end
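
PPTP uses a TCP 1723 control channel plus a GRE (IP protocol 47) data channel, so the settings that govern it in this configuration are the inbound ACL, the inspection rule and the NAT overload rules. The Python below is an added example, not part of the original post: it parses an excerpt of the configuration above (copied inline as constructed input) and summarises those settings for each NAT-outside interface; the function name `pptp_facts` and the report keys are illustrative.

```python
import re

# Constructed input: PPTP-relevant lines copied from the configuration above.
CONFIG = """\
ip inspect name firewall tcp
ip inspect name firewall pptp
interface GigabitEthernet0/0.2
 ip nat inside
interface GigabitEthernet0/1
 ip access-group 102 in
 ip nat outside
 ip inspect firewall in
 ip inspect firewall out
ip nat inside source list 1 pool synnatpool overload
ip nat inside source list 2 pool t2natpool overload
access-list 102 permit tcp any any established
access-list 102 permit gre any any
"""

def pptp_facts(config):
    """Summarise, per NAT-outside interface, what governs TCP 1723 and GRE."""
    inspect, acl_protos, ifaces, pat = {}, {}, {}, []
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            current = None                      # left any interface stanza
        if m := re.match(r"interface (\S+)", line):
            current = ifaces.setdefault(m[1], {"acl_in": None, "inspect": {}, "nat": None})
        elif m := re.match(r"ip inspect name (\S+) (\S+)", line):
            inspect.setdefault(m[1], set()).add(m[2])    # protocols per rule name
        elif m := re.match(r"access-list (\d+) permit (\S+)", line):
            acl_protos.setdefault(m[1], set()).add(m[2])
        elif m := re.match(r"ip nat inside source list (\S+) .*\boverload$", line):
            pat.append(m[1])                    # PAT: GRE has no ports to translate
        elif current is not None:
            if m := re.match(r"ip access-group (\S+) in", line):
                current["acl_in"] = m[1]
            elif m := re.match(r"ip inspect (\S+) (in|out)", line):
                current["inspect"][m[2]] = m[1]
            elif m := re.match(r"ip nat (inside|outside)", line):
                current["nat"] = m[1]
    return {name: {
        "inbound_acl_permits_gre": "gre" in acl_protos.get(i["acl_in"], set()),
        "pptp_inspected": {d: "pptp" in inspect.get(r, set()) for d, r in i["inspect"].items()},
        "pat_source_lists": pat,
    } for name, i in ifaces.items() if i["nat"] == "outside"}
```

The report states what is configured and leaves the interpretation to the reader, for example whether inspection applied in both directions on the outside interface is intended.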
ASKER CERTIFIED SOLUTION
Jamie_Brand
