07-03-2008 04:54 PM - edited 03-03-2019 10:35 PM
Hi
I have a problem where I need to allow a VPN connection on port 1723 on a Cisco 800 series ADSL router.
I have put in an ACL to permit TCP on port 1723.
The statement looks like this:
permit tcp host 202.x.x.124 any eq 1723
permit tcp any host 202.x.x.124 eq 1723
However, this does not solve the problem. I can ping and trace to the above IP fine, but cannot connect using my VPN.
The rest of the router's ACLs look like this:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 30 10
crypto isakmp nat keepalive 30
!
crypto isakmp client configuration group remoteuser
key R0bertsR3eves
dns 192.168.0.1
domain davidrookelaw.co.nz
pool clientPOOL
acl acl-SplitTunnel1
!
!
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
!
crypto dynamic-map outsidemap_dyn 10
set transform-set 3DES-MD5
!
!
crypto map outsidemap client authentication list vpn-radius
crypto map outsidemap isakmp authorization list groupauthor
crypto map outsidemap client configuration address respond
crypto map outsidemap 65535 ipsec-isakmp dynamic outsidemap_dyn
!
!
ip access-list extended acl-SplitTunnel1
permit ip 192.168.0.0 0.0.0.255 any
access-list 100 deny ip 192.168.0.0 0.0.0.255 172.22.100.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 110 remark VPN
access-list 110 permit esp any any
access-list 110 permit udp any any eq isakmp
access-list 110 permit udp any any eq non500-isakmp
access-list 110 remark VPN
access-list 110 remark Anti-Spoofing
access-list 110 remark Allow NTP
access-list 110 remark Allow services
access-list 110 remark Allow some ICMP
access-list 110 remark Allow Maclean
access-list 110 permit ip 172.22.100.0 0.0.0.255 any
access-list 110 permit udp host 202.27.184.3 eq domain any
access-list 110 remark Anti-Spoofing
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 224.0.0.0 15.255.255.255 any
access-list 110 deny icmp any any redirect
access-list 110 deny ip host 0.0.0.0 any
access-list 110 deny ip any host 255.255.255.255
access-list 110 remark Allow NTP
access-list 110 permit udp host 131.203.16.6 any eq ntp
access-list 110 remark Allow services
access-list 110 permit tcp any any eq smtp
access-list 110 remark Allow some ICMP
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any packet-too-big
access-list 110 permit icmp any any time-exceeded
access-list 110 permit icmp any any traceroute
access-list 110 permit icmp any any administratively-prohibited
access-list 110 remark Allow Maclean
access-list 110 permit ip host 210.54.118.202 any
access-list 110 permit ip host 202.180.113.9 any
access-list 110 deny ip any any log
access-list 120 remark Anti-Worm
access-list 120 deny tcp any any eq 445 log
access-list 120 remark Anti-Worm
access-list 120 deny tcp any any eq 135 log
access-list 120 permit tcp host 192.168.0.10 any eq smtp
access-list 120 deny tcp any any eq smtp log
access-list 120 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
!
Thanks
willemvw
07-03-2008 06:18 PM
Have you run a tcpdump from the source to the Cisco 800? What else is in your environment?
1. Run a telnet session to the Cisco 800 from the workstation
2. Then run a capture on the packets
Ex:
1. Create an ACL
2. Run tcpdump with the ACL name
Ex: tcpdump testcap
07-04-2008 06:27 AM
It's not clear from where to where you need to permit PPTP.
But in any case, PPTP uses GRE.
So you have to permit GRE also.
permit gre host 202.x.x.124 any
permit gre any host 202.x.x.124
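The point of the reply above is that a PPTP session is two flows, not one: the TCP/1723 control channel and the GRE tunnel (IP protocol 47) that carries the PPP frames, and both have to get past the ACL in the direction it is applied. The script below is an added example, not code from the thread or from Cisco: a minimal first-match evaluator for IOS numbered extended ACLs, run over a condensed copy of access-list 110 from the post. It shows that the original ACL drops both PPTP flows at the final "deny ip any any log", that simply typing two new permits into a numbered ACL appends them after that deny (so they never match), and that the permits only work when they sit ahead of the deny. The masked 202.x.x.124 address is stood in for by 202.0.2.124 and the remote PPTP client by 198.51.100.7; both are assumptions made for this example, and the ACL lines are a constructed subset of the posted one.

```python
"""
Constructed example (not from the thread): a minimal matcher for Cisco IOS
numbered extended ACLs, used to check whether access-list 110 from the post
lets a PPTP session through. PPTP needs two inbound flows to the server:
the TCP/1723 control channel and GRE (IP protocol 47) for the tunnel data.
Assumptions: 202.0.2.124 stands in for the masked 202.x.x.124, and
198.51.100.7 is a made-up remote PPTP client.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "smtp": 25,
              "domain": 53, "ntp": 123, "pptp": 1723}


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp", "gre", "icmp", "esp"
    src: str
    dst: str
    dport: Optional[int] = None   # destination port, tcp/udp only


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    dport: Optional[int]
    text: str


def _parse_addr(tokens, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard mask -> netmask (bitwise complement); only contiguous masks are handled
    netmask = (~int(ipaddress.ip_address(tokens[i + 1]))) & 0xFFFFFFFF
    net = ipaddress.ip_network((tokens[i], str(ipaddress.ip_address(netmask))), strict=False)
    return net, i + 2


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] ...'; None for remarks."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] == "remark":
        return None
    action, proto = tokens[2], tokens[3]
    src, i = _parse_addr(tokens, 4)
    if i < len(tokens) and tokens[i] == "eq":      # source-port qualifier, not matched here
        i += 2
    dst, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
    # trailing ICMP type names and 'log' are ignored by this simplified matcher
    return Ace(action, proto, src, dst, dport, line)


def match(ace, pkt):
    """One ACE against one packet: protocol ('ip' matches all), source, destination, dst port."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src_net:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst_net:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl_lines, pkt):
    """IOS first-match semantics, with the implicit 'deny ip any any' at the end."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace is not None and match(ace, pkt):
            return ace.action, ace.text
    return "deny", "(implicit deny ip any any)"


# Condensed subset of access-list 110 from the post, in its original order
ACL_110_ORIGINAL = [
    "access-list 110 remark VPN",
    "access-list 110 permit esp any any",
    "access-list 110 permit udp any any eq isakmp",
    "access-list 110 permit udp any any eq non500-isakmp",
    "access-list 110 permit ip 172.22.100.0 0.0.0.255 any",
    "access-list 110 permit udp host 202.27.184.3 eq domain any",
    "access-list 110 remark Anti-Spoofing",
    "access-list 110 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 110 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 110 deny ip 172.16.0.0 0.15.255.255 any",
    "access-list 110 permit tcp any any eq smtp",
    "access-list 110 permit icmp any any echo-reply",
    "access-list 110 deny ip any any log",
]

SERVER = "202.0.2.124"       # stands in for the masked 202.x.x.124 (assumption)
CLIENT = "198.51.100.7"      # constructed remote PPTP client address

PPTP_FIX = [
    f"access-list 110 permit tcp any host {SERVER} eq 1723",   # control channel
    f"access-list 110 permit gre any host {SERVER}",           # tunnel data (IP proto 47)
]


def pptp_flows():
    """The two inbound flows a PPTP server must accept from a remote client."""
    return [Packet("tcp", CLIENT, SERVER, 1723), Packet("gre", CLIENT, SERVER)]


def pptp_allowed(acl_lines):
    """True only if every PPTP flow hits a permit entry."""
    return all(evaluate(acl_lines, p)[0] == "permit" for p in pptp_flows())


def fixed_acl_correct():
    """Permits inserted ahead of the final 'deny ip any any log'."""
    return ACL_110_ORIGINAL[:-1] + PPTP_FIX + ACL_110_ORIGINAL[-1:]


def fixed_acl_appended():
    """What typing the two lines into a numbered ACL gives you: appended after the deny."""
    return ACL_110_ORIGINAL + PPTP_FIX


if __name__ == "__main__":
    for label, acl in [("original", ACL_110_ORIGINAL),
                       ("fix appended at end", fixed_acl_appended()),
                       ("fix placed before deny", fixed_acl_correct())]:
        for p in pptp_flows():
            print(f"{label:24} {p.proto:4} -> {evaluate(acl, p)}")
```

Two practical caveats follow from the ordering check. First, on IOS a new entry typed against a numbered ACL goes to the end, so with a trailing "deny ip any any log" the permits have to be added by rebuilding the list or by using "ip access-list extended 110" with sequence numbers to place them before the deny. Second, as the reply says, which direction each flow needs is decided by where the ACL is applied: for inbound on the outside interface it is "any" to the router's public address (the form used in PPTP_FIX above); the "host 202.x.x.124 any" form only matters for an outbound list. The anti-spoofing denies still take precedence because they come first, which is why a GRE packet with a 10.0.0.0/8 source is still dropped in the corrected list.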