Client VPN to ISA Server Fails on Cisco 877 Router

Answered Question
May 6th, 2009

Hi, I have a Cisco 877 Router but it drops VPN connections to my ISA Server. I have a NAT rule pointing traffic on port 1723 to the IP address of the ISA Server. The ISA sees the connections but it times out on authentication. I've reverted back to using the Cisco 837 until I get a solution for this problem. Any help would be appreciated.

denisoregan Wed, 05/06/2009 - 02:55

Just to clarify the VPN Client is a home user using Windows VPN connection on a Windows XP PC.

denisoregan Wed, 05/06/2009 - 07:15

Hi Toshi,

I'm using PPTP. I'll try and build a picture. I have multiple clients (laptops) on the move and they VPN to a Windows Server from various locations, including public and private external networks, 3G cards, etc.

I had VPN working until I swapped from the Cisco 837 to the Cisco 877 router. The clients establish a connection and begin to authenticate, and I can see the connection on the server, but the client connection eventually times out with error 721.

thotsaphon Wed, 05/06/2009 - 07:22

Denis,

Please post the router configuration. I have to make sure that you have allowed GRE.


Toshi

denisoregan Wed, 05/06/2009 - 07:45

This is where the problems start. I've been using the Cisco SDM as it's been a few years since I did my CCNA. I can post a router config, but is there a way of configuring this using SDM?



Thanks,

-Denis

Correct Answer
thotsaphon Wed, 05/06/2009 - 10:08

Denis,

You are using 213.94.226.58 for PPTP. Right? Please change things as follows:


!
no access-list 102
!
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit tcp any host xxx.xxx.xxx.58 eq 1723
access-list 102 permit gre any host xxx.xxx.xxx.58
access-list 102 permit tcp any host xxx.xxx.xxx.58 eq ftp
access-list 102 permit tcp any host xxx.xxx.xxx.58 eq ftp-data
access-list 102 permit tcp any host xxx.xxx.xxx.57 eq smtp
access-list 102 permit tcp any host xxx.xxx.xxx.57 eq www
access-list 102 permit tcp any host xxx.xxx.xxx.57 eq 443
access-list 102 permit udp host 213.94.190.236 eq domain host 213.94.226.57
access-list 102 permit udp host 213.94.190.194 eq domain host 213.94.226.57
access-list 102 deny ip 10.10.10.0 0.0.0.255 any
access-list 102 permit icmp any host 213.94.226.57 echo-reply
access-list 102 permit icmp any host 213.94.226.57 time-exceeded
access-list 102 permit icmp any host 213.94.226.57 unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
!




HTH,

Toshi
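
The point behind Toshi's fix is that PPTP needs two things through the inbound ACL, TCP/1723 for the control channel and GRE (IP protocol 47) for the tunnel itself, and the SDM-generated list only had the first, which is why the client got as far as authentication and then hit error 721. As an added illustration (not code from the thread or from Cisco), the following Python script walks an IOS-style extended ACL top-down and reports which of the two a roaming client would actually get through to the server. It assumes the client arrives from an arbitrary Internet address (so only ACEs with source `any` can cover it), treats the masked `xxx.xxx.xxx.58` from the post as a literal host token, and compares `eq` ports numerically only; both ACL excerpts are constructed from the lines above.

```python
import re
# Constructed excerpt of the corrected ACL; xxx.xxx.xxx.58 is the masked server address as posted.
CORRECTED_ACL = """
access-list 102 permit tcp any host xxx.xxx.xxx.58 eq 1723
access-list 102 permit gre any host xxx.xxx.xxx.58
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip any any log
"""
# Constructed "before" state: TCP/1723 passes but GRE never does, so the tunnel is dropped (error 721).
BROKEN_ACL = """
access-list 102 permit tcp any host xxx.xxx.xxx.58 eq 1723
access-list 102 deny ip any any log
"""
ACE = re.compile(r"^access-list\s+\d+\s+(permit|deny)\s+(\S+)\s+(.*)$")

def parse_acl(text):
    """Return (action, protocol, remaining tokens) per ACE, in order; remark lines do not match."""
    return [(m.group(1), m.group(2), m.group(3).split())
            for m in (ACE.match(ln.strip()) for ln in text.splitlines()) if m]

def _take_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A' or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ("any", None), tokens[1:]
    if tokens[0] == "host":
        return ("host", tokens[1]), tokens[2:]
    return ("net", (tokens[0], tokens[1])), tokens[2:]

def first_match(aces, proto, server, port=None):
    """Walk the ACL top-down as IOS does; return the action of the first ACE that covers
    <proto> from an arbitrary Internet source to <server>[:port], else the implicit deny."""
    for action, ace_proto, tokens in aces:
        if ace_proto not in (proto, "ip"):
            continue
        src, rest = _take_addr(tokens)
        if src[0] != "any":      # source-specific ACEs (bogon denies etc.) never cover a roaming client
            continue
        dst, rest = _take_addr(rest)
        if dst not in (("any", None), ("host", server)):
            continue
        if port is not None and rest[:1] == ["eq"] and rest[1] != str(port):
            continue             # right host, different port
        return action
    return "deny"                # every IOS ACL ends with an implicit deny

def pptp_allowed(acl_text, server):
    """PPTP needs both to be 'permit': TCP/1723 for control, GRE (IP protocol 47) for the tunnel."""
    aces = parse_acl(acl_text)
    return {"tcp1723": first_match(aces, "tcp", server, 1723), "gre": first_match(aces, "gre", server)}
```

Running `pptp_allowed(BROKEN_ACL, "xxx.xxx.xxx.58")` reports `gre` as `deny`, which is exactly the symptom in the thread: the control channel connects, the tunnel never comes up.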

denisoregan Wed, 05/06/2009 - 12:32

Great. Will update it tomorrow once I return to the office. Obviously I didn't cover all instances of the IP address. Oops. Thought it unwise to post details. Will let you know how I get on. Thanks. Denis

denisoregan Thu, 05/07/2009 - 01:16

This worked. Managed to enter the line using the SDM. Thanks for all your help. Now I need to figure out why FTP isn't working.
