Problems with VPN Passthrough on 2600 Router

Unanswered Question
Nov 23rd, 2009

Hi,

We have an SBS server on a test network that accepts VPN connections internally. However, remote users are unable to VPN in through our 2600 Router.

The SBS server is on an internal IP which is NATted on the 2600 to an external IP.

The inbound access-list has been updated to permit VPN traffic to pass through (I think):

permit tcp any host xxx.xxx.xxx.135 eq 1723

permit gre any host xxx.xxx.xxx.135

(I'll lock the VPN source IPs down once I have this worked out)

When you create a VPN connection from a remote Windows client, it appears to find the IP ok, requests the username and password but fails to authenticate and connect. So something isn't getting through?

I can see that IOS contains commands for creating tunnels between fixed locations but I assume that I can ignore these when just creating a simple VPN in to a Windows server?

Any thoughts appreciated.

Thanks,

Keith  

Jon Marshall Mon, 11/23/2009 - 16:47

Keith

Have a look at this document which covers how to allow PPTP through an IOS router -

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800949c0.shtml

Jon

keithglanville Tue, 11/24/2009 - 06:11

Thanks Jon

I am having trouble extracting the bits I need out of this document as our setup is different. For example, there is no Cisco at the house end and there are several locations/clients. Also, FastEthernet0/0 has several addresses assigned to it - only one of which is used by the SBS server network - I can't key in anything that might take down the routing or access to/from the other subnets.

The config extract below allows me to get as far as remotely authenticating on the SBS but then nothing. There is only one NAT address set up for the external VPN address 90.4.123.235, so should I also set up PAT to allow multiple VPN clients to connect?

Any assistance is much appreciated.

Keith

======================

version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
ip subnet-zero
ip cef
!

!
interface FastEthernet0/0
ip address 10.1.1.200 255.255.255.0 secondary
ip address 192.168.1.200 255.255.0.0 secondary
ip address 90.4.123.254 255.255.255.0
ip nat inside
speed auto
full-duplex
!
interface Serial0/0
description Connection to Line
ip address 92.253.158.54 255.255.255.252
ip broadcast-address 92.253.158.55
ip access-group inboundfilter in
ip access-group outboundfilter2 out
ip nat outside
encapsulation ppp
no fair-queue
!
router igrp 1
redistribute connected
network 92.0.0.0
network 90.0.0.0
!
.....

ip nat inside source static 192.168.1.10 90.4.123.235

ip access-list extended inboundfilter

.....
permit tcp any host 90.4.123.235 eq 1723

permit gre any host 90.4.123.235

ip access-list extended outboundfilter2

.....
permit udp any any
permit tcp any any
permit gre any any
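
As an added example (not part of the thread and not Cisco tooling), this Python script checks an IOS config extract like the one above for the two flows PPTP needs, the TCP 1723 control channel and GRE (IP protocol 47), to a statically NATted address, and flags rules still open to any source. The function names and the trimmed CONFIG sample are assumptions made for illustration, and only explicit "host" destinations are recognised.

```python
# Constructed sample: the PPTP-relevant lines from the config extract above.
CONFIG = """\
ip nat inside source static 192.168.1.10 90.4.123.235
ip access-list extended inboundfilter
permit tcp any host 90.4.123.235 eq 1723
permit gre any host 90.4.123.235
ip access-list extended outboundfilter2
permit gre any any
"""

def parse(config):
    """Return ({global_ip: local_ip}, {acl_name: [permit rule tokens]})."""
    nat, acls, current = {}, {}, None
    for tok in (line.split() for line in config.splitlines()):
        if tok[:5] == ["ip", "nat", "inside", "source", "static"] and len(tok) >= 7:
            nat[tok[6]] = tok[5]
        elif tok[:3] == ["ip", "access-list", "extended"] and len(tok) >= 4:
            current = acls.setdefault(tok[3], [])
        elif tok[:1] == ["permit"] and current is not None:
            current.append(tok)
    return nat, acls

def addr(tok, i):  # one address spec: "any", "host A" or "A wildcard"
    if tok[i:i + 1] == ["any"]:
        return "any", i + 1
    return " ".join(tok[i:i + 2]), i + 2

def audit(config, acl_name, global_ip):
    """List gaps in the inbound PPTP rules (TCP 1723 control + GRE data)."""
    nat, acls = parse(config)
    seen = {}
    for tok in acls.get(acl_name, []):
        src, i = addr(tok, 2)
        dst, i = addr(tok, i)
        if dst != "host " + global_ip:
            continue  # rules for other destinations are ignored
        if tok[1] == "gre":
            seen["gre"] = src
        elif tok[1] == "tcp" and tok[i:i + 2] == ["eq", "1723"]:
            seen["tcp/1723"] = src
    findings = [] if global_ip in nat else ["no static NAT entry for " + global_ip]
    for kind in ("tcp/1723", "gre"):
        if kind not in seen:
            findings.append(kind + " not permitted to " + global_ip)
        elif seen[kind] == "any":
            findings.append(kind + " permitted from any source")
    return findings

if __name__ == "__main__":
    print(audit(CONFIG, "inboundfilter", "90.4.123.235"))
```

An empty list means both flows are permitted to the NATted address from restricted sources only; it says nothing about whether NAT itself handles the GRE session correctly.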
