UC540 and VPN - port forward not working

Mar 15th, 2010

I have a UC540 as the router and an SBS 08 domain behind it which handles DHCP and VPN.  The problem I am having is even though I have opened the VPN ports in the UC540 to forward to the server, it is not connecting.  If I start a connection inside the LAN, it works fine every time.  Is there something special I need to do with the 540 to properly forward 1723 to a VPN host on its data VLAN?

All my other rules are working fine:

!
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address x.x.x.x 255.255.255.240
ip access-group 104 in
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
!
ip http server
ip http authentication local
ip http secure-server
ip http path flash:/gui
ip dns server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.10.254 80 interface FastEthernet0/0 80
ip nat inside source static tcp 192.168.10.254 443 interface FastEthernet0/0 443
ip nat inside source static tcp 192.168.10.254 25 interface FastEthernet0/0 25
ip nat inside source static tcp 192.168.10.254 997 interface FastEthernet0/0 997
ip nat inside source static tcp 192.168.10.254 1723 interface FastEthernet0/0 1723
ip nat inside source static udp 192.168.10.254 500 interface FastEthernet0/0 500
ip nat inside source static udp 192.168.10.254 43 interface FastEthernet0/0 43
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 10.1.10.1 255.255.255.255 Integrated-Service-Engine0/0
!

johnconrick Mon, 03/15/2010 - 06:04

access-list 104 remark SDM_ACL Category=1
access-list 104 permit udp any host x.x.x.x eq 43 log
access-list 104 permit udp any host x.x.x.x eq isakmp log
access-list 104 permit tcp any host x.x.x.x eq 1723 log
access-list 104 permit tcp any host x.x.x.x eq 997 log
access-list 104 permit tcp any host x.x.x.x eq smtp log
access-list 104 permit tcp any host x.x.x.x eq 443 log
access-list 104 permit tcp any host x.x.x.x eq www log
access-list 104 permit udp any host x.x.x.x eq non500-isakmp
access-list 104 permit esp any host x.x.x.x
access-list 104 permit ahp any host x.x.x.x
access-list 104 deny   ip 10.1.10.0 0.0.0.3 any
access-list 104 deny   ip 192.168.10.0 0.0.0.255 any
access-list 104 deny   ip 10.1.1.0 0.0.0.255 any
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip any any

dprzywara Mon, 03/15/2010 - 14:30

Try adding a NAT statement to forward NAT'd isakmp port 4500:

ip nat inside source static udp 192.168.10.254 4500 interface FastEthernet0/0 4500

Also, are the clients using Microsoft VPN clients?  If so, you might need to also forward the GRE protocol to your inside SBS.

johnconrick Mon, 03/15/2010 - 16:07

How do I open GRE from the UC540 to 192.168.10.254?

What logs should I enable to troubleshoot this issue?

johnconrick Mon, 03/15/2010 - 16:13

When I turn on term mon and then try to connect I get this:

UC540#term mon
UC540#
013851: Mar 15 23:09:22.388: %SEC-6-IPACCESSLOGP: list 104 permitted tcp (MY OUTSIDE IP)(54650) -> (MY INSIDE WAN IP)(443), 1 packet
013852: Mar 15 23:09:40.416: %SEC-6-IPACCESSLOGP: list 104 permitted udp (MY OUTSIDE IP)(500) -> (MY INSIDE WAN IP)(500), 3 packets
013853: Mar 15 23:10:40.416: %SEC-6-IPACCESSLOGP: list 104 permitted udp (MY OUTSIDE IP)(1701) -> (MY INSIDE WAN IP)(1701), 5 packets

but connection still fails.  Inside the LAN it works fine.

dprzywara Mon, 03/15/2010 - 16:52

To open up GRE try adding this statement:

access-list 104 permit gre any any

Make sure it's not at the bottom of your access-list below the deny any any statement or it won't be applied.

Also, have a VPN client try and connect then do a sh access-list command to see what rules are being matched.
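The two pieces of advice above (PPTP needs GRE as well as TCP 1723, and the permit has to sit above the deny statements because IOS evaluates an ACL top-down with first match winning) can be checked offline against a copy of the configuration. The script below is an added example, not code from the thread or from Cisco; it parses numbered ACL lines of the shape posted in this thread, simulates first-match evaluation for the two packets a PPTP client sends (the TCP 1723 control connection and the GRE tunnel), and shows why appending `permit gre any any` below `deny ip any any` changes nothing. The ACL text, the WAN address 203.0.113.10 (standing in for the thread's x.x.x.x) and the client address 198.51.100.7 are constructed sample values.

```python
"""Check an IOS-style numbered ACL for PPTP pass-through (TCP 1723 plus GRE).

Added example, not from the thread. It handles the ACE shapes that appear in
the posted access-list 104: any / host X / X WILDCARD addresses, optional
'eq PORT' on source and destination, trailing 'log' or ICMP type tokens.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Well-known names IOS prints in place of port numbers (subset, enough for this ACL).
PORT_NAMES = {"www": 80, "smtp": 25, "isakmp": 500, "non500-isakmp": 4500,
              "bootps": 67, "bootpc": 68, "domain": 53}


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp", "gre", "esp", "ahp", "icmp"
    src: tuple                  # ("any",) or ("net", address, wildcard)
    src_port: Optional[int]
    dst: tuple
    dst_port: Optional[int]


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None
    src_port: Optional[int] = None


def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


def _take_addr(toks, i):
    """Consume one address spec (and an optional 'eq PORT') starting at toks[i]."""
    if toks[i] == "any":
        addr, i = ("any",), i + 1
    elif toks[i] == "host":
        addr, i = ("net", toks[i + 1], "0.0.0.0"), i + 2
    else:
        addr, i = ("net", toks[i], toks[i + 1]), i + 2
    port = None
    if i < len(toks) and toks[i] == "eq":
        port, i = _port(toks[i + 1]), i + 2
    return addr, port, i


def parse_acl(text: str, number: str) -> list:
    aces = []
    for line in text.splitlines():
        toks = line.split()
        if toks[:2] != ["access-list", number] or toks[2] == "remark":
            continue
        action, proto = toks[2], toks[3]
        src, sport, i = _take_addr(toks, 4)
        dst, dport, _ = _take_addr(toks, i)
        aces.append(Ace(action, proto, src, sport, dst, dport))
    return aces


def _addr_match(addr: tuple, ip: str) -> bool:
    if addr[0] == "any":
        return True
    net = int(ipaddress.IPv4Address(addr[1]))
    wild = int(ipaddress.IPv4Address(addr[2]))   # IOS wildcard: 1 bits are "don't care"
    return (int(ipaddress.IPv4Address(ip)) & ~wild) == (net & ~wild)


def evaluate(aces: list, pkt: Packet):
    """First matching ACE wins; no match at all is IOS's implicit deny."""
    for n, a in enumerate(aces, 1):
        if a.proto not in ("ip", pkt.proto):
            continue
        if not (_addr_match(a.src, pkt.src) and _addr_match(a.dst, pkt.dst)):
            continue
        if a.src_port not in (None, pkt.src_port) or a.dst_port not in (None, pkt.dst_port):
            continue
        return a.action, n           # action and 1-based position of the matching ACE
    return "deny", None


def pptp_check(acl_text: str, number: str, wan_ip: str, client_ip: str) -> dict:
    """Verdict for the two flows a PPTP client needs: TCP 1723 control and GRE tunnel."""
    aces = parse_acl(acl_text, number)
    control = Packet("tcp", client_ip, wan_ip, dst_port=1723, src_port=54650)
    tunnel = Packet("gre", client_ip, wan_ip)
    return {"tcp/1723": evaluate(aces, control)[0], "gre": evaluate(aces, tunnel)[0]}


def insert_before_first_deny(acl_text: str, number: str, new_line: str) -> str:
    """Place a new ACE above the first deny so it is not shadowed (dprzywara's point)."""
    lines = acl_text.splitlines()
    for i, line in enumerate(lines):
        if line.split()[:3] == ["access-list", number, "deny"]:
            return "\n".join(lines[:i] + [new_line] + lines[i:])
    return acl_text + "\n" + new_line


# Constructed copy of the thread's ACL; 203.0.113.10 stands in for x.x.x.x.
SAMPLE_ACL = """\
access-list 104 remark SDM_ACL Category=1
access-list 104 permit udp any host 203.0.113.10 eq isakmp log
access-list 104 permit tcp any host 203.0.113.10 eq 1723 log
access-list 104 permit tcp any host 203.0.113.10 eq www log
access-list 104 permit udp any host 203.0.113.10 eq non500-isakmp
access-list 104 permit esp any host 203.0.113.10
access-list 104 deny   ip 192.168.10.0 0.0.0.255 any
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip any any"""

if __name__ == "__main__":
    print("as posted:", pptp_check(SAMPLE_ACL, "104", "203.0.113.10", "198.51.100.7"))
    fixed = insert_before_first_deny(SAMPLE_ACL, "104", "access-list 104 permit gre any any")
    print("gre above denies:", pptp_check(fixed, "104", "203.0.113.10", "198.51.100.7"))
    appended = SAMPLE_ACL + "\naccess-list 104 permit gre any any"
    print("gre appended at end:", pptp_check(appended, "104", "203.0.113.10", "198.51.100.7"))
```

Run as-is it reports the control connection permitted but GRE denied for the posted list, GRE permitted once the entry is placed above the denies, and GRE still denied when the entry is appended after `deny ip any any`. This also explains why the `term mon` output in the thread never showed the failure: only ACEs carrying the `log` keyword produce `%SEC-6-IPACCESSLOGP` messages, and the final `deny ip any any` that was swallowing the GRE packets has none, so the drops were silent.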

johnconrick Tue, 03/16/2010 - 08:43

Thank you, that was it. Once I added the GRE statement to 104 it's working fine.
