UC540 and VPN - port forward not working

johnconrick (Level 1)

I have a UC540 as the router and a SBS 08 domain behind it which handles DHCP and VPN. The problem I am having is even though I have opened the VPN ports for VPN in the UC540 to forward to the server, it is not connecting. If I start a connection inside the LAN, it works fine every time. Is there something special I need to do with the 540 to properly forward 1723 to a VPN host on its data VLAN?

All my other rules are working fine:

!
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address x.x.x.x 255.255.255.240
ip access-group 104 in
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
!
ip http server
ip http authentication local
ip http secure-server
ip http path flash:/gui
ip dns server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.10.254 80 interface FastEthernet0/0 80
ip nat inside source static tcp 192.168.10.254 443 interface FastEthernet0/0 443
ip nat inside source static tcp 192.168.10.254 25 interface FastEthernet0/0 25
ip nat inside source static tcp 192.168.10.254 997 interface FastEthernet0/0 997
ip nat inside source static tcp 192.168.10.254 1723 interface FastEthernet0/0 1723
ip nat inside source static udp 192.168.10.254 500 interface FastEthernet0/0 500
ip nat inside source static udp 192.168.10.254 43 interface FastEthernet0/0 43
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 10.1.10.1 255.255.255.255 Integrated-Service-Engine0/0
!

7 Replies

johnconrick (Level 1)

access-list 104 remark SDM_ACL Category=1
access-list 104 permit udp any host x.x.x.x eq 43 log
access-list 104 permit udp any host x.x.x.x eq isakmp log
access-list 104 permit tcp any host x.x.x.x eq 1723 log
access-list 104 permit tcp any host x.x.x.x eq 997 log
access-list 104 permit tcp any host x.x.x.x eq smtp log
access-list 104 permit tcp any host x.x.x.x eq 443 log
access-list 104 permit tcp any host x.x.x.x eq www log
access-list 104 permit udp any host x.x.x.x eq non500-isakmp
access-list 104 permit esp any host x.x.x.x
access-list 104 permit ahp any host x.x.x.x
access-list 104 deny   ip 10.1.10.0 0.0.0.3 any
access-list 104 deny   ip 192.168.10.0 0.0.0.255 any
access-list 104 deny   ip 10.1.1.0 0.0.0.255 any
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip any any

What are the logs showing you? And what's your ACL 1 set to?

dprzywara (Level 4)

Try adding a NAT statement to forward NAT'd isakmp port 4500:

ip nat inside source static udp 192.168.10.254 4500 interface FastEthernet0/0 4500

Also, are the clients using Microsoft VPN clients? If so, you might need to also forward the GRE protocol to your inside SBS.

johnconrick (Level 1)

How do I open GRE from the UC540 to 192.168.10.254?

What logs should I enable to troubleshoot this issue?

When I turn on term mon and then try to connect I get this:

UC540#term mon
UC540#
013851: Mar 15 23:09:22.388: %SEC-6-IPACCESSLOGP: list 104 permitted tcp (MY OUTSIDE IP)(54650) -> (MY INSIDE WAN IP)(443), 1 packet
013852: Mar 15 23:09:40.416: %SEC-6-IPACCESSLOGP: list 104 permitted udp (MY OUTSIDE IP)(500) -> (MY INSIDE WAN IP)(500), 3 packets
013853: Mar 15 23:10:40.416: %SEC-6-IPACCESSLOGP: list 104 permitted udp (MY OUTSIDE IP)(1701) -> (MY INSIDE WAN IP)(1701), 5 packets

But the connection still fails. Inside the LAN it works fine.

To open up GRE try adding this statement:

access-list 104 permit gre any any

Make sure it's not at the bottom of your access-list below the deny any any statement or it won't be applied.

Also, have a VPN client try and connect then do a sh access-list command to see what rules are being matched.
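The advice above hinges on first-match evaluation: the router walks ACL 104 top to bottom and stops at the first entry that matches, so a `permit gre any any` appended after `deny ip any any` is never reached. The script below is an added example (not code from this thread or from Cisco) that models that behaviour for the subset of extended-ACL syntax the posted ACL uses, with the thread's `x.x.x.x` replaced by a constructed TEST-NET address and a constructed remote client. It checks PPTP's two legs, the TCP 1723 control channel and the GRE data channel, against the ACL as posted, with GRE permitted above the closing deny, and with GRE wrongly appended below it.

```python
"""Toy first-match evaluator for Cisco IOS numbered extended ACLs.

Added example, not part of the original thread. It models how the router
walks ACL 104 top to bottom and stops at the first matching entry, which
is why a 'permit gre any any' placed after 'deny ip any any' never fires.
Only the syntax used in the posted ACL is supported (no 'range', 'gt',
'established', object-groups, etc.).
"""
import ipaddress

# Well-known port names IOS prints in place of numbers (subset used by ACL 104).
PORT_NAMES = {"www": 80, "smtp": 25, "isakmp": 500, "non500-isakmp": 4500,
              "bootps": 67, "bootpc": 68}

# Constructed placeholders: TEST-NET-3 for the router's x.x.x.x, TEST-NET-2 for a client.
WAN_IP = "203.0.113.10"
CLIENT = "198.51.100.25"


def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' [eq PORT] at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        net, wild, i = 0, 0xFFFFFFFF, i + 1
    elif tok == "host":
        net, wild, i = int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    else:
        net = int(ipaddress.IPv4Address(tok))
        wild = int(ipaddress.IPv4Address(tokens[i + 1]))
        i += 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = _port(tokens[i + 1]), i + 2
    return (net, wild), port, i


def parse_ace(line):
    """Return one access-control entry as a dict, or None for remarks/blank lines."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2] == "remark":
        return None
    action, proto = tokens[2], tokens[3]
    src, sport, i = _parse_addr(tokens, 4)
    dst, dport, i = _parse_addr(tokens, i)
    rest = tokens[i:]
    icmp_type = rest[0] if proto == "icmp" and rest and rest[0] != "log" else None
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "icmp_type": icmp_type}


def _addr_match(spec, ip):
    net, wild = spec  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(ip)) | wild) == (net | wild)


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not _addr_match(ace["src"], pkt["src"]) or not _addr_match(ace["dst"], pkt["dst"]):
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.get("sport"):
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
        return False
    if ace["icmp_type"] is not None and ace["icmp_type"] != pkt.get("icmp_type"):
        return False
    return True


def evaluate(acl_text, pkt):
    """First match wins; if nothing matches, IOS applies an implicit deny."""
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line)
        if ace and ace_matches(ace, pkt):
            return ace["action"], line.strip()
    return "deny", "<implicit deny>"


# ACL 104 as posted in the thread, with x.x.x.x replaced by the constructed WAN_IP.
ACL_104 = """
access-list 104 remark SDM_ACL Category=1
access-list 104 permit udp any host x.x.x.x eq 43 log
access-list 104 permit udp any host x.x.x.x eq isakmp log
access-list 104 permit tcp any host x.x.x.x eq 1723 log
access-list 104 permit tcp any host x.x.x.x eq 997 log
access-list 104 permit tcp any host x.x.x.x eq smtp log
access-list 104 permit tcp any host x.x.x.x eq 443 log
access-list 104 permit tcp any host x.x.x.x eq www log
access-list 104 permit udp any host x.x.x.x eq non500-isakmp
access-list 104 permit esp any host x.x.x.x
access-list 104 permit ahp any host x.x.x.x
access-list 104 deny   ip 10.1.10.0 0.0.0.3 any
access-list 104 deny   ip 192.168.10.0 0.0.0.255 any
access-list 104 deny   ip 10.1.1.0 0.0.0.255 any
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip any any
""".replace("x.x.x.x", WAN_IP)

GRE_LINE = "access-list 104 permit gre any any"
AHP_LINE = "access-list 104 permit ahp any host " + WAN_IP
# Correct placement: above the closing deny (here, right after the ahp entry).
ACL_104_FIXED = ACL_104.replace(AHP_LINE, AHP_LINE + "\n" + GRE_LINE)
# Wrong placement: appended after 'deny ip any any', which already matched.
ACL_104_WRONG = ACL_104.rstrip() + "\n" + GRE_LINE + "\n"

# PPTP needs two things through the edge: the TCP 1723 control channel
# and GRE (IP protocol 47, not a port) carrying the tunnelled data.
PPTP_CONTROL = {"proto": "tcp", "src": CLIENT, "dst": WAN_IP, "sport": 54650, "dport": 1723}
PPTP_GRE = {"proto": "gre", "src": CLIENT, "dst": WAN_IP}


def pptp_verdicts(acl_text):
    """Verdict for the PPTP control channel and its GRE data channel."""
    return {"tcp1723": evaluate(acl_text, PPTP_CONTROL)[0],
            "gre": evaluate(acl_text, PPTP_GRE)[0]}


if __name__ == "__main__":
    for name, acl in [("as posted", ACL_104), ("gre above deny", ACL_104_FIXED),
                      ("gre below deny", ACL_104_WRONG)]:
        print(f"{name:15s} {pptp_verdicts(acl)}")
```

Running it shows the symptom from the thread: the posted ACL permits TCP 1723 (so `sh access-list` and the `%SEC-6-IPACCESSLOGP` lines look healthy) while GRE falls through to `deny ip any any`, and the same GRE entry only changes the outcome when it sits above that closing deny. The `evaluate` function also returns the matching line, which is the manual equivalent of reading the hit counters from `sh access-list` after a client attempts to connect.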

Thank you, that was it. Once I added the GRE statement to 104 it's working fine.
