03-15-2010 06:01 AM - last edited on 03-25-2019 10:48 PM by ciscomoderator
I have a UC540 as the router and a SBS 08 domain behind it which handles DHCP and VPN. The problem I am having is even though I have opened the VPN ports for VPN in the UC540 to forward to the server, it is not connecting. If I start a connection inside the LAN, it works fine every time. Is there something special I need to do with the 540 to properly forward 1723 to a VPN host on its data VLAN?
All my other rules are working fine:
!
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address x.x.x.x 255.255.255.240
ip access-group 104 in
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
!
ip http server
ip http authentication local
ip http secure-server
ip http path flash:/gui
ip dns server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.10.254 80 interface FastEthernet0/0 80
ip nat inside source static tcp 192.168.10.254 443 interface FastEthernet0/0 443
ip nat inside source static tcp 192.168.10.254 25 interface FastEthernet0/0 25
ip nat inside source static tcp 192.168.10.254 997 interface FastEthernet0/0 997
ip nat inside source static tcp 192.168.10.254 1723 interface FastEthernet0/0 1723
ip nat inside source static udp 192.168.10.254 500 interface FastEthernet0/0 500
ip nat inside source static udp 192.168.10.254 43 interface FastEthernet0/0 43
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 10.1.10.1 255.255.255.255 Integrated-Service-Engine0/0
!
03-15-2010 06:04 AM
#
access-list 104 remark SDM_ACL Category=1
access-list 104 permit udp any host x.x.x.x eq 43 log
access-list 104 permit udp any host x.x.x.x eq isakmp log
access-list 104 permit tcp any host x.x.x.x eq 1723 log
access-list 104 permit tcp any host x.x.x.x eq 997 log
access-list 104 permit tcp any host x.x.x.x eq smtp log
access-list 104 permit tcp any host x.x.x.x eq 443 log
access-list 104 permit tcp any host x.x.x.x eq www log
access-list 104 permit udp any host x.x.x.x eq non500-isakmp
access-list 104 permit esp any host x.x.x.x
access-list 104 permit ahp any host x.x.x.x
access-list 104 deny ip 10.1.10.0 0.0.0.3 any
access-list 104 deny ip 192.168.10.0 0.0.0.255 any
access-list 104 deny ip 10.1.1.0 0.0.0.255 any
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip any any
03-15-2010 11:22 AM
What are the logs showing you? And what's your ACL 1 set to?
03-15-2010 02:30 PM
Try adding a NAT statement to forward NAT'd isakmp port 4500:
ip nat inside source static udp 192.168.10.254 4500 interface FastEthernet0/0 4500
Also, are the clients using microsoft VPN clients? If so, you might need to also forward the GRE protocol to your inside SBS.
03-15-2010 04:07 PM
How do I open GRE from the UC540 to 192.168.10.254?
What logs should I enable to troubleshoot this issue?
03-15-2010 04:13 PM
When I turn on term mon and then try to connect I get this:
UC540#term mon
UC540#
013851: Mar 15 23:09:22.388: %SEC-6-IPACCESSLOGP: list 104 permitted tcp (MY OUTSIDE IP)(54650) -> (MY INSIDE WAN IP)(443), 1 packet
013852: Mar 15 23:09:40.416: %SEC-6-IPACCESSLOGP: list 104 permitted udp (MY OUTSIDE IP)(500) -> (MY INSIDE WAN IP)(500), 3 packets
013853: Mar 15 23:10:40.416: %SEC-6-IPACCESSLOGP: list 104 permitted udp (MY OUTSIDE IP)(1701) -> (MY INSIDE WAN IP)(1701), 5 packets
but connection still fails. Inside the LAN it works fine.
03-15-2010 04:52 PM
To open up GRE try adding this statement:
access-list 104 permit gre any any
Make sure it's not at the bottom of your access-list below the deny any any statement or it won't be applied.
Also, have a VPN client try and connect then do a sh access-list command to see what rules are being matched.
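The fix hinges on two points: PPTP needs GRE (IP protocol 47) as well as TCP 1723, and a permit only takes effect if it sits ahead of the deny that would otherwise match first. The following is an added example, not code from the thread or from Cisco: a small Python model of IOS first-match evaluation for a numbered extended ACL, run over a constructed copy of ACL 104 in which 203.0.113.10 stands in for the masked WAN address and 198.51.100.7 for a remote client. It reports, for each flow a Microsoft VPN client needs, whether the list permits it and which entry made the decision.

```python
"""Simulate IOS first-match ACL evaluation and check the flows a Microsoft VPN server
behind the router needs.  Added example, not from the thread; ACL_104 is a constructed
copy of the posted list with 203.0.113.10 standing in for the masked WAN address."""
import re
from collections import namedtuple

PORT_NAMES = {"www": 80, "smtp": 25, "isakmp": 500, "non500-isakmp": 4500,
              "bootps": 67, "bootpc": 68}        # keywords IOS prints for ports
Ace = namedtuple("Ace", "action proto src dst dst_port")   # src/dst: (net, wildcard)
ACE_RE = re.compile(r"^access-list\s+\d+\s+(permit|deny)\s+(\S+)\s+(.*)$")

def ip2int(s):
    return int.from_bytes(bytes(int(x) for x in s.split(".")), "big")

def _addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (ip2int(tokens[i + 1]), 0), i + 2
    return (ip2int(tokens[i]), ip2int(tokens[i + 1])), i + 2

def _port(tokens, i):
    """Parse an optional 'eq PORT' at tokens[i] ('eq' is the only operator used here)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return PORT_NAMES.get(p, int(p) if p.isdigit() else None), i + 2
    return None, i

def parse_acl(text):
    """ACEs of an 'access-list N ...' block, in order; remarks and other lines are skipped."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        action, proto, rest = m.groups()
        tokens = rest.split()
        src, i = _addr(tokens, 0)
        _, i = _port(tokens, i)            # source port: irrelevant to this check
        dst, i = _addr(tokens, i)
        dst_port, _ = _port(tokens, i)     # trailing 'log' or an icmp type is ignored
        aces.append(Ace(action, proto, src, dst, dst_port))
    return aces

def matches(ace, proto, src_ip, dst_ip, dst_port):
    if ace.proto not in ("ip", proto):
        return False
    for (net, wild), ip in ((ace.src, src_ip), (ace.dst, dst_ip)):
        if (ip & ~wild) != (net & ~wild):  # wildcard bits are don't-care
            return False
    return ace.dst_port is None or ace.dst_port == dst_port

def evaluate(aces, proto, src_ip, dst_ip, dst_port=None):
    """First match wins; every IOS ACL ends with an implicit deny."""
    for n, ace in enumerate(aces, 1):
        if matches(ace, proto, src_ip, dst_ip, dst_port):
            return ace.action, n
    return "deny", None

# PPTP needs TCP 1723 plus GRE (IP protocol 47); IPsec behind NAT also needs UDP 4500.
VPN_FLOWS = {"PPTP control (tcp/1723)": ("tcp", 1723), "PPTP data (gre)": ("gre", None),
             "IPsec NAT-T (udp/4500)": ("udp", 4500)}

def check_vpn(acl_text, client_ip, wan_ip):
    """Map each required flow to (action, number of the ACE that decided it)."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, proto, ip2int(client_ip), ip2int(wan_ip), port)
            for name, (proto, port) in VPN_FLOWS.items()}

WAN = "203.0.113.10"                       # constructed stand-in for the masked x.x.x.x
ACL_104 = f"""\
access-list 104 remark SDM_ACL Category=1
access-list 104 permit udp any host {WAN} eq 43 log
access-list 104 permit udp any host {WAN} eq isakmp log
access-list 104 permit tcp any host {WAN} eq 1723 log
access-list 104 permit tcp any host {WAN} eq 997 log
access-list 104 permit tcp any host {WAN} eq smtp log
access-list 104 permit tcp any host {WAN} eq 443 log
access-list 104 permit tcp any host {WAN} eq www log
access-list 104 permit udp any host {WAN} eq non500-isakmp
access-list 104 permit esp any host {WAN}
access-list 104 permit ahp any host {WAN}
access-list 104 deny ip 10.1.10.0 0.0.0.3 any
access-list 104 deny ip 192.168.10.0 0.0.0.255 any
access-list 104 deny ip 10.1.1.0 0.0.0.255 any
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip any any"""
GRE_PERMIT = "access-list 104 permit gre any any"
# A bare 'access-list 104 ...' command appends after the final deny; the fix must precede it.
ACL_GRE_APPENDED = ACL_104 + "\n" + GRE_PERMIT
ACL_GRE_FIXED = ACL_104.replace("access-list 104 deny ip any any",
                                GRE_PERMIT + "\naccess-list 104 deny ip any any")
```

Run against the list as posted, check_vpn reports TCP 1723 permitted by entry 3 and GRE denied by the final "deny ip any any", which is exactly what the log lines above show: the control connection is accepted and the tunnel never comes up. With the GRE permit merely appended (ACL_GRE_APPENDED) the result is unchanged, because the explicit deny still matches first; only ACL_GRE_FIXED, with the permit placed ahead of that deny, passes. On the router, a plain "access-list 104 permit gre any any" in global configuration lands at the end of a numbered list, so to place it correctly you edit the list by sequence number under "ip access-list extended 104" or remove and re-enter the whole list. The model covers only the inbound ACL; it assumes the static NAT entries are already in place.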
03-16-2010 08:43 AM
Thank you, that was it. Once I added the GRE statement to 104 it's working fine.