NT VPN errors 721, 619 with 2600s with IOS firewall

jresnickehrlich
Level 1

2620 in one location, 2621 in the 2nd location. Both locations have their own NT domains. If 1723 and GRE are allowed through the IOS firewall on each router, would VPN traffic be blocked for some reason, due to the IOS config, for clients on the 1st LAN to reach the 2nd LAN server? But not blocked if the VPN is from a home PC?

NT RAS Error 721 (Computer not responding) when client on 1st NT domain ---> 1st location 2621 ---> 2nd location 2620 ---> 2nd NT domain server.

No problem when VPN from home PC ---> 2620 or 2621 ---> 1st LAN server or 2nd LAN server.

Thanks,

Joan Resnick Ehrlich

4 Replies

paqiu
Level 1

Make sure both routers have 12.1.4T or a later version to support the PPTP over PAT feature.

For more details see the following URL:

http://www.cisco.com/warp/customer/471/pptp_pat.html

Best Regards,

jresnickehrlich
Level 1

Ok, thanks, I read the link. Bear with me, I don't quite understand some things. We've got 12.0.7(T). We're using static mappings for the servers -- each server has its private IP mapped to a public IP. We do have a NAT pool configured, but for clients only.

For each server, the access list permits 1723 and 47. The Cisco TAC tech who helped us configure the 12.0.7(T) firewall said all we needed to do to MS VPN into the NT Server was open 1723 and 47.

I *can* with 12.0.7(T) establish an MS VPN session into any NT server (logon, authenticate, browse network) from my home, which has its own NT 4.0 LAN with 192.168.1.x network going through a Linksys cable router doing PAT.

So, the path is my W2K PC on my NT LAN ---> my Linksys ---> Office 2621 ---> Office NT Server. This works.

Are you saying that to MS VPN *through two Cisco 2600 routers* requires the later release? That is, going from client PC ---> 2620/21 ---> 2620/21 ---> NT Server creates the problem? Because the VPN has to pass through both Cisco routers and somehow can't? Even though both have 1723 and GRE open?

One more thing. The 1723 statement in the access list is "permit tcp any eq 1723" -- notice that the word "host" is missing, as in "permit tcp any host ...". Is that a problem?

Thanks,

Joan

Hi Joan,

The problem is not at the server end, because it is doing static NAT translation.

When you are at home, the Linksys router supports the PPTP pass-through feature, so although the Linksys is doing PAT for your client PC, there is no problem.

When you are in the office, the router is doing PAT for your client PC, so it needs 12.1.4T or a later version to support the "PPTP over PAT" feature (the same as the Linksys's PPTP pass-through).

12.0.7T is a very old version and did not support PPTP pass-through at that time. After you upgrade, even to 12.1.5T10, it will be fine as well.

And also please open TCP 1723 and GRE in your access-list as well, then it will be working fine.

Best Regards,
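As an added worked example (not from the original thread and not Cisco's published configuration), the fragment below puts the two situations discussed above side by side on one office router: a server behind a one-to-one static mapping, where a plain "host" ACL for TCP 1723 and GRE is enough, and LAN clients behind a PAT pool, whose outbound PPTP only works on a release that includes PPTP over PAT (12.1.4T or later, as the reply says), because GRE carries no port number and the router has to track the PPTP Call ID from the TCP 1723 control channel to demultiplex the returning GRE tunnel. It also shows the form of the 1723 line that the question about the missing "host" keyword was asking about: "eq 1723" after the destination matches the PPTP control port on that one server. All addresses, interface names, list numbers and the remote server's address are assumptions.

```cisco
! Added example, not from the thread. Addresses, interface names and
! list numbers are assumptions; adapt to your own network.
!
! LAN side of the office router
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! Internet side. Inbound ACL 101 is evaluated before NAT, so it must
! reference the public (inside global) addresses, not the private ones.
interface Serial0/0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group 101 in
!
! NT server: one-to-one static mapping (assumed public block 203.0.113.8/29).
! Inbound PPTP to a statically mapped host needs no PPTP-aware NAT.
ip nat inside source static 192.168.10.5 203.0.113.9
!
! LAN clients: many-to-one PAT from a pool. PPTP sessions these hosts open
! to the other office work only on a release with PPTP over PAT (12.1.4T
! or later per the reply above), which keys the GRE translation on the
! PPTP Call ID instead of a port.
ip nat pool CLIENTS 203.0.113.10 203.0.113.10 netmask 255.255.255.248
ip nat inside source list 10 pool CLIENTS overload
access-list 10 permit 192.168.10.0 0.0.0.255
!
! Inbound firewall ACL. "host" scopes the permit to the server's public
! address; "eq 1723" after the destination is the PPTP control port.
access-list 101 permit tcp any host 203.0.113.9 eq 1723
access-list 101 permit gre any host 203.0.113.9
!
! Return traffic for PPTP sessions that LAN clients open to the remote
! office's server (assumed public address 198.51.100.5): the control
! channel replies and the GRE tunnel arrive addressed to the PAT address.
access-list 101 permit tcp host 198.51.100.5 eq 1723 host 203.0.113.10 established
access-list 101 permit gre host 198.51.100.5 host 203.0.113.10
access-list 101 deny ip any any log
```

The second office router needs the mirror image: its own server's public address in the static mapping and the first two "host" lines, and this router's PAT address (203.0.113.10 here) as the source in the return-traffic lines. "show ip nat translations" while a LAN client is connected should show the GRE entries alongside the TCP 1723 one; if only the TCP entry appears, the release in use is not translating GRE for PATed hosts, which matches the 721 symptom in the thread.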

Ok, thanks again.

No need to reply.

Joan
