Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

NT VPN errors 721, 619 with 2600s with IOS firewall

2620 in one location, 2621 in 2nd location. Both locations have own NT domains. If 1723 and gre are allowed through IOS firewall on each router, would VPN traffic be blocked for some reason, due to IOS config, for clients on 1st LAN to reach 2nd LAN server? But not blocked if VPN from home PC?

NT RAS Error 721 (Computer not responding) when client on 1st NT domain ---> 1st 2621 ---> 2620 2nd location ----> 2nd NT domain server.

No problem when VPN from home PC ----> 2620 or 2621 ----> 1st LAN server or 2nd LAN server.

Thanks,

Joan Resnick Ehrlich

4 REPLIES
New Member

Re: NT VPN errors 721, 619 with 2600s with IOS firewall

Make sure both routers have 12.1.4T above version to support PPTP pass PAT feature.

More details see following URL:

http://www.cisco.com/warp/customer/471/pptp_pat.html

Best Regards,

New Member

Re: NT VPN errors 721, 619 with 2600s with IOS firewall

Ok, thanks, read the link. Bear with me, don't quite understand some things. We've got 12.0.7(T). We're using static mappings for the servers -- each server has its private IP mapped to a public IP. We do have a NAT Pool configured, but for clients only.

For each server, the access list permits 1723 and 47. The Cisco TAC tech who hepled us configure the 12.0.7(T) firewall said all we needed to do to MS VPN into NT Server was open 1723 and 47.

I *can* with 12.0.7(T) establish an MS VPN session into any NT server (logon, authenticate, browse network) from my home, which has its own NT 4.0 LAN with 192.168.1.x network going through a Linksys cable router doing PAT.

So, path is my W2K PC on my NT LAN ---> my Linksys ----> Office 2621 ----> Office NT Server. This works.

Are you saying that to MS VPN *through two Cisco 2600 routers* requires the later release? That is, to go from client PC ----> 2620/21 ----> 2620/21 -----> NT Server creates the problem? Because the VPN has to pass through both Cisco routers and somehow can't? Even though both have 1723 and gre open?

One more thing. The 1723 statement in the access list is "permit tcp any eq 1723" -- Notice that the word "host" is missing, as in "permit tcp any host . Is that a problem?

Thanks,

Joan

New Member

Re: NT VPN errors 721, 619 with 2600s with IOS firewall

Hi Joan,

The problem is not in the Server end. Because it is doing atatic NAT translation.

When you in your home, linksys router support PPTP pass through feature, so althroug linksys doing PAT for your client PC, it has no problem.

When you are in the office, the router is doing PAT for your client PC, so it need 12.1.4 T above version to support "PPTP over PAT" feature. (same as linksys's PPTP pass through).

12.0.7T is a very old version, does not support PPTP pass through at that moment. After you uprading to even 12.1.5T10 , it will be fine as well.

And also please open TCP 1723 and GRE in your access-list as well, then it will be working fine.

Best Regards,

New Member

Re: NT VPN errors 721, 619 with 2600s with IOS firewall

Ok, thanks again.

No need to reply.

Joan

116
Views
0
Helpful
4
Replies
CreatePlease to create content