Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN with cisco 2611 v 12.0 iso

hello all.

I am trying to setup a win2k server as vpn server behind a cisco 2611 router to connect a satellite office to our main office.

I have found some info on how to set up access lists and such but I have hit a wall.

Currently what I have so far:

interface Ethernet0/0

description connected to EthernetLAN

ip address 192.168.208.30 255.255.255.0

no ip directed-broadcast

ip nat inside

!

interface Ethernet0/1

description connected to Internet

ip address 64.217.xxx.86 255.255.255.252

ip access-group inet_inbound in (--- I added correct ???)

no ip directed-broadcast

ip nat outside

ip access-list extended inet_inbound

deny ip 10.0.0.0 0.255.255.255 any

deny ip 172.16.0.0 0.15.255.255 any

deny ip 192.168.0.0 0.0.255.255 any

permit tcp any host 64.217.xxx.86 eq 1723

permit gre any host 64.217.xxx.86

**************************

Both examples I have show:

interface Serial0/0

description internet interface

ip address 64.217.xxx.xxx 255.255.255.252

ip access-group inet_inbound in

BUT when I try to type "interface Serial0/0" at the router config prompt, it gives me an error pointing to the 'S' in serial, so should I add the ip access-group line to my Internet 0/1 like I did above since that is my internet connection????

thanks in advance.

mattmc

1 REPLY
Cisco Employee

Re: VPN with cisco 2611 v 12.0 iso

You don't have a Serial interface in your router, so you're adding the access-list to the correct interface.

The trouble is you're trying to connect to the 64.217.xxx.86 address which is the router's address, not the address of the internal Win2K server. For a PPTP connection you will need a second IP address from your ISP, so let's assume they give you 64.217.xxx.87.

The following will send all traffic destined for 64.217.xxx.87 through to your internal Win2K server (which I've assumed is 192.168.208.1, change if necessary):

ip nat inside source static 192.168.208.1 64.217.xxx.87 extendable

Change the two lines in your access-list to reference the .87 address rather than the .86.

Then have all your VPN clients connect to the .87 address rather than .86 and you should be good to go.

131
Views
0
Helpful
1
Replies