05-06-2009 02:49 AM
Hi, I have a Cisco 877 router but it drops VPN connections to my ISA Server. I have a NAT rule pointing traffic on port 1723 to the IP address of the ISA Server. The ISA sees the connections but it times out on authentication. I've reverted back to using the Cisco 837 until I get a solution for this problem. Any help would be appreciated.
05-06-2009 02:55 AM
Just to clarify the VPN Client is a home user using Windows VPN connection on a Windows XP PC.
05-06-2009 06:44 AM
Hi Denis,
Are you using PPTP?
Please check out this link
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800949c0.shtml
If it didn't work, please post the configuration and give us a brief description of how they are connecting. I mean, your network devices.
HTH,
Toshi
05-06-2009 07:15 AM
Hi Toshi,
I'm using PPTP. I'll try to build a picture. I have multiple clients (laptops) on the move and they VPN to a Windows Server from various locations, including public and private external networks, 3G cards, etc.
I had VPN working until I swapped from the Cisco 837 to the Cisco 877 router. The clients establish a connection and begin to authenticate, and I can see the connection on the server, but the client connection eventually times out with error 721.
05-06-2009 07:22 AM
Denis,
Please post the router configuration. I have to make sure that you have allowed GRE.
Toshi
05-06-2009 07:45 AM
This is where the problems start. I've been using the Cisco SDM as it's been a few years since I did my CCNA. I can post a router config, but is there a way of configuring this using SDM?
Thanks,
-Denis
05-06-2009 07:54 AM
Denis,
Can you access the router by using telnet?
Toshi
05-06-2009 08:13 AM
Ok I've attached the running config I hope this helps.
05-06-2009 10:08 AM
Davis,
You are using 213.94.226.58 for PPTP. Right? Please change things as follows:
!
no access-list 102
!
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit tcp any host xxx.xxx.xxx.58 eq 1723
access-list 102 permit gre any host xxx.xxx.xxx.58
access-list 102 permit tcp any host xxx.xxx.xxx.58 eq ftp
access-list 102 permit tcp any host xxx.xxx.xxx.58 eq ftp-data
access-list 102 permit tcp any host xxx.xxx.xxx.57 eq smtp
access-list 102 permit tcp any host xxx.xxx.xxx.57 eq www
access-list 102 permit tcp any host xxx.xxx.xxx.57 eq 443
access-list 102 permit udp host 213.94.190.236 eq domain host 213.94.226.57
access-list 102 permit udp host 213.94.190.194 eq domain host 213.94.226.57
access-list 102 deny ip 10.10.10.0 0.0.0.255 any
access-list 102 permit icmp any host 213.94.226.57 echo-reply
access-list 102 permit icmp any host 213.94.226.57 time-exceeded
access-list 102 permit icmp any host 213.94.226.57 unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
!
HTH,
Toshi
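Added example (not part of Toshi's post or the poster's configuration): PPTP needs both its TCP 1723 control channel and GRE (IP protocol 47) through the inbound ACL, so this Python sketch evaluates an IOS-style extended ACL first-match and reports the verdict for each. The 192.0.2.x and 198.51.100.x addresses, the sample ACL text and all function names are constructed for illustration, and the parser handles only the syntax used in the sample.

```python
import ipaddress

PORTS = {"ftp": 21, "ftp-data": 20, "smtp": 25, "www": 80, "domain": 53}

def _addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]  # wildcard mask form

def _port(tok):
    """Consume an optional 'eq PORT'; return (port or None, remaining tokens)."""
    if tok[:1] == ["eq"]:
        return PORTS.get(tok[1]) or int(tok[1]), tok[2:]
    return None, tok

def parse(line):
    t = line.split()[2:]                      # drop "access-list <number>"
    if t[0] == "remark":
        return None
    action, proto, t = t[0], t[1], t[2:]
    src, t = _addr(t)
    sport, t = _port(t)
    dst, t = _addr(t)
    dport, t = _port(t)
    return action, proto, src, sport, dst, dport

def first_match(acl, proto, src, dst, dport=None, sport=None):
    """Return the action of the first entry that matches the packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rsport, rdst, rdport in filter(None, map(parse, acl.strip().splitlines())):
        if rproto in ("ip", proto) and s in rsrc and d in rdst \
                and rsport in (None, sport) and rdport in (None, dport):
            return action
    return "deny"                             # implicit deny ends every IOS ACL

def pptp_check(acl, client, server):
    return {"tcp/1723": first_match(acl, "tcp", client, server, 1723),
            "gre": first_match(acl, "gre", client, server)}

# Constructed sample ACL, modelled on the structure of the ACL in the post above.
WITH_GRE = """
access-list 102 remark constructed sample
access-list 102 permit tcp any host 192.0.2.58 eq 1723
access-list 102 permit gre any host 192.0.2.58
access-list 102 permit tcp any host 192.0.2.57 eq www
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip any any log
"""
# Same ACL with the GRE entry removed, for comparison.
WITHOUT_GRE = "\n".join(l for l in WITH_GRE.splitlines() if " gre " not in l)
```

With the GRE entry removed, the control connection on TCP 1723 is still permitted while the GRE tunnel traffic falls through to the final deny.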
05-06-2009 12:32 PM
Great. Will update it tomorrow once I return to the office. Obviously I didn't cover all instances of the IP address. Oops. Thought it unwise to post details. Will let you know how I get on. Thanks. Denis
05-07-2009 01:16 AM
This worked. Managed to enter the line using the SDM. Thanks for all your help. Now I need to figure out why FTP isn't working.