Cisco Support Community
New Member

Client VPN to ISA Server Fails on Cisco 877 Router

Hi, I have a Cisco 877 router, but it drops VPN connections to my ISA Server. I have a NAT rule pointing traffic on port 1723 to the IP address of the ISA Server. The ISA sees the connections but it times out on authentication. I've reverted back to using the Cisco 837 until I get a solution for this problem. Any help would be appreciated.

New Member

Re: Client VPN to ISA Server Fails on Cisco 877 Router

Just to clarify, the VPN client is a home user using a Windows VPN connection on a Windows XP PC.

Re: Client VPN to ISA Server Fails on Cisco 877 Router

Hi Denis,

Are you using PPTP?

Please check out this link

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800949c0.shtml

If it doesn't work, please post the configuration and briefly tell us how they are connecting. I mean, your network devices.

HTH,

Toshi

New Member

Re: Client VPN to ISA Server Fails on Cisco 877 Router

Hi Toshi,

I'm using PPTP. I'll try and build a picture. I have multiple clients (laptops) on the move and they VPN to the Windows Server from various locations, including public and private external networks, 3G cards, etc.

I had VPN working until I swapped from the Cisco 837 to the Cisco 877 router. The clients establish a connection and begin to authenticate, and I can see the connection on the server, but the client connection eventually times out with error 721.

Re: Client VPN to ISA Server Fails on Cisco 877 Router

Denis,

Please post the router configuration. I have to make sure that you have allowed GRE.

Toshi

New Member

Re: Client VPN to ISA Server Fails on Cisco 877 Router

This is where the problems start. I've been using the Cisco SDM as it's been a few years since I did my CCNA. I can post a router config, but is there a way of configuring this using SDM?

Thanks,

-Denis

Re: Client VPN to ISA Server Fails on Cisco 877 Router

Denis,

Can you access the router by using telnet?

Toshi

New Member

Re: Client VPN to ISA Server Fails on Cisco 877 Router

Ok I've attached the running config I hope this helps.

Re: Client VPN to ISA Server Fails on Cisco 877 Router

Denis,

You are using 213.94.226.58 for PPTP. Right? Please change things as follows:

!

no access-list 102

!

access-list 102 remark auto generated by SDM firewall configuration

access-list 102 remark SDM_ACL Category=1

access-list 102 permit tcp any host xxx.xxx.xxx.58 eq 1723

access-list 102 permit gre any host xxx.xxx.xxx.58

access-list 102 permit tcp any host xxx.xxx.xxx.58 eq ftp

access-list 102 permit tcp any host xxx.xxx.xxx.58 eq ftp-data

access-list 102 permit tcp any host xxx.xxx.xxx.57 eq smtp

access-list 102 permit tcp any host xxx.xxx.xxx.57 eq www

access-list 102 permit tcp any host xxx.xxx.xxx.57 eq 443

access-list 102 permit udp host 213.94.190.236 eq domain host 213.94.226.57

access-list 102 permit udp host 213.94.190.194 eq domain host 213.94.226.57

access-list 102 deny ip 10.10.10.0 0.0.0.255 any

access-list 102 permit icmp any host 213.94.226.57 echo-reply

access-list 102 permit icmp any host 213.94.226.57 time-exceeded

access-list 102 permit icmp any host 213.94.226.57 unreachable

access-list 102 deny ip 10.0.0.0 0.255.255.255 any

access-list 102 deny ip 172.16.0.0 0.15.255.255 any

access-list 102 deny ip 192.168.0.0 0.0.255.255 any

access-list 102 deny ip 127.0.0.0 0.255.255.255 any

access-list 102 deny ip host 255.255.255.255 any

access-list 102 deny ip host 0.0.0.0 any

access-list 102 deny ip any any log

!

HTH,

Toshi
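
Added example, not part of the thread or of anyone's posted configuration: PPTP needs both its TCP 1723 control connection and GRE (IP protocol 47) through the router, which is what the two `.58` permit lines in the reply above provide. This Python sketch evaluates a simplified subset of IOS extended-ACL syntax first-match and reports which of the two is not permitted; the addresses 203.0.113.58 and 198.51.100.7, the function names and both sample ACLs are constructed for illustration.

```python
import ipaddress

PORTS = {"ftp-data": 20, "ftp": 21, "smtp": 25, "domain": 53, "www": 80}

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr(tok):
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (_ip(tok[1]), 0), tok[2:]
    return (_ip(tok[0]), _ip(tok[1])), tok[2:]

def _hit(spec, ip):
    base, wild = spec  # wildcard bits set to 1 are "don't care"
    return (base ^ _ip(ip)) & ~wild & 0xFFFFFFFF == 0

def parse_ace(line):
    tok = line.split()
    if tok[:1] != ["access-list"] or tok[2] not in ("permit", "deny"):
        return None  # '!', 'no ...', remarks: not an access control entry
    action, proto, rest = tok[2], tok[3], tok[4:]
    src, rest = _addr(rest)
    if rest[:1] == ["eq"]:
        rest = rest[2:]  # source port, irrelevant to the probes used below
    dst, rest = _addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORTS.get(rest[1]) or int(rest[1])
    return action, proto, src, dst, dport

def verdict(acl, proto, src, dst, dport=None):
    for ace in filter(None, map(parse_ace, acl.splitlines())):
        action, p, s, d, port = ace
        if p in ("ip", proto) and _hit(s, src) and _hit(d, dst) and port in (None, dport):
            return action  # IOS stops at the first matching entry
    return "deny"  # implicit deny at the end of every IOS ACL

def pptp_gaps(acl, server, client="198.51.100.7"):
    needs = {"tcp/1723 (control)": ("tcp", 1723), "gre (tunnel)": ("gre", None)}
    return [name for name, (proto, port) in needs.items()
            if verdict(acl, proto, client, server, port) != "permit"]

# Constructed sample ACLs: control channel only, then with GRE added on top
BROKEN = ("access-list 102 permit tcp any host 203.0.113.58 eq 1723\n"
          "access-list 102 deny ip any any log\n")
FIXED = "access-list 102 permit gre any host 203.0.113.58\n" + BROKEN
print(pptp_gaps(BROKEN, "203.0.113.58"), pptp_gaps(FIXED, "203.0.113.58"))
```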

New Member

Re: Client VPN to ISA Server Fails on Cisco 877 Router

Great. Will update it tomorrow once I return to the office. Obviously I didn't cover all instances of the IP address. Oops. Thought it unwise to post details. Will let you know how I get on. Thanks. Denis

New Member

Re: Client VPN to ISA Server Fails on Cisco 877 Router

This worked. Managed to enter the line using the SDM. Thanks for all your help. Now I need to figure out why FTP isn't working.
