
Client VPN to ISA Server Fails on Cisco 877 Router

denisoregan
Level 1

Hi, I have a Cisco 877 router but it drops VPN connections to my ISA Server. I have a NAT rule pointing traffic on port 1723 to the IP address of the ISA Server. The ISA sees the connections but it times out on authentication. I've reverted back to using the Cisco 837 until I get a solution for this problem. Any help would be appreciated.


10 Replies

denisoregan
Level 1

Just to clarify, the VPN client is a home user using a Windows VPN connection on a Windows XP PC.

Hi Denis,

Are you using PPTP?

Please check out this link

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800949c0.shtml

If it doesn't work, please post the configuration and give us a brief description of how they are connecting. I mean, your network devices.

HTH,

Toshi

Hi Toshi,

I'm using PPTP. I'll try and build a picture. I have multiple clients (laptops) on the move and they VPN to the Windows Server from various locations, including public and private external networks, 3G cards, etc.

I had the VPN working until I swapped from the Cisco 837 to the Cisco 877 router. The clients establish a connection and begin to authenticate, and I can see the connection on the server, but the client connection eventually times out with error 721.

Denis,

Please post the router configuration. I have to make sure that you have allowed GRE.

Toshi

This is where the problems start. I've been using the Cisco SDM as it's been a few years since I did my CCNA. I can post a router config, but is there a way of configuring this using SDM?

Thanks,

-Denis

Denis,

Can you access the router by using telnet?

Toshi

OK, I've attached the running config. I hope this helps.

Denis,

You are using 213.94.226.58 for PPTP. Right? Please change things as follows:

!
no access-list 102
!
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit tcp any host xxx.xxx.xxx.58 eq 1723
access-list 102 permit gre any host xxx.xxx.xxx.58
access-list 102 permit tcp any host xxx.xxx.xxx.58 eq ftp
access-list 102 permit tcp any host xxx.xxx.xxx.58 eq ftp-data
access-list 102 permit tcp any host xxx.xxx.xxx.57 eq smtp
access-list 102 permit tcp any host xxx.xxx.xxx.57 eq www
access-list 102 permit tcp any host xxx.xxx.xxx.57 eq 443
access-list 102 permit udp host 213.94.190.236 eq domain host 213.94.226.57
access-list 102 permit udp host 213.94.190.194 eq domain host 213.94.226.57
access-list 102 deny ip 10.10.10.0 0.0.0.255 any
access-list 102 permit icmp any host 213.94.226.57 echo-reply
access-list 102 permit icmp any host 213.94.226.57 time-exceeded
access-list 102 permit icmp any host 213.94.226.57 unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
!

HTH,

Toshi
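Added example, not part of the original thread or of any poster's configuration: PPTP needs both the TCP 1723 control channel and GRE (IP protocol 47) for the tunnel, so an ACL that permits only the former lets the server see the connection while the tunnel traffic is dropped. The script below checks an IOS extended ACL for that gap; the function names are hypothetical, the ACL text uses constructed documentation addresses, and address matching is simplified as noted in the comments.

```python
import re

# IOS extended ACL entry: access-list <n> permit|deny <proto> <src> [eq p] <dst> [eq p]
ADDR = r"(any|host \S+|\S+ \S+)"
ENTRY = re.compile(
    rf"^access-list (\d+) (permit|deny) (\S+) {ADDR}(?: eq \S+)? {ADDR}(?: eq (\S+))?"
)

def parse(config, acl):
    """Return (action, proto, src, dst, dst_port) tuples for one ACL, in order."""
    rows = []
    for line in config.splitlines():
        m = ENTRY.match(line.strip())
        if m and m.group(1) == acl:   # remark lines do not match and are skipped
            rows.append(m.groups()[1:])
    return rows

def gre_allowed(rows, target):
    """First-match evaluation of GRE from an arbitrary client to `target`.
    Simplification: only entries with source `any` and a destination of
    `any` or exactly `target` are treated as matching."""
    for action, proto, src, dst, _ in rows:
        if proto in ("gre", "47", "ip") and src == "any" and dst in ("any", target):
            return action == "permit"
    return False                      # implicit deny at the end of every ACL

def pptp_gaps(config, acl):
    """Destinations that accept PPTP control (TCP 1723) but not the GRE tunnel."""
    rows = parse(config, acl)
    return [dst for action, proto, _, dst, port in rows
            if (action, proto, port) == ("permit", "tcp", "1723")
            and not gre_allowed(rows, dst)]

# Constructed sample ACLs (documentation addresses, not the poster's config).
BEFORE = """\
access-list 102 remark constructed example
access-list 102 permit tcp any host 192.0.2.58 eq 1723
access-list 102 permit tcp any host 192.0.2.57 eq smtp
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip any any log
"""
AFTER = BEFORE.replace(
    "access-list 102 permit tcp any host 192.0.2.57 eq smtp",
    "access-list 102 permit gre any host 192.0.2.58\n"
    "access-list 102 permit tcp any host 192.0.2.57 eq smtp",
)

if __name__ == "__main__":
    print("before:", pptp_gaps(BEFORE, "102"))
    print("after: ", pptp_gaps(AFTER, "102"))
```

The check reports only the host that has a TCP 1723 permit, so the GRE permit can stay scoped to that one destination rather than `any`.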

Great. Will update it tomorrow once I return to the office. Obviously I didn't cover all instances of the IP address. Oops. Thought it unwise to post details. Will let you know how I get on. Thanks. Denis

This worked. Managed to enter the line using the SDM. Thanks for all your help. Now I need to figure out why FTP isn't working.
