I am having some trouble with an 871w. Currently I have no firewall configured, I am using NAT. The router is connected to a residential cable modem. The issue I am having is that a client of mine is unable to connect to his work VPN from a PC behind the 871. I try to connect to my work VPN (Windows as the client software) and I am able to create a connection but the dialog box will not pass the "Verifying Username and Password" portion. If I connect directly to the modem bypassing the router I have no trouble logging into the VPN. The router is blocking something. I assume it must have something to do with NAT. Any ideas?
I think you are correct about GRE being the issue. The router is running advipservicesk9 12.4. I do not have access to the router currently so I cannot check the translation tables. I set up my lab 2621xm, which doesn't have the same issue as the 871, and added an ACL that blocks GRE inbound and experienced the same behavior as when I try to connect through the 871. So, since there isn't an ACL on the 871 that is blocking GRE, how would I go about telling it to pass? I am not going to be back onsite until Wednesday. I do have remote access to the router but I don't know how I could test this without calling the client up and asking them to connect... they aren't at the location anyway.
If the router has no ACLs, there's no reason it will be blocking the traffic. But, if it's doing PAT, please look at the link that halijenn posted.
If you want to see if the traffic is passing through the router, one way to do it is:
access-list 199 permit tcp host x.x.x.x host x.x.x.x eq 1723
access-list 199 permit gre host x.x.x.x host x.x.x.x
access-list 199 permit ip any any
You can enable the above ACL inbound on the inside interface of the router. You can modify the list to check if the traffic is passing through the router and exiting the outside interface, and to see if it's coming back as well. Just change x.x.x.x with the IPs in question.
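An added example, not code from the thread: it fills the x.x.x.x placeholders of the diagnostic ACL above and reads back the per-entry hit counters from a constructed "show access-lists 199" output, so you can tell which PPTP leg (the TCP 1723 control connection or the GRE tunnel) is actually reaching the inside interface. The client address 192.168.20.5 and server address 203.0.113.10 are assumptions.

```python
import re

# Constructed sample of "show access-lists 199" output; it is not from the
# thread. The counts are invented to mirror the symptom reported later:
# GRE is matching, TCP 1723 is not (IOS omits "(N matches)" for untouched entries).
SAMPLE_SHOW_ACL = """\
Extended IP access list 199
    10 permit tcp host 192.168.20.5 host 203.0.113.10 eq 1723
    20 permit gre host 192.168.20.5 host 203.0.113.10 (37 matches)
    30 permit ip any any (18422 matches)
"""

def build_pptp_check_acl(client_ip, vpn_server_ip, acl_num=199):
    """Fill the x.x.x.x placeholders of the diagnostic ACL from the answer
    with a given inside client (PPTP caller) and the VPN server address."""
    return [
        f"access-list {acl_num} permit tcp host {client_ip} host {vpn_server_ip} eq 1723",
        f"access-list {acl_num} permit gre host {client_ip} host {vpn_server_ip}",
        f"access-list {acl_num} permit ip any any",
    ]

# One ACE line: sequence number, "permit", protocol, anything, optional hit count.
ACE_RE = re.compile(r"^\s*\d+\s+permit\s+(?P<proto>\w+)\s.*?(?:\((?P<hits>\d+) matches\))?\s*$")

def parse_acl_hits(show_output):
    """Map each permit entry's protocol to its match counter (0 if none shown)."""
    hits = {}
    for line in show_output.splitlines():
        m = ACE_RE.match(line)
        if m:
            hits[m.group("proto")] = int(m.group("hits") or 0)
    return hits

def diagnose_pptp(hits):
    """PPTP needs both a TCP 1723 control connection and GRE (IP protocol 47)
    tunnel traffic; report which leg the inside-interface counters show."""
    tcp_seen, gre_seen = hits.get("tcp", 0) > 0, hits.get("gre", 0) > 0
    if tcp_seen and gre_seen:
        return "both legs seen: PPTP control and GRE tunnel traffic reached the router"
    if gre_seen:
        return "GRE seen but no TCP 1723 matched: re-check the client/server hosts in the ACL"
    if tcp_seen:
        return "TCP 1723 seen but no GRE: the tunnel leg is not being carried (PAT and GRE)"
    return "no PPTP traffic matched: verify the addresses in the ACL before blaming NAT"

if __name__ == "__main__":
    print("\n".join(build_pptp_check_acl("192.168.20.5", "203.0.113.10")))
    counters = parse_acl_hits(SAMPLE_SHOW_ACL)
    print(counters, "->", diagnose_pptp(counters))
```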
The link provided shows that the only configuration on the remote router ("Router Light", equivalent to my 871) in regards to ACLs is NAT. The document goes on to show that I would need to do static mapping on the router connected to the VPN server, not the client router. I may not be understanding the document correctly but it seems to me that there really is nothing configured on the client side router other than NAT/PAT which is exactly what I have going on now.
I know it isn't anything wrong with the server side router, as it can be connected to by simply bypassing the 871 and going directly into the modem. So it has to be NAT that is somehow preventing PPTP from functioning. I will try the debugging methods mentioned. I wish I had an 871 here at home with me to test with!
I am still having trouble connecting to the VPN server. I have tried the ACL and noticed that while I am connecting to the VPN GRE packets are passing, but I am not seeing anything on port 1723. I am still not able to connect through the router to the VPN server. Below is my config, please if anyone can see why I wouldn't be able to connect to the server let me know. Could it have something to do with CHAP? It isn't the ISP or the remote side as they work when the router is bypassed.
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.100
ip dhcp excluded-address 192.168.1.254
ip dhcp excluded-address 192.168.20.1 192.168.20.200
ip dhcp excluded-address 192.168.10.1 192.168.10.200
!
ip dhcp pool VLAN20_DHCP
   network 192.168.20.0 255.255.255.0
   default-router 192.168.20.1
   dns-server 192.168.20.1
   domain-name warburton
!
ip dhcp pool VLAN10_DHCP
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.1
   dns-server 192.168.10.1
   domain-name domain
!
!
ip cef
ip domain name domain
ip name-server 22.214.171.124
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
 switchport mode trunk
!
interface FastEthernet1
 shutdown
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface FastEthernet4
 ip address dhcp
 ip access-group 100 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip http server
ip http secure-server
!
!
ip dns server
ip nat inside source static tcp 192.168.20.23 41795 interface FastEthernet4 41809
ip nat inside source list NAT_ADDRESSES interface FastEthernet4 overload
ip nat inside source static tcp 192.168.20.2 41795 interface FastEthernet4 41795
ip nat inside source static tcp 192.168.20.50 41795 interface FastEthernet4 41800
ip nat inside source static tcp 192.168.20.10 41795 interface FastEthernet4 41802
ip nat inside source static tcp 192.168.20.11 41795 interface FastEthernet4 41803
ip nat inside source static tcp 192.168.20.12 41795 interface FastEthernet4 41804
ip nat inside source static tcp 192.168.20.13 41795 interface FastEthernet4 41805
ip nat inside source static tcp 192.168.20.20 41795 interface FastEthernet4 41806
ip nat inside source static tcp 192.168.20.21 41795 interface FastEthernet4 41807
ip nat inside source static tcp 192.168.20.22 41795 interface FastEthernet4 41808
ip nat inside source static tcp 192.168.20.30 41795 interface FastEthernet4 41810
ip nat inside source static tcp 192.168.20.31 41795 interface FastEthernet4 41811
ip nat inside source static tcp 192.168.20.32 41795 interface FastEthernet4 41812
ip nat inside source static tcp 192.168.20.33 41795 interface FastEthernet4 41813
ip nat inside source static tcp 192.168.20.34 41795 interface FastEthernet4 41814
!
ip access-list standard NAT_ADDRESSES
 permit 192.168.1.0 0.0.0.255
 permit 192.168.10.0 0.0.0.255
!
access-list 100 permit ip any any
!
!
!
!