
2621 VPN Setup

Niall22 (IS-IT--Management), Jun 9, 2000
Does anyone know if this is possible using a 2621 router?

I need to set up a VPN server in a private network which is using NAT to access the Internet. I'm trying to create a static NAT translation on TCP port 1723 (the port that the PPTP protocol uses) which will allow me to run a VPN server in my private network that is still accessible across the Internet via my public IP address. This is similar to setting up an FTP server within my private network which is accessible to the Internet. I was able to accomplish that last week thanks to the people in this forum.

Currently I have set up RAS on a server in my private network to act as a VPN server. I can connect to it within my network, so I know it works. I have configured a static NAT translation from the global IP to the private IP for TCP port 1723. I have set up my firewall to accept TCP packets on port 1723 and also GRE packets, which are IP protocol 47 packets. No luck though. I'm attempting this so that I don't have to spend money on extra routers and IOS upgrades (IPSec) to create a VPN like Cisco recommends. If anyone can tell me how to accomplish this it would be great. If it's not possible, is there any other cheaper solution?

Thanks,
Niall
 
Niall,
What type of error messages are you receiving? Where is the data being dropped? Which side of your firewall is it being stopped at? Is there a firewall on the other side of the connection?

If I remember rightly, PPTP spawns ports, and I know that some firewalls (specifically Secure Computing Sidewinder) will not allow that. You can try creating a direct link from the outside of the firewall to that specific server and, once the connection is made, tighten it down until it stops working. By creating a direct link you will create a hole in the firewall to that server, bypassing all aspects of the firewall for that specific server. Without knowing what type of firewall it is, it is hard to say what options you have.

If you have created this on your RAS server, are you connecting using a direct dial-up connection to it, or are you trying to connect through your firewall? You really need to track the packet using a network analyzer and find out where it is getting dropped; then you can find out what is actually causing it to drop. Best I can do with the information. Hope this helps.

Rob
 
UPDATE:
Thanks for your help Rob. I am trying to connect through the Internet and must pass through my firewall. (Direct dial-up works fine, but the remote sites will be using cable Internet through @Home.)

I'm sorry that I forgot to mention which firewall I'm using. It's the Cisco IOS Firewall Feature Pack running directly on the router.
I have tried allowing a direct path to the host through the firewall, but there are still problems. I have been able to establish a connection to my RAS server using PPTP, but I cannot authenticate to it. I receive this error message:

Error 721: Remote PPP peer is not responding.

I don't think the problem is with the firewall (seeing how I temporarily disabled it); more than likely it's with the NAT translation. I have a static translation set up which seems to be working, but not 100%. I can connect to my RAS server but can't authenticate. I recently discovered that Cisco offers a VPN Client software package for Win95/98 and Windows NT 4.0. Has anyone used this before? In theory I should be able to use this client on a remote computer and connect to my router through an IPSec tunnel, which will then grant the remote computer access to the private network; is that correct? Of course I have to purchase the IPSec upgrade for the router first.

Thanks again for your help,
Niall
 
Niall,
We are testing this out right now, only using a Cisco PIX firewall. Actually I am working on getting the PIX configured right now, and we will try it tonight and see what happens. We are having it authenticate to a TACACS+ server for authentication. But you are right, in theory it should work. What version of IOS are you running on your router? I know that certain versions of the firewall feature pack are buggy. 12.0.5 is one of them that is terrible. I will tell you tomorrow how it works, or whether it does or not, using a PIX.

Rob
 
Sounds good Rob!
I hope the VPN Client works for you.
Wouldn't you know it, I am running IOS Version 12.0(5)T1 on the router currently.

I just received an e-mail from Cisco today regarding an IOS upgrade to add the IPsec feature. They informed me I had to purchase a feature pack upgrade (FL26-P-K2=) and then another pack which adds the encryption (S26CHK2-12007XK=). The reseller that my company usually purchases from doesn't have the required upgrades. Does anyone know of any good resellers that provide lots of Cisco products? (We're located in Canada.) I tried searching them out through Cisco's web site, but I couldn't find anyone useful.

Thanks again,
Niall
 
Niall,
How old is the router? If it is less than a year old, contact Cisco; a lot of times they will let you download the IOS for free. Give it a try; the worst they can say is no, but they are usually pretty good. I will let you know how it goes here.

Rob
 
Rob,
Seriously? The router is only 1 month old. We bought it from a reseller called Insight, not directly from Cisco, so are you sure they would do that? What e-mail address would I send a request like that to?

Niall
 
Best bet: call the Cisco TAC directly on the phone and tell them it is warranty work. You can get the number off the Cisco web site; explain what is going on and they should provide the download for you. One of our customers did the same thing, so give it a try.

Rob
 
I had the same problem with a 1604 running v12 IOS and a Cisco PIX firewall.
This is what worked for me.

incoming filter

Allow GRE any host public.ip.address
Allow tcp any host public.ip.address eq 1723

outgoing filter

Allow gre private.ip.address any host

Of course, if the address of the VPN client is static you can change "any host" to its static IP.

Note:
this only worked consistently when it was placed at the top of the access list (I have no clue why).
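The static translation from the original question and the GRE/1723 filter rules from the post above, written out as one Cisco IOS configuration. This is an added example, not configuration posted by anyone in this thread, and its names and addresses are assumptions: FastEthernet0/0 as the LAN side, Serial0/0 as the Internet side, 10.0.0.5 as the RAS server, and 203.0.113.10 as a second public address that the ISP routes to the router. The point it shows is that a port-specific static translation (`ip nat inside source static tcp ... 1723`) only ever matches TCP; the PPP session itself rides on GRE (IP protocol 47), which has no port numbers, so a one-to-one host translation is what covers both the control channel and the data channel. The inbound filter has to permit GRE explicitly: IOS access lists are first-match with an implicit deny at the end (which is why the permits need to sit above any broader deny), and the IOS Firewall's inspection (CBAC) only creates return entries for the TCP and UDP sessions it inspects, never for GRE.

```cisco
! Added example, not configuration from this thread. Assumed topology:
!   FastEthernet0/0 = private LAN 10.0.0.0/24, router address 10.0.0.1
!   Serial0/0       = Internet link, router address 203.0.113.1
!   10.0.0.5        = Windows RAS/PPTP server on the LAN
!   203.0.113.10    = extra public address routed to this router by the ISP
!
! 1. Static translation for the PPTP server. A port-specific entry such as
!      ip nat inside source static tcp 10.0.0.5 1723 203.0.113.10 1723
!    translates only the TCP 1723 control channel; GRE has no ports, so no
!    TCP/UDP entry can ever match it. A one-to-one host translation covers
!    TCP 1723 and the GRE data channel together.
ip nat inside source static 10.0.0.5 203.0.113.10
!
! 2. Overload (PAT) on the link address for everyone else on the LAN.
access-list 10 permit 10.0.0.0 0.0.0.255
ip nat inside source list 10 interface Serial0/0 overload
!
! 3. Inbound filter on the Internet interface. Evaluated first-match and
!    before NAT, so it matches the public (untranslated) address. The
!    implicit deny at the end drops everything else; keep these permits
!    above any broader deny or they are never reached.
ip access-list extended FROM-INTERNET
 remark PPTP control channel to the RAS server
 permit tcp any host 203.0.113.10 eq 1723
 remark PPTP data channel (GRE, IP protocol 47) to the RAS server
 permit gre any host 203.0.113.10
 remark replies to LAN-initiated TCP/UDP sessions are added by inspection
!
! 4. IOS Firewall (CBAC) inspection for sessions leaving the LAN. It opens
!    temporary return entries for inspected TCP/UDP sessions only; it does
!    not inspect GRE, which is why the explicit "permit gre" above is needed.
ip inspect name LAN-OUT tcp
ip inspect name LAN-OUT udp
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip inspect LAN-OUT in
!
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
 ip access-group FROM-INTERNET in
```

To check it while a client connects from outside, `show ip nat translations` should list both a tcp entry for 10.0.0.5:1723 and a gre entry for 10.0.0.5 against 203.0.113.10, and `show access-lists` should show the match counters on both permit lines climbing. If the tcp entry appears and the gre entry never does, the control channel is getting through but the PPP session is not, which matches a server that accepts the connection and then never answers the PPP negotiation. If the only public address available is the link address itself, a one-to-one translation is not an option, and a port-specific entry cannot be written for GRE at all, so a dedicated public address for the server is the straightforward way to do this.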
 
hello Niall22 and sobak,

Could you provide me a sample config for a VPN between a Cisco 2610 and the Cisco Secure client? I am facing a problem in my config; I have put that question in this forum (dated 19 Feb 2002), showing the output of debug crypto isakmp.
 