Cisco 2600 & GRE

Status
Not open for further replies.

Billusa99

Technical User
Jun 13, 2003
6
US
Our setup:
Internet ---- ISP-managed-2600 ---- xx.xx.xx.194/Baystack InstantInternet400Firewall/192.168.10.1 ---- 192.168.10.28-W2K VPN Svr ---- switch ---- W2K Domain w/ AD/DNS/WINS/DHCP.

We are attempting to get a VPN working. Port 1723 is defined in port mappings in the Instant Internet400. 1723 and IP protocol 47 (GRE) are NAT'ed in the InstantInternet 400, from xx.xx.xx.197 to 192.168.10.28 of the Win2K VPN server.

I have also set up filters to allow IP 47 & port 1723 in the II400 to the external IP we will connect to:
filter eth2 allow tcp source xx.xx.xx.197:1723 dest 192.168.10.28:1723
filter eth2 allow ip source xx.xx.xx.197:47 dest 192.168.10.28:47

I can connect and authenticate via the VPN connection within our network. I can do an MS PPTPPing within the network and PPTP and GRE are passed back and forth correctly at each end. When I do that from the outside, GRE is not passed. As a result, I cannot authenticate and error out w/ 721 at username & pswd checking.

In searching this forum, I see that there are command lines for allowing GRE through, but all those posts are in the context of a 2600 being used for NAT... not the 'pass-thru' scenario we are in.

The ISP says that "they are not blocking anything" so I am stumped. Is there a command line, or something that I can specifically have them verify, to ensure the 2600 is allowing GRE through to us? Or, am I barking up the wrong tree?!

 
Maybe you need
filter eth2 allow 47 source xx.xx.xx.197 dest 192.168.10.28

instead of
filter eth2 allow ip source xx.xx.xx.197:47 dest 192.168.10.28:47
 
Thanks... made no difference. Since nobody seems to have an answer if the 2600 has to be '47 GRE' enabled in my pass-thru scenario, I think I'll bypass the II40 and go directly into a 2nd NIC on the VPN server just to make sure that it's not (somehow??) being blocked by the firewall.

This thing is driving me crazy... ;-(
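
Added example, not part of the original thread: a small Python check that reads raw IPv4 packets captured on the VPN server and reports which PPTP leg is missing, matching the symptom described above (TCP 1723 works, GRE does not arrive). The function names, the client address 203.0.113.50 and the sample capture are constructed for illustration.

```python
import struct
from collections import defaultdict

GRE, TCP, PPTP_PORT = 47, 6, 1723  # IP protocol numbers and the PPTP control port

def classify(pkt: bytes):
    """Return (src, dst, kind) for a raw IPv4 packet; kind is 'pptp-ctl', 'gre' or None."""
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = pkt[9]                     # IP protocol field
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    if proto == GRE:
        # GRE rides directly on IP: it has no port field for a filter to match.
        return src, dst, "gre"
    if proto == TCP:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if PPTP_PORT in (sport, dport):
            return src, dst, "pptp-ctl"
    return src, dst, None

def diagnose(packets, server):
    """Summarise which PPTP legs reached or left `server` in a capture."""
    seen = defaultdict(bool)
    for pkt in packets:
        src, dst, kind = classify(pkt)
        if kind and server in (src, dst):
            seen[(kind, "in" if dst == server else "out")] = True
    if not seen[("pptp-ctl", "in")]:
        return "no TCP/1723 reaching server"
    if not seen[("gre", "in")]:
        return "control channel up, inbound GRE (IP protocol 47) missing"
    if not seen[("gre", "out")]:
        return "server not sending GRE"
    return "both PPTP legs present"

def ipv4(src, dst, proto, payload=b""):
    """Build a minimal constructed IPv4 packet (checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
    return hdr + bytes(map(int, src.split("."))) + bytes(map(int, dst.split("."))) + payload

def tcp(sport, dport):
    """Constructed TCP header stub: real ports, remaining fields zeroed."""
    return struct.pack("!HH", sport, dport) + bytes(16)

# Constructed sample capture: control channel both ways, GRE only outbound.
SERVER, CLIENT = "192.168.10.28", "203.0.113.50"
capture = [ipv4(CLIENT, SERVER, TCP, tcp(40000, 1723)),
           ipv4(SERVER, CLIENT, TCP, tcp(1723, 40000)),
           ipv4(SERVER, CLIENT, GRE, bytes(8))]
```

If `diagnose(capture, SERVER)` reports inbound GRE missing while the same check on an internal client shows both legs, the drop is happening on a device in front of the server.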
 