Hi,
We are having problems getting VPN Pass Through to work on a Cisco 828 SDSL Router.
The Windows Server 2003 SBS is configured to allow VPN connections. On our old ADSL (Draytek ADSL modem) the system works perfectly and forwarding port 1723 allows people to log in to the VPN and use the network remotely.
Purchased new SDSL line and Cisco 828 SDSL Router. Configured port 1723 and GRE (see config below).
When a client tries to connect it verifies username and password and then returns Error 721 - No response from server (suggesting that GRE is not being handled correctly).
All clients are Windows XP Pro with all service packs and patches.
Have read various posts and comments about this error, but all the suggestions state forward 1723 and enable GRE, which has been done.
Does GRE need to be enabled on the outgoing access list, which I assume is access-list 1?
I have a reasonable understanding of networking and routing but this is the first Cisco router I have had to work with.
Any suggestions or help are gratefully received.
===================================================
Network Diagram
===================================================
Internet
|
| (83.X.Y.Z)
CISCO 828 SDSL Router
| (192.168.1.1)
|
| (192.168.1.2)
Windows Server 2003 SBS
| (192.168.32.10)
|
Switch
| | |
Local network / workstations
===================================================
CISCO 828 Router Config
===================================================
Current configuration : 2470 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname i-83-X-Y-Z
!
boot-start-marker
boot system flash c828-oy6-mz.123-11.T3.bin
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxx
!
username admin password 7 xxxxxxxxxxxx
no aaa new-model
ip subnet-zero
!
!
ip cef
ip domain name myisp.net
ip name-server 194.X.Y.Z
ip name-server 194.X.Y.Z
ip inspect udp idle-time 180
ip inspect tcp idle-time 7500
ip inspect name f2s sip
ip inspect name f2s ftp
ip inspect name f2s icmp
ip inspect name f2s tcp
ip inspect name f2s udp
!
!
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl equipment-type CPE
 dsl operating-mode GSHDSL symmetric annex B
 dsl linerate AUTO
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Dialer1
 ip address negotiated
 ip access-group 150 in
 ip accounting output-packets
 ip nat outside
 ip inspect f2s out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxxxxxxxx
 ppp chap password 7 xxxxxxxxxxxxxxx
 ppp pap sent-username xxxxxxxxx password 7 xxxxxxxxxxxxxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.2 443 83.X.Y.Z 443 extendable
ip nat inside source static udp 192.168.1.2 443 83.X.Y.Z 443 extendable
ip nat inside source static tcp 192.168.1.2 1723 83.X.Y.Z 1723 extendable
ip nat inside source static udp 192.168.1.2 1723 83.X.Y.Z 1723 extendable
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 150 permit tcp any host 83.X.Y.Z eq 443
access-list 150 permit udp any host 83.X.Y.Z eq 443
access-list 150 permit tcp any host 83.X.Y.Z eq 1723
access-list 150 permit udp any host 83.X.Y.Z eq 1723
access-list 150 permit gre any host 83.X.Y.Z
access-list 150 deny ip any any
snmp-server enable traps tty
no cdp run
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 transport preferred none
 transport output none
 stopbits 1
line vty 0 4
 exec-timeout 120 0
 password 7 xxxxxxxxxxxxxxxx
 login
 length 0
 transport preferred none
 transport input telnet
 transport output none
!
scheduler max-task-time 5000
end
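
An added example, not part of the original post: a small Python audit of the NAT and ACL lines above against the two flows PPTP needs, the TCP 1723 control channel and the GRE (IP protocol 47) data channel. The config excerpt is copied from the post; the function name `pptp_coverage` is an assumption of this example, and the output describes what the configuration covers rather than diagnosing Error 721.

```python
import re

# Constructed sample: the NAT and ACL lines from the posted config, with the
# masked public address 83.X.Y.Z kept as a placeholder string.
CONFIG = """\
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.2 443 83.X.Y.Z 443 extendable
ip nat inside source static udp 192.168.1.2 443 83.X.Y.Z 443 extendable
ip nat inside source static tcp 192.168.1.2 1723 83.X.Y.Z 1723 extendable
ip nat inside source static udp 192.168.1.2 1723 83.X.Y.Z 1723 extendable
access-list 150 permit tcp any host 83.X.Y.Z eq 443
access-list 150 permit udp any host 83.X.Y.Z eq 443
access-list 150 permit tcp any host 83.X.Y.Z eq 1723
access-list 150 permit udp any host 83.X.Y.Z eq 1723
access-list 150 permit gre any host 83.X.Y.Z
access-list 150 deny ip any any
"""

NAT_PORT = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
NAT_HOST = re.compile(r"^ip nat inside source static (\S+) (\S+)\s*$")
ACL = re.compile(r"^access-list (\d+) permit (\S+) any host (\S+)(?: eq (\d+))?")

def pptp_coverage(config, acl_id="150"):
    """Report how the inbound ACL and static NAT treat PPTP's two flows."""
    acl, nat = set(), set()
    for line in map(str.strip, config.splitlines()):
        if m := NAT_PORT.match(line):
            nat.add((m[1], int(m[3])))      # port-specific mapping
        elif NAT_HOST.match(line):
            nat.add(("ip", None))           # whole-address mapping, any protocol
        elif (m := ACL.match(line)) and m[1] == acl_id:
            acl.add((m[2], int(m[4]) if m[4] else None))
    def hit(table, proto, port):
        return (proto, port) in table or (proto, None) in table or ("ip", None) in table
    # PPTP = control channel on TCP 1723 + data channel in GRE (IP protocol 47).
    flows = {"control tcp/1723": ("tcp", 1723), "data gre": ("gre", None)}
    report = {name: {"acl_permit": hit(acl, *f), "static_nat": hit(nat, *f)}
              for name, f in flows.items()}
    # PPTP never uses UDP 1723, so those entries only widen exposure.
    report["unneeded"] = sorted(k for k in ("acl", "nat")
                                if ("udp", 1723) in {"acl": acl, "nat": nat}[k])
    return report

if __name__ == "__main__":
    for key, value in pptp_coverage(CONFIG).items():
        print(key, value)
```

Because GRE carries no port numbers, the port-based `static tcp`/`static udp` entries cannot describe it, which is why the report shows the GRE flow permitted by access-list 150 but without a static NAT entry of its own.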