how to configure VPN on cisco router?

[heatstreak20]

Hello, I am currently trying to configure a cisco router for my company to allow VPN sessions. The VPN is handled on the server and employees use their AD login information to VPN. I believe it won't work right now because of NAT.

With a $100 linksys router they can VPN fine, but with the cisco router they cannot. The only thing I thought might work is adding an access group 101 that allows any tcp communication on port 1723 and gre on all addresses, but this did not help.


Here is the current configuration:
Current configuration : 1531 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Shaftdrillers
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 $1$WoI/$chsvq1pDwKPpgiKm827Xx.
!
no aaa new-model
!
resource policy
!
!
ip cef
no ip domain lookup
ip name-server 63.66.160.10
ip name-server 63.66.160.11
!
!
username admin privilege 15 password 0 admin
!
interface Ethernet0/0
description WAN
ip address 63.86.xx.203 255.255.255.0
ip access-group 101 in
ip nat outside
ip virtual-reassembly max-fragments 16 max-reassemblies 64 timeout 5
half-duplex
!
interface Ethernet0/1
description LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
full-duplex
!
router rip
network 192.168.1.0
!
ip http server
ip http authentication local
!
ip route 0.0.0.0 0.0.0.0 63.86.xx.xx
ip route 63.86.xx.0 255.255.255.0 0.0.0.0
ip route 192.168.1.0 255.255.255.0 0.0.0.0
ip route 192.168.3.0 255.255.255.0 192.168.1.254
!
ip nat translation tcp-timeout 600
ip nat translation udp-timeout 600
ip nat translation max-entries 25000
ip nat inside source list 7 interface Ethernet0/0 overload
!
logging 192.168.1.12
access-list 7 permit 192.168.1.0 0.0.0.255
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit ip any any

How can I configure the router to allow VPN and allow the user to use their AD login information to validate the VPN?



Thank you again for your help

 

[unclerico]

you want to use PPTP or IPSec??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[heatstreak20]

pptp sorry I forgot to specify

 

[heatstreak20]

My main problem here is creating a way to VPN using the active directory logon information, it has to be possible since the cheap router can do it. Can anyone point me in the right direction?


Thank you,
Derik VanPelt

 

[unclerico]

do you have a working radius server??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[StaplesMan]

Would I be correct in saying you are using "Routing and Remote access" on your server?

If this is correct then the Router is not the destination of the VPNs but the server is. So the Router simply needs to open the correct ports and point it to the server.

I also noticed that you stated port 1723 on your first post. So I will assume that's the port we need to open. If this is all correct then try this...

ip nat inside source static tcp {ip_of_server} 1723 63.86.xx.203 1723

CCNA, A+, HP Certified Professional

 

[heatstreak20]

Sorry it has taken so long to respond, I have been ill the past few days and have not been to work.

Yes we use routing and remote access on the server. I added:

ip nat inside source static tcp {ip_of_server} 1723 63.86.xx.203 1723

but it still does not work. After research I discovered that IP port 47 must foward GRE protocols, How would I achieve this?
when I tried using: inside source static gre it says invalid input detected at the g of gre

What is the correct syntax to foward port 47?


Thank you

 

[heatstreak20]

After doing some more research I have discovered its protocol 47, not port 47, but I am still unsure how to fix my problem.

I read on a forum that selecting to allow pptp takes care or protocol 47 but I am not sure if this is true or how to select to allow pptp.


Thank you once again for your help

 

[burtsbees]

router>en
router#conf t
router(config)#ip access-list exten 101
router(config-ext-nacl)#5 permit 47 any any
router(config-ext-nacl)#end
router#wr

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[StaplesMan]

At times it helps to be less secure and then to secure up. Remove the "ip access-group 101 in" on your FA0/0 and see if all works. If it works then you know there is an ACL issue that is blocking the connection. If it still does not connect then you know you need to open more ports. And more nat commands.

CCNA, A+, HP Certified Professional

 

[heatstreak20]

burtsbees, what does the 5 do in

router(config-ext-nacl)#5 permit 47 any any?

And will this enable the router to use IP protocol 47 for GRE?

 

[burtsbees]

The 5 is the sequence number, which puts that line before any other lines, since the first sequence number defaults to 10 when creating an extended acl the old-fashioned way.

Yes, it will permit protocol 47, GRE.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[heatstreak20]

Thank you burtsbees, VPN now works, changing the sequence number to 5 solved the problem.

Thank you again for your help