VPN Connectivity Issue from Behind 1720 Router

STF26

IS-IT--Management
Dec 9, 2003
130
US
Hello Everyone!!! We have a customer that is having an issue with connecting to one of their customers from behind their 1720 series router with the Firewall Feature Set. Their customer is running a Cisco PIX 506e and they have a Windows 2000 server providing RADIUS authentication with IAS. When our customer tries to connect to the PIX the tunnel forms; however, when they try to authenticate to the RADIUS server the connection fails. (Using Cisco 4.0.5 Client.) The system admin on the other side indicates that he sees neither a failure nor a success in the IAS logs. He also told me that they have NAT traversal enabled on the PIX. I think that there is something that needs to be changed on the 1721, however I am not sure where to start. The 1720 allows PPTP and L2TP to pass, FYI.
 
Would need to see the config to be of any help.
 
Building configuration...

Current configuration : 5054 bytes
!
version 12.2
service timestamps debug datetime
service timestamps log datetime
no service password-encryption
!
hostname
!
logging buffered 4096 notifications
logging console warnings
enable password

memory-size iomem 25
clock timezone EST -5
ip subnet-zero
no ip domain-lookup
ip domain-name
ip name-server 12.127.16.67
ip name-server 12.127.17.71
ip dhcp ping packets 0
!
ip inspect name * tcp
ip inspect name * udp
ip inspect name * tftp
ip inspect name * ftp
ip audit notify log
ip audit po max-events 100
ip audit name * attack action alarm drop reset
ip cef
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
modemcap entry usrmodem:MSC=&FS0=1&C1&D3&H1&R2&B1
!
cns event-service server
!
!
!
interface FastEthernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip inspect * in
ip route-cache flow
speed 100
full-duplex
no cdp enable
!
interface Serial0
bandwidth 1544
ip address *
ip access-group infilter in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
ip nat outside
ip audit * in
encapsulation ppp
ip route-cache flow
fair-queue
service-module t1 timeslots 1-24
no cdp enable
!
interface Virtual-Template1
ip unnumbered FastEthernet0
no keepalive
peer default ip address pool test
ppp encrypt mppe auto
ppp authentication pap chap ms-chap
!
ip local pool test 192.168.1.214 192.168.1.218
ip nat translation timeout 30
ip nat inside source list 1 interface Serial0 overload
ip nat inside source static 192.168.1.1 *
ip nat inside source static 192.168.1.45 *
ip nat inside source static 192.168.1.48 *
ip nat inside source static 192.168.1.50 *
ip nat inside source static 192.168.1.53 *
ip nat inside source static 192.168.1.55 *
ip nat inside source static 192.168.1.72 *
ip nat inside source static 192.168.1.17 *
ip nat inside source static 192.168.1.160 *
ip nat inside source static 192.168.1.110 *
ip nat inside source static 192.168.1.82 *
ip nat inside source static 192.168.1.156 *
ip nat inside source static 192.168.1.206 *
ip nat inside source static 192.168.1.141 *
ip nat inside source static 192.168.1.66 *
ip nat inside source static 192.168.1.87 *
ip nat inside source static 192.168.1.122 *
ip nat inside source static 192.168.1.103 *
ip nat inside source static 192.168.1.152 *
ip nat inside source static 192.168.1.108 *
ip nat inside source static 192.168.1.242 *
ip nat inside source static 192.168.1.202 *
ip nat inside source static 192.168.1.56 *
ip nat inside source static 192.168.1.121 *
ip nat inside source static 192.168.1.63 *
ip nat inside source static 192.168.1.33 *
ip nat inside source static 192.168.1.154 *
ip nat inside source static 192.168.1.167 *
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 192.168.0.0 255.255.0.0 192.168.1.30
no ip http server
!
!
ip access-list extended infilter
permit tcp 12.161.232.0 0.0.0.127 host 12.119.104.82 eq telnet
permit tcp any host * eq smtp
permit tcp any host * eq 443
permit tcp any host * eq 443
permit tcp any host * eq 3320
permit tcp any host * eq 5631
permit udp any host * eq 5632
deny tcp any host * eq 3389
deny tcp any host * eq 3389
deny tcp any host * eq 3389
permit tcp any * 0.0.0.255 eq 3389
permit esp any any
permit ahp any any
permit gre any any
permit tcp any any eq 1723
permit icmp any host * echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any administratively-prohibited
permit icmp any any packet-too-big
permit icmp any any unreachable
permit udp any host * eq ntp
permit udp host * eq domain host *
deny ip any any
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 10.0.0.0 0.255.255.255
no cdp run
!
line con 0
exec-timeout 15 0
line aux 0
login local
modem InOut
modem autoconfigure type usrmodem
transport input all
autoselect during-login
autoselect ppp
speed 115200
flowcontrol hardware
line vty 0 4
exec-timeout 15 0
password *
login
!
no scheduler allocate
sntp server *
sntp server *
sntp server *
ntp server *
end

 
The following item on the serial may be causing a problem. I have had issues with it before. Try removing it and test. If that does not work then I would suggest enabling terminal monitor and use the appropriate debug commands and watch for errors. It is probably something in the firewall that is killing it. You could also use a syslog server to capture the router output. There is a good free tool available from:
 
interface Serial0
no ip unreachables

Sorry, forgot to post this. "no ip unreachables" may be a slight problem.
 
After all this troubleshooting, here is the fix:

When reviewing the logging we determined that the 1720 was reporting back an IP conflict. It turns out that the IT manager had given the person who was using the VPN client a Linksys WRT54G to use as a switch, not realizing that it uses the 192.168.1.1 address by default. Once we removed the WRT54G the VPN started to work.
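
One way to catch this kind of conflict from the router's own logging, as an added example that is not from the thread: a Python script that parses the posted 1720 config for the addresses the router relies on (the FastEthernet0 address, the "test" VPN pool, the static-NAT inside hosts) and correlates them with %IP-4-DUPADDR syslog messages, so the operator sees which router function the rogue device is stepping on. The config excerpt and syslog lines below are constructed from the thread's addresses; the offending MAC address is made up.

```python
import ipaddress
import re

# Constructed excerpt modelled on the 1720 config posted in this thread.
IOS_CONFIG = """\
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
!
ip local pool test 192.168.1.214 192.168.1.218
ip nat inside source static 192.168.1.45 *
"""
# Constructed syslog capture in the shape IOS uses for a duplicate address.
SYSLOG = """\
Dec  9 10:02:11: %IP-4-DUPADDR: Duplicate address 192.168.1.1 on FastEthernet0, sourced by 0013.1012.abcd
Dec  9 10:02:41: %IP-4-DUPADDR: Duplicate address 192.168.1.1 on FastEthernet0, sourced by 0013.1012.abcd
Dec  9 10:03:05: %SYS-5-CONFIG_I: Configured from console by console
"""
DUPADDR = re.compile(r"%IP-4-DUPADDR: Duplicate address (\S+) on (\S+), sourced by (\S+)")

def ip_range(first, last):
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]

def router_owned_addresses(config):
    """Map interface, VPN-pool and static-NAT inside addresses to the role each plays."""
    owned, iface = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split()[1]
        elif line.startswith("!"):
            iface = None  # end of the interface block
        if iface and (m := re.match(r"\s*ip address (\S+) \S+", line)):
            owned[m.group(1)] = f"interface {iface}"
        elif m := re.match(r"ip local pool (\S+) (\S+) (\S+)", line):
            for ip in ip_range(m.group(2), m.group(3)):
                owned[ip] = f"vpn pool {m.group(1)}"
        elif m := re.match(r"ip nat inside source static (\S+)", line):
            owned[m.group(1)] = "static NAT inside host"
    return owned

def duplicate_address_report(config, syslog):
    """Correlate %IP-4-DUPADDR messages (keyed by the offending MAC) with the config."""
    owned = router_owned_addresses(config)
    macs_by_ip = {}
    for line in syslog.splitlines():
        if m := DUPADDR.search(line):
            ip, _iface, mac = m.groups()
            macs_by_ip.setdefault(ip, set()).add(mac)
    return {ip: {"offending_macs": sorted(macs), "router_role": owned.get(ip, "not router-owned")}
            for ip, macs in macs_by_ip.items()}
```

Against the constructed capture this reports 192.168.1.1, the FastEthernet0 address, as duplicated by a single MAC, which is exactly the rogue-switch symptom described in the fix; a report entry for a pool address would instead point at a VPN client clashing with a LAN host.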
