VPN Routing

Status
Not open for further replies.

Namekian (IS-IT--Management), Nov 5, 2004
Hey, I was wondering if this would work for creating a VPN server through a Cisco 2621 router.
The server is a Windows 2000 Server box.
! LAN side: two /26 subnets on one interface, inbound filter "LAN"
interface FastEthernet0/0
 ip address 172.16.4.145 255.255.255.192
 ip address 172.16.4.12 255.255.255.192 secondary
 ip access-group LAN in
 ip nat inside
 no shut
!
! Internet side
interface FastEthernet0/1
 ip address 64.45.175.xxx 255.255.255.248
 ip nat outside
 no shut
!
exit
!
! Hosts matched by ACL 102 share the outside interface address (PAT)
access-list 102 permit ip 172.16.0.0 0.0.255.255 any
ip nat inside source list 102 interface FastEthernet0/1 overload
ip route 64.45.175.xxx 255.255.255.0 FastEthernet0/1
ip route 64.45.175.yyy 255.255.255.0 172.16.4.147
ip route 0.0.0.0 0.0.0.0 64.45.175.xxx
ip route 0.0.0.0 0.0.0.0 64.45.175.zzz
ip route 0.0.0.0 0.0.0.0 64.45.175.aaa
ip route 0.0.0.0 0.0.0.0 64.45.175.bbb
ip route 0.0.0.0 0.0.0.0 64.45.175.ccc

172.16.4.147 is the internal IP address of the VPN server and 64.45.175.xxx is the gateway. Would this setup work, or do I have to open particular ports or something?
 
I am a little confused by your access-list 102 and it appears that the only interface with an access-group is your FastEthernet0/0. Just remember that there needs to be a static mapping and an access-list that allows the client to access tcp 1723 and GRE (protocol 47) on your server.
 
The ACL 102 is pretty much useless; I just didn't delete it from the config. The LAN ACL is routing certain internal IPs to certain public IPs.
example:
permit ip host 172.16.5.3 host 64.45.175.aaa
permit ip host 172.16.5.4 host 64.45.175.aaa
permit ip host 172.16.5.5 host 64.45.175.aaa
permit ip host 172.16.5.6 host 64.45.175.aaa
permit ip host 172.16.5.7 host 64.45.175.aaa
permit ip host 172.16.5.8 host 64.45.175.aaa
permit ip host 172.16.5.9 host 64.45.175.aaa

As far as the static mapping goes, would it go something like this:
ip nat inside static tcp 47 port ethernet0/0
access-list 101 permit tcp host 172.16.4.xxx host 64.45.175.yyy eq 1723

"ethernet0/1"
ip access-list 101 in

(I can't test it right now because I don't have access to the router at the moment)
 
ip nat inside source static tcp 172.16.4.147 1723 interface FastEthernet0/1 1723 would be one of the commands. However, you must also permit GRE, which might only be available on one-to-one mappings. Can you designate one entire public address to the VPN server?
 
Yes, I believe so. It is somewhat confusing. I have 5 public addresses, but because of the building I only have one line, and that line is connected to another switch somewhere in the building.
 
You can take one IP and statically map it to your server. Then make sure you permit the ports I mentioned earlier. Also, if all the IPs are on the same subnet, there is no need for all your default routes.
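Putting the two replies together, this is the shape the one-to-one static mapping, the inbound filter and the single default route would take on IOS. It is an added example, not configuration from the thread or from either poster. The public addressing is assumed, standing in for the masked values in the post: 64.45.175.8/29 with .9 as the provider gateway, .10 as the router's outside address and .11 as the address dedicated to the PPTP server; the ACL names NAT-OVERLOAD and OUTSIDE-IN are also made up here. 172.16.4.147 is the server address given in the post.

```cisco
! Added example (not from the thread). Assumed public addressing: 64.45.175.8/29,
! .9 = provider gateway, .10 = router outside address, .11 = public address
! dedicated to the PPTP server. 172.16.4.147 is the server as given in the post.
!
interface FastEthernet0/0
 description LAN
 ip address 172.16.4.145 255.255.255.192
 ip nat inside
!
interface FastEthernet0/1
 description Internet
 ip address 64.45.175.10 255.255.255.248
 ip access-group OUTSIDE-IN in
 ip nat outside
!
! One-to-one static NAT: every protocol to and from 64.45.175.11 is translated,
! including GRE (IP protocol 47), which carries no port numbers for a
! port-overload (PAT) rule to key on.
ip nat inside source static 172.16.4.147 64.45.175.11
!
! The rest of the LAN still shares the router's outside address. The server
! is excluded so the static entry, not PAT, handles its traffic.
ip access-list extended NAT-OVERLOAD
 deny   ip host 172.16.4.147 any
 permit ip 172.16.0.0 0.0.255.255 any
ip nat inside source list NAT-OVERLOAD interface FastEthernet0/1 overload
!
! Inbound filter on the outside interface. IOS checks an inbound ACL on the
! outside interface before outside-to-inside NAT, so the entries must match
! the public (global) address, not 172.16.4.147.
ip access-list extended OUTSIDE-IN
 permit tcp any host 64.45.175.11 eq 1723
 permit gre any host 64.45.175.11
 permit tcp any any established
 permit icmp any any echo-reply
 deny   ip any any log
!
! One default route toward the provider gateway replaces the five in the post.
ip route 0.0.0.0 0.0.0.0 64.45.175.9
```

To check it, `show ip nat translations` should list the static entry for 64.45.175.11 to 172.16.4.147 before any client connects, `show access-lists OUTSIDE-IN` shows hit counts on the 1723 and GRE lines as a client dials in, and a plain TCP connect to port 1723 from outside (for example `telnet 64.45.175.11 1723`) that succeeds while the tunnel still fails to come up points at GRE being dropped somewhere on the path. The `established` and `echo-reply` lines are only a minimal stand-in for return traffic of LAN-initiated sessions; where the IOS feature set allows it, stateful inspection (`ip inspect`) on the outside interface is the better tool. PPTP's own authentication and encryption are weak by current standards; the example covers the NAT and filtering mechanics only.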
 