Problem configuring vpn client to the cisco router
  • Problem configuring vpn client to the cisco router

    Hi,

    I'm trying to configure VPN clients to connect to the router, but it doesn't work!!
    The users use the built-in VPN client from Microsoft, and it is configured to use PPTP and GRE, but I'm not sure.

    I also configured a site-to-site VPN, but it does work.

    Here I present the router config:

    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    no service dhcp
    !
    hostname marki
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 4096 debugging
    enable secret 5 XXXXXXXXXXXXXX
    enable password 7 XXXXXXXXXXXXXXXXXXXXX
    !
    username dorin password 7 XXXXXXXXXXXX
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication ppp default local
    aaa authorization network default none
    aaa session-id common
    ip subnet-zero
    ip cef
    no ip dhcp conflict logging
    ip dhcp excluded-address 192.168.8.1 192.168.8.100
    !
    ip dhcp pool pool1
    network 192.168.8.0 255.255.255.0
    default-router 192.168.8.2
    dns-server 2.169.193.1 192.168.8.4 2.169.193.2
    !
    !
    ip dhcp-server 192.168.8.2
    vpdn enable
    !
    vpdn-group 1
    ! Default PPTP VPDN group
    accept-dialin
    protocol pptp
    virtual-template 1
    !
    no ftp-server write-enable
    !
    !
    !
    !
    !
    !
    !
    interface Tunnel8
    description Tunel london Central
    ip unnumbered FastEthernet4
    ip route-cache flow
    no ip mroute-cache
    tunnel source FastEthernet4
    tunnel destination 195.176.113.218
    !
    interface Tunnel351
    description Tunel sucursal Brazil
    ip unnumbered FastEthernet4
    ip route-cache flow
    no ip mroute-cache
    tunnel source FastEthernet4
    tunnel destination 200.19.231.11
    !
    interface FastEthernet0
    no ip address
    !
    interface FastEthernet1
    no ip address
    !
    interface FastEthernet2
    no ip address
    !
    interface FastEthernet3
    no ip address
    !
    interface FastEthernet4
    ip address 110.16.172.3 255.255.255.252
    ip access-group 110 in
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface Virtual-Template1
    ip unnumbered FastEthernet4
    peer default ip address pool grupoIPclientePPTP
    no keepalive
    ppp authentication ms-chap ms-chap-v2
    !
    interface Vlan1
    ip address 192.168.8.2 255.255.255.0
    ip access-group 111 in
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    !
    ip local pool grupoIPclientePPTP 192.168.160.1 192.168.160.50
    ip default-gateway 200.xx.xx.194
    ip classless
    ip route 0.0.0.0 0.0.0.0 201.88.72.9
    ip route 192.168.0.0 255.255.0.0 Tunnel8
    ip route 192.168.1.0 255.255.255.0 Tunnel8
    ip route 192.168.5.0 255.255.255.0 Tunnel8
    ip route 192.168.8.0 255.255.255.0 Vlan1
    ip route 192.168.61.0 255.255.255.0 Tunnel351
    !
    no ip http server
    no ip http secure-server
    ip nat pool traduccion 212.16.122.3 212.16.122.3 netmask 255.255.255.252
    ip nat inside source list 100 pool traduccion overload
    ip nat inside source static tcp 192.168.8.7 25 110.16.172.3 25 extendable
    ip nat inside source static tcp 192.168.8.7 80 110.16.172.3 80 extendable
    ip nat inside source static tcp 192.168.8.7 110 110.16.172.3 110 extendable
    ip nat inside source static tcp 192.168.8.7 143 110.16.172.3 143 extendable
    ip nat inside source static tcp 192.168.8.7 5900 110.16.172.3 6007 extendable
    !
    access-list 100 permit ip 192.168.8.0 0.0.0.255 any
    access-list 110 permit ip 192.168.81.0 0.0.0.255 any
    access-list 110 permit ip host 200.69.231.161 any
    access-list 110 permit ip 194.140.64.0 0.0.31.255 any
    access-list 110 permit tcp any host 200.xx.xx.193 eq smtp
    access-list 110 permit tcp 195.76.213.240 0.0.0.15 any eq telnet
    access-list 110 permit gre host 195.76.213.250 host 200.xx.xx.193
    access-list 110 permit gre host 195.76.213.228 host 200.xx.xx.193
    access-list 110 permit gre any host 200.xx.xx.193
    access-list 110 permit tcp any host 200.xx.xx.193 eq 6007
    access-list 110 permit tcp any host 200.xx.xx.193 eq 80
    access-list 110 permit tcp any host 200.xx.xx.193 eq 443
    access-list 110 permit tcp any host 200.xx.xx.193 eq 143
    access-list 110 permit icmp any any echo-reply
    access-list 110 permit icmp any any echo
    access-list 110 permit icmp any any source-quench
    access-list 110 permit icmp any any time-exceeded
    access-list 110 deny icmp any any
    access-list 110 permit tcp any any established
    access-list 110 permit udp any any
    access-list 110 deny ip any any
    access-list 111 permit tcp 192.168.0.0 0.0.255.255 host 192.168.8.2 eq telnet
    access-list 111 permit tcp host 192.168.8.7 any
    access-list 111 permit tcp host 192.168.8.114 any
    access-list 111 permit tcp 192.168.0.0 0.0.255.255 any eq 80
    access-list 111 permit udp 192.168.0.0 0.0.255.255 any eq 53
    access-list 111 permit tcp 192.168.0.0 0.0.255.255 any eq 443
    access-list 111 permit tcp 192.168.0.0 0.0.255.255 any eq 5900
    access-list 111 permit ip host 192.168.8.102 any
    access-list 111 permit ip host 192.168.8.133 any
    access-list 111 permit icmp any any echo-reply
    access-list 111 permit icmp any any echo
    access-list 111 permit icmp any any source-quench
    access-list 111 permit icmp any any time-exceeded
    access-list 111 deny icmp any any
    access-list 111 permit tcp any any established
    access-list 111 deny ip any any
    !
    control-plane
    !
    !
    line con 0
    no modem enable
    transport preferred all
    transport output all
    line aux 0
    transport preferred all
    transport output all
    line vty 0 4
    password 7 XXXXXXXXXXX
    transport preferred all
    transport input all
    transport output all
    !
    scheduler max-task-time 5000
    end

    Any ideas why it doesn't work??

    Thanks a lot!

    juan

  • #2
    Re: Problem configuring vpn client to the cisco router

    Hmm, why do you have DHCP pools configured and:

    no service dhcp

    Also, you have routing enabled and this:

    ip default-gateway 200.xx.xx.194 (only used if ip routing is disabled)

    What is the status of your tunnels: up/down, up/up, etc.? Build your config using baby steps. Get it to a point where you have connectivity and then start adding to it. It makes it much easier to troubleshoot than adding a bunch of ACLs etc. and finding out it doesn't work.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)


    • #3
      Re: Problem configuring vpn client to the cisco router

      OK... I need to tell you a bit more... the VPN was working fine. The client hired me to harden the router. Before adding the two ACLs (110, 111) the VPN worked. Behind the router they don't use any firewall.

      thanks

      juan


      • #4
        Re: Problem configuring vpn client to the cisco router

        Add logging to your ACLs, then have clients try to connect. Look at the logs to see what's being blocked.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)


        • #5
          Re: Problem configuring vpn client to the cisco router

          You also need TCP port 1723 opened inbound, as PPTP uses TCP 1723 for the control port and the data is encapsulated via GRE.
          CCNA, CCNA-Security, CCNP
          CCIE Security (In Progress)
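          Added example (not from any poster in this thread): a small first-match evaluator for Cisco extended ACL lines, run over a constructed excerpt of the thread's ACL 110, to show why the PPTP control channel fails while GRE passes, and how the line suggested in #5 fixes it. The client address 203.0.113.5 is an assumption; the masked destination 200.xx.xx.193 is kept exactly as it appears in the posted config.

```python
import ipaddress

# Constructed excerpt of the thread's ACL 110 in posted order; the masked host is kept verbatim.
ACL_110 = [
    "access-list 110 permit gre any host 200.xx.xx.193",
    "access-list 110 permit tcp any host 200.xx.xx.193 eq 80",
    "access-list 110 permit tcp any any established",
    "access-list 110 permit udp any any",
    "access-list 110 deny ip any any",
]
# The line post #5 asks for, placed ahead of the catch-all entries.
ACL_110_FIXED = ACL_110[:2] + [
    "access-list 110 permit tcp any host 200.xx.xx.193 eq 1723"] + ACL_110[2:]

def _match_addr(tokens, i, addr):
    """Consume one address spec (any | host A | net wildcard) at tokens[i]."""
    if tokens[i] == "any":
        return True, i + 1
    if tokens[i] == "host":
        return tokens[i + 1] == addr, i + 2
    try:  # ipaddress accepts the IOS wildcard as a hostmask: 192.168.8.0/0.0.0.255
        net = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
        return ipaddress.ip_address(addr) in net, i + 2
    except ValueError:  # masked or unparseable address: no match
        return False, i + 2

def acl_permits(acl, proto, src, dst, dport=None, established=False):
    """First-match evaluation with the implicit deny. `established` is True only for
    segments with ACK/RST set (as on IOS), so a client's opening SYN never matches it."""
    for line in acl:
        t = line.split()
        action, rproto = t[2], t[3]
        if rproto not in ("ip", proto):
            continue
        ok, i = _match_addr(t, 4, src)
        if ok:
            ok, i = _match_addr(t, i, dst)
        rest = t[i:]
        if not ok or ("eq" in rest and dport != int(rest[rest.index("eq") + 1])):
            continue
        if "established" in rest and not established:
            continue
        return action == "permit"
    return False

def pptp_reachable(acl, router_ip, client_ip="203.0.113.5"):
    """A PPTP session needs both the TCP 1723 control channel and GRE inbound."""
    control = acl_permits(acl, "tcp", client_ip, router_ip, dport=1723)
    gre = acl_permits(acl, "gre", client_ip, router_ip)
    return {"tcp1723": control, "gre": gre, "pptp_ok": control and gre}
```

          With the posted ACL the GRE entry matches but the client's SYN to 1723 falls through `established` to the final deny; with the added entry both halves pass.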
