Cisco router


  • Cisco router

    Hi

    Does anyone know if the Cisco 861 comes with the GRE protocol enabled?

    I am trying to set up a VPN from a Windows workgroup (no AD or DC).
    I am using RRAS in 2008 R2. I am attempting to connect, and I do receive a successful VPN link in the Event Viewer, but it fails to make the VPN connection. It complains about GRE blocked by firewall. I checked both the client and server and the firewall is off, but they have rules to allow the protocol to pass.

    Any advice would be greatly appreciated.

    Thank You

    Csaad72

  • #2
    Re: Cisco router

    You need to allow PPTP (TCP port 1723) and protocol 47 (GRE) inbound on the outside.

    access-list 100 permit tcp any eq 1723 any
    access-list 100 permit tcp any any eq 1723
    access-list 100 permit gre any any


    Are you running CBAC or ZBFW on the router?
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)


    • #3
      Re: Cisco router

      I believe neither, but I am not sure. This was managed by another company and they won't look at it because they don't believe it is on their side. I do have access to the router and am able to make changes.

      Please advise me on where to look for these modes.

      Thank You


      • #4
        Re: Cisco router

        Please post a sanitized config so I can take a look.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)


        • #5
          Re: Cisco router

          ip nat inside source static tcp 192.168.0.7 1723 x.x.x.x 1723 route-map RMAP_NAT extendable
          ip nat inside source static 192.168.0.8 x.x.x.x route-map RMAP_NAT extendable
          ip nat inside source static 192.168.0.9 x.x.x.x route-map RMAP_NAT extendable
          ip route 0.0.0.0 0.0.0.0 206.47.180.161 permanent
          !
          access-list 100 remark LOCAL_NAT
          access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.3
          access-list 100 deny ip host 192.168.0.3 192.168.0.0 0.0.0.255
          access-list 100 permit ip 192.168.0.0 0.0.0.255 any
          access-list 101 remark INSIDE_OUT
          access-list 101 deny ip host 255.255.255.255 any
          access-list 101 deny ip 127.0.0.0 0.255.255.255 any
          access-list 101 permit ip any any
          access-list 102 remark OUTSIDE_IN
          access-list 102 permit ip any host x.x.x.x
          access-list 102 permit ip any host x.x.x.x
          access-list 102 permit udp any any eq bootps
          access-list 102 permit udp any any eq bootpc
          access-list 102 permit udp any any eq domain
          access-list 102 permit gre any any
          access-list 102 permit esp any any
          access-list 102 permit ahp any any
          access-list 102 permit udp any any eq isakmp
          access-list 102 permit udp any any eq non500-isakmp
          access-list 102 permit tcp any any eq 22
          access-list 102 permit tcp any any eq 1723
          access-list 102 permit icmp any any
          access-list 102 permit udp x.x.x.x x.x.x.x any
          access-list 102 permit udp x.x.x.x x.x.x.x any
          access-list 102 permit udp any x.x.x.x 0.0.0.63
          access-list 102 permit udp any x.x.x.x.0 0.0.0.63
          access-list 102 deny ip any any


          Thanks for your help.


          • #6
            Re: Cisco router

            You have GRE and PPTP allowed through the router so that config looks fine. I would have a look at the server and client again.
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)
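
The check discussed in posts #2 and #6 (are TCP 1723 and GRE permitted before the closing deny?), as an added example that is not part of the thread or any poster's code: a first-match evaluator for a small subset of IOS extended ACL syntax, run over constructed ACLs modelled on post #5. The function names, sample addresses and the syntax subset handled are assumptions of the example.

```python
import ipaddress

PORTS = {"domain": 53, "isakmp": 500, "non500-isakmp": 4500}  # named ports; others are numeric
# Constructed samples modelled on ACL 102 in post #5 (any/host/wildcard + eq subset only).
ACL_OK = """access-list 102 remark OUTSIDE_IN
access-list 102 permit udp any any eq domain
access-list 102 permit gre any any
access-list 102 permit tcp any any eq 1723
access-list 102 deny ip any any"""
ACL_NO_GRE = """access-list 102 permit tcp any any eq 1723
access-list 102 deny ip any any"""

def _ip(a):
    return int(ipaddress.IPv4Address(a))

def _addr(tok):  # any | host A | A WILDCARD -> ((addr, wildcard), remaining tokens)
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    a, w = (tok[1], "0.0.0.0") if tok[0] == "host" else (tok[0], tok[1])
    return (_ip(a), _ip(w)), tok[2:]

def _port(tok):  # optional "eq PORT" -> (port or None, remaining tokens)
    return (PORTS.get(tok[1]) or int(tok[1]), tok[2:]) if tok[:1] == ["eq"] else (None, tok)

def parse_acl(text, number):
    rules = []
    for tok in map(str.split, text.splitlines()):
        if len(tok) < 6 or tok[:2] != ["access-list", str(number)] or tok[2] not in ("permit", "deny"):
            continue  # skips remarks and other ACL numbers
        src, rest = _addr(tok[4:])
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        rules.append((tok[2], tok[3], src, sport, dst, _port(rest)[0]))
    return rules

def first_match(rules, proto, src, dst, sport=None, dport=None):
    for n, (action, p, s, sp, d, dp) in enumerate(rules, 1):  # n = position in parsed list
        if (p in ("ip", proto) and s[0] | s[1] == _ip(src) | s[1] and d[0] | d[1] == _ip(dst) | d[1]
                and sp in (None, sport) and dp in (None, dport)):
            return action, n  # IOS stops at the first matching entry
    return "deny", None  # implicit deny when nothing matches

def pptp_check(rules, client, server):
    return {"tcp/1723": first_match(rules, "tcp", client, server, 40000, 1723),
            "gre": first_match(rules, "gre", client, server)}

if __name__ == "__main__":
    for acl in (ACL_OK, ACL_NO_GRE):
        print(pptp_check(parse_acl(acl, 102), "198.51.100.10", "203.0.113.7"))
```

It evaluates ACL text only; NAT, CBAC/ZBFW and the host firewalls raised elsewhere in the thread are outside what it checks.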


            • #7
              Re: Cisco router

              Thank you. I will take a look at it again.
              The thing is, when I attempt to connect from my client, I see an alert that a VPN was established OK but it could not create a VPN connection (the error log was on the RRAS server).

              It registers the public IP address of the client. So it is making it through, and it is complaining about the GRE protocol. This is why I assumed it might be the setting on the router.

              If you have any ideas, please let me know.


              • #8
                Re: Cisco router

                I would check the firewall on the server
                CCNA, CCNA-Security, CCNP
                CCIE Security (In Progress)
