
Cisco Pass-thru VPN question

Rapidskies

Golden Member
I have a customer looking to pass thru a VPN connection from a home user to a PC at the main site behind a Cisco 1720 Router w/ IOS ver 12.2. The router is NATing and I believe I need to forward traffic on ports 1723 & 47 (GRE) to the inside IP 192.168.1.225, but it isn't working. The outside PC never tries to establish a connection using Windows XP (get an error of no answer), though I do see some traffic across access-list 101 for port 1723. Any ideas? Here is the current config:

!
version 12.2
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
no service dhcp
!
hostname Router
!
boot system flash 1:aaa1383.bin
no logging buffered
logging rate-limit console 10 except errors
no logging console
enable password scantron
!
memory-size iomem 25
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
no ip domain-lookup
!
ip inspect name Firewall tcp
ip inspect name Firewall udp
ip inspect name Firewall cuseeme
ip inspect name Firewall ftp
ip inspect name Firewall h323
ip inspect name Firewall rcmd
ip inspect name Firewall realaudio
ip inspect name Firewall smtp
ip inspect name Firewall streamworks
ip inspect name Firewall vdolive
ip inspect name Firewall sqlnet
ip inspect name Firewall tftp
ip inspect name Firewall http
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
no ip dhcp-client network-discovery
!
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
!
!
interface Tunnel0
ip address 192.168.10.1 255.255.255.0
tunnel source Ethernet0
tunnel destination x.x.x.37
!
interface Tunnel1
description Connected to Browns Missouri
ip address 192.168.13.1 255.255.255.0
tunnel source Ethernet0
tunnel destination x.x.x.134
!
interface Ethernet0
ip address x.x.x.98 255.255.255.252
ip access-group 101 in
ip nat outside
ip inspect Firewall out
full-duplex
!
interface FastEthernet0
ip address 192.168.1.98 255.255.255.0
ip nat inside
speed auto
!
ip nat inside source list 1 interface Ethernet0 overload
ip nat inside source static tcp 192.168.1.225 47 interface Ethernet0 47
ip nat inside source static tcp 192.168.1.225 1723 interface Ethernet0 1723
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.97
ip route 192.168.2.0 255.255.255.0 Tunnel0
ip route 192.168.3.0 255.255.255.0 Tunnel1
no ip http server
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any eq www any
access-list 101 permit tcp any eq smtp any
access-list 101 permit tcp any eq pop3 any
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit tcp any host x.x.x.98 eq 47
access-list 101 permit tcp any host x.x.x.98 eq 1723
access-list 101 permit udp any host x.x.x.98 eq 1701
access-list 101 permit gre any any
!
!
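An added example, not part of the original post or any Cisco tooling: a small Python audit of the PPTP-related NAT and ACL lines from the config above. It relies on two protocol facts: the PPTP control channel is TCP port 1723, and the tunnelled data is GRE, which is IP protocol number 47 and has no TCP/UDP port. The function name `audit_pptp`, the regexes and the embedded sample are assumptions of this example.

```python
import re

GRE_PROTO = 47      # GRE is IP protocol number 47; it has no TCP/UDP ports
PPTP_CTRL = 1723    # PPTP control channel runs over TCP port 1723

# Constructed sample: the PPTP-related lines copied from the config in the post.
SAMPLE = """\
ip nat inside source static tcp 192.168.1.225 47 interface Ethernet0 47
ip nat inside source static tcp 192.168.1.225 1723 interface Ethernet0 1723
access-list 101 permit tcp any host x.x.x.98 eq 47
access-list 101 permit tcp any host x.x.x.98 eq 1723
access-list 101 permit udp any host x.x.x.98 eq 1701
access-list 101 permit gre any any
"""

NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)")
ACL_PORT_RE = re.compile(r"^access-list (\d+) permit (tcp|udp) .*\beq (\d+)\s*$")
ACL_GRE_RE = re.compile(r"^access-list (\d+) permit gre (\S+) (\S+)")

def audit_pptp(config):
    """Return (line_number, finding) tuples for PPTP-related rules."""
    findings = []
    ctrl_forwarded = False
    for n, line in enumerate(config.splitlines(), 1):
        line = line.strip()
        nat = NAT_RE.match(line)
        acl = ACL_PORT_RE.match(line)
        gre = ACL_GRE_RE.match(line)
        if nat:
            proto, port = nat.group(1), int(nat.group(3))
            if port == GRE_PROTO:
                findings.append((n, f"NAT forwards {proto} port 47; GRE is IP protocol 47 and is not matched"))
            if proto == "tcp" and port == PPTP_CTRL:
                ctrl_forwarded = True
        elif acl and int(acl.group(3)) == GRE_PROTO:
            findings.append((n, f"ACL {acl.group(1)} permits {acl.group(2)} port 47, not GRE"))
        elif gre and gre.group(2) == "any" and gre.group(3) == "any":
            findings.append((n, f"ACL {gre.group(1)} permits GRE from any source to any destination"))
    if not ctrl_forwarded:
        findings.append((0, "no static NAT entry for the TCP 1723 control channel"))
    return findings

if __name__ == "__main__":
    for n, msg in audit_pptp(SAMPLE):
        print(f"line {n}: {msg}")
```

Line numbers in the findings refer to the constructed sample, not to the full router config; a finding with line 0 means a rule is absent rather than wrong.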
 