Some "off-the-cuff" comments.
1) I don't know all the ports that you should have open.
2) In ACL 124 you are permitting gre to your Ethernet interface address -
which in turn is NATed by port to several inside hosts. You are not being
specific enough about which box is the vpn server. Can you allocate a single
outside address to the W2K vpn box?
3) Not sure if you need to permit gre on ACL 135.
4) It's great if you can replicate this in a lab. Then you can create a
simple case without ACLs and CBAC. Prove that it works. Then start to add
security. Your choice whether or not you want to do this with a production
network.
5) Best not to post real ip addresses. Hope that you have strong passwords
on your PC Anywhere Clients.

> -----Original Message-----
> From: Steve Collins [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 29, 2003 11:47 AM
> To: [EMAIL PROTECTED]
> Subject: Windows VPN through Cisco 2611 HELP!!! [7:69788]
> 
> 
> I am having trouble trying to connect to our corp LAN. I have a Windows 2000
> VPN server and have verified that it works internally. The problem I face
> is setup on the Cisco 2611. How do I allow gre port 47 to pass through the
> router? I believe this is the issue. The Cisco IOS Release is 12.1(5)T9.
> When I try to connect from the outside world I get an error message of:
> Error 721: The remote computer is not responding. This is after it checks
> the password. Any help would be much appreciated. Thanks
> 
> Here is my current configuration.
> 
> Current configuration : 6236 bytes
> !
> version 12.1
> no service single-slot-reload-enable
> service timestamps debug uptime
> service timestamps log uptime
> service password-encryption
> !
> hostname sea-r0
> !
> logging rate-limit console 10 except errors
> enable secret XXXXXXXXXXXXXXXXXXXXXXX
> !
> memory-size iomem 15
> ip subnet-zero
> !
> !
> no ip finger
> ip domain-name Company.com
> !
> ip inspect name x5fw ftp timeout 3600
> ip inspect name x5fw http timeout 3600
> ip inspect name x5fw realaudio timeout 3600
> ip inspect name x5fw smtp timeout 3600
> ip inspect name x5fw udp timeout 3600
> ip inspect name x5fw tcp timeout 3600
> ip audit notify log
> ip audit po max-events 100
> !
> !
> !
> interface Ethernet0/0
>  ip address 216.100.100.130 255.255.255.0
>  ip access-group 124 in
>  ip nat outside
>  full-duplex
> !
> interface Serial0/0
>  ip address 192.168.10.1 255.255.255.252
>  ip nat inside
>  ip inspect x5fw in
> !
> interface Ethernet0/1
>  description Company LAN
>  ip address 192.168.1.254 255.255.255.0
>  ip access-group 135 in
>  ip nat inside
>  ip inspect x5fw in
>  full-duplex
> !
> interface Serial0/1
>  no ip address
>  shutdown
> !
> ip nat pool overld 216.100.100.130 216.100.100.130 prefix-length 24
> ip nat inside source list 5 pool overld overload
> ip nat inside source static udp 192.168.4.127 5632 interface Ethernet0/0 5640
> ip nat inside source static tcp 192.168.1.180 1723 interface Ethernet0/0 1723
> ip nat inside source static tcp 192.168.1.180 47 interface Ethernet0/0 47
> ip nat inside source static tcp 192.168.4.127 5631 interface Ethernet0/0 5639
> ip nat inside source static udp 192.168.4.126 5632 interface Ethernet0/0 5638
> ip nat inside source static tcp 192.168.4.126 5631 interface Ethernet0/0 5637
> ip nat inside source static udp 192.168.4.125 5632 interface Ethernet0/0 5636
> ip nat inside source static tcp 192.168.4.125 5631 interface Ethernet0/0 5635
> ip nat inside source static tcp 192.168.1.36 3389 interface Ethernet0/0 3389
> ip nat inside source static tcp 192.168.1.171 25 interface Ethernet0/0 25
> ip nat inside source static tcp 192.168.1.171 80 interface Ethernet0/0 80
> ip nat inside source static tcp 192.168.1.171 443 interface Ethernet0/0 443
> ip nat inside source static tcp 192.168.1.150 5631 interface Ethernet0/0 5631
> ip nat inside source static udp 192.168.1.150 5632 interface Ethernet0/0 5632
> ip nat inside source static tcp 192.168.1.125 5631 interface Ethernet0/0 5633
> ip nat inside source static udp 192.168.1.125 5632 interface Ethernet0/0 5634
> ip nat inside source static 192.168.1.36 216.100.100.133
> ip nat inside source static 192.168.1.200 216.100.100.131
> ip nat inside source static 192.168.1.202 216.100.100.132
> ip classless
> ip route 0.0.0.0 0.0.0.0 216.100.100.129
> ip route 192.168.4.0 255.255.255.0 Serial0/0
> no ip http server
> !
> access-list 5 permit 192.168.1.0 0.0.0.255
> access-list 5 permit 192.168.4.0 0.0.0.255
> access-list 5 permit 192.168.10.0 0.0.0.255
> access-list 124 permit tcp any host 216.100.100.130 eq telnet
> access-list 124 permit tcp any host 216.100.100.130 eq 24
> access-list 124 permit tcp any host 216.100.100.130 eq 1723
> access-list 124 permit tcp any host 216.100.100.130 eq www
> access-list 124 permit tcp any host 216.100.100.130 eq 443
> access-list 124 permit tcp any host 216.100.100.130 eq 5000
> access-list 124 permit tcp any host 216.100.100.130 eq smtp
> access-list 124 permit tcp any host 216.100.100.130 eq 5631
> access-list 124 permit udp any host 216.100.100.130 eq 5632
> access-list 124 permit tcp any host 216.100.100.130 eq 5633
> access-list 124 permit udp any host 216.100.100.130 eq 5634
> access-list 124 permit tcp any host 216.100.100.130 eq 5635
> access-list 124 permit udp any host 216.100.100.130 eq 5636
> access-list 124 permit tcp any host 216.100.100.130 eq 5637
> access-list 124 permit udp any host 216.100.100.130 eq 5638
> access-list 124 permit tcp any host 216.100.100.130 eq 5639
> access-list 124 permit udp any host 216.100.100.130 eq 5640
> access-list 124 permit tcp any host 216.100.100.130 eq 3389
> access-list 124 permit icmp any host 216.100.100.130
> access-list 124 permit tcp any host 216.100.100.131 eq ftp
> access-list 124 permit tcp any host 216.100.100.131 eq telnet
> access-list 124 permit tcp any host 216.100.100.131 eq www
> access-list 124 permit tcp any host 216.100.100.131 eq smtp
> access-list 124 permit tcp any host 216.100.100.131 eq 443
> access-list 124 permit tcp any host 216.100.100.131 eq 389
> access-list 124 permit tcp any host 216.100.100.131 eq 8000
> access-list 124 permit tcp any host 216.100.100.131 eq 3389
> access-list 124 permit tcp any host 216.100.100.132 eq ftp
> access-list 124 permit tcp any host 216.100.100.132 eq telnet
> access-list 124 permit tcp any host 216.100.100.132 eq www
> access-list 124 permit tcp any host 216.100.100.132 eq smtp
> access-list 124 permit tcp any host 216.100.100.132 eq 443
> access-list 124 permit tcp any host 216.100.100.132 eq 389
> access-list 124 permit tcp any host 216.100.100.132 eq 8000
> access-list 124 permit tcp any host 216.100.100.133 eq www
> access-list 124 permit tcp any host 216.100.100.133 eq 443
> access-list 124 permit tcp any host 216.100.100.133 eq 8080
> access-list 124 permit gre any host 216.100.100.130
> access-list 124 deny   ip any any
> access-list 135 permit tcp 192.168.1.0 0.0.0.255 any
> access-list 135 permit udp 192.168.1.0 0.0.0.255 any
> access-list 135 permit icmp 192.168.1.0 0.0.0.255 any
> access-list 135 deny   ip any any
> access-list 137 permit tcp 192.168.4.0 0.0.0.255 any
> access-list 137 permit udp 192.168.4.0 0.0.0.255 any
> access-list 137 permit icmp 192.168.4.0 0.0.0.255 any
> access-list 137 permit tcp 192.168.10.0 0.0.0.255 any
> access-list 137 permit udp 192.168.10.0 0.0.0.255 any
> access-list 137 permit icmp 192.168.10.0 0.0.0.255 any
> access-list 137 deny   ip any any
> access-list 155 permit ip 192.168.2.0 0.0.0.255 any
> access-list 157 permit icmp any any
> banner motd ^C
> WARNING: This is a company computer system with access restricted
>          to those with proper authorization. Authorized parties
>          are restricted to those functions which have been
>          assigned to perform work related duties. Any unauthorized
>          access attempt will be investigated and prosecuted to the
>          full extent of the law.
>          If you are not an authorized user, disconnect now.
> ^C
> !
> line con 0
>  transport input none
> line 33 64
> line aux 0
> line vty 0 4
>  password XXXXXXXXXXXXXXXXXXXXXXXXX
>  login
> !
> end

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=69818&t=69788
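The reply's points 2 and 3 turned into concrete IOS lines, as an added example that is not from the original post or from the reply. 216.100.100.134 is an assumed spare outside address in the posted /24, and the lines are meant for the lab first, as point 4 advises.

```cisco
! Added example (not from the original post or the reply).
! 216.100.100.134 is an ASSUMED spare address in the posted /24; use one
! your upstream actually routes to you.
!
! Port-style statics translate TCP/UDP ports only. GRE is IP protocol 47,
! not TCP port 47, so the "tcp ... 47" entry can never match a GRE packet.
! Replace both port entries for the server with one full static, which
! carries every IP protocol (GRE included) and gives the server its own
! outside address instead of the interface address shared by the PAT entries.
no ip nat inside source static tcp 192.168.1.180 1723 interface Ethernet0/0 1723
no ip nat inside source static tcp 192.168.1.180 47 interface Ethernet0/0 47
ip nat inside source static 192.168.1.180 216.100.100.134
!
! Outside ACL: permit only the PPTP control channel (tcp/1723) and GRE, and
! only to the server's new address. Caution: numbered ACLs append new
! entries at the END (after the deny), and "no access-list 124" deletes the
! WHOLE list, so take the list off the interface, delete it, and re-enter it
! in full with these two lines replacing the two
! "host 216.100.100.130 eq 1723" / "gre ... host 216.100.100.130" entries.
access-list 124 permit tcp any host 216.100.100.134 eq 1723
access-list 124 permit gre any host 216.100.100.134
!
! LAN-side ACL 135 permits only tcp/udp/icmp, so the server's own GRE
! packets toward the remote client hit "deny ip any any". Rebuilt in full
! (same caution as above), allowing GRE from the VPN server only:
interface Ethernet0/1
 no ip access-group 135 in
exit
no access-list 135
access-list 135 permit tcp 192.168.1.0 0.0.0.255 any
access-list 135 permit udp 192.168.1.0 0.0.0.255 any
access-list 135 permit icmp 192.168.1.0 0.0.0.255 any
access-list 135 permit gre host 192.168.1.180 any
access-list 135 deny   ip any any
interface Ethernet0/1
 ip access-group 135 in
```

After changing the static entries, existing translations for 192.168.1.180 may linger until they expire or are cleared, so re-test the connection afterwards rather than immediately.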