Question : CISCO VPN PROBLEM WITH GRE
Dear All
I have a client with the following network setup LAN--->CISCO 1751 RTR---->ISP
What I'm trying to do is set up a VPN connection from a PC on the LAN to another company's corporate network. I have to use the MS VPN Client and PPTP to connect but am having difficulty when trying to establish the connection.
I'm receiving an MS Error 800: stating the GRE protocol is either not enabled or functioning on the firewall/router sitting between my PC and the ISP.
I've had a look around and seen various suggestions on how to resolve this issue. As far as I can see I need to enable some form of PPTP Passthrough on the Cisco 1751 router which I've tried by adding a static NAT allowing protocol 1723 to pass through to a local client IP address. This hasn't worked however and I'm now totally stuck.
Please find attached the current Cisco 1751 config:

Building configuration...

Current configuration : 5119 bytes
!
! No configuration change since last restart
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret xxxxx
!
username xxxxx password 0 xxxxx
aaa new-model
!
!
aaa authentication login default local
aaa authorization network default local
aaa session-id common
ip subnet-zero
!
!
!
!
ip domain name xxxxx
ip cef
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPNgroup
 key xxxxx
 dns 192.168.16.2
 domain xxxxx
 pool VPNpool
crypto isakmp profile VPNclient
 match identity group VPNgroup
 client authentication list default
 isakmp authorization list default
 client configuration address respond
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set strong
 set isakmp-profile VPNclient
!
!
crypto map xxxxxmap 1 ipsec-isakmp dynamic dynmap
!
!
!
!
interface ATM0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/0.1 point-to-point
 description "Physical ADSL Connection"
 pvc 0/38
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0/0
 ip address 192.168.16.3 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat inside
 no ip mroute-cache
 speed auto
!
interface Dialer1
 description "Logical ADSL Connection"
 mtu 4470
 bandwidth 2048
 ip address PUBLIC_IP 255.255.255.248
 ip access-group 130 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp chap hostname xxxxx
 ppp chap password 0 door0103
 ppp pap sent-username xxxxx
 crypto map xxxxxmap
!
ip local pool VPNpool 192.168.99.1 192.168.99.10
ip nat pool global x.x.x.33 x.x.x.34 netmask 255.255.255.248
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 192.168.16.2 25 x.x.x.38 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.17.0 255.255.255.0 192.168.16.254
no ip http server
no ip http secure-server
!
!
!
logging history debugging
logging trap errors
logging origin-id hostname
logging x.x.x.x
access-list 101 remark "Define Nat Traffic"
access-list 101 deny ip 192.168.16.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 101 permit ip 192.168.16.0 0.0.0.255 any
access-list 110 remark "Inbound ACL"
access-list 110 permit icmp any any
access-list 110 permit ip x.x.x.x 0.0.0.7 any
access-list 110 permit esp any host x.x.x.38
access-list 110 permit udp any host x.x.x.38 eq isakmp
access-list 110 permit ip 192.168.99.0 0.0.0.255 any
access-list 110 permit tcp any host x.x.x..38 eq smtp
access-list 110 permit udp any any gt 1024
access-list 110 permit tcp any any gt 1024
access-list 110 permit esp any host x.x.x.34
access-list 110 permit udp any host x.x.x.34 eq isakmp
access-list 110 permit tcp any any eq 22
access-list 110 permit ip host x.x.x.x any
access-list 110 permit tcp host x.x.x.x any eq 123
access-list 110 permit udp host x.x.x.x any eq ntp
access-list 120 remark "Outbound Traffic"
access-list 120 permit icmp any any
access-list 120 permit ip host 192.168.16.2 any
access-list 120 permit tcp 192.168.16.0 0.0.0.255 any eq www
access-list 120 permit tcp 192.168.16.0 0.0.0.255 any eq 443
access-list 120 permit tcp 192.168.16.0 0.0.0.255 any eq ftp-data
access-list 120 permit tcp 192.168.16.0 0.0.0.255 any eq ftp
access-list 130 remark "Inbound ACL"
access-list 130 permit icmp any any
access-list 130 permit esp any host x.x.x.34
access-list 130 permit udp any host x.x.x.34 eq isakmp
access-list 130 permit ip 192.168.99.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 130 permit tcp any host x.x.x.38 eq smtp
access-list 130 permit udp any any gt 1024
access-list 130 permit tcp any any gt 1024
access-list 130 permit udp any host x.x.x.x eq ntp
access-list 130 permit tcp any host x.x.x.x eq 123
access-list 130 permit tcp x.x.x.x 0.0.0.15 host x.x.x.x.34 eq 22
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 logging synchronous
!
no scheduler allocate
sntp server 192.168.16.2
sntp broadcast client
sntp multicast client
ntp source FastEthernet0/0
ntp server 192.168.16.2
!
end

Router#
Answer : CISCO VPN PROBLEM WITH GRE
In your inbound access-list, you need to permit GRE. Use either:
access-list 130 permit gre any any
or
access-list 130 permit gre host <PPTP server IP> any
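
Added example, not part of the original question or answer: a small Python first-match evaluator that replays the PPTP return traffic (TCP 1723 control replies plus GRE, IP protocol 47) against ACL 130 from the question, showing that only GRE hits the implicit deny. The function names, the handled subset of ACL syntax, and the documentation addresses (203.0.113.x standing in for the redacted x.x.x.N values and the Dialer1 address, 198.51.100.10 for the remote PPTP server) are assumptions.

```python
import ipaddress
# ACL 130 from the question; the redacted x.x.x.N addresses are replaced with
# constructed documentation addresses (203.0.113.N) so the lines can be parsed.
ACL_130 = """\
access-list 130 permit icmp any any
access-list 130 permit esp any host 203.0.113.34
access-list 130 permit udp any host 203.0.113.34 eq isakmp
access-list 130 permit ip 192.168.99.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 130 permit tcp any host 203.0.113.38 eq smtp
access-list 130 permit udp any any gt 1024
access-list 130 permit tcp any any gt 1024
"""
PORTS = {"isakmp": 500, "smtp": 25, "ntp": 123}

def _take_addr(tok):
    """Pop one address spec (any | host A | A wildcard) as (base, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tok.pop(0)))

def _addr_ok(spec, ip):
    base, wild = spec
    return (int(ipaddress.IPv4Address(ip)) ^ base) & ~wild & 0xFFFFFFFF == 0

def evaluate(acl, proto, src, dst, dport=None):
    """First-match evaluation, ending in the implicit deny of every IOS ACL."""
    for line in acl.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[2] not in ("permit", "deny"):
            continue  # remark or blank line
        rest = tok[4:]
        s, d = _take_addr(rest), _take_addr(rest)
        if tok[3] not in ("ip", proto) or not (_addr_ok(s, src) and _addr_ok(d, dst)):
            continue
        if rest:  # destination-port qualifier: only eq and gt are handled here
            port = PORTS.get(rest[1]) or int(rest[1])
            if dport is None or (rest[0] == "eq" and dport != port) \
                    or (rest[0] == "gt" and dport <= port):
                continue
        return tok[2]
    return "deny"

def pptp_return_path(acl, server, public_ip, client_port=49152):
    """PPTP needs TCP 1723 control replies and GRE (IP protocol 47) back in."""
    return {"tcp_control": evaluate(acl, "tcp", server, public_ip, client_port),
            "gre_data": evaluate(acl, "gre", server, public_ip)}
```

Appending the host-scoped GRE line to `ACL_130` and re-running `pptp_return_path` shows the narrower rule is enough for the one remote server while GRE from any other source still falls through to the implicit deny.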