Question : CISCO VPN PROBLEM WITH GRE

Dear All

I have a client with the following network setup LAN--->CISCO 1751 RTR---->ISP

What I'm trying to do is set up a VPN connection from a PC on the LAN to another company's corporate network. I have to use the MS VPN Client and PPTP to connect but am having difficulty when trying to establish the connection.

I'm receiving an MS Error 800 stating the GRE protocol is either not enabled or functioning on the firewall/router sitting between my PC and the ISP.

I've had a look around and seen various suggestions on how to resolve this issue. As far as I can see I need to enable some form of PPTP Passthrough on the Cisco 1751 router, which I've tried by adding a static NAT allowing protocol 1723 to pass through to a local client IP address. This hasn't worked, however, and I'm now totally stuck.

Please find attached the current Cisco 1751 config:
Building configuration...

Current configuration : 5119 bytes
!
! No configuration change since last restart
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret xxxxx
!
username xxxxx password 0 xxxxx
aaa new-model
!
!
aaa authentication login default local
aaa authorization network default local
aaa session-id common
ip subnet-zero
!
!
!
!
ip domain name xxxxx
ip cef
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPNgroup
 key xxxxx
 dns 192.168.16.2
 domain xxxxx
 pool VPNpool
crypto isakmp profile VPNclient
   match identity group VPNgroup
   client authentication list default
   isakmp authorization list default
   client configuration address respond
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set strong
 set isakmp-profile VPNclient
!
!
crypto map xxxxxmap 1 ipsec-isakmp dynamic dynmap
!
!
!
!
interface ATM0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/0.1 point-to-point
 description "Physical ADSL Connection"
 pvc 0/38
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0/0
 ip address 192.168.16.3 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat inside
 no ip mroute-cache
 speed auto
!
interface Dialer1
 description "Logical ADSL Connection"
 mtu 4470
 bandwidth 2048
 ip address PUBLIC_IP 255.255.255.248
 ip access-group 130 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp chap hostname xxxxx
 ppp chap password 0 door0103
 ppp pap sent-username xxxxx
 crypto map xxxxxmap
!
ip local pool VPNpool 192.168.99.1 192.168.99.10
ip nat pool global x.x.x.33 x.x.x.34 netmask 255.255.255.248
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 192.168.16.2 25 x.x.x.38 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.17.0 255.255.255.0 192.168.16.254
no ip http server
no ip http secure-server
!
!
!
logging history debugging
logging trap errors
logging origin-id hostname
logging x.x.x.x
access-list 101 remark "Define Nat Traffic"
access-list 101 deny   ip 192.168.16.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 101 permit ip 192.168.16.0 0.0.0.255 any
access-list 110 remark "Inbound ACL"
access-list 110 permit icmp any any
access-list 110 permit ip x.x.x.x 0.0.0.7 any
access-list 110 permit esp any host x.x.x.38
access-list 110 permit udp any host x.x.x.38 eq isakmp
access-list 110 permit ip 192.168.99.0 0.0.0.255 any
access-list 110 permit tcp any host x.x.x.38 eq smtp
access-list 110 permit udp any any gt 1024
access-list 110 permit tcp any any gt 1024
access-list 110 permit esp any host x.x.x.34
access-list 110 permit udp any host x.x.x.34 eq isakmp
access-list 110 permit tcp any any eq 22
access-list 110 permit ip host x.x.x.x any
access-list 110 permit tcp host x.x.x.x any eq 123
access-list 110 permit udp host x.x.x.x any eq ntp
access-list 120 remark "Outbound Traffic"
access-list 120 permit icmp any any
access-list 120 permit ip host 192.168.16.2 any
access-list 120 permit tcp 192.168.16.0 0.0.0.255 any eq www
access-list 120 permit tcp 192.168.16.0 0.0.0.255 any eq 443
access-list 120 permit tcp 192.168.16.0 0.0.0.255 any eq ftp-data
access-list 120 permit tcp 192.168.16.0 0.0.0.255 any eq ftp
access-list 130 remark "Inbound ACL"
access-list 130 permit icmp any any
access-list 130 permit esp any host x.x.x.34
access-list 130 permit udp any host x.x.x.34 eq isakmp
access-list 130 permit ip 192.168.99.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 130 permit tcp any host x.x.x.38 eq smtp
access-list 130 permit udp any any gt 1024
access-list 130 permit tcp any any gt 1024
access-list 130 permit udp any host x.x.x.x eq ntp
access-list 130 permit tcp any host x.x.x.x eq 123
access-list 130 permit tcp x.x.x.x 0.0.0.15 host x.x.x.34 eq 22
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 logging synchronous
!
no scheduler allocate
sntp server 192.168.16.2
sntp broadcast client
sntp multicast client
ntp source FastEthernet0/0
ntp server 192.168.16.2
!
end

Router#

Answer : CISCO VPN PROBLEM WITH GRE

In your inbound access-list, you need to permit GRE. Use either:

access-list 130 permit gre any any

or

access-list 130 permit gre host <PPTP server IP> any
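
An added example, not part of the original answer: a minimal first-match evaluator for a subset of IOS extended ACL syntax, run over lines taken from the access-list 130 in the question. It shows that the PPTP control connection's return traffic matches "permit tcp any any gt 1024" while GRE falls through to the implicit deny until a GRE entry is added. The 203.0.113.x addresses and 198.51.100.10 are constructed stand-ins for the redacted public addresses and the remote PPTP server.

```python
import ipaddress

# Subset of the page's access-list 130; the redacted x.x.x.N addresses are
# replaced with constructed documentation addresses (203.0.113.N).
ACL_130 = """\
access-list 130 permit icmp any any
access-list 130 permit esp any host 203.0.113.34
access-list 130 permit udp any host 203.0.113.34 eq isakmp
access-list 130 permit ip 192.168.99.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 130 permit tcp any host 203.0.113.38 eq smtp
access-list 130 permit udp any any gt 1024
access-list 130 permit tcp any any gt 1024
"""
PORTS = {"isakmp": 500, "smtp": 25, "ntp": 123}
SERVER, NAT_ADDR = "198.51.100.10", "203.0.113.33"  # constructed addresses

def _addr(tok):
    """Consume one address spec (any | host A | A WILDCARD), return a matcher."""
    first = tok.pop(0)
    if first == "any":
        return lambda ip: True
    if first == "host":
        base, wild = int(ipaddress.ip_address(tok.pop(0))), 0
    else:
        base, wild = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(tok.pop(0)))
    return lambda ip: (int(ipaddress.ip_address(ip)) | wild) == (base | wild)

def parse(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()[2:]              # drop "access-list <number>"
        if not tok or tok[0] == "remark":
            continue
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = _addr(tok), _addr(tok)
        port = (tok[0], int(PORTS.get(tok[1], tok[1]))) if tok else None
        rules.append((line, action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """First match wins; no match is the implicit 'deny ip any any'."""
    for line, action, rproto, rsrc, rdst, port in rules:
        if rproto not in ("ip", proto) or not rsrc(src) or not rdst(dst):
            continue
        if port and not ((port[0] == "eq" and dport == port[1]) or
                         (port[0] == "gt" and dport is not None and dport > port[1])):
            continue
        return action, line
    return "deny", "implicit deny"
```

Scoping the added entry to the remote server with "host" admits GRE from that one peer only, whereas "gre any any" admits it from any source.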