
Pass VPN (Port 1732/Gre) thru Cisco 1600 to VPN Server Help!?


Burninator

IS-IT--Management
Jul 8, 2003
Hi there,


I have the following dilemma. I have a Cisco 1600 interfacing with a leased line, and it's running NAT. It's there as it must be used to connect to the CSU/DSU. I also have an ISA server with VPN capabilities on the inside. My client has a remote office that is connecting over the Internet to the ISA/VPN server through this router, and I cannot figure out how to do it.


INTERNET--->CISCO 1600--->ISA/VPN SERVER--->LAN

The IP address of the ISA Server is 192.168.1.2, 192.168.1.1 being the internal router interface. The router is also the Internet gateway used by the ISA/VPN server. I have forwarded (static route) port 1732 to the ISA/VPN server, but cannot figure out how to configure the GRE to allow the tunnel into the ISA/VPN server. I am stumped. Is it done using static route statements, or through access-lists? I have no idea how to do that.

If I use the VPN dialer built into Windows XP to connect to the router IP (outside), it says "connecting", then "verifying username and password", then it disconnects saying the VPN server did not respond.

If anyone can assist me in getting this to work I would appreciate it. I am new to Cisco routing, so bear with me as a newbie!! :)

After this I am going to get some training for Cisco products.

Thanks
Jason
 
I think the problem you are running into is caused by the NAT. From the Internet your GRE tunnel should point at a valid outside address, which you then NAT to the internal address of the server.

Probably better if you post your 1600 config after removing the outside address and passwords!

 
Here it is; it's a pretty simple setup. Hope you can educate me!!!

Thanks
Jason

Using 1127 out of 7506 bytes
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ***************
!
enable secret **********
enable password *************
!
ip subnet-zero
!
!
!
interface Ethernet0
description Connected to internal LAN
ip address 192.168.1.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Serial0
description Connected to Internet
ip address ***.***.***.190 255.255.255.252
no ip directed-broadcast
ip nat outside
no fair-queue
!
ip nat inside source list 1 interface Serial0 overload
ip nat inside source static tcp 192.168.1.2 1723 ***.***.***.190 1723 extendable
ip nat inside source static tcp 192.168.1.2 25 ***.***.***.190 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 7 permit ***.***.***.9
access-list 7 permit ***.***.***.11
access-list 7 permit ***.***.***.26
access-list 121 permit tcp any host ***.***.***.190 eq 1723 log
snmp-server community **********
!
end
 
Any thoughts? Also how would I allow all the usual internet traffic to flow?


Thanks
Jason
 
Jason,

I think the problem is caused by the fact that the address used in your static translation is also used by the dynamic translation as well.

To explain in a bit more detail,

ip nat inside source list 1 interface Serial0 overload
This command specifies that any internal address is translated to the outside interface address. This is OK; it's known as Port Address Translation (PAT).

ip nat inside source static tcp 192.168.1.2 1723 ***.***.***.190 1723 extendable
ip nat inside source static tcp 192.168.1.2 25 ***.***.***.190 25 extendable
These two commands attempt to map the interface address and port combination to the required internal addresses, but the outside address is also part of your PAT address range. I don't think you need the extendable keyword either.

I think you'll have to extend the IP range on the outside interface, using a 255.255.255.248 mask, and use one of the unallocated addresses in this range in your static translation commands. You'll have to agree this with your ISP first.

The internet traffic shouldn't be affected by this.
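What the last reply describes, written out as an added example (not posted by anyone in this thread): the outside interface widened to the /29 the ISP would need to agree to, and the ISA/VPN server moved to a one-to-one static translation on its own outside address, so the PPTP control channel and the GRE tunnel no longer share the PAT address. The address ***.***.***.186 is a placeholder for whichever address in the new /29 the ISP confirms is unallocated; ***.***.***.190 stays the PAT address.

```cisco
! Added example, not from the thread. Placeholder: ***.***.***.186 is
! an unallocated address in the /29 agreed with the ISP.
!
interface Serial0
 description Connected to Internet
 ip address ***.***.***.190 255.255.255.248
 no ip directed-broadcast
 ip nat outside
 no fair-queue
!
! Dynamic PAT for the LAN keeps using the interface address.
ip nat inside source list 1 interface Serial0 overload
!
! One-to-one static NAT for the ISA/VPN server on its own outside
! address. With no protocol or port given, every IP protocol sent to
! ***.***.***.186 is translated to 192.168.1.2, including the GRE
! (IP protocol 47) that PPTP carries alongside TCP 1723, so no
! separate GRE forwarding statement is needed and nothing collides
! with the PAT pool on .190. The two port-level "static tcp" lines on
! .190 (1723 and 25) are dropped; mail now reaches the server via
! .186, so the MX record has to follow.
ip nat inside source static 192.168.1.2 ***.***.***.186
!
! access-list 121 is defined but not applied in the posted config. If
! it is ever applied inbound on Serial0 it needs a GRE entry for the
! VPN address as well as the TCP one, and it would also have to permit
! return traffic for the PAT'd LAN, or ordinary Internet traffic stops.
access-list 121 permit tcp any host ***.***.***.186 eq 1723 log
access-list 121 permit gre any host ***.***.***.186 log
```

A quick check after the change is that `show ip nat translations` shows a `---` protocol entry for 192.168.1.2 <-> ***.***.***.186 (the one-to-one mapping), and that remote clients dial ***.***.***.186, not the router's .190 interface address.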
 