Setting up Win 2000 VPN behind router question?

Status
Not open for further replies.

mattmc97

IS-IT--Management
Dec 4, 2003
51
US
I am trying to set up VPN between our two offices so our remote office can connect into our network.
I have a Cisco 2611 router with ver 12.0T IOS and Win 2k Server at the home office and have Win 2000 clients at my remote site.

I have done some work with our cisco router in converting all our public ip addresses to now private addresses, but that is about the extent besides setting up the W32time server (NTP?) to get the time.

Anyway, here is my question. I am trying to set up the Win 2k server to be the VPN server as described at ms-mvps.com and that is all set up. I am not sure on how exactly to punch the hole in the router for pass through. I have found two examples but they don't really describe which way is correct.

On a website I read :

NOTE: If VPN traffic is traveling through a router or firewall, configure the router or firewall to pass PPTP (TCP Port 1723 and IP Protocol ID 47 [GRE - Generic Routing Encapsulation]) or L2TP over IPSec (UDP Port 500 and IP Protocol ID 50 [Encapsulating Security Payload]) traffic to and from the VPN server.

So if that is the case, would my command on the router be like the one for HTTP?
example:
ip nat inside source static tcp 192.168.208.1 1723 64.217.xxx.xxx 1723 extendable
ip nat inside source static gre 192.168.208.1 64.217.xxx.xxx extendable

or

should it be:
access-list 110 permit tcp any host 64.217.xxx.xxx eq 1723
access-list 110 permit gre any host 64.217.xxx.xxx
?

My outside IP address is the 64.217.xxx.xxx and my vpn server is the 192.168.208.1

Also, one other quick question, do the access-list #s (110) have any significance, because I have seen a range of them???

Thanks in advance for the help

mattmc
 
You need both: with "ip nat inside..." you are natting your internal IP address on the server to a public IP address.
The access list is where you punch the holes in your router. An extended access list can have any number from 100 to 199, but you can only apply one access list to an interface per direction.

Now you still need to define where the natting is going to come from and where it is going to be applied, ie:

interface Ethernet0/0
ip address 10.10.10.250 255.255.255.248
no ip directed-broadcast
ip nat inside
!
interface Serial0/0
bandwidth 768
ip address XXX.XXX.XXX.58 255.255.255.252
no ip directed-broadcast
ip nat outside

And you still need to apply the access list to an interface:

interface Serial0/0
bandwidth 768
ip address XXX.XXX.XXX.58 255.255.255.252
no ip directed-broadcast
ip nat outside
ip access-group 110 in

Hope it helps!
 
OK I think I am understanding some now. That helps quite a bit.

Next question,

If I want to only permit this one site to VPN do I change the any to the router wan address of the remote site??

example:

From:
access-list 110 permit tcp any host 64.217.xxx.xxx eq 1723

TO:
access-list 110 permit tcp 64.222.xxx.34 64.217.xxx.xxx eq 1723

(where 64.222.xxx.34 is remote's public IP address and 64.217.xxx.xxx is our location's public IP address)

??

If I have three users who want to connect from home with DSL, can I just make three separate access lists, or how can I limit (by IP?) only certain users who can attempt a VPN?

It will not be a huge number trying to VPN, just this one remote office everyday, and then probably the owner or possibly maybe two or three other users periodically.

thanks in advance!

mattmc
 
Ok mate... Sorry I haven't replied sooner but I have tons of workload on my back...

Let me get this straight... If I understand right you are ending the VPN tunnel at the Win2K server, correct? If that is the case, all you need is your static NAT translation and you also need to open TCP port 1723 and IP protocol 47.

Let's say I have VPN server 10.10.10.2 which is statically translated to 99.99.99.98. In that case the configuration would be:

interface Ethernet0/0
ip address 10.10.10.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Serial0/0
bandwidth 768
ip address 99.99.99.98 255.255.255.252
no ip directed-broadcast
ip nat outside
ip access-group 110 in


ip nat inside source static tcp 10.10.10.2 1723 99.99.99.98 1723 extendable
ip nat inside source static gre 10.10.10.2 99.99.99.98 extendable

access-list 110 permit tcp host 64.222.xxx.34 host 99.99.99.98 eq 1723
access-list 110 permit 47 host 64.222.xxx.34 host 99.99.99.98

Hope this clears your thoughts...
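As an added example that is not part of the thread: a small Python model of how IOS evaluates the two-line extended access-list 110 from the last reply (first matching entry wins, implicit deny at the end), so the exposure of the PPTP server can be checked before the config is applied. The addresses 203.0.113.98 (public side of the VPN server) and 198.51.100.34 (remote office) are constructed stand-ins for the masked values in the thread; only the ACL keywords the thread uses (permit, protocol name or number, any, host, eq) are modelled.

```python
# Added example, not from the thread: model how IOS evaluates the two-line
# extended access-list 110 from the last reply (constructed stand-in addresses).
from dataclasses import dataclass

PROTO_NUMBERS = {"ip": 0, "tcp": 6, "udp": 17, "gre": 47}  # 0 = any protocol

# Constructed sample: the ACL from the last reply with RFC 5737 stand-in addresses.
ACL_110 = """
access-list 110 permit tcp host 198.51.100.34 host 203.0.113.98 eq 1723
access-list 110 permit 47 host 198.51.100.34 host 203.0.113.98
"""

@dataclass
class Entry:
    action: str
    proto: int    # protocol number; 0 means "ip" (matches every protocol)
    src: str      # None means "any"
    dst: str
    dport: int    # destination port from "eq N", or None

def _addr(tok):
    """Consume 'any' or 'host A.B.C.D'; return (address or None, remaining tokens)."""
    if tok[0] == "any":
        return None, tok[1:]
    if tok[0] == "host":
        return tok[1], tok[2:]
    raise ValueError("only the 'any' and 'host' address forms are modelled")

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        proto = tok[3]
        proto_num = int(proto) if proto.isdigit() else PROTO_NUMBERS.get(proto, -1)
        src, rest = _addr(tok[4:])
        dst, rest = _addr(rest)
        dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        entries.append(Entry(tok[2], proto_num, src, dst, dport))
    return entries

def evaluate(entries, proto, src, dst, dport=None):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for e in entries:
        if (e.proto in (0, proto) and e.src in (None, src)
                and e.dst in (None, dst) and e.dport in (None, dport)):
            return e.action == "permit"
    return False  # nothing matched: implicit "deny ip any any"
```

Running evaluate() with a second source address, a different port, or UDP 500 shows that nothing beyond PPTP control and GRE from the one remote office is permitted, which is exactly the restriction the question asked for.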