VPN Question

Status
Not open for further replies.

neutec

Technical User
Apr 26, 2003
Hello Everyone,
I have a Cisco 2514 running 12.1 IOS. I would like to run a VPN server behind my router. I'm using NAT and was wondering if I can route all VPN requests to the VPN server behind the router, if I use the "ip nat source static" command to pass all requests. Would this work if I knew the ports VPN uses?

Any help would be appreciated.
Thanks
 
Yes, you can do that, depending on your configuration. It is no different than terminating a VPN tunnel on a firewall that is behind a router. If you are going to be terminating on a Windows Server using PPTP, you can easily find the ports on Microsoft's knowledge base. There are only a couple. For any other device you will need to look up the ports needed on their website.
 
What was the outcome on this

I have a 3600 and need a similar job doing.
I'm having problems with TCP ID 47 (GRE) passthrough.

Derek
 
Depending on what VPN endpoint you're using, you will need to open the appropriate ports. I was using Windows 2003 as my VPN endpoint, so I needed to open port 1723. The command I used was
ip nat inside source static tcp 192.168.1.3 1723 66.191.17.217 1723

This allowed all traffic to pass through and be redirected to my VPN server. I'm allowing all traffic from the inside out, so I didn't need to add any further rules.
good luck
 
Arrrr, this makes sense.

We are trying to get ID 47 (GRE) to work; we have sorted port 1723, as this causes the hang at "authenticating password".

Once we add the firewall rules, then we start having the GRE problem.

It's possible that I need an IOS update.

Derek (Thanks)
 
I've had problems with GRE sometimes when using NAT. When I set up a Cisco PIX 506 firewall, I had a client on the LAN that needed to connect out to a VPN. He was able to get out, but when the GRE came back I was not able to use NAT. I had to use a static route to his workstation and that fixed my problem. You can try to set up a static route and just open GRE and 1723 and you should be fine. Hope that helps.
 
What I need is help configuring a Cisco 2514 IOS 12.1.
I need to open ports tcp 50 and UDP 500 for VPN access to an internal sonic firewall.
Any help would be greatly appreciated.
TIA,
Ted Schafer
 
Use:
ip nat inside source static tcp 192.168.1.3 50 66.191.17.217 50

and

ip nat inside source static UDP 192.168.1.3 500 66.191.17.217 50

You will need to change the IPs to match your setup. 192.168.1.3 would be the inside IP of your SonicWall firewall and 66.191.17.217 would be changed to your outside IP address.
That command will NAT all incoming traffic from your outside IP on port 50 to an internal IP address, only opening the two ports.
Hope that helps.
 
This command
ip nat inside source static UDP 192.168.1.3 500 66.191.17.217 50

Should actually read
ip nat inside source static UDP 192.168.1.3 500 66.191.17.217 500

(Typo, missing "0" on the end of the line)

But I doubt this will work. It's very unlikely you need to forward TCP port 50; if you're talking about an IPsec VPN, then you need to forward PROTOCOL NUMBER 50, which is ESP, not TCP port number 50.
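A small review helper for the static NAT statements discussed in this thread (an added example, not code from any poster): it parses `ip nat inside source static tcp|udp ...` lines and flags an inside/outside port mismatch such as the 500/50 typo above, and a TCP/UDP port number that is really an IP protocol number (47 = GRE, 50 = ESP), which a per-port entry cannot carry. The sample statements are the thread's own, re-typed as constructed input; the regex, function names and finding wording are my own assumptions.

```python
import re
from ipaddress import ip_address

# IP protocol numbers commonly mistaken for TCP/UDP ports in NAT statements.
# GRE (PPTP's data channel) and ESP (IPsec) carry no port numbers, so a per-port
# "ip nat inside source static tcp|udp ..." entry can never match them.
PORTLESS_PROTOCOLS = {47: "GRE", 50: "ESP"}

# Hypothetical pattern for the per-port static NAT form used in the thread.
STATIC_PORT = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp) (?P<in_ip>\S+) (?P<in_port>\d+) "
    r"(?P<out_ip>\S+) (?P<out_port>\d+)$", re.IGNORECASE)

def check_static_nat(line):
    """Return a list of review findings for one static NAT statement (empty = clean)."""
    findings = []
    m = STATIC_PORT.match(line.strip())
    if not m:
        return ["unrecognised static NAT syntax: " + line.strip()]
    for key in ("in_ip", "out_ip"):
        try:
            ip_address(m.group(key))
        except ValueError:
            findings.append(f"{m.group(key)} is not a valid IP address")
    in_port, out_port = int(m.group("in_port")), int(m.group("out_port"))
    for p in (in_port, out_port):
        if not 1 <= p <= 65535:
            findings.append(f"port {p} is out of range")
    if in_port != out_port:
        findings.append(f"inside port {in_port} differs from outside port {out_port}; "
                        "intentional port translation or a truncated number?")
    for p in sorted({in_port, out_port}):
        if p in PORTLESS_PROTOCOLS:
            findings.append(f"{m.group('proto').lower()} port {p} looks like IP protocol "
                            f"{p} ({PORTLESS_PROTOCOLS[p]}), which has no ports and is "
                            "not carried by a per-port entry")
    return findings

def review(config_text):
    """Map each static NAT line in a config blob to its findings."""
    return {ln.strip(): check_static_nat(ln) for ln in config_text.splitlines()
            if ln.strip().lower().startswith("ip nat inside source static")}

# Constructed sample: the statements proposed earlier in this thread.
SAMPLE = """\
ip nat inside source static tcp 192.168.1.3 1723 66.191.17.217 1723
ip nat inside source static tcp 192.168.1.3 50 66.191.17.217 50
ip nat inside source static UDP 192.168.1.3 500 66.191.17.217 50
"""

if __name__ == "__main__":
    for stmt, issues in review(SAMPLE).items():
        print(stmt, "->", issues or "ok")
```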
 