Setting up VPN from Windows XP to a Cisco router

I'm trying to set up a Cisco 877 router to function as a VPN server for our network so that people can connect using the VPN client built into Windows XP.

I've tried following the directions at

I can connect from a Windows XP machine, but I can't reach anything on the internal network: I can ping the WAN address of the router, but not the LAN address, and not any of the servers behind the router. Is there something I didn't set up properly?

If I'm asking stupid questions here, and the answer should be obvious to any sysadmin, there's a good reason: I'm not a sysadmin. I'm a programmer who knows more about networking than anyone else in the building.

Reply to
rengaw03

post the following

show version

show run masking out the outside IP address

show ip route

show user

show vpdn

Reply to
Merv

Merv wrote:

Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.3(8)YI2, RELEASE SOFTWARE (fc1)
Synched to technology version 12.3(10.3)T2
Technical Support:
(c) 1986-2005 by Cisco Systems, Inc.
Compiled Tue 14-Jun-05 18:58 by ealyon

ROM: System Bootstrap, Version 12.3(8r)YI1, RELEASE SOFTWARE
ROM: Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.3(8)YI2, RELEASE SOFTWARE (fc1)

router uptime is 4 weeks, 6 days, 20 minutes
System returned to ROM by power-on
System restarted at 10:40:41 PCTime Thu Mar 16 2006
System image file is "flash:c870-advsecurityk9-mz.123-8.YI2.bin"

Cisco 877 (MPC8272) processor (revision 0x100) with 118784K/12288K bytes of memory.
Processor board ID FHK094721E3
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ATM interface
128K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Intel Strataflash)

Configuration register is 0x2102

ww.xx.yy.zz is the first IP address in the block we got from our ISP
ww.xx.yy.zq is the outside IP address of the router
ww.xx.yy.zr is the outside IP address of the computer currently functioning as a VPN server

!
! Last configuration change at 11:28:43 PDT Tue Apr 18 2006 by admin
! NVRAM config last updated at 14:26:22 PDT Mon Apr 3 2006 by admin
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
!
username admin privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
username testclient password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
ip dhcp excluded-address 192.168.17.1 192.168.17.34
ip dhcp excluded-address 192.168.17.208 192.168.17.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.17.0 255.255.255.0
   dns-server 192.168.17.27
   default-router 192.168.17.1
   netbios-name-server 192.168.17.27
   lease 14
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name our-company.com
ip name-server 205.171.3.65
ip name-server 205.171.2.65
ip ssh time-out 60
ip ssh authentication-retries 2
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
no ftp-server write-enable
!
!
!
!
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.2 point-to-point
 pvc 0/32
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
 no ip address
 no cdp enable
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface Virtual-Template1
 ip unnumbered FastEthernet0
 ip mroute-cache
 peer default ip address pool winvpn
 no keepalive
 ppp encrypt mppe 128 required
 ppp authentication chap ms-chap
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.17.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
interface Dialer0
 ip address ww.xx.yy.zq 255.255.255.248
 ip access-group sdm_dialer0_in in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxxxxxxxxxxxxxx
 ppp chap password 7 xxxxxxxxxxxxxxxxxxxxx
!
ip local pool winvpn 192.168.16.0 192.168.16.255
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.17.29 5003 interface Dialer0 5003
ip nat inside source static tcp 192.168.17.29 8001 interface Dialer0 8001
ip nat inside source static tcp 192.168.17.27 21 interface Dialer0 21
ip nat inside source static tcp 192.168.17.26 8080 interface Dialer0 8080
ip nat inside source static tcp 192.168.17.26 810 interface Dialer0 810
ip nat inside source static tcp 192.168.17.26 25 interface Dialer0 25
ip nat inside source static tcp 192.168.17.26 110 interface Dialer0 110
ip nat inside source static tcp 192.168.17.26 510 interface Dialer0 510
ip nat inside source static tcp 192.168.17.27 80 interface Dialer0 80
ip nat inside source static udp 192.168.17.26 810 interface Dialer0 810
ip nat inside source static 192.168.17.27 ww.xx.yy.zr
!
ip access-list extended sdm_dialer0_in
 remark SDM_ACL Category=1
 permit gre 206.63.88.0 0.0.7.255 host ww.xx.yy.zr
 permit gre host 67.185.129.168 host ww.xx.yy.zr
 permit esp any host ww.xx.yy.zr
 permit tcp 206.63.88.0 0.0.7.255 host ww.xx.yy.zr eq 1723
 permit tcp host 67.185.129.168 host ww.xx.yy.zr eq 1723
 permit udp any host ww.xx.yy.zr eq isakmp
 permit udp any host ww.xx.yy.zr eq 1701
 permit udp any host ww.xx.yy.zr eq non500-isakmp
 permit ip any host ww.xx.yy.zq
 permit udp any eq domain host ww.xx.yy.zr
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.17.0 0.0.0.255
access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip ww.xx.yy.zq 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto-generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 192.168.17.0 0.0.0.255 any
access-list 101 permit icmp any host ww.xx.yy.zq echo-reply
access-list 101 permit icmp any host ww.xx.yy.zq time-exceeded
access-list 101 permit icmp any host ww.xx.yy.zq unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport preferred all
 transport output telnet
line aux 0
 login local
 transport preferred all
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport preferred all
 transport input telnet ssh
 transport output all
!
end

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     ww.0.0.0/29 is subnetted, 1 subnets
C       ww.xx.yy.zz is directly connected, Dialer0
     207.225.41.0/32 is subnetted, 1 subnets
C       207.225.41.193 is directly connected, Dialer0
C    192.168.17.0/24 is directly connected, Vlan1
     192.168.16.0/32 is subnetted, 1 subnets
C       192.168.16.0 is directly connected, Virtual-Access5
S*   0.0.0.0/0 is directly connected, Dialer0

    Line       User       Host(s)              Idle       Location
*  2 vty 0     admin      idle                 00:00:00   192.168.17.34

  Interface    User               Mode         Idle     Peer Address
  Vi2                             PPPoATM      00:00:07 207.225.41.193
  Vi5          testclient         PPPoVPDN     00:00:28 192.168.16.0

%No active L2F tunnels

%No active L2TP tunnels

PPTP Tunnel and Session Information Total tunnels 1 sessions 1

LocID Remote Name     State    Remote Address   Port  Sessions VPDN Group
29                    estabd   192.168.17.64    1102  1        1

LocID RemID TunID Intf   Username   State   Last Chg Uniq ID
29    49152 29    Vi5    testclient estabd  00:02:21 30
Reply to
rengaw03

I would suggest that you change the vpn pool address range as follows and capitalize its name so it stands out better in the configuration.

no ip local pool winvpn 192.168.16.0 192.168.16.255
ip local pool WINVPN 192.168.16.1 192.168.16.254

int Virtual-Template1
 no peer default ip address pool winvpn
 peer default ip address pool WINVPN

Are you testing this from the LAN the Cisco 877 is attached to or from elsewhere on the Internet?

Reply to
Merv

Done.

The "show ip route", "show user", and "show vpdn" output is from the LAN, but my original message is from testing over the Internet.

Reply to
rengaw03

Need to see the output of those commands when a connection is established over the Internet.

I know it is hard to be two places at once...

If you have a fixed IP address at home, then you could configure the router to permit telnet or ssh from that address so you can see what is happening on the box when you bring up the PPTP tunnel.

Reply to
Merv

router#show vpdn

%No active L2F tunnels

%No active L2TP tunnels

PPTP Tunnel and Session Information Total tunnels 1 sessions 1

LocID Remote Name     State    Remote Address   Port  Sessions VPDN Group
33                    estabd   67.185.129.168   1040  1        1

LocID RemID TunID Intf   Username   State   Last Chg Uniq ID
33    1024  33    Vi5    testclient estabd  00:00:05 34
router#
router#show users
    Line       User       Host(s)              Idle       Location
*  2 vty 0     admin      idle                 00:00:00   c-67-185-129-168.hsd1.wa.comcast.net

  Interface    User               Mode         Idle     Peer Address
  Vi2                             PPPoATM      00:00:08 207.225.41.193
  Vi5          testclient         PPPoVPDN     00:00:17 192.168.16.1

router#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     ww.0.0.0/29 is subnetted, 1 subnets
C       ww.xx.yy.zz is directly connected, Dialer0
     207.225.41.0/32 is subnetted, 1 subnets
C       207.225.41.193 is directly connected, Dialer0
C    192.168.17.0/24 is directly connected, Vlan1
     192.168.16.0/32 is subnetted, 1 subnets
C       192.168.16.1 is directly connected, Virtual-Access5
S*   0.0.0.0/0 is directly connected, Dialer0
router#

Reply to
rengaw03

Do you have the Windows XP firewall enabled ?

If so disable it to see if you can ping the LAN interface

Reply to
Merv

Hello,

I think your access-list extended sdm_dialer0_in might be blocking your access. Try and add:

permit 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255

Regards,

GNT

Reply to
help

clear logging buffer and then enable "debug icmp"

setup PPTP session from Internet (not from LAN)

ping router LAN interface

examine log to see if ICMP debug messages are seen

post show log

does "show int vi5" give any output ?

Reply to
Merv


the remote PPTP traffic is carried inside a GRE tunnel

Reply to
Merv

000413: Apr 20 20:06:17.551 PDT: ICMP: echo reply sent, src 192.168.17.1, dst 192.168.16.1
000414: Apr 20 20:06:22.606 PDT: ICMP: echo reply sent, src 192.168.17.1, dst 192.168.16.1
000415: Apr 20 20:06:27.609 PDT: ICMP: echo reply sent, src 192.168.17.1, dst 192.168.16.1
000416: Apr 20 20:06:32.631 PDT: ICMP: echo reply sent, src 192.168.17.1, dst 192.168.16.1

Which corresponds to four "Request timed out." messages from "ping". Going the other way, having the router ping 192.168.16.1, produced a success rate of 0%

Virtual-Access5 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of FastEthernet0 (0.0.0.0)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: CCP, IPCP
  PPPoVPDN vaccess, cloned from Virtual-Template1
  Vaccess status 0x44
  Protocol pptp, tunnel id 35, session id 35, loopback not set
  Keepalive not set
  DTR is pulsed for 5 seconds on reset
  Last input 00:00:24, output never, output hang never
  Last clearing of "show interface" counters 00:03:31
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     48 packets input, 5000 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     9 packets output, 144 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions

Windows Firewall isn't running, and I tried setting the DMZ on my home NAT router to be my WinXP box: didn't fix the problem. The NAT router on my home system has options for VPN passthrough, and they're all enabled.

Reply to
rengaw03

so now you know that the pings are received by the router over the PPTP tunnel and that the router responds to them - so the PPTP tunnel is functioning inbound.

question now is are the echo replies put back into the PPTP tunnel

so repeat the previous testing

clear the log
clear the counters on the vi5 interface ("clear counter vi5") just before doing the ping test
ping 192.168.17.1
show int vi 5
show log

Post the output of the above commands

Reply to
Merv

Connect your Windows XP PC directly to your DSL or cable modem

Reply to
Merv

also for debugging enable "debug icmp" for retest along with "debug vpdn packet data detail"

also post output of "show vpdn tunnel all"

Reply to
Merv

BTW what is the make and model of your home NAT router ?

Reply to
Merv

so is problem solved ?

Reply to
Merv

Doesn't appear to be.

router#show int vi 5
Virtual-Access5 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of FastEthernet0 (0.0.0.0)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: CCP, IPCP
  PPPoVPDN vaccess, cloned from Virtual-Template1
  Vaccess status 0x44
  Protocol pptp, tunnel id 39, session id 39, loopback not set
  Keepalive not set
  DTR is pulsed for 5 seconds on reset
  Last input 00:00:12, output never, output hang never
  Last clearing of "show interface" counters 00:00:38
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     4 packets input, 272 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions

router#show log

000479: Apr 24 21:40:01.749 PDT: ICMP: echo reply sent, src 192.168.17.1, dst 192.168.16.1
000481: Apr 24 21:40:06.939 PDT: ICMP: echo reply sent, src 192.168.17.1, dst 192.168.16.1
000483: Apr 24 21:40:11.966 PDT: ICMP: echo reply sent, src 192.168.17.1, dst 192.168.16.1
000484: Apr 24 21:40:16.964 PDT: ICMP: echo reply sent, src 192.168.17.1, dst 192.168.16.1
Reply to
rengaw03
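A small check for the question Merv raised (are the echo replies put back into the PPTP tunnel?), added here as an example and not code from anyone in the thread: it parses "show int vi 5" and the "debug icmp" log lines posted above (abridged into a constructed sample) and flags the mismatch between replies the ICMP process sent and a Virtual-Access output counter that stays at zero. The second flag, on the unnumbered interface borrowing 0.0.0.0 from FastEthernet0, is my own assumption about what is worth looking at, not a conclusion the thread reaches.

```python
import re

# Constructed sample, abridged from the "show int vi 5" output posted above
SHOW_INT = """Virtual-Access5 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of FastEthernet0 (0.0.0.0)
  4 packets input, 272 bytes, 0 no buffer
  0 packets output, 0 bytes, 0 underruns
"""
# Constructed sample, abridged from the "show log" output posted above
SHOW_LOG = """000479: Apr 24 21:40:01.749 PDT: ICMP: echo reply sent, src 192.168.17.1, dst 192.168.16.1
000481: Apr 24 21:40:06.939 PDT: ICMP: echo reply sent, src 192.168.17.1, dst 192.168.16.1
000483: Apr 24 21:40:11.966 PDT: ICMP: echo reply sent, src 192.168.17.1, dst 192.168.16.1
000484: Apr 24 21:40:16.964 PDT: ICMP: echo reply sent, src 192.168.17.1, dst 192.168.16.1
"""

def parse_show_interface(text):
    """Pull the packet counters and the unnumbered source out of show interface output."""
    pkts_in = int(re.search(r"(\d+) packets input", text).group(1))
    pkts_out = int(re.search(r"(\d+) packets output", text).group(1))
    unnum = re.search(r"Using address of (\S+) \((\d+\.\d+\.\d+\.\d+)\)", text)
    return {
        "packets_input": pkts_in,
        "packets_output": pkts_out,
        "unnumbered_source": unnum.group(1) if unnum else None,
        "unnumbered_addr": unnum.group(2) if unnum else None,
    }

def count_echo_replies(log, dst):
    """Count 'debug icmp' lines where the router reports sending an echo reply to dst."""
    pat = re.compile(r"ICMP: echo reply sent, src \S+, dst (\S+)")
    return sum(1 for m in pat.finditer(log) if m.group(1) == dst)

def diagnose(show_int, show_log, client_ip):
    """Return a list of finding names; an empty list means nothing looked wrong."""
    iface = parse_show_interface(show_int)
    findings = []
    # The router built replies, yet the tunnel interface transmitted nothing:
    # the replies left by some other path or were dropped before reaching vi5.
    if count_echo_replies(show_log, client_ip) > 0 and iface["packets_output"] == 0:
        findings.append("replies_not_sent_on_tunnel")
    # Assumption: an unnumbered interface borrowing 0.0.0.0 deserves a look.
    if iface["unnumbered_addr"] == "0.0.0.0":
        findings.append("unnumbered_source_has_no_address")
    return findings
```

Run diagnose(SHOW_INT, SHOW_LOG, "192.168.16.1") against the posted output and both findings come back; paste in a later "show int vi 5" capture to see whether the output counter moves after a change.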

Please post the output of "debug vpdn packet data detail" and "show vpdn tunnel all"

Reply to
Merv
