Port 1723 being blocked

Hi all,

My first post...so be gentle with me!

I have the below config on a 3620 router. No troubles with anything else whatsoever other than getting VPN access. I have "ip nat inside source static tcp 192.168.0.4 1723 interface Dialer0 1723" set to forward port 1723 to my VPN system.

Also have (have changed IPs):

access-list 101 remark Work VPN Access
access-list 101 permit ip host 123.123.123.123 any
access-list 101 remark Work Access
access-list 101 permit ip host 123.123.123.123 any

set which allows me VPN access from my work network. Setting allow any at the top of the ACL provides access to the VPN no problem, so I know the VPN system is working.

However when I try to VPN from any other internet connection I get the following logged:

009081: .Jun 23 13:16:29.084 London: %SEC-6-IPACCESSLOGP: list 101 denied tcp 213.123.133.193(49170) -> xxx.xxx.xxx.xxx(1723), 1 packet

despite having

access-list 101 remark VPN Access TCP
access-list 101 permit tcp any eq 1723 any eq 1723
access-list 101 remark VPN Access UDP
access-list 101 permit udp any eq 1723 any eq 1723

I'm guessing my ACL ordering or something is incorrect. Any help would be much appreciated.

Thanks in advance

Current configuration : 5843 bytes
!
! Last configuration change at 11:01:00 London Tue Jun 23 2009 by admin
! NVRAM config last updated at 19:21:18 London Wed Jun 17 2009 by admin
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxx-C3620
!
boot-start-marker
boot system flash slot0:c3620-ik9o3s7-mz.123-22.bin
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$nwOl$HPufhd.N6ZXER6uHyHkQA.
enable password 7 120E5410150709
!
clock timezone London 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
ip subnet-zero
no ip source-route
!
ip cef
ip domain name Home
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip dhcp excluded-address 192.168.0.1 192.168.0.9
!
ip dhcp pool DhcpPool1
 import all
 network 192.168.0.0 255.255.255.0
 dns-server 208.67.222.222 208.67.220.220
 default-router 192.168.0.1
 lease 5
!
no ip bootp server
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip audit po max-events 100
!
username admin privilege 15 password 7 xxxxxxxxxxx
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
interface Null0
 no ip unreachables
!
interface Ethernet0/0
 description $ETH-LAN$$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip flow ingress
 ip route-cache flow
 half-duplex
!
interface ATM1/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm auto-configuration
 no atm ilmi-keepalive
 no atm address-registration
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM1/0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip flow ingress
 ip inspect SDM_LOW out
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxxxxxxxxx
 ppp chap password 7 xxxxxxxxxxxxxxxxx
!
ip default-gateway 192.168.0.1
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.4 80 interface Dialer0 80
ip nat inside source static tcp 192.168.0.4 1723 interface Dialer0 1723
ip http server
ip http secure-server
no ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
!
ip dns server
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 remark OSPF
access-list 101 permit ospf any any
access-list 101 remark GRE Access
access-list 101 permit tcp any eq 47 any eq 47
access-list 101 remark VPN Access TCP
access-list 101 permit tcp any eq 1723 any eq 1723
access-list 101 remark VPN Access UDP
access-list 101 permit udp any eq 1723 any eq 1723
access-list 101 permit tcp any eq 135 any eq 135
access-list 101 remark SSH Access
access-list 101 permit tcp any eq 22 any eq 22
access-list 101 remark HTTP Access
access-list 101 permit tcp any any eq www
access-list 101 remark HTTPS Access
access-list 101 permit tcp any eq 443 any eq 443
access-list 101 remark VPN IKE Access
access-list 101 permit udp any eq isakmp any eq isakmp
access-list 101 permit udp any eq 49152 any eq 49152
access-list 101 remark Auto generated by SDM for NTP (123)
access-list 101 permit udp host 192.43.244.18 eq ntp any eq ntp
access-list 101 remark Auto generated by SDM for NTP (123)
access-list 101 permit udp host 99.150.184.201 eq ntp any eq ntp
access-list 101 remark Work VPN Access
access-list 101 permit ip host 123.123.123.123 any
access-list 101 remark Work Access
access-list 101 permit ip host 123.123.123.123 any
access-list 101 deny ip 192.168.0.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
banner login ^CUnathorised Access is not allowed^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 password 7 1400430C0B082F
 transport input telnet ssh
!
scheduler allocate 4000 1000
ntp clock-period 17180127
ntp server 192.43.244.18 prefer
ntp server 99.150.184.201
!
end
Reply to
Adrian

Compare your access list to the log message. The blocked packet has a source port of 49170 and a destination port of 1723. Your ACL only allows traffic with a source port of 1723 and a destination port of 1723.

Regards, Blaz

Reply to
Blaz Zupan

Thanks Blaz,

Worked a treat. Knew it would be something simple. Guess that's what I get for being self-taught Cisco in my free time.

Thanks again

Adrian

Reply to
Adrian

Port 1723 must be PPTP, which uses more than just UDP port 1723. It also uses the GRE IP protocol. Most simplistic routers just do what they think you want. Ciscos tend to do exactly what you tell them.

You'll have to permit GRE through as well. Here's a Cisco tech note.


Reply to
Doug McIntyre
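As an added illustration, not code from the thread, here is a small first-match evaluator for IOS-style extended ACEs that runs the logged packet against the relevant lines of access-list 101 as posted and against a corrected version. It covers both Blaz's point (the "eq 1723" on the source side can never match a client's ephemeral source port) and Doug's point that GRE is an IP protocol, which the posted "permit tcp any eq 47 any eq 47" line does not match; "permit gre any any" does. The packet values are constructed from the log line, and 203.0.113.10 is a placeholder for the router's masked public address.

```python
import ipaddress
# Constructed test packets: the denied PPTP control connection from the log line
# (source port 49170 -> 1723) and a GRE packet; 203.0.113.10 stands in for the masked router address.
PKT_PPTP = {"proto": "tcp", "src": "213.123.133.193", "srcport": 49170, "dst": "203.0.113.10", "dstport": 1723}
PKT_GRE = {"proto": "gre", "src": "213.123.133.193", "srcport": None, "dst": "203.0.113.10", "dstport": None}
# Relevant subset of access-list 101 as posted, and a corrected version.
ACL_BEFORE = """permit tcp any eq 47 any eq 47
permit tcp any eq 1723 any eq 1723
permit udp any eq 1723 any eq 1723
deny ip any any log"""
ACL_AFTER = """permit gre any any
permit tcp any any eq 1723
deny ip any any log"""

def _parse_endpoint(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D <wildcard>' plus an optional 'eq <port>' (numeric)."""
    if tokens[0] == "any":
        net, mask, tokens = 0, 0, tokens[1:]
    elif tokens[0] == "host":
        net, mask, tokens = int(ipaddress.ip_address(tokens[1])), 0xFFFFFFFF, tokens[2:]
    else:  # wildcard mask: 0 bits must match, so invert it to get a normal netmask
        mask = ~int(ipaddress.ip_address(tokens[1])) & 0xFFFFFFFF
        net, tokens = int(ipaddress.ip_address(tokens[0])) & mask, tokens[2:]
    port, tokens = (int(tokens[1]), tokens[2:]) if tokens[:1] == ["eq"] else (None, tokens)
    return (net, mask, port), tokens

def parse_ace(line):
    t = line.split()  # <action> <proto> <src> [eq p] <dst> [eq p] [log]
    src, rest = _parse_endpoint(t[2:])
    dst, _ = _parse_endpoint(rest)
    return {"action": t[0], "proto": t[1], "src": src, "dst": dst}

def matches(ace, pkt):
    """True if pkt matches the ACE; protocol 'ip' matches any protocol."""
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    for side, (net, mask, port) in (("src", ace["src"]), ("dst", ace["dst"])):
        if (int(ipaddress.ip_address(pkt[side])) & mask) != net:
            return False
        # an 'eq' on the source side is what broke the posted ACL: clients pick ephemeral source ports
        if port is not None and port != pkt[side + "port"]:
            return False
    return True

def evaluate(acl_text, pkt):
    """First-match semantics as on IOS, ending with the implicit deny; returns (action, matching ACE)."""
    for line in acl_text.splitlines():
        if matches(parse_ace(line), pkt):
            return line.split()[0], line
    return "deny", "implicit deny"
```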

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.