Aaaaaaarrrrrggggg (Oct 4, 2004)
ha, ha, ha, og me ekam
I looked through the thread and didn't find an exact answer to my question, but I could've missed it in the 17 pages, so if I did, sorry!
I'm trying to connect to my home network via vpn. I've tried two ways - Windows 2003 Remote Access Server with the Windows VPN client, and using my Cisco router (SOHO 91, 12.3(2)XC) as the endpoint with the Cisco VPN client (4.7).
First, the Windows route. The ACLs and NAT I'm using are here:
```
! static NAT: RDP (3389) and PPTP control (1723) forwarded to the RRAS server
ip nat inside source static tcp 192.168.7.13 3389 interface Ethernet1 3389
ip nat inside source static tcp 192.168.7.13 1723 interface Ethernet1 1723
! inbound ACL on the Internet-facing interface
ip access-list extended inlist
 permit udp any eq bootps any eq bootpc
 permit tcp any any eq 1723 log
 permit tcp any any eq 3389
 evaluate tmplist
 deny tcp any any log
! outbound ACL; reflexive entries for outgoing sessions are recorded in tmplist
ip access-list extended outlist
 deny tcp any any range 135 139 log
 deny tcp any any eq 445 log
 permit ip any any reflect tmplist
```
192.168.7.13 is the RRAS server. Now, I'm able to make this connection internally, so I know the RRAS server's working fine. The problems appear when I try from the outside. The client connects, attempts to authenticate, and then fails with what appears to be a timeout. I'm almost certain I'm missing an ACL in there, but I have no idea what or where.
The second means - the Cisco route - works internally if I use the same above commands, and the following interface commands:
```
! internal LAN interface
interface Ethernet0
 ip address 192.168.7.1 255.255.255.0
 ip nat inside
 no cdp enable
 hold-queue 32 in
!
! Internet-facing interface (address via DHCP)
interface Ethernet1
 ip address dhcp client-id Ethernet1
 ip access-group inlist in
 ip access-group outlist out
 ip nat outside
 ip inspect myfw out
 duplex auto
 no cdp enable
 crypto map dynmap
```
It works internally by moving the crypto line on Eth1 (internet) to Eth0 (internal). I also remove the ACL for 1723 and the NAT for 1723. Problem is, from the outside, I can't even make a connection. Again, I'm sure I'm missing something obvious, but I don't know what.
Sorry for the long post - I can provide more of the config if it helps. I'd honestly be happy with any means, I just want to figure out where I'm going wrong after being so close. Any help would be appreciated!
Edit: Ok - I got the Windows way working - I apparently needed a second NIC on the server. If anyone wouldn't mind explaining what I'm doing wrong on the Cisco side, I'd appreciate it, though. I can include any config pieces that I'm missing - just tell me what you need.
Aaaaaaarrrrrggggg fucked around with this message at 18:01 on Oct 16, 2007
Oct 16, 2007 03:38
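As an added illustration (not from the thread or either poster), a small Python check that parses an IOS extended ACL in the form posted above and reports which inbound flows a PPTP or Cisco IPsec-client endpoint needs but the list never permits. It assumes `eq`-style port matches only, ignores `evaluate` reflexive entries, and the required-flow table is protocol knowledge rather than anything stated in the thread.

```python
"""Check whether a Cisco IOS extended ACL permits the inbound flows a VPN endpoint needs."""
# Inbound flows each VPN type needs on the outside interface (protocol knowledge, not the
# thread's): PPTP = TCP/1723 plus the GRE tunnel; Cisco IPsec client = UDP/500, UDP/4500, ESP.
REQUIRED = {
    "pptp": [("tcp", 1723), ("gre", None)],
    "ipsec": [("udp", 500), ("udp", 4500), ("esp", None)],
}
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "bootps": 67, "bootpc": 68}

def _addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD' plus an optional 'eq PORT'; return the port."""
    del tok[:1 if tok[0] == "any" else 2]
    if not tok or tok[0] != "eq":
        return None
    name = tok[1]
    del tok[:2]
    return PORT_NAMES.get(name) or (int(name) if name.isdigit() else name)

def parse_acl(config, name):
    """Return the (action, protocol, dst_port) entries of extended ACL `name`, in order."""
    entries, inside = [], False
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "access-list", "extended"]:
            inside = tok[3] == name
        elif inside and tok and tok[0] in ("permit", "deny"):
            rest = tok[2:]
            _addr(rest)                   # source address/port: irrelevant for this check
            entries.append((tok[0], tok[1].lower(), _addr(rest)))
    return entries

def missing_flows(config, acl_name, vpn):
    """Flows of `vpn` the ACL does not permit (first match wins; no match = implicit deny)."""
    missing = []
    for proto, port in REQUIRED[vpn]:
        hit = next((a for a, ep, dp in parse_acl(config, acl_name)
                    if ep in ("ip", proto) and (dp is None or dp == port)), "deny")
        if hit != "permit":
            missing.append(f"{proto}/{port}" if port else proto)
    return missing

# Constructed sample: the 'inlist' ACL as posted above. 'evaluate tmplist' is skipped on
# purpose; reflexive entries only cover sessions the inside opened, never a new inbound VPN.
INLIST = """\
ip access-list extended inlist
permit udp any eq bootps any eq bootpc
permit tcp any any eq 1723 log
permit tcp any any eq 3389
evaluate tmplist
deny tcp any any log
"""
```

Running `missing_flows(INLIST, "inlist", vpn)` for each VPN type lists the flows the posted inbound ACL leaves to the implicit deny.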
Aaaaaaarrrrrggggg (Oct 4, 2004)
ha, ha, ha, og me ekam
Tremblay posted:
Can you post this fw policy:
ip inspect myfw
I assume you mean me - here's the list:
```
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
```
Oct 16, 2007 23:33