Aaaaaaarrrrrggggg
Oct 4, 2004

ha, ha, ha, og me ekam
I looked through the thread and didn't find an exact answer to my question, but I could've missed it in the 17 pages, so if I did, sorry!

I'm trying to connect to my home network via VPN. I've tried two ways - Windows 2003 Remote Access Server with the Windows VPN client, and using my Cisco router (SOHO 91, 12.3(2)XC) as the endpoint with the Cisco VPN client (4.7).

First, the Windows route. The ACLs and NAT I'm using are here:

code:
! static port forwards on the DHCP-assigned Ethernet1 (outside) address:
! RDP (3389) and the PPTP control channel (1723) to the RRAS server
ip nat inside source static tcp 192.168.7.13 3389 interface Ethernet1 3389
ip nat inside source static tcp 192.168.7.13 1723 interface Ethernet1 1723

! inbound ACL on Ethernet1: DHCP replies, PPTP control, RDP, then replies to
! outbound sessions via the reflexive list; everything not matched here
! (including anything that is not TCP) falls through to the implicit deny
ip access-list extended inlist
 permit udp any eq bootps any eq bootpc
 permit tcp any any eq 1723 log
 permit tcp any any eq 3389
 evaluate tmplist
 deny   tcp any any log
! outbound ACL on Ethernet1: block NetBIOS/SMB leaving the LAN, and record
! every other outbound flow in the reflexive list "tmplist"
ip access-list extended outlist
 deny   tcp any any range 135 139 log
 deny   tcp any any eq 445 log
 permit ip any any reflect tmplist
192.168.7.13 is the RRAS server. Now, I'm able to make this connection internally, so I know the RRAS server's working fine. The problems appear when I try from the outside. The client connects, attempts to authenticate, and then fails with what appears to be a timeout. I'm almost certain I'm missing an ACL in there, but I have no idea what or where.

The second means - the Cisco route - works internally if I use the same above commands, and the following interface commands:

code:
! Ethernet0 = LAN side (NAT inside)
interface Ethernet0
 ip address 192.168.7.1 255.255.255.0
 ip nat inside
 no cdp enable
 hold-queue 32 in
!
! Ethernet1 = Internet side (NAT outside); carries the ACLs, the CBAC
! inspection rule "myfw" and the IPsec crypto map for the VPN client
interface Ethernet1
 ip address dhcp client-id Ethernet1
 ip access-group inlist in
 ip access-group outlist out
 ip nat outside
 ip inspect myfw out
 duplex auto
 no cdp enable
 crypto map dynmap
It works internally by moving the crypto line on Eth1 (internet) to Eth0 (internal). I also remove the ACL for 1723 and the NAT for 1723. Problem is, from the outside, I can't even make a connection. Again, I'm sure I'm missing something obvious, but I don't know what.

Sorry for the long post - I can provide more of the config if it helps. I'd honestly be happy with any means, I just want to figure out where I'm going wrong after being so close. Any help would be appreciated!

Edit: Ok - I got the Windows way working - I apparently needed a second NIC on the server. If anyone wouldn't mind explaining what I'm doing wrong on the Cisco side, I'd appreciate it, though. I can include any config pieces that I'm missing - just tell me what you need.

Aaaaaaarrrrrggggg fucked around with this message at 18:01 on Oct 16, 2007
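The piece worth checking in the config above, as an added example rather than anything from the original post: the inbound ACL `inlist` only ever permits TCP (plus DHCP replies), so every non-TCP protocol both VPN types depend on hits the implicit deny at the end of the list. Neither `evaluate tmplist` nor `ip inspect myfw out` covers that, because both only open return paths for sessions started from the inside, and a VPN client starts its session from the outside. PPTP is TCP 1723 for control plus GRE (IP protocol 47) for the tunnel, which matches "connects, authenticates, then times out"; IPsec terminated on the router needs ISAKMP (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50). Interface and ACL names are taken from the post; the added lines are an assumption about what the rest of the config (not shown, e.g. how GRE reaches 192.168.7.13 through NAT, and the crypto map itself) expects.

```cisco
! Added example, not the poster's configuration: the same inbound ACL with
! the entries each VPN type needs on Ethernet1 (outside). Everything that
! is not explicitly permitted here is still dropped by the implicit deny.
ip access-list extended inlist
 permit udp any eq bootps any eq bootpc
 remark --- PPTP to the inside RRAS server (TCP 1723 control + GRE tunnel)
 permit tcp any any eq 1723 log
 permit gre any any
 remark --- IPsec terminated on this router (crypto map dynmap on Ethernet1)
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 remark --- unchanged from the original list
 permit tcp any any eq 3389
 evaluate tmplist
 deny   tcp any any log
```

To confirm which rule is doing the dropping, clear the counters with `clear access-list counters inlist`, attempt the connection, and read `show access-lists inlist`: hits on the final `deny tcp` line or no hits at all on the new entries point at the ACL; hits on the ISAKMP line with no `QM_IDLE` entry in `show crypto isakmp sa` point past the ACL into the crypto configuration. The `log` keyword on the deny line only logs TCP, so the dropped GRE/UDP/ESP packets never showed up in the logs, which is why the original problem looked like a timeout rather than a block.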


Aaaaaaarrrrrggggg
Oct 4, 2004

ha, ha, ha, og me ekam

Tremblay posted:

Can you post this fw policy:

ip inspect myfw

I assume you mean me - here's the list:

code:
! CBAC inspection rule applied outbound on Ethernet1: for sessions initiated
! from the inside, each protocol listed here gets a temporary return hole
! through "inlist" for the given idle timeout (seconds)
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
