Guest
Posted: Tue Apr 18, 2006 11:28 pm Post subject: Setting up VPN from Windows XP to a Cisco router
I'm trying to set up a Cisco 877 router to function as a VPN server for
our network so that people can connect using the VPN client built into
Windows XP.
I've tried following the directions at
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00801e51e2.shtml,
and I can connect from a Windows XP machine, but I can't reach anything
on the internal network: I can ping the WAN address of the router, but
not the LAN address, and not any of the servers behind the router. Is
there something I didn't set up properly?
If I'm asking stupid questions here, and the answer should be obvious
to any sysadmin, there's a good reason: I'm not a sysadmin. I'm a
programmer who knows more about networking than anyone else in the
building.
--
Mark Wagner
Merv (Guest)
Posted: Tue Apr 18, 2006 11:52 pm Post subject: Re: Setting up VPN from Windows XP to a Cisco router
Quote:
I'm trying to set up a Cisco 877 router to function as a VPN server for
our network so that people can connect using the VPN client built into
Windows XP.
Post the following:
show version
show run (masking out the outside IP address)
show ip route
show user
show vpdn
Guest
Posted: Wed Apr 19, 2006 11:03 pm Post subject: Re: Setting up VPN from Windows XP to a Cisco router
Merv wrote:
Quote:
I'm trying to set up a Cisco 877 router to function as a VPN server for
our network so that people can connect using the VPN client built into
Windows XP.
Post the following:
show version
Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version
12.3(8)YI2, RELEASE SOFTWARE (fc1)
Synched to technology version 12.3(10.3)T2
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Tue 14-Jun-05 18:58 by ealyon
ROM: System Bootstrap, Version 12.3(8r)YI1, RELEASE SOFTWARE
ROM: Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version
12.3(8)YI2, RELEASE SOFTWARE (fc1)
router uptime is 4 weeks, 6 days, 20 minutes
System returned to ROM by power-on
System restarted at 10:40:41 PCTime Thu Mar 16 2006
System image file is "flash:c870-advsecurityk9-mz.123-8.YI2.bin"
<crypto boilerplate snipped>
Cisco 877 (MPC8272) processor (revision 0x100) with 118784K/12288K
bytes of memory.
Processor board ID FHK094721E3
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ATM interface
128K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Intel Strataflash)
Configuration register is 0x2102
Quote:
show run (masking out the outside IP address)
ww.xx.yy.zz is the first IP address in the block we got from our ISP
ww.xx.yy.zq is the outside IP address of the router
ww.xx.yy.zr is the outside IP address of the computer currently
functioning as a VPN server
!
! Last configuration change at 11:28:43 PDT Tue Apr 18 2006 by admin
! NVRAM config last updated at 14:26:22 PDT Mon Apr 3 2006 by admin
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
!
username admin privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
username testclient password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
ip dhcp excluded-address 192.168.17.1 192.168.17.34
ip dhcp excluded-address 192.168.17.208 192.168.17.254
!
ip dhcp pool sdm-pool1
import all
network 192.168.17.0 255.255.255.0
dns-server 192.168.17.27
default-router 192.168.17.1
netbios-name-server 192.168.17.27
lease 14
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name our-company.com
ip name-server 205.171.3.65
ip name-server 205.171.2.65
ip ssh time-out 60
ip ssh authentication-retries 2
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
no ftp-server write-enable
!
!
!
!
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.2 point-to-point
pvc 0/32
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
no ip address
no cdp enable
!
interface FastEthernet1
no ip address
no cdp enable
!
interface FastEthernet2
no ip address
no cdp enable
!
interface FastEthernet3
no ip address
no cdp enable
!
interface Virtual-Template1
ip unnumbered FastEthernet0
ip mroute-cache
peer default ip address pool winvpn
no keepalive
ppp encrypt mppe 128 required
ppp authentication chap ms-chap
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.17.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
interface Dialer0
ip address ww.xx.yy.zq 255.255.255.248
ip access-group sdm_dialer0_in in
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxxxxxxxxxxxxx
ppp chap password 7 xxxxxxxxxxxxxxxxxxxxx
!
ip local pool winvpn 192.168.16.0 192.168.16.255
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.17.29 5003 interface Dialer0
5003
ip nat inside source static tcp 192.168.17.29 8001 interface Dialer0
8001
ip nat inside source static tcp 192.168.17.27 21 interface Dialer0 21
ip nat inside source static tcp 192.168.17.26 8080 interface Dialer0
8080
ip nat inside source static tcp 192.168.17.26 810 interface Dialer0 810
ip nat inside source static tcp 192.168.17.26 25 interface Dialer0 25
ip nat inside source static tcp 192.168.17.26 110 interface Dialer0 110
ip nat inside source static tcp 192.168.17.26 510 interface Dialer0 510
ip nat inside source static tcp 192.168.17.27 80 interface Dialer0 80
ip nat inside source static udp 192.168.17.26 810 interface Dialer0 810
ip nat inside source static 192.168.17.27 ww.xx.yy.zr
!
ip access-list extended sdm_dialer0_in
remark SDM_ACL Category=1
permit gre 206.63.88.0 0.0.7.255 host ww.xx.yy.zr
permit gre host 67.185.129.168 host ww.xx.yy.zr
permit esp any host ww.xx.yy.zr
permit tcp 206.63.88.0 0.0.7.255 host ww.xx.yy.zr eq 1723
permit tcp host 67.185.129.168 host ww.xx.yy.zr eq 1723
permit udp any host ww.xx.yy.zr eq isakmp
permit udp any host ww.xx.yy.zr eq 1701
permit udp any host ww.xx.yy.zr eq non500-isakmp
permit ip any host ww.xx.yy.zq
permit udp any eq domain host ww.xx.yy.zr
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.17.0 0.0.0.255
access-list 100 remark auto-generated by Cisco SDM Express firewall
configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip ww.xx.yy.zq 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto-generated by Cisco SDM Express firewall
configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 192.168.17.0 0.0.0.255 any
access-list 101 permit icmp any host ww.xx.yy.zq echo-reply
access-list 101 permit icmp any host ww.xx.yy.zq time-exceeded
access-list 101 permit icmp any host ww.xx.yy.zq unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport preferred all
transport output telnet
line aux 0
login local
transport preferred all
transport output telnet
line vty 0 4
privilege level 15
login local
transport preferred all
transport input telnet ssh
transport output all
!
end
Quote:
show ip route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
ww.0.0.0/29 is subnetted, 1 subnets
C ww.xx.yy.zz is directly connected, Dialer0
207.225.41.0/32 is subnetted, 1 subnets
C 207.225.41.193 is directly connected, Dialer0
C 192.168.17.0/24 is directly connected, Vlan1
192.168.16.0/32 is subnetted, 1 subnets
C 192.168.16.0 is directly connected, Virtual-Access5
S* 0.0.0.0/0 is directly connected, Dialer0
Line User Host(s) Idle Location
* 2 vty 0 admin idle 00:00:00 192.168.17.34
Interface User Mode Idle Peer Address
Vi2 PPPoATM 00:00:07 207.225.41.193
Vi5 testclient PPPoVPDN 00:00:28 192.168.16.0
%No active L2F tunnels
%No active L2TP tunnels
PPTP Tunnel and Session Information Total tunnels 1 sessions 1
LocID Remote Name State Remote Address Port Sessions VPDN
Group
29 estabd 192.168.17.64 1102 1 1
LocID RemID TunID Intf Username State Last Chg Uniq ID
29 49152 29 Vi5 testclient estabd 00:02:21 30
Merv (Guest)
Posted: Thu Apr 20, 2006 2:59 am Post subject: Re: Setting up VPN from Windows XP to a Cisco router
I would suggest that you change the VPN pool address range as follows
and capitalize its name so it stands out better in the configuration.
no ip local pool winvpn 192.168.16.0 192.168.16.255
ip local pool WINVPN 192.168.16.1 192.168.16.254
int Virtual-Template1
no peer default ip address pool winvpn
peer default ip address pool WINVPN
Quote:
From the "show vpdn" output the remote IP address is a LAN address of
192.168.17.64
Are you testing this from the LAN the Cisco 877 is attached to or from
elsewhere on the Internet?
Guest
Posted: Thu Apr 20, 2006 3:24 am Post subject: Re: Setting up VPN from Windows XP to a Cisco router
Merv wrote:
Quote:
I would suggest that you change the VPN pool address range as follows
and capitalize its name so it stands out better in the configuration.
no ip local pool winvpn 192.168.16.0 192.168.16.255
ip local pool WINVPN 192.168.16.1 192.168.16.254
int Virtual-Template1
no peer default ip address pool winvpn
peer default ip address pool WINVPN
Done.
Quote:
From the "show vpdn" output the remote IP address is a LAN address of
192.168.17.64
Are you testing this from the LAN the Cisco 877 is attached to or from
elsewhere on the Internet?
The "show ip route", "show user", and "show vpdn" are from the LAN, but
my original message is from testing over the Internet.
--
Mark Wagner
Merv (Guest)
Posted: Thu Apr 20, 2006 3:38 am Post subject: Re: Setting up VPN from Windows XP to a Cisco router
Need to see the output of those commands when a connection is
established over the Internet.
I know it is hard to be in two places at once...
If you have a fixed IP address at home, then you could configure the router to
permit telnet or ssh from that address so you can see what is happening
on the box when you bring up the PPTP tunnel.
Guest
Posted: Thu Apr 20, 2006 6:20 am Post subject: Re: Setting up VPN from Windows XP to a Cisco router
Merv wrote:
Quote:
Need to see the output of those commands when a connection is
established over the Internet.
I know it is hard to be in two places at once...
If you have a fixed IP address at home, then you could configure the router to
permit telnet or ssh from that address so you can see what is happening
on the box when you bring up the PPTP tunnel.
From home:
router#show vpdn
%No active L2F tunnels
%No active L2TP tunnels
PPTP Tunnel and Session Information Total tunnels 1 sessions 1
LocID Remote Name State Remote Address Port Sessions VPDN
Group
33 estabd 67.185.129.168 1040 1 1
LocID RemID TunID Intf Username State Last Chg Uniq ID
33 1024 33 Vi5 testclient estabd 00:00:05 34
router#
router#show users
Line User Host(s) Idle Location
* 2 vty 0 admin idle 00:00:00
c-67-185-129-168.hsd1.wa.comcast.net
Interface User Mode Idle Peer Address
Vi2 PPPoATM 00:00:08 207.225.41.193
Vi5 testclient PPPoVPDN 00:00:17 192.168.16.1
router#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS
level-2
ia - IS-IS inter area, * - candidate default, U - per-user
static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
ww.0.0.0/29 is subnetted, 1 subnets
C ww.xx.yy.zz is directly connected, Dialer0
207.225.41.0/32 is subnetted, 1 subnets
C 207.225.41.193 is directly connected, Dialer0
C 192.168.17.0/24 is directly connected, Vlan1
192.168.16.0/32 is subnetted, 1 subnets
C 192.168.16.1 is directly connected, Virtual-Access5
S* 0.0.0.0/0 is directly connected, Dialer0
router#
--
Mark Wagner
Merv (Guest)
Posted: Thu Apr 20, 2006 1:44 pm Post subject: Re: Setting up VPN from Windows XP to a Cisco router
Do you have the Windows XP firewall enabled?
If so, disable it to see if you can ping the LAN interface.
help@globalnettechs.com (Guest)
Posted: Thu Apr 20, 2006 7:45 pm Post subject: Re: Setting up VPN from Windows XP to a Cisco router
Hello,
I think your access-list extended sdm_dialer0_in might be blocking your
access. Try and add:
permit 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
Regards,
GNT
Merv (Guest)
Posted: Thu Apr 20, 2006 8:16 pm Post subject: Re: Setting up VPN from Windows XP to a Cisco router
Clear the logging buffer and then enable "debug icmp".
Set up a PPTP session from the Internet (not from the LAN).
Ping the router LAN interface.
Examine the log to see if ICMP debug messages are seen.
Post "show log".
Does "show int vi5" give any output?
Merv (Guest)
Posted: Thu Apr 20, 2006 8:41 pm Post subject: Re: Setting up VPN from Windows XP to a Cisco router
The remote PPTP traffic is carried inside a GRE tunnel.
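As an added example (not part of the thread, and not anyone's posted code), the Python below applies Cisco wildcard-mask matching to the sdm_dialer0_in entries from the posted configuration, so you can see which line admits a given packet arriving on Dialer0. The two masked addresses ww.xx.yy.zq and ww.xx.yy.zr are stood in for by constructed documentation addresses (198.51.100.2 and 198.51.100.3), and the parser covers only the "permit/deny <proto> <src> [eq port] <dst> [eq port]" forms that appear in that ACL. The point it makes is the one in Merv's reply: the inbound ACL on the outside interface evaluates the outer GRE packet (client's public address to the router's WAN address), which "permit ip any host ww.xx.yy.zq" admits, and never the 192.168.16.x to 192.168.17.x traffic carried inside it, so an inner-network permit on that ACL cannot change what happens to the tunnel.

```python
"""Evaluate a Cisco IOS extended ACL with wildcard-mask semantics.

Added example, not from the thread.  Masked addresses are replaced by
constructed placeholders (ZQ for ww.xx.yy.zq, ZR for ww.xx.yy.zr)."""
import ipaddress

ZQ = "198.51.100.2"  # placeholder: router's outside address (ww.xx.yy.zq)
ZR = "198.51.100.3"  # placeholder: old VPN server's public address (ww.xx.yy.zr)

# Named ports that appear in the posted ACL.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "domain": 53}

# The sdm_dialer0_in entries from the posted configuration, placeholders inserted.
SDM_DIALER0_IN = f"""
permit gre 206.63.88.0 0.0.7.255 host {ZR}
permit gre host 67.185.129.168 host {ZR}
permit esp any host {ZR}
permit tcp 206.63.88.0 0.0.7.255 host {ZR} eq 1723
permit tcp host 67.185.129.168 host {ZR} eq 1723
permit udp any host {ZR} eq isakmp
permit udp any host {ZR} eq 1701
permit udp any host {ZR} eq non500-isakmp
permit ip any host {ZQ}
permit udp any eq domain host {ZR}
"""


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens, i):
    """Consume an address spec at tokens[i]; return ((network, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq <port>' at tokens[i]; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return PORT_NAMES.get(name, None) if name in PORT_NAMES else int(name), i + 2
    return None, i


def parse_acl(text):
    """Parse permit/deny lines into (action, proto, src, sport, dst, dport) tuples."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] == "remark":
            continue
        action, proto = t[0], t[1]
        src, i = _parse_addr(t, 2)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        entries.append((action, proto, src, sport, dst, dport))
    return entries


def _match_addr(spec, ip):
    # Wildcard bits set to 1 are "don't care": compare only the remaining bits.
    net, wild = spec
    return (_ip(ip) | wild) == (net | wild)


def evaluate(entries, proto, src, dst, sport=None, dport=None):
    """Return (action, 1-based line number) of the first match; implicit deny at the end."""
    for n, (action, p, s, sp, d, dp) in enumerate(entries, 1):
        if p != "ip" and p != proto:
            continue
        if not _match_addr(s, src) or not _match_addr(d, dst):
            continue
        if sp is not None and sp != sport:
            continue
        if dp is not None and dp != dport:
            continue
        return action, n
    return "deny", None


ACL = parse_acl(SDM_DIALER0_IN)

if __name__ == "__main__":
    # The outer packet of the PPTP data channel from the home client (67.185.129.168).
    print("GRE to router WAN address:", evaluate(ACL, "gre", "67.185.129.168", ZQ))
    # The same GRE packet aimed at the old VPN server's address.
    print("GRE to old VPN server:", evaluate(ACL, "gre", "67.185.129.168", ZR))
    # GRE from an address the ACL never names, to the old server: implicit deny.
    print("GRE from elsewhere:", evaluate(ACL, "gre", "203.0.113.5", ZR))
```

Running it shows that line 9 (the catch-all to the router's own outside address) is what admits the tunnel, which is also why it is worth tightening that entry to the protocols the router actually serves on its WAN side.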
Guest
Posted: Fri Apr 21, 2006 7:34 am Post subject: Re: Setting up VPN from Windows XP to a Cisco router
Merv wrote:
Quote:
Clear the logging buffer and then enable "debug icmp".
Set up a PPTP session from the Internet (not from the LAN).
Ping the router LAN interface.
Examine the log to see if ICMP debug messages are seen.
000413: Apr 20 20:06:17.551 PDT: ICMP: echo reply sent, src
192.168.17.1, dst 192.168.16.1
000414: Apr 20 20:06:22.606 PDT: ICMP: echo reply sent, src
192.168.17.1, dst 192.168.16.1
000415: Apr 20 20:06:27.609 PDT: ICMP: echo reply sent, src
192.168.17.1, dst 192.168.16.1
000416: Apr 20 20:06:32.631 PDT: ICMP: echo reply sent, src
192.168.17.1, dst 192.168.16.1
Which corresponds to four "Request timed out." messages from "ping".
Going the other way, having the router ping 192.168.16.1, produced a
success rate of 0%.
Quote:
Does "show int vi5" give any output?
Virtual-Access5 is up, line protocol is up
Hardware is Virtual Access interface
Interface is unnumbered. Using address of FastEthernet0 (0.0.0.0)
MTU 1500 bytes, BW 100000 Kbit, DLY 100000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Open
Open: CCP, IPCP
PPPoVPDN vaccess, cloned from Virtual-Template1
Vaccess status 0x44
Protocol pptp, tunnel id 35, session id 35, loopback not set
Keepalive not set
DTR is pulsed for 5 seconds on reset
Last input 00:00:24, output never, output hang never
Last clearing of "show interface" counters 00:03:31
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
48 packets input, 5000 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
9 packets output, 144 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
Windows Firewall isn't running, and I tried setting the DMZ on my home
NAT router to be my WinXP box: didn't fix the problem. The NAT router
on my home system has options for VPN passthrough, and they're all
enabled.
--
Mark Wagner
Merv (Guest)
Posted: Fri Apr 21, 2006 11:55 am Post subject: Re: Setting up VPN from Windows XP to a Cisco router
So now you know that the pings are received by the router over the
PPTP tunnel and that the router responds to them, so the PPTP tunnel
is functioning inbound.
The question now is whether the echo replies are put back into the PPTP tunnel.
So repeat the previous testing:
clear the log
clear the counters on the vi5 interface ("clear counter vi5") just before
doing the ping test
ping 192.168.17.1
show int vi 5
show log
Post the output of the above commands.
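The comparison Merv is asking for (replies logged versus packets actually counted out on the virtual-access interface) can be scripted. The Python below is an added example, not code from the thread: it counts the "echo reply sent" lines in a "show log" capture and compares them with the growth of the packets-output counter between two "show int vi5" captures, one taken right after "clear counters" and one after the ping test. The log and interface text embedded in it are constructed samples in the formats shown in the earlier posts, and the function names are my own.

```python
"""Check whether logged ICMP echo replies were counted as output on the
PPTP virtual-access interface.  Added example, not from the thread; the
sample text below is constructed from the formats seen in the posts."""
import re

ICMP_RE = re.compile(
    r"ICMP: echo reply sent, src (?P<src>\d+\.\d+\.\d+\.\d+), "
    r"dst (?P<dst>\d+\.\d+\.\d+\.\d+)")
COUNTER_RE = re.compile(r"(\d+) packets (input|output), (\d+) bytes")

# Constructed "show log" capture: four replies to the VPN client, plus one to a LAN host.
SAMPLE_LOG = """\
000413: Apr 20 20:06:17.551 PDT: ICMP: echo reply sent, src 192.168.17.1, dst 192.168.16.1
000414: Apr 20 20:06:22.606 PDT: ICMP: echo reply sent, src 192.168.17.1, dst 192.168.16.1
000415: Apr 20 20:06:27.609 PDT: ICMP: echo reply sent, src 192.168.17.1, dst 192.168.16.1
000416: Apr 20 20:06:32.631 PDT: ICMP: echo reply sent, src 192.168.17.1, dst 192.168.16.1
000417: Apr 20 20:06:40.002 PDT: ICMP: echo reply sent, src 192.168.17.1, dst 192.168.17.34
"""

# Constructed "show int vi5" excerpts: immediately after "clear counters", and after the pings.
SAMPLE_BEFORE = """\
Virtual-Access5 is up, line protocol is up
  0 packets input, 0 bytes, 0 no buffer
  0 packets output, 0 bytes, 0 underruns
"""
SAMPLE_AFTER = """\
Virtual-Access5 is up, line protocol is up
  4 packets input, 296 bytes, 0 no buffer
  0 packets output, 0 bytes, 0 underruns
"""


def count_echo_replies(log_text, src, dst):
    """Number of 'echo reply sent' lines from src to dst in a 'show log' capture."""
    return sum(1 for m in ICMP_RE.finditer(log_text)
               if m.group("src") == src and m.group("dst") == dst)


def interface_counters(show_int_text):
    """Return {'input': (packets, bytes), 'output': (packets, bytes)} from 'show interface'."""
    found = {}
    for m in COUNTER_RE.finditer(show_int_text):
        found[m.group(2)] = (int(m.group(1)), int(m.group(3)))
    return found


def replies_entered_tunnel(log_text, before, after, src, dst):
    """Compare replies logged with the growth of the output packet counter on the
    virtual-access interface.  Returns (replies_logged, output_delta, ok), where ok
    means the interface transmitted at least as many packets as replies were logged."""
    replies = count_echo_replies(log_text, src, dst)
    delta = (interface_counters(after)["output"][0]
             - interface_counters(before)["output"][0])
    return replies, delta, delta >= replies


if __name__ == "__main__":
    replies, delta, ok = replies_entered_tunnel(
        SAMPLE_LOG, SAMPLE_BEFORE, SAMPLE_AFTER, "192.168.17.1", "192.168.16.1")
    print(f"replies logged: {replies}, Vi5 output packets added: {delta}, "
          f"{'consistent' if ok else 'replies never reached the tunnel interface'}")
```

The input counter growing while the output counter stays at zero is the pattern to look for: it means the router answered (the log proves that) but the answer was routed or dropped somewhere other than the virtual-access interface. With the sample data above the script reports four replies logged and zero packets added on Vi5.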
Merv (Guest)
Posted: Fri Apr 21, 2006 1:26 pm Post subject: Re: Setting up VPN from Windows XP to a Cisco router
Connect your Windows XP PC directly to your DSL or cable modem.