jenken Posted July 17, 2009

Good day,

This is my first time configuring a Cisco 877 router, and I also don't have much experience when it comes to NAT, firewall and ACLs. The scenario is that there's a Windows Server 2008 box that I want to receive VPN connections from the WAN, but I can't get it to work. I managed to receive remote desktop connections, but not VPN. If you know how, please send me tips or instructions. Thanks!
matt2k4 Posted July 23, 2009

You need to make sure the ACLs applied to the outside interface are allowing your IPSEC traffic through. On a Cisco 800 series ISR, I believe the WAN interface is defaulted to fa0/4. So what you would need to do is something like the following:

    ! (if you already have an ACL applied to the outside, just use that one)
    int fa0/4
     ip access-group incoming in
    exit
    ip access-list extended incoming
     permit tcp any any established log
     permit udp any any eq isakmp log
     permit esp any any log
     ! permit etc.... other various services you require
     deny ip any any log
    exit

For the static translation, it shouldn't be much different than what you did for your RDP session. You will require something like this:

    ! change 10.0.0.1 to the IP of your win2k8 server
    ip nat inside source static udp 10.0.0.1 500 interface FastEthernet0/4 500
    ip nat inside source static esp 10.0.0.1 interface FastEthernet0/4

After you have this running and try it out, you should be able to see hits on the ACL. Do a `sh access-list incoming` and you will see the matches column, which should have incremented:

    Extended IP access list incoming
        40 permit udp any any eq isakmp (802874 matches)
        60 permit esp any any (350226931 matches)

I'm pretty sure Windows IPSEC will be happy with isakmp and esp; you may need AH, but only try that if you have no luck with the above.
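The "look at the matches column" check from the post above can be scripted so it is repeatable after each test attempt. The following Python is an added example, not code from matt2k4's post or from Cisco: it parses `show access-list` output, reports which of the expected entries (isakmp, esp, and the port-1723 lines from the PPTP variant later in this thread) have never matched anything, and diffs the counters between two captures. The sample output is constructed; the isakmp and esp lines reproduce the counters quoted above, and the other entries and their values are assumed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of "show access-list incoming" output. The isakmp and esp
# lines are the two quoted in the post above; the remaining entries are assumed
# here to illustrate ACEs that have not matched anything yet (IOS prints no
# "(N matches)" suffix for those).
SAMPLE_BEFORE = """\
Extended IP access list incoming
    10 permit tcp any any established log (12 matches)
    40 permit udp any any eq isakmp log (802874 matches)
    60 permit esp any any log (350226931 matches)
    70 permit udp any any eq 1723 log
    80 permit tcp any any eq 1723 log
    90 deny ip any any log (5 matches)
"""

# The same ACL captured again after a test connection attempt (also constructed).
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "80 permit tcp any any eq 1723 log", "80 permit tcp any any eq 1723 log (3 matches)"
).replace("(5 matches)", "(9 matches)")

# One access-control entry: "<seq> <rule text> [(N matches)]"
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<rule>.+?)(?:\s+\((?P<matches>\d+) matches\))?\s*$"
)


def parse_access_list(text: str) -> Dict[int, Tuple[str, int]]:
    """Map ACE sequence number -> (rule text, match count); no suffix means 0."""
    entries: Dict[int, Tuple[str, int]] = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:  # the "Extended IP access list ..." header or a blank line
            continue
        count = int(m.group("matches")) if m.group("matches") else 0
        entries[int(m.group("seq"))] = (m.group("rule"), count)
    return entries


def _has_tokens(rule: str, needle: str) -> bool:
    """True if the words of `needle` appear contiguously in `rule` (so 'esp'
    does not accidentally match 'established')."""
    toks, want = rule.split(), needle.split()
    return any(toks[i:i + len(want)] == want for i in range(len(toks) - len(want) + 1))


def hits_for(entries: Dict[int, Tuple[str, int]], needle: str) -> List[Tuple[int, str, int]]:
    """All ACEs mentioning `needle` (e.g. 'eq isakmp') with their counters."""
    return [(seq, rule, n) for seq, (rule, n) in sorted(entries.items())
            if _has_tokens(rule, needle)]


def unhit_rules(entries: Dict[int, Tuple[str, int]], needles: List[str]) -> List[str]:
    """Needles whose ACEs have never matched. A zero counter means the traffic
    never reached this interface (dropped or translated upstream), not that
    this ACL is blocking it."""
    return [nd for nd in needles
            if not any(n > 0 for _, _, n in hits_for(entries, nd))]


def counter_deltas(before: Dict[int, Tuple[str, int]],
                   after: Dict[int, Tuple[str, int]]) -> Dict[int, int]:
    """Per-ACE increase between two captures: the increment the post tells you to look for."""
    return {seq: after[seq][1] - before[seq][1] for seq in after if seq in before}


if __name__ == "__main__":
    before, after = parse_access_list(SAMPLE_BEFORE), parse_access_list(SAMPLE_AFTER)
    print("never matched:", unhit_rules(after, ["eq isakmp", "esp", "eq 1723"]))
    for seq, delta in counter_deltas(before, after).items():
        if delta:
            print(f"ACE {seq} +{delta}: {after[seq][0]}")
```

Capture the command output once before and once after a connection attempt and feed both captures to `counter_deltas`; an entry whose counter stays at zero while the deny line climbs tells you the packets are arriving but not matching the permit you expected.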
matt2k4 Posted July 23, 2009

Also, if all you are trying to do is VPN into your home network from the internet, you could scrap the idea of using the Win2k8 box and simply IPSEC into your router using the Windows IPSEC client. To do this, enter this config:

    ! aaa new-model must be enabled before the aaa authentication line is accepted
    aaa new-model
    aaa authentication ppp default group radius local
    ip name-server <ip of internal DNS server>
    vpdn enable
    !
    vpdn-group REMOTE_USERS
     ! Default PPTP VPDN group
     accept-dialin
      protocol pptp
      virtual-template 1
    username username password password
    ! make the pool something addressable in your network
    ip local pool defaultpool 10.0.0.2 10.0.0.100
    interface Virtual-Template1
     ip unnumbered FastEthernet0/4
     peer default ip address pool defaultpool
     ppp encrypt mppe auto required
     ppp authentication ms-chap ms-chap-v2

On your outside ACL, you will need:

     permit udp any any eq 1723
     permit tcp any any eq 1723
     ! PPTP carries the tunnelled data in GRE (IP protocol 47), which also has to be permitted
     permit gre any any
decepticon_eazy_e Posted July 23, 2009

> simply IPSEC into your router using the windows IPSEC client

> protocol pptp

pptp is not ipsec.
matt2k4 Posted July 23, 2009

Yep, you're right. I had IPSEC on the mind.