Jump to content

Cisco Router 877


Recommended Posts

Good day,

This is my first time in configuring Cisco Router 877 and i also don't have that much experience when it comes to NAT Firewall and ACL. The scenario is there's a Win Server 2k8 that i want to receive VPN connection from WAN but i can't happen to make it i manage to receive remote desktop connection but not VPN if you know how please send me tips or instructions thanks!

Link to comment
Share on other sites

You need to make sure the ACLs applied to the outside interface are allowing your IPSEC traffic through.

On a Cisco 800 series ISR, I believe the WAN interface is defaulted to fa0/4. So what you would need to do is something like the following:

int fa0/4

ip access-group incoming in (if you already have an ACL applied to the outside, just use that one)


ip access-list extended incoming

permit tcp any any established log

permit udp any any eq isakmp log

permit esp any any log

permit etc....other various services you require

deny ip any any log


For the static translation, it shouldnt be much different than what you did for your RDP session. You will require something like this:

**change to the IP of your win2k8 server

ip nat inside source static udp 500 interface FastEthernet0/4 500

ip nat inside source static esp interface FastEthernet0/4

After you have this running and try it out, you should be able to see hits on the ACL. Do a sh access-list incoming and you will see the matches column, which should have incremented.

Extended IP access list incoming

40 permit udp any any eq isakmp (802874 matches)

60 permit esp any any (350226931 matches)

Im pretty sure windows IPSEC will be happy with isakmp and esp, you may need AH but only try that if you have no luck with the above.

Link to comment
Share on other sites

Also, if all you are trying to do is vpn into your home network from the internet, you could scrap the idea of using the WIN2k8 box and simply IPSEC into your router using the windows IPSEC client. To do this, enter this config:

aaa authentication ppp default group radius local

ip name-server (ip of internal DNS server)

vpdn enable


vpdn-group REMOTE_USERS

! Default PPTP VPDN group


protocol pptp

virtual-template 1

username username password password

ip local pool defaultpool (make this something addressable in your network)

interface Virtual-Template1

ip unnumbered FastEthernet0/4

peer default ip address pool defaultpool

ppp encrypt mppe auto required

ppp authentication ms-chap ms-chap-v2

on your outside ACL, you will need:

permit udp any any eq 1723

permit tcp any any eq 1723

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...