Cisco VPN settings

By psmithersvt
I am trying to pass a Windows XP client VPN connection through a 1720 Cisco router to a Windows Server 2000 host. I have permitted port 1723 through the GRE47 protocol, but I am not sure of the correct syntax. I receive error 769, "Destination unreachable". Can someone tell me how to correctly open the Cisco for Microsoft VPN traffic?

A Beginning Shot at an Answer

by ToolMan2010 In reply to Cisco VPN settings

It may not be the most complete answer.

Something you may already know -
Port numbers that the tunnels use:
1. PPTP VPN uses TCP port 1723 and IP protocol 47 (GRE)
2. L2TP: UDP port 1701
3. IPsec: UDP port 500; also pass IP protocols 50 and 51
Note: 47 is a protocol number, not a TCP port. The protocol name is GRE.
The following example is a simple PPTP access list:

access-list 110 permit tcp any host x.x.x.x eq 1723
access-list 110 permit gre any host x.x.x.x

The first line opens TCP port 1723 and the second line opens the GRE protocol.
This access list would then be applied to the interface where the XP client
is connected to the router. You can make this more secure by being more specific
and changing the 'any' to the IP address of the XP client, or changing it to the
network reference where the XP client is.

Example of a very specific access list:

access-list 110 permit tcp host z.z.z.z host x.x.x.x eq 1723
access-list 110 permit gre host z.z.z.z host x.x.x.x

This is just the tunnel-access part of the changes that you would need to add. Also remember to construct your access lists so that you don't deny all traffic when you apply them to the interface. You can apply the list to an interface with the following lines:

Router(config)#interface Ethernet 1
Router(config-if)#ip access-group 110 out
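
The access list above only does its job if both entries are present, the protocol keyword is one IOS understands, and the list is applied in the direction the client-to-server packets actually cross the interface (entries whose destination is the server match inbound on the interface facing the client, or outbound on the interface facing the server). The following script is an added example, not code from the thread or from Cisco: it parses ACL lines of the shape used in this post, evaluates them the way IOS does (first match wins, and an implicit deny for anything unmatched), and then checks whether a PPTP session, which needs both a TCP/1723 control connection and protocol-47 GRE tunnel packets, would get through. The addresses are constructed placeholders from the RFC 5737 documentation ranges standing in for x.x.x.x and z.z.z.z, and the function names are this example's own.

```python
"""Model how a Cisco IOS extended access-list treats PPTP control and GRE tunnel traffic.

Added example, not from the thread. Addresses are constructed placeholders
(RFC 5737 ranges) for the thread's x.x.x.x (PPTP server) and z.z.z.z (XP client).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PPTP_CONTROL_PORT = 1723
TCP, GRE = 6, 47

# Protocol keywords an IOS extended ACL accepts (subset). "GRE47" is not one of
# them: the keyword is "gre", or the bare protocol number 47.
PROTO_KEYWORDS = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1, "gre": 47, "esp": 50, "ahp": 51}


@dataclass
class Rule:
    number: int
    permit: bool
    proto: Optional[int]            # None means "ip", i.e. any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None when no "eq <port>" was given


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_address(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # Cisco wildcard: 0 bits must match, 1 bits are don't-care; invert it to a netmask.
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    netmask = str(ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF))
    return ipaddress.ip_network((tokens[0], netmask), strict=False), tokens[2:]


def parse_acl_line(line: str) -> Rule:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]'; reject unknown protocol keywords."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not a recognised extended access-list entry: {line!r}")
    keyword = tokens[3].lower()
    if keyword.isdigit():
        proto: Optional[int] = int(keyword)
    elif keyword in PROTO_KEYWORDS:
        proto = PROTO_KEYWORDS[keyword]
    else:
        raise ValueError(f"unknown protocol keyword {tokens[3]!r} in {line!r}")
    src, rest = _parse_address(tokens[4:])
    dst, rest = _parse_address(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport, rest = int(rest[1]), rest[2:]
    if rest:
        raise ValueError(f"unexpected trailing tokens {rest} in {line!r}")
    return Rule(int(tokens[1]), tokens[2] == "permit", proto, src, dst, dport)


def acl_line_valid(line: str) -> bool:
    try:
        parse_acl_line(line)
        return True
    except ValueError:
        return False


def parse_acl(text: str) -> List[Rule]:
    return [parse_acl_line(l) for l in text.strip().splitlines() if l.strip()]


def permitted(rules: List[Rule], pkt: Packet) -> bool:
    """First matching entry decides; no match means the implicit 'deny ip any any'."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.permit
    return False


def pptp_allowed(acl_text: str, client: str, server: str) -> bool:
    """A PPTP session needs both flows: TCP/1723 control and protocol-47 GRE tunnel data."""
    rules = parse_acl(acl_text)
    return permitted(rules, Packet(TCP, client, server, PPTP_CONTROL_PORT)) and \
        permitted(rules, Packet(GRE, client, server))


# Constructed placeholders: x.x.x.x -> 203.0.113.10, z.z.z.z -> 198.51.100.7.
SERVER, CLIENT, OTHER = "203.0.113.10", "198.51.100.7", "192.0.2.99"
BROAD_ACL = """access-list 110 permit tcp any host 203.0.113.10 eq 1723
access-list 110 permit gre any host 203.0.113.10"""
SPECIFIC_ACL = """access-list 110 permit tcp host 198.51.100.7 host 203.0.113.10 eq 1723
access-list 110 permit gre host 198.51.100.7 host 203.0.113.10"""
CONTROL_ONLY_ACL = "access-list 110 permit tcp any host 203.0.113.10 eq 1723"

if __name__ == "__main__":
    print("broad list, any client:        ", pptp_allowed(BROAD_ACL, OTHER, SERVER))
    print("specific list, the XP client:  ", pptp_allowed(SPECIFIC_ACL, CLIENT, SERVER))
    print("specific list, some other host:", pptp_allowed(SPECIFIC_ACL, OTHER, SERVER))
    print("1723 opened but no GRE entry:  ", pptp_allowed(CONTROL_ONLY_ACL, CLIENT, SERVER))
    print("'GRE47' accepted as a protocol:", acl_line_valid("access-list 110 permit GRE47 any host 203.0.113.10"))
```

The control-only case is the one that bites in practice: TCP/1723 alone lets the client negotiate the session, but the GRE packets carrying the PPP data are dropped by the implicit deny, so the connection either fails or comes up and passes no traffic. The specific list shows why narrowing `any` to the client's address is worth doing: the same two entries, scoped to host z.z.z.z, leave every other source hitting the implicit deny.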


Very Good Resolution

by wmcmillin In reply to A Beginning Shot at an Answer

But don't forget the other side! The same protocols and ports will have to be opened on the server side and applied to the interface coming in. With that done, you should be good to go!


That did the trick!

by psmithersvt In reply to A Beginning Shot at an Answer

Thanks for the example. My mistake was to enter the protocol as "GRE47". Almost doesn't count. I'm working fine with the correct line in place. Thanks.
