Setting up VPN from Windows XP to a Cisco router

Discussion in 'Cisco' started by rengaw03, Apr 18, 2006.

  1. rengaw03

    rengaw03 Guest

    I'm trying to set up a Cisco 877 router to function as a VPN server for
    our network so that people can connect using the VPN client built into
    Windows XP.

    I've tried following the directions at
    http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00801e51e2.shtml,
    and I can connect from a Windows XP machine, but I can't reach anything
    on the internal network: I can ping the WAN address of the router, but
    not the LAN address, and not any of the servers behind the router. Is
    there something I didn't set up properly?

    If I'm asking stupid questions here, and the answer should be obvious
    to any sysadmin, there's a good reason: I'm not a sysadmin. I'm a
    programmer who knows more about networking than anyone else in the
    building.
     
    rengaw03, Apr 18, 2006
    #1

  2. rengaw03

    Merv Guest


    post the following

    show version

    show run masking out the outside IP address

    show ip route

    show user

    show vpdn
     
    Merv, Apr 18, 2006
    #2

  3. rengaw03

    rengaw03 Guest

    Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version
    12.3(8)YI2, RELEASE SOFTWARE (fc1)
    Synched to technology version 12.3(10.3)T2
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2005 by Cisco Systems, Inc.
    Compiled Tue 14-Jun-05 18:58 by ealyon

    ROM: System Bootstrap, Version 12.3(8r)YI1, RELEASE SOFTWARE
    ROM: Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version
    12.3(8)YI2, RELEASE SOFTWARE (fc1)

    router uptime is 4 weeks, 6 days, 20 minutes
    System returned to ROM by power-on
    System restarted at 10:40:41 PCTime Thu Mar 16 2006
    System image file is "flash:c870-advsecurityk9-mz.123-8.YI2.bin"

    <crypto boilerplate snipped>

    Cisco 877 (MPC8272) processor (revision 0x100) with 118784K/12288K
    bytes of memory.
    Processor board ID FHK094721E3
    MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
    4 FastEthernet interfaces
    1 ATM interface
    128K bytes of non-volatile configuration memory.
    24576K bytes of processor board System flash (Intel Strataflash)

    Configuration register is 0x2102
    ww.xx.yy.zz is the first IP address in the block we got from our ISP
    ww.xx.yy.zq is the outside IP address of the router
    ww.xx.yy.zr is the outside IP address of the computer currently
    functioning as a VPN server

    !
    ! Last configuration change at 11:28:43 PDT Tue Apr 18 2006 by admin
    ! NVRAM config last updated at 14:26:22 PDT Mon Apr 3 2006 by admin
    !
    version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname router
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 debugging
    enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
    !
    username admin privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    username testclient password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
    no aaa new-model
    ip subnet-zero
    no ip source-route
    ip cef
    ip dhcp excluded-address 192.168.17.1 192.168.17.34
    ip dhcp excluded-address 192.168.17.208 192.168.17.254
    !
    ip dhcp pool sdm-pool1
    import all
    network 192.168.17.0 255.255.255.0
    dns-server 192.168.17.27
    default-router 192.168.17.1
    netbios-name-server 192.168.17.27
    lease 14
    !
    !
    ip inspect name DEFAULT100 cuseeme
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 icmp
    ip inspect name DEFAULT100 netshow
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 esmtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    ip tcp synwait-time 10
    no ip bootp server
    ip domain name our-company.com
    ip name-server 205.171.3.65
    ip name-server 205.171.2.65
    ip ssh time-out 60
    ip ssh authentication-retries 2
    vpdn enable
    !
    vpdn-group 1
    ! Default PPTP VPDN group
    accept-dialin
    protocol pptp
    virtual-template 1
    !
    no ftp-server write-enable
    !
    !
    !
    !
    !
    !
    !
    interface ATM0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    no atm ilmi-keepalive
    dsl operating-mode auto
    !
    interface ATM0.2 point-to-point
    pvc 0/32
    encapsulation aal5snap
    protocol ppp dialer
    dialer pool-member 1
    !
    !
    interface FastEthernet0
    no ip address
    no cdp enable
    !
    interface FastEthernet1
    no ip address
    no cdp enable
    !
    interface FastEthernet2
    no ip address
    no cdp enable
    !
    interface FastEthernet3
    no ip address
    no cdp enable
    !
    interface Virtual-Template1
    ip unnumbered FastEthernet0
    ip mroute-cache
    peer default ip address pool winvpn
    no keepalive
    ppp encrypt mppe 128 required
    ppp authentication chap ms-chap
    !
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
    ip address 192.168.17.1 255.255.255.0
    ip access-group 100 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    !
    interface Dialer0
    ip address ww.xx.yy.zq 255.255.255.248
    ip access-group sdm_dialer0_in in
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname xxxxxxxxxxxxxxxxxxxxxx
    ppp chap password 7 xxxxxxxxxxxxxxxxxxxxx
    !
    ip local pool winvpn 192.168.16.0 192.168.16.255
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 5 life 86400 requests 10000
    ip nat inside source list 1 interface Dialer0 overload
    ip nat inside source static tcp 192.168.17.29 5003 interface Dialer0
    5003
    ip nat inside source static tcp 192.168.17.29 8001 interface Dialer0
    8001
    ip nat inside source static tcp 192.168.17.27 21 interface Dialer0 21
    ip nat inside source static tcp 192.168.17.26 8080 interface Dialer0
    8080
    ip nat inside source static tcp 192.168.17.26 810 interface Dialer0 810
    ip nat inside source static tcp 192.168.17.26 25 interface Dialer0 25
    ip nat inside source static tcp 192.168.17.26 110 interface Dialer0 110
    ip nat inside source static tcp 192.168.17.26 510 interface Dialer0 510
    ip nat inside source static tcp 192.168.17.27 80 interface Dialer0 80
    ip nat inside source static udp 192.168.17.26 810 interface Dialer0 810
    ip nat inside source static 192.168.17.27 ww.xx.yy.zr
    !
    ip access-list extended sdm_dialer0_in
    remark SDM_ACL Category=1
    permit gre 206.63.88.0 0.0.7.255 host ww.xx.yy.zr
    permit gre host 67.185.129.168 host ww.xx.yy.zr
    permit esp any host ww.xx.yy.zr
    permit tcp 206.63.88.0 0.0.7.255 host ww.xx.yy.zr eq 1723
    permit tcp host 67.185.129.168 host ww.xx.yy.zr eq 1723
    permit udp any host ww.xx.yy.zr eq isakmp
    permit udp any host ww.xx.yy.zr eq 1701
    permit udp any host ww.xx.yy.zr eq non500-isakmp
    permit ip any host ww.xx.yy.zq
    permit udp any eq domain host ww.xx.yy.zr
    !
    logging trap debugging
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.17.0 0.0.0.255
    access-list 100 remark auto-generated by Cisco SDM Express firewall
    configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip ww.xx.yy.zq 0.0.0.7 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 101 remark auto-generated by Cisco SDM Express firewall
    configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 deny ip 192.168.17.0 0.0.0.255 any
    access-list 101 permit icmp any host ww.xx.yy.zq echo-reply
    access-list 101 permit icmp any host ww.xx.yy.zq time-exceeded
    access-list 101 permit icmp any host ww.xx.yy.zq unreachable
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any
    dialer-list 1 protocol ip permit
    no cdp run
    !
    control-plane
    !
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
    login local
    no modem enable
    transport preferred all
    transport output telnet
    line aux 0
    login local
    transport preferred all
    transport output telnet
    line vty 0 4
    privilege level 15
    login local
    transport preferred all
    transport input telnet ssh
    transport output all
    !
    end

    Gateway of last resort is 0.0.0.0 to network 0.0.0.0

    ww.0.0.0/29 is subnetted, 1 subnets
    C ww.xx.yy.zz is directly connected, Dialer0
    207.225.41.0/32 is subnetted, 1 subnets
    C 207.225.41.193 is directly connected, Dialer0
    C 192.168.17.0/24 is directly connected, Vlan1
    192.168.16.0/32 is subnetted, 1 subnets
    C 192.168.16.0 is directly connected, Virtual-Access5
    S* 0.0.0.0/0 is directly connected, Dialer0

    Line User Host(s) Idle Location
    * 2 vty 0 admin idle 00:00:00 192.168.17.34

    Interface User Mode Idle Peer Address
    Vi2 PPPoATM 00:00:07 207.225.41.193
    Vi5 testclient PPPoVPDN 00:00:28 192.168.16.0

    %No active L2F tunnels

    %No active L2TP tunnels

    PPTP Tunnel and Session Information Total tunnels 1 sessions 1

    LocID Remote Name State Remote Address Port Sessions VPDN
    Group
    29 estabd 192.168.17.64 1102 1 1


    LocID RemID TunID Intf Username State Last Chg Uniq ID
    29 49152 29 Vi5 testclient estabd 00:02:21 30
     
    rengaw03, Apr 19, 2006
    #3
  4. rengaw03

    Merv Guest

    I would suggest that you change the VPN pool address range as follows
    and capitalize its name so it stands out better in the configuration.

    no ip local pool winvpn 192.168.16.0 192.168.16.255

    ip local pool WINVPN 192.168.16.1 192.168.16.254

    int Virtual-Template1
    no peer default ip address pool winvpn
    peer default ip address pool WINVPN

    192.168.17.64

    Are you testing this from the LAN the Cisco 877 is attached to or from
    elsewhere on the Internet?
     
    Merv, Apr 19, 2006
    #4
  5. rengaw03

    rengaw03 Guest

    The "show ip route", "show user", and "show vpdn" are from the LAN, but
    my original message is from testing over the Internet.
     
    rengaw03, Apr 20, 2006
    #5
  6. rengaw03

    Merv Guest

    Need to see the output of those commands when a connection is
    established over the Internet.

    I know it is hard to be two places at once...

    If you have a fixed IP address at home, then you could configure the
    router to permit telnet or ssh from that address so you can see what is
    happening on the box when you bring up the PPTP tunnel.
     
    Merv, Apr 20, 2006
    #6
  7. rengaw03

    rengaw03 Guest

    router#show vpdn

    %No active L2F tunnels

    %No active L2TP tunnels

    PPTP Tunnel and Session Information Total tunnels 1 sessions 1

    LocID Remote Name State Remote Address Port Sessions VPDN
    Group
    33 estabd 67.185.129.168 1040 1 1

    LocID RemID TunID Intf Username State Last Chg Uniq ID
    33 1024 33 Vi5 testclient estabd 00:00:05 34
    router#
    router#show users
    Line User Host(s) Idle Location
    * 2 vty 0 admin idle 00:00:00

    c-67-185-129-168.hsd1.wa.comcast.net

    Interface User Mode Idle Peer Address
    Vi2 PPPoATM 00:00:08 207.225.41.193
    Vi5 testclient PPPoVPDN 00:00:17 192.168.16.1

    router#show ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
    E1 - OSPF external type 1, E2 - OSPF external type 2
    i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS
    level-2
    ia - IS-IS inter area, * - candidate default, U - per-user
    static route
    o - ODR, P - periodic downloaded static route

    Gateway of last resort is 0.0.0.0 to network 0.0.0.0

    ww.0.0.0/29 is subnetted, 1 subnets
    C ww.xx.yy.zz is directly connected, Dialer0
    207.225.41.0/32 is subnetted, 1 subnets
    C 207.225.41.193 is directly connected, Dialer0
    C 192.168.17.0/24 is directly connected, Vlan1
    192.168.16.0/32 is subnetted, 1 subnets
    C 192.168.16.1 is directly connected, Virtual-Access5
    S* 0.0.0.0/0 is directly connected, Dialer0
    router#
     
    rengaw03, Apr 20, 2006
    #7
  8. rengaw03

    Merv Guest

    Do you have the Windows XP firewall enabled ?

    If so, disable it to see if you can ping the LAN interface.
     
    Merv, Apr 20, 2006
    #8
  9. rengaw03

    help Guest

    Hello,

    I think your access-list extended sdm_dialer0_in might be blocking your
    access. Try and add:

    permit 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255

    Regards,

    GNT
     
    help, Apr 20, 2006
    #9
  10. rengaw03

    Merv Guest

    clear logging buffer and then enable "debug icmp"

    setup PPTP session from Internet (not from LAN)

    ping router LAN interface

    examine log to see if ICMP debug messages are seen

    post show log

    does "show int vi5" give any output ?
     
    Merv, Apr 20, 2006
    #10
  12. rengaw03

    Merv Guest

    the remote PPTP traffic is carried inside a GRE tunnel
     
    Merv, Apr 20, 2006
    #12
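An added example, not from the thread and not from any of its posters, to make the point of the last two replies concrete. The Dialer0 ACL is applied to the packets that arrive on Dialer0: the PPTP control session (TCP/1723) and the GRE packets that carry the tunnelled traffic. The ping from 192.168.16.1 to 192.168.17.1 only exists as an IP packet after GRE decapsulation, when IOS hands it to Virtual-Access5, and the posted Virtual-Template1 carries no `ip access-group`. The script below is a minimal matcher for the posted `sdm_dialer0_in` and evaluates both kinds of packet against it. Assumptions: the masked addresses are replaced with documentation addresses, ww.xx.yy.zq (router) -> 198.51.100.10 and ww.xx.yy.zr -> 198.51.100.11; the proposed line is written with the `ip` protocol keyword that an extended-ACL entry takes; the matcher handles only the `any`/`host`/wildcard address forms and `eq` port qualifiers that appear in the posted ACL.

```python
"""Added example, not from the thread: a small matcher for the Cisco extended
ACL posted as sdm_dialer0_in.  It shows which packets that ACL evaluates
(the outer PPTP control and GRE packets) and that the tunnelled ping is not
one of them.  Assumed substitutions: ww.xx.yy.zq -> 198.51.100.10 (router),
ww.xx.yy.zr -> 198.51.100.11."""
import ipaddress

PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "domain": 53}

# sdm_dialer0_in as posted in the thread, with the two masked hosts substituted.
SDM_DIALER0_IN = """
remark SDM_ACL Category=1
permit gre 206.63.88.0 0.0.7.255 host 198.51.100.11
permit gre host 67.185.129.168 host 198.51.100.11
permit esp any host 198.51.100.11
permit tcp 206.63.88.0 0.0.7.255 host 198.51.100.11 eq 1723
permit tcp host 67.185.129.168 host 198.51.100.11 eq 1723
permit udp any host 198.51.100.11 eq isakmp
permit udp any host 198.51.100.11 eq 1701
permit udp any host 198.51.100.11 eq non500-isakmp
permit ip any host 198.51.100.10
permit udp any eq domain host 198.51.100.11
"""
# GNT's suggestion (post #9), written with the protocol keyword (assumption).
PROPOSED_ACE = "permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255"

# Constructed sample packets.  Remote address and port are taken from the
# 'show vpdn' output in the thread; the inner ping from the 'debug icmp' lines.
OUTER_PPTP_CONTROL = {"proto": 6, "src": "67.185.129.168", "dst": "198.51.100.10",
                      "sport": 1040, "dport": 1723}
OUTER_GRE = {"proto": 47, "src": "67.185.129.168", "dst": "198.51.100.10"}
INNER_PING = {"proto": 1, "src": "192.168.16.1", "dst": "192.168.17.1"}

def ip_int(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok):
    """Parse 'any' | 'host A' | 'A WILDCARD'; return ((network, mask), rest)."""
    if tok[0] == "any":
        return (0, 0), tok[1:]
    if tok[0] == "host":
        return (ip_int(tok[1]), 0xFFFFFFFF), tok[2:]
    mask = ~ip_int(tok[1]) & 0xFFFFFFFF        # wildcard bits are "don't care"
    return (ip_int(tok[0]) & mask, mask), tok[2:]

def _port(tok):
    """Parse an optional 'eq PORT' qualifier; return (port or None, rest)."""
    if tok and tok[0] == "eq":
        p = tok[1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), tok[2:]
    return None, tok

def parse_acl(text):
    """Turn the body lines of an extended ACL into a list of ACE dicts."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        action, proto, rest = tok[0], PROTO[tok[1]], tok[2:]
        src, rest = _addr(rest)
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        aces.append({"line": " ".join(tok), "action": action, "proto": proto,
                     "src": src, "sport": sport, "dst": dst, "dport": dport})
    return aces

def _in(net_mask, addr):
    net, mask = net_mask
    return (ip_int(addr) & mask) == net

def ace_matches(ace, pkt):
    if ace["proto"] is not None and ace["proto"] != pkt["proto"]:
        return False
    if not (_in(ace["src"], pkt["src"]) and _in(ace["dst"], pkt["dst"])):
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.get("sport"):
        return False
    return ace["dport"] is None or ace["dport"] == pkt.get("dport")

def evaluate(aces, pkt):
    """First-match evaluation, with the implicit deny at the end of every ACL."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace["action"], ace["line"]
    return "deny", "(implicit deny)"

if __name__ == "__main__":
    acl = parse_acl(SDM_DIALER0_IN)
    for name, pkt in [("PPTP control", OUTER_PPTP_CONTROL), ("GRE", OUTER_GRE),
                      ("inner ping", INNER_PING)]:
        print(f"Dialer0 in, {name:12}: {evaluate(acl, pkt)}")
    with_ace = parse_acl(SDM_DIALER0_IN + PROPOSED_ACE + "\n")
    print("with proposed line, inner ping:", evaluate(with_ace, INNER_PING))
```

Both outer packets are accepted by `permit ip any host 198.51.100.10`, which is why the tunnel comes up at all; the inner ping falls through to the implicit deny of `sdm_dialer0_in`, and appending the proposed line makes it match there, but that ACL is never consulted for the decapsulated packet, so the change cannot alter what happens inside the tunnel. The only ACL in the posted config that sees traffic from the Virtual-Access interface is whatever is applied to it, and nothing is.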
  13. rengaw03

    rengaw03 Guest

    000413: Apr 20 20:06:17.551 PDT: ICMP: echo reply sent, src
    192.168.17.1, dst 192.168.16.1
    000414: Apr 20 20:06:22.606 PDT: ICMP: echo reply sent, src
    192.168.17.1, dst 192.168.16.1
    000415: Apr 20 20:06:27.609 PDT: ICMP: echo reply sent, src
    192.168.17.1, dst 192.168.16.1
    000416: Apr 20 20:06:32.631 PDT: ICMP: echo reply sent, src
    192.168.17.1, dst 192.168.16.1

    Which corresponds to four "Request timed out." messages from "ping".
    Going the other way, having the router ping 192.168.16.1, produced a
    success rate of 0%.

    Virtual-Access5 is up, line protocol is up
    Hardware is Virtual Access interface
    Interface is unnumbered. Using address of FastEthernet0 (0.0.0.0)
    MTU 1500 bytes, BW 100000 Kbit, DLY 100000 usec,
    reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation PPP, LCP Open
    Open: CCP, IPCP
    PPPoVPDN vaccess, cloned from Virtual-Template1
    Vaccess status 0x44
    Protocol pptp, tunnel id 35, session id 35, loopback not set
    Keepalive not set
    DTR is pulsed for 5 seconds on reset
    Last input 00:00:24, output never, output hang never
    Last clearing of "show interface" counters 00:03:31
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
    Queueing strategy: fifo
    Output queue: 0/40 (size/max)
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 0 bits/sec, 0 packets/sec
    48 packets input, 5000 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    9 packets output, 144 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 output buffer failures, 0 output buffers swapped out
    0 carrier transitions

    Windows Firewall isn't running, and I tried setting the DMZ on my home
    NAT router to be my WinXP box: didn't fix the problem. The NAT router
    on my home system has options for VPN passthrough, and they're all
    enabled.
     
    rengaw03, Apr 21, 2006
    #13
  14. rengaw03

    Merv Guest

    so now you know that the pings are received by the router over the
    PPTP tunnel and that the router responds to them - so the PPTP tunnel
    is functioning inbound.

    question now is are the echo replies put back into the PPTP tunnel

    so repeat the previous testing

    clear the log
    clear the counters on the vi5 interface "clear counter vi5" just before
    doing the ping test
    ping 192.168.17.1
    show int vi 5
    show log


    Post the output of the above commands
     
    Merv, Apr 21, 2006
    #14
  15. rengaw03

    Merv Guest

    Connect your Windows XP PC directly to your DSL or cable modem
     
    Merv, Apr 21, 2006
    #15
  16. rengaw03

    Merv Guest

    also for debugging enable "debug icmp" for retest
    along with "debug vpdn packet data detail"

    also post output of "show vpdn tunnel all"
     
    Merv, Apr 21, 2006
    #16
  17. rengaw03

    Merv Guest

    BTW what is the make and model of your home NAT router ?
     
    Merv, Apr 21, 2006
    #17
  18. rengaw03

    Merv Guest

    so is problem solved ?
     
    Merv, Apr 24, 2006
    #18
  19. rengaw03

    rengaw03 Guest

    Doesn't appear to be.

    router#show int vi 5
    Virtual-Access5 is up, line protocol is up
    Hardware is Virtual Access interface
    Interface is unnumbered. Using address of FastEthernet0 (0.0.0.0)
    MTU 1500 bytes, BW 100000 Kbit, DLY 100000 usec,
    reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation PPP, LCP Open
    Open: CCP, IPCP
    PPPoVPDN vaccess, cloned from Virtual-Template1
    Vaccess status 0x44
    Protocol pptp, tunnel id 39, session id 39, loopback not set
    Keepalive not set
    DTR is pulsed for 5 seconds on reset
    Last input 00:00:12, output never, output hang never
    Last clearing of "show interface" counters 00:00:38
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
    Queueing strategy: fifo
    Output queue: 0/40 (size/max)
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 0 bits/sec, 0 packets/sec
    4 packets input, 272 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 packets output, 0 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 output buffer failures, 0 output buffers swapped out
    0 carrier transitions

    router#show log
    000479: Apr 24 21:40:01.749 PDT: ICMP: echo reply sent, src
    192.168.17.1, dst 192.168.16.1
    000481: Apr 24 21:40:06.939 PDT: ICMP: echo reply sent, src
    192.168.17.1, dst 192.168.16.1
    000483: Apr 24 21:40:11.966 PDT: ICMP: echo reply sent, src
    192.168.17.1, dst 192.168.16.1
    000484: Apr 24 21:40:16.964 PDT: ICMP: echo reply sent, src
    192.168.17.1, dst 192.168.16.1
     
    rengaw03, Apr 25, 2006
    #19
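An added example, not from the thread and not from any of its posters. Two lines of the output just posted are worth reading together: `Interface is unnumbered. Using address of FastEthernet0 (0.0.0.0)` and `0 packets output`, logged while `debug icmp` reports echo replies being sent. `ip unnumbered` borrows the address of the interface it names, and in the posted config `FastEthernet0` carries `no ip address`, which is why IOS reports 0.0.0.0; `Vlan1` is the interface in that config that holds the LAN address 192.168.17.1. The thread does not reach a conclusion, so the script below only makes the check mechanical: it lints a running-config for `ip unnumbered` donors without an address and reads the unnumbered source and packet counters from `show interfaces`. The config and show-output samples are excerpts copied from the thread; the interface names are the thread's own.

```python
"""Added example, not from the thread: checks over the posted running-config
and the 'show interfaces Virtual-Access5' output.  Lints every
'ip unnumbered X' whose donor X carries no address, and reads what IOS
reports as the unnumbered source plus the input/output packet counters."""
import re

# Excerpt of the posted running-config: only the lines these checks read.
CONFIG_AS_POSTED = """
interface FastEthernet0
 no ip address
 no cdp enable
!
interface Virtual-Template1
 ip unnumbered FastEthernet0
 ip mroute-cache
 peer default ip address pool winvpn
 no keepalive
 ppp encrypt mppe 128 required
 ppp authentication chap ms-chap
!
interface Vlan1
 ip address 192.168.17.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
!
"""

# Excerpt of 'show int vi 5' from post #19.
SHOW_INT_VI5 = """
Virtual-Access5 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of FastEthernet0 (0.0.0.0)
  Protocol pptp, tunnel id 39, session id 39, loopback not set
     4 packets input, 272 bytes, 0 no buffer
     0 packets output, 0 bytes, 0 underruns
"""

def parse_interfaces(config):
    """Return {interface name: [its sub-commands]} from a running-config."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "!" or not line:
            current = None          # '!' ends the interface block
        elif current is not None:
            blocks[current].append(line)
    return blocks

def unnumbered_problems(config):
    """List (interface, donor) pairs where the donor has no 'ip address A M'."""
    blocks = parse_interfaces(config)
    found = []
    for name, lines in blocks.items():
        for line in lines:
            m = re.fullmatch(r"ip unnumbered (\S+)", line)
            if not m:
                continue
            donor = m.group(1)
            has_addr = any(re.match(r"ip address \d", l)
                           for l in blocks.get(donor, []))
            if not has_addr:
                found.append((name, donor))
    return found

def unnumbered_source(show_int):
    """Return (donor interface, address) IOS reports for an unnumbered interface."""
    m = re.search(r"Using address of (\S+) \((\d+\.\d+\.\d+\.\d+)\)", show_int)
    return (m.group(1), m.group(2)) if m else None

def packet_counters(show_int):
    """Return (packets input, packets output) from 'show interfaces'."""
    inp = int(re.search(r"(\d+) packets input", show_int).group(1))
    out = int(re.search(r"(\d+) packets output", show_int).group(1))
    return inp, out

if __name__ == "__main__":
    print("unnumbered donors without an address:", unnumbered_problems(CONFIG_AS_POSTED))
    print("IOS reports source:", unnumbered_source(SHOW_INT_VI5))
    print("Vi5 counters (in, out):", packet_counters(SHOW_INT_VI5))
    fixed = CONFIG_AS_POSTED.replace("ip unnumbered FastEthernet0", "ip unnumbered Vlan1")
    print("after pointing the template at Vlan1:", unnumbered_problems(fixed))
```

Run against the excerpt, the lint reports `Virtual-Template1` borrowing from `FastEthernet0`, the show output confirms the 0.0.0.0 source, and the counters show packets arriving on Vi5 with nothing leaving by it. Pointing the template at `Vlan1` clears the lint finding; whether that alone restores LAN reachability through the tunnel is not something the thread shows, so it is the next thing to test, before the deeper `debug vpdn` capture Merv asks for.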
  20. rengaw03

    Merv Guest

    Please post the output of "debug vpdn packet data detail" and "show
    vpdn tunnel all"
     
    Merv, Apr 25, 2006
    #20