Cisco router 2811 config

morinookuni8919

Dec 17, 2017
Hello Everyone, I have a Cisco 2811 router that I am currently trying to configure. The layout of my network: As of right now I have a Charter (ISP) internet going to their modem (Dynamic IP), which connects to my 2811 router (router on a stick config), which then connects to a Cisco 2960 switch.

This is what I am trying to do: I am trying to get my Cisco RV325 router to act as my VPN router. Its IP address is 192.168.2.9. It connects into the Cisco 2960 Switch. I told the 2811 router to allow port 1723 to any address but that did not work. I am not familiar with getting the router to forward PPTP traffic so I do not know where to start. I do not want the 2811 router to be my VPN router, which is why I got the RV325 router doing it. I am able to do the VPN locally on the network but not remotely. I don't know how much of a difference that makes.

IP addresses:
ISP address is dynamic
2811 router is 192.168.2.1, 192.168.3.1 and 192.168.4.1
RV325 router is 192.168.2.9


Layout of network:

ISP MODEM > CISCO 2811 ROUTER > Cisco 2960 switch (Houses all devices on network, Including RV325 VPN router)

Here is my 2811 router configuration below:

Router_A#show run
Building configuration...

Current configuration : 2511 bytes
!
! Last configuration change at 04:17:28 UTC Mon Dec 18 2017
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router_A
!
boot-start-marker
boot-end-marker
!
!
enable password **********
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
no network-clock-participate wic 0
!
dot11 syslog
ip source-route
!
!
ip cef
ip dhcp excluded-address 192.168.4.15 192.168.4.254
ip dhcp excluded-address 192.168.2.2 192.168.2.99
!
ip dhcp pool Main
network 192.168.2.0 255.255.255.0
dns-server 192.168.2.1 71.10.216.1 71.10.216.2 192.168.2.4
default-router 192.168.2.1
!
ip dhcp pool FBI 2
network 192.168.4.0 255.255.255.0
default-router 192.168.4.1
dns-server 71.10.216.1 71.10.216.2 192.168.4.1
!
ip dhcp pool Cameras
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
dns-server 192.168.3.1 71.210.16.1 71.210.16.2
!
!
!
ip domain name rtp.cisco.com
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2811 sn FTX1212A4A1
username ******** password 0 **************
!
redundancy
!
!
controller T1 0/0/0
!
ip ssh authentication-retries 2
ip ssh version 1
!
!
!
!
!
!
!
interface FastEthernet0/0 (ISP IP address)
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1.1 (Vlan 1)
encapsulation dot1Q 1 native
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.3 (Vlan 3)
encapsulation dot1Q 3
ip address 192.168.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.5 (Vlan 5)
encapsulation dot1Q 5
ip address 192.168.4.1 255.255.255.240
ip nat inside
ip virtual-reassembly in
!
router rip
network 192.168.2.0
network 192.168.3.0
network 192.168.4.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 101 interface FastEthernet0/0 overload
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit 23 0.0.0.0 255.255.255.0 any
access-list 101 permit tcp any eq 1723 any
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
password **********
transport input ssh
!
scheduler allocate 20000 1000
end

Router_A#
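As an added defender's check, not part of the thread: a small Python audit that reads a running-config pasted in the flattened form above (indentation lost, stanzas separated by `!`) and flags the settings in it a reviewer would raise: clear-text passwords, SSHv1, source routing, and a NAT outside interface with no inbound access-list. The sample config is a constructed excerpt of the one posted above.

```python
import re

# Constructed excerpt in the flattened form of the 'show run' paste above
# (indentation lost, stanzas separated by '!'); not the complete config.
SAMPLE_CONFIG = """\
no service password-encryption
enable password **********
ip source-route
ip ssh version 1
!
interface FastEthernet0/0
ip address dhcp
ip nat outside
!
interface FastEthernet0/1.1
ip address 192.168.2.1 255.255.255.0
ip nat inside
!
"""

def interface_stanzas(config):
    """Map each 'interface X' stanza to its lines; '!' closes a stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "!":
            current = None
        elif current is not None:
            stanzas[current].append(line)
    return stanzas

def audit(config):
    """Return hardening findings for an IOS running-config."""
    checks = [
        (r"^no service password-encryption$", "passwords shown in clear: set 'service password-encryption'"),
        (r"^enable password ", "'enable password' is reversible: use 'enable secret'"),
        (r"^ip ssh version 1$", "SSHv1 enabled: use 'ip ssh version 2'"),
        (r"^ip source-route$", "source routing enabled: set 'no ip source-route'"),
    ]
    findings = [msg for pat, msg in checks if re.search(pat, config, re.M)]
    # An 'ip nat outside' interface with no inbound ACL filters nothing itself.
    for name, lines in interface_stanzas(config).items():
        has_in_acl = any(l.startswith("ip access-group ") and l.endswith(" in") for l in lines)
        if "ip nat outside" in lines and not has_in_acl:
            findings.append(f"{name}: NAT outside interface has no inbound access-group")
    return findings
```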
 
Solution
ip nat inside source static tcp 192.168.2.9 1723 interface FastEthernet0/0 1723

This allows incoming connections on port 1723 to your router to be forwarded to the 192.168.2.9 IP address.
 
jfreggie, I did the command you suggested. It did give me the ability to log in to my VPN locally, but remotely still no dice. I went to "canyouseemenow.org" and it could not see port 1723 open; it errored out with "connection timed out". Ideas?
 
 
You might see the packet on a DEBUG IP NAT

Otherwise apply an inbound access list on the outside interface with PERMIT ANY ANY LOG.

Another thought is to pass the connection between the modem/router through your switch and use the port monitor command to allow you to capture the actual traffic.
 
Bill001g, I did a debug ip nat and it says it is turned on. I also did a show ip nat translations command and I do see this: "TCP Inside global address 192.168.2.9:1723 Outside local (-----) and outside global (------)".

That tells me it does see the 1723 just not being pushed to the outside.
I also have SPAN enabled and Wireshark running capturing all my traffic. I also have AlienVault OSSIM running on the SPAN to capture my traffic. I do see the 1723 floating around when connected to the VPN.
 
This is what I am seeing:
Pro Inside global Inside local Outside local Outside global
tcp ------------- 192.168.2.5:52580 ------- ------
tcp ------------- 192.168.2.9:1723 --- ---
tcp ------------- 192.168.2.9:3382 ------------- ------------- 918
tcp ------------- 192.168.2.9:3389 ------------- -------------


I edited the other IP addresses out but the second line shows 1723.

Here is the Show IP NAT Statistics command:
Router_A#show ip nat statistics
Total active translations: 374 (0 static, 374 dynamic; 373 extended)
Peak translations: 892, occurred 15:48:22 ago
Outside interfaces:
FastEthernet0/0
Inside interfaces:
FastEthernet0/1, FastEthernet0/1.1, FastEthernet0/1.3, FastEthernet0/1.5
Hits: 15630313 Misses: 0
CEF Translated packets: 15598063, CEF Punted packets: 32252
Expired translations: 28968
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 101 interface FastEthernet0/0 refcount 324

Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

Are there any other commands that I can run that will show the transmissions, or any others that may help here?
 


Fair enough, that makes sense. I will hop on my workstation when I get home and run Wireshark for a while to see what I get. I will produce a lot of traffic because I have video on my network (security cameras) and it produces, eh idk, 30k in 20 seconds lmao. I will post the results after a while. Thank you for all the help, I appreciate it.

I forgot to mention that I am using the same device for both remote and local VPN, using my cell phone with basic VPN. I had it working once before without the 2811 in place, and right now it works locally just fine.
 
Okay, so sorry for the late reply, it's Xmas and all. I have been trying and trying to find commands to type in and haven't had much luck. I am posting what my running config is so far. I have enabled SSH because I wanted to make sure I could get something to work. When I scan my IP on MXToolbox it tells me port 1723 is "Filtered" instead of "refused". Not really sure what the "Filtered" part means. Any ideas guys? I am completely stuck. Again, I can get on the PPTP VPN from the local network that goes to my Cisco RV325 router (192.168.2.9) and can ping the router from my 2811 router, I just dunno where else to look.

hostname Router_A
!
boot-start-marker
boot-end-marker
!
!
enable password -------
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
no network-clock-participate wic 0
!
dot11 syslog
ip source-route
!
!
ip cef
ip dhcp excluded-address 192.168.4.15 192.168.4.254
ip dhcp excluded-address 192.168.2.2 192.168.2.99
!
ip dhcp pool Main
network 192.168.2.0 255.255.255.0
dns-server 192.168.2.1 71.10.216.1 71.10.216.2 192.168.2.4
default-router 192.168.2.1
!
ip dhcp pool FBI 2
network 192.168.4.0 255.255.255.0
default-router 192.168.4.1
dns-server 71.10.216.1 71.10.216.2 192.168.4.1
!
ip dhcp pool Cameras
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
dns-server 192.168.3.1 71.210.16.1 71.210.16.2
!
!
!
ip domain name rtp.cisco.com
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2811 sn FTX1212A4A1
username ------ password 0 ---------
!
redundancy
!
!
controller T1 0/0/0
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.3
encapsulation dot1Q 3
ip address 192.168.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.5
encapsulation dot1Q 5
ip address 192.168.4.1 255.255.255.240
ip nat inside
ip virtual-reassembly in
!
router rip
network 75.0.0.0
network 192.168.2.0
network 192.168.3.0
network 192.168.4.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.2.9 1723 interface FastEthernet0/0 1723
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit 23 0.0.0.0 255.255.255.0 any
access-list 101 permit icmp any any
access-list 101 permit gre any any
access-list 101 permit tcp any eq 1723 any
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
password --------
transport input ssh
!
scheduler allocate 20000 1000
end

Router_A#
 
This is what the show ip nat translations command looks like:

Pro Inside global Inside local Outside local Outside global
tcp Public IP:1723 192.168.2.9:1723 64.20.227.138:51619 64.20.227.138:51619
tcp Public IP:1723 192.168.2.9:1723 --- ---

It will only get these two for 1723. The first one seems like it's attempting a connection, but then the second line just drops the packet and never connects. The port never shows as open either. Does this mean the problem is with the router configuration or with something else?
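Added example, not from the thread: a parser for rows in the form of the show ip nat translations output above. In IOS a row with --- in both outside columns is the static mapping itself, while a row carrying a peer address is an extended translation created by a real packet, so the function reports both the configured target and any peers that actually reached it. 198.51.100.7 stands in for the redacted public IP, and the third row is constructed.

```python
# Constructed sample in the shape of the 'show ip nat translations' output
# posted above; 198.51.100.7 is a placeholder for the redacted public IP and
# the third row is made up to show an unrelated dynamic translation.
SAMPLE_TRANSLATIONS = """\
Pro Inside global      Inside local       Outside local        Outside global
tcp 198.51.100.7:1723  192.168.2.9:1723   64.20.227.138:51619  64.20.227.138:51619
tcp 198.51.100.7:1723  192.168.2.9:1723   ---                  ---
tcp 198.51.100.7:52580 192.168.2.5:52580  203.0.113.10:443     203.0.113.10:443
"""

def parse_translations(text):
    """Parse translation rows into dicts; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto, ig, il, ol, og = parts
        rows.append({"proto": proto, "inside_global": ig, "inside_local": il,
                     "outside_local": ol, "outside_global": og,
                     # '---' in the outside columns marks the static mapping
                     # itself rather than a translation built from a packet
                     "kind": "static" if ol == "---" else "extended"})
    return rows

def port_forward_status(text, proto, port):
    """Summarise what the table says about the forward for proto/port."""
    suffix = f":{port}"
    rows = [r for r in parse_translations(text)
            if r["proto"] == proto and r["inside_global"].endswith(suffix)]
    targets = sorted({r["inside_local"] for r in rows if r["kind"] == "static"})
    peers = sorted({r["outside_global"] for r in rows if r["kind"] == "extended"})
    return {"static_targets": targets, "active_peers": peers,
            "traffic_seen": bool(peers)}
```

Note that the static entry covers only TCP 1723; PPTP also carries its tunnel data over GRE (IP protocol 47), which a port-based translation does not cover, so the control connection can reach the RV325 while the tunnel itself still fails.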
 
I thought I would revisit this. The person I picked for the best answer had the right commands I needed to input. I managed to solve the issue by using a DDNS pointing to my public IP and reconfiguring the routes in my RV325 VPN.