Question : Problem: VPN 721 error, router access list
I'm running Windows SBS 2003 on a Cisco 2800 series router. From inside the network I can connect my VPN without a hitch, but from outside I get a 721 authentication error. I read up on this and found out I needed to allow gre, but doing so did not help. Following is my router access list, where 123.123.123.12 is the public IP address of SBS. Any ideas?
Extended IP access list Inbound
    10 permit tcp any any established (18221466 matches)
    20 permit tcp any host 123.123.123.12 eq smtp (987 matches)
    21 permit tcp any host 123.123.123.12 eq www (100 matches)
    22 permit tcp any host 123.123.123.12 eq 143 (3 matches)
    23 permit tcp any host 123.123.123.12 eq pop3 (3 matches)
    24 permit tcp any host 123.123.123.12 eq 443 (3595 matches)
    25 permit tcp any host 123.123.123.12 eq 691
    26 permit tcp any host 123.123.123.12 eq 4125
    27 permit tcp any host 123.123.123.12 eq 444
    28 permit tcp any host 123.123.123.12 eq 3389 (5 matches)
    30 permit icmp any any (55766 matches)
    40 permit udp any any eq isakmp (24 matches)
    50 permit udp any any eq non500-isakmp (5559 matches)
    60 permit udp host dns.dns.dns.1 eq domain host 123.123.123.11 gt 1024 (449901 matches)
    70 permit udp host dns.dns.dns.2 eq domain host 123.123.123.11 gt 1024 (53196 matches)
    71 permit udp any eq domain any gt 1024 (72471 matches)
    72 permit tcp any eq domain any gt 1024
    80 permit tcp any host 123.123.123.11 eq 22 (12705 matches)
    90 permit tcp any host 123.123.123.13 eq 500
    100 permit tcp any host 123.123.123.12 eq 6001
    102 permit tcp any host 123.123.123.12 eq 6002
    103 permit tcp any host 123.123.123.12 eq 6003
    104 permit tcp any host 123.123.123.12 eq 6004
    110 permit tcp any any eq 3389 (9 matches)
    120 permit tcp any any eq ftp (18 matches)
    131 permit tcp any any eq 1723 (27 matches)
    132 permit tcp any any eq 10000
    133 permit gre any any (20 matches)
    134 permit esp any any
    135 permit ahp any any
Extended IP access list inbound
Extended IP access list nat
    10 deny ip 10.10.0.0 0.0.255.255 10.10.13.0 0.0.0.255 (2899 matches)
    20 permit ip 10.10.0.0 0.0.255.255 any (1033645 matches)
Extended IP access list sl_def_acl
    10 deny tcp any any eq telnet log
    20 deny tcp any any eq www log
    30 deny tcp any any eq 22 log
    40 permit ip any any log
I'm also having trouble connecting Outlook from outside, but that's a lesser question at the moment.
Answer : Problem: VPN 721 error, router access list
Is your client configured to use PPTP or L2TP/IPSec? You have opened up GRE and TCP Port 1723 and this is correct for PPTP clients. If your clients are set to use L2TP/IPSec, you need to open:
- UDP traffic on port 1701
- UDP traffic on port 500
- GRE (you already have this)
- Possibly UDP traffic on port 4500 also
Upgrade your XP clients to SP2 if you haven't already done so. If the clients are 2000, install the hotfix described in Q818043.
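An added example, not part of the original question or answer: a small Python check that reads `show access-lists` output and reports, for each VPN type, which of the items the answer lists already has a permit entry and how many hits it has taken. The function names are hypothetical, the sample is a constructed subset of the ACL from the question, and the requirement lists are copied from the answer as written.

```python
import re

# Constructed sample: VPN-relevant entries copied from the "Inbound" ACL in the question.
SAMPLE_ACL = """\
Extended IP access list Inbound
    10 permit tcp any any established (18221466 matches)
    40 permit udp any any eq isakmp (24 matches)
    50 permit udp any any eq non500-isakmp (5559 matches)
    71 permit udp any eq domain any gt 1024 (72471 matches)
    131 permit tcp any any eq 1723 (27 matches)
    133 permit gre any any (20 matches)
"""
PORT_NAMES = {"isakmp": "500", "non500-isakmp": "4500"}  # IOS prints these by name
# Requirements exactly as the answer lists them: (protocol, destination port).
REQUIRED = {
    "PPTP": [("tcp", "1723"), ("gre", None)],
    "L2TP/IPSec": [("udp", "1701"), ("udp", "500"), ("gre", None), ("udp", "4500")],
}
ENTRY = re.compile(r"^\s*(\d+) permit (\S+) (.*?)(?: \((\d+) match(?:es)?\))?\s*$")
OPS = ("eq", "gt", "lt", "neq", "range")

def _endpoint(tok):
    """Consume one address and its optional port test; return the test or None."""
    del tok[: 1 if tok[0] == "any" else 2]  # "any" | "host A" | "A wildcard"
    if tok and tok[0] in OPS:
        n = 3 if tok[0] == "range" else 2
        spec = tuple(PORT_NAMES.get(t, t) for t in tok[:n])
        del tok[:n]
        return spec
    return None

def parse_permits(text):
    """Yield (seq, proto, src_port_test, dst_port_test, hits) per permit entry."""
    for line in text.splitlines():
        m = ENTRY.match(line)
        # "established" entries only pass replies, never a new inbound session.
        if not m or "established" in m[3]:
            continue
        tok = m[3].split()
        src, dst = _endpoint(tok), _endpoint(tok)
        yield int(m[1]), m[2], src, dst, int(m[4] or 0)

def check(text, requirements=REQUIRED):
    """Map each VPN type to {requirement: (seq, hits) or None if not permitted}."""
    entries = list(parse_permits(text))
    def find(proto, port):
        # An entry counts only if it has no source-port test and either no
        # destination-port test or an exact "eq" on the required port.
        return next(((s, h) for s, p, src, dst, h in entries if p in (proto, "ip")
                     and src is None and dst in (None, ("eq", port))), None)
    return {vpn: {need: find(*need) for need in needs} for vpn, needs in requirements.items()}
```

On the sample, every item on the answer's list except UDP port 1701 has a permit entry, and the non-zero hit counts on entries 131 and 133 show TCP 1723 and GRE packets reaching the ACL.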