Question : Windows VPN through Cisco 1721

I have replaced a linksys befsr41 with a Cisco 1721, the Windows VPN client to a SBS 2003 worked before with ports 1723 and 47 using both protocols on the linksys. Now the client shows verifying username and password and tries to connect using all of the protocols, but times out with error code 800. The following is the config for my 1721, I am obviously missing something but cannot quite put my finger on it. I recently added the GRE line in my ACL fa0/1_in but that had no affect. Do i need to add something in my inspect rule for the outbound for the VPN?

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 ~~~~~~~~~`
enable password level 15
!

clock timezone GMT -6
clock summer-time S recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
ip subnet-zero
!
!
!
ip dhcp pool vlan20
network 10.10.252.0 255.255.252.0
dns-server 4.2.2.2 8.8.8.8
default-router 10.10.255.254
lease 0 2
!
!
no ip domain lookup
ip cef
ip inspect name MyInspectRule udp
ip inspect name MyInspectRule icmp
ip inspect name MyInspectRule ftp
ip inspect name MyInspectRule tftp
ip inspect name MyInspectRule smtp
ip inspect name MyInspectRule realaudio
ip inspect name MyInspectRule tcp
ip inspect name MyInspectRule http
ip ips po max-events 100
no ftp-server write-enable
!
!
crypto pki trustpoint TP-self-signed-3176379460
subject-name cn=IOS-Self-Signed-Certificate-3176379460
revocation-check none
rsakeypair TP-self-signed-3176379460
!
crypto pki trustpoint TP-self-signed-1328200160
subject-name cn=IOS-Self-Signed-Certificate-1328200160
revocation-check none
rsakeypair TP-self-signed-1328200160
!
!
!
!
!
!
!
interface FastEthernet0
ip address a.b.c.d 255.255.255.252
ip access-group fa0/1_in in
ip nat outside
ip inspect MyInspectRule out
ip virtual-reassembly
speed auto
!
interface FastEthernet1
switchport access vlan 10
no ip address
!
interface FastEthernet2
switchport access vlan 20
no ip address
!
interface FastEthernet3
switchport access vlan 20
no ip address
!
interface FastEthernet4
switchport access vlan 20
no ip address
!
interface Vlan1
no ip address
no ip route-cache cef
no ip route-cache
!
interface Vlan10
description WPD_Admin
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no snmp trap link-status
!
interface Vlan20
description Boater_Network
ip address 10.10.255.254 255.255.252.0
ip access-group 105 in
ip access-group 105 out
ip nat inside
ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 a.b.c.e permanent
no ip http server
ip http authentication aaa
no ip http secure-server
ip nat inside source route-map MyRouteMap interface FastEthernet0 overload
ip nat inside source static tcp 192.168.1.3 25 a.b.c.d 25 extendable
ip nat inside source static tcp 192.168.1.3 a.b.c.d 47 extendable
ip nat inside source static tcp 192.168.1.3 80 a.b.c.d 80 extendable
ip nat inside source static tcp 192.168.1.3 110 a.b.c.d 110 extendable
ip nat inside source static tcp 192.168.1.3 443 a.b.c.d 443 extendable
ip nat inside source static tcp 192.168.1.3 1723 a.b.c.d 1723 extendable
ip nat inside source static tcp 192.168.1.3 3389 a.b.c.d 3389 extendable
!
!
!
ip access-list extended fa0/1_in
permit icmp any host a.b.c.d echo-reply
permit icmp any host a.b.c.d time-exceeded
permit icmp any host a.b.c.d unreachable
permit gre any any
permit tcp any host a.b.c.d eq 443
permit tcp any host a.b.c.d eq www
permit tcp any host a.b.c.d eq smtp
permit tcp any host a.b.c.d eq pop3
permit tcp any host a.b.c.d eq 22
permit tcp any host a.b.c.d eq 1723
permit tcp any host a.b.c.d eq 47
permit tcp any host a.b.c.d eq 3389
deny ip 10.0.0.0 0.255.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny ip any any log
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 10.10.252.0 0.0.0.255 any
!
route-map MyRouteMap permit 1
match ip address 102
!
!
control-plane
!
banner login ^CC
-----------------------------------------------------------------------
This Device is constantly monitored by ATC.
Any attempts to alter the security of this device will lead
to immediate legal action punishable by death!

Don't mess with it!!!
-----------------------------------------------------------------------
^C
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password XXXXXXXXXXXX
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh

Answer : Windows VPN through Cisco 1721

problem is that GRE is not TCP, it is IP protocol 47, and as far as I can remember, there is no option to specify protocol 47 in a static NAT. You already have permit gre any any and 1723 defined.
Remove the static tcp nat statements and do a one to one, all ports as your ACL will allow what you have defined.

no ip nat inside source static tcp 192.168.1.3 25 a.b.c.d 25 extendable
no ip nat inside source static tcp 192.168.1.3 a.b.c.d 47 extendable
no ip nat inside source static tcp 192.168.1.3 80 a.b.c.d 80 extendable
no ip nat inside source static tcp 192.168.1.3 110 a.b.c.d 110 extendable
no ip nat inside source static tcp 192.168.1.3 443 a.b.c.d 443 extendable
no ip nat inside source static tcp 192.168.1.3 1723 a.b.c.d 1723 extendable
no ip nat inside source static tcp 192.168.1.3 3389 a.b.c.d 3389 extendable

ip nat inside source static 192.168.1.3 a.b.c.d extendable

Billy

Random Solutions

asp.net - I have a problem - i cannot connect an ajax calendar extention & textbox to the where clause of a gridview datasouce..

Exchange 2003 does not work after reinstalling SMTP service on SBS 2003 Server

please check my .htaccess

How do I remove Network Neighborhood using group policy?

windows 2008 64 server

Exchange 2003 Logical Size vs Physical Size

Cisco VPN client for Windows, use both RSA SecurID soft token and hard token

Crystal Reports Xi - Sorting a CrossTab Report by a Summary Field

Is there a tool to check to see who has enabled auto-forward in outlook

Microsoft VPN not connecting on some computers