Question : Windows VPN through Cisco 1721

I have replaced a Linksys BEFSR41 with a Cisco 1721. The Windows VPN client to an SBS 2003 worked before with ports 1723 and 47 using both protocols on the Linksys. Now the client shows "verifying username and password" and tries to connect using all of the protocols, but times out with error code 800. The following is the config for my 1721; I am obviously missing something but cannot quite put my finger on it. I recently added the GRE line in my ACL fa0/1_in, but that had no effect. Do I need to add something in my inspect rule for the outbound for the VPN?

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 ~~~~~~~~~~~~~~~~~~~~~~~
enable password level 15
!
~~~~~~~~~~~~~~
clock timezone GMT -6
clock summer-time S recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
ip subnet-zero
!
!
!
ip dhcp pool vlan20
   network 10.10.252.0 255.255.252.0
   dns-server 4.2.2.2 8.8.8.8
   default-router 10.10.255.254
   lease 0 2
!
!
no ip domain lookup
ip cef
ip inspect name MyInspectRule udp
ip inspect name MyInspectRule icmp
ip inspect name MyInspectRule ftp
ip inspect name MyInspectRule tftp
ip inspect name MyInspectRule smtp
ip inspect name MyInspectRule realaudio
ip inspect name MyInspectRule tcp
ip inspect name MyInspectRule http
ip ips po max-events 100
no ftp-server write-enable
!
!
crypto pki trustpoint TP-self-signed-3176379460
 subject-name cn=IOS-Self-Signed-Certificate-3176379460
 revocation-check none
 rsakeypair TP-self-signed-3176379460
!
crypto pki trustpoint TP-self-signed-1328200160
 subject-name cn=IOS-Self-Signed-Certificate-1328200160
 revocation-check none
 rsakeypair TP-self-signed-1328200160
!
!
!
!
!
!
!
interface FastEthernet0
 ip address a.b.c.d 255.255.255.252
 ip access-group fa0/1_in in
 ip nat outside
 ip inspect MyInspectRule out
 ip virtual-reassembly
 speed auto
!
interface FastEthernet1
 switchport access vlan 10
 no ip address
!
interface FastEthernet2
 switchport access vlan 20
 no ip address
!
interface FastEthernet3
 switchport access vlan 20
 no ip address
!
interface FastEthernet4
 switchport access vlan 20
 no ip address
!
interface Vlan1
 no ip address
 no ip route-cache cef
 no ip route-cache
!
interface Vlan10
 description WPD_Admin
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
!
interface Vlan20
 description Boater_Network
 ip address 10.10.255.254 255.255.252.0
 ip access-group 105 in
 ip access-group 105 out
 ip nat inside
 ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 a.b.c.e permanent
no ip http server
ip http authentication aaa
no ip http secure-server
ip nat inside source route-map MyRouteMap interface FastEthernet0 overload
ip nat inside source static tcp 192.168.1.3 25 a.b.c.d 25 extendable
ip nat inside source static tcp 192.168.1.3 a.b.c.d 47 extendable
ip nat inside source static tcp 192.168.1.3 80 a.b.c.d 80 extendable
ip nat inside source static tcp 192.168.1.3 110 a.b.c.d 110 extendable
ip nat inside source static tcp 192.168.1.3 443 a.b.c.d 443 extendable
ip nat inside source static tcp 192.168.1.3 1723 a.b.c.d 1723 extendable
ip nat inside source static tcp 192.168.1.3 3389 a.b.c.d 3389 extendable
!
!
!
ip access-list extended fa0/1_in
 permit icmp any host a.b.c.d echo-reply
 permit icmp any host a.b.c.d time-exceeded
 permit icmp any host a.b.c.d unreachable
 permit gre any any
 permit tcp any host a.b.c.d eq 443
 permit tcp any host a.b.c.d eq www
 permit tcp any host a.b.c.d eq smtp
 permit tcp any host a.b.c.d eq pop3
 permit tcp any host a.b.c.d eq 22
 permit tcp any host a.b.c.d eq 1723
 permit tcp any host a.b.c.d eq 47
 permit tcp any host a.b.c.d eq 3389
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
 deny   ip any any log
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 10.10.252.0 0.0.0.255 any
!
route-map MyRouteMap permit 1
 match ip address 102
!
!
control-plane
!
banner login ^CC
-----------------------------------------------------------------------
This Device is constantly monitored by ATC.
Any attempts to alter the security of this device will lead
to immediate legal action punishable by death!

Don't mess with it!!!
-----------------------------------------------------------------------
^C
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password XXXXXXXXXXXX
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh

Answer : Windows VPN through Cisco 1721

The problem is that GRE is not TCP; it is IP protocol 47, and as far as I can remember there is no option to specify protocol 47 in a static NAT. You already have permit gre any any and 1723 defined.
Remove the static TCP NAT statements and do a one-to-one, all-ports mapping, as your ACL will allow what you have defined.


no ip nat inside source static tcp 192.168.1.3 25 a.b.c.d 25 extendable
no ip nat inside source static tcp 192.168.1.3 a.b.c.d 47 extendable
no ip nat inside source static tcp 192.168.1.3 80 a.b.c.d 80 extendable
no ip nat inside source static tcp 192.168.1.3 110 a.b.c.d 110 extendable
no ip nat inside source static tcp 192.168.1.3 443 a.b.c.d 443 extendable
no ip nat inside source static tcp 192.168.1.3 1723 a.b.c.d 1723 extendable
no ip nat inside source static tcp 192.168.1.3 3389 a.b.c.d 3389 extendable

ip nat inside source static 192.168.1.3 a.b.c.d extendable


Billy
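A worked version of the fix above, added here as an example and not part of Billy's answer or the poster's config: the per-port mappings are removed, the one-to-one static NAT is added, and the inbound ACL is rebuilt so that GRE is accepted only for the published address. The addresses 192.168.1.3 and a.b.c.d come from the question; the ACL name fa0_in_v2 is chosen here. It assumes, as the answer does, that a.b.c.d is the address the SBS host is to be published on.

```cisco
! --- Before (from the question): per-port static NAT -------------------------
! PPTP needs two flows: TCP 1723 (control) and GRE, IP protocol 47 (data).
! "static tcp ... 47" maps TCP *port* 47, which PPTP never uses, so the
! control channel is answered but the GRE tunnel has no translation and the
! client gives up with error 800.
no ip nat inside source static tcp 192.168.1.3 25 a.b.c.d 25 extendable
no ip nat inside source static tcp 192.168.1.3 a.b.c.d 47 extendable
no ip nat inside source static tcp 192.168.1.3 80 a.b.c.d 80 extendable
no ip nat inside source static tcp 192.168.1.3 110 a.b.c.d 110 extendable
no ip nat inside source static tcp 192.168.1.3 443 a.b.c.d 443 extendable
no ip nat inside source static tcp 192.168.1.3 1723 a.b.c.d 1723 extendable
no ip nat inside source static tcp 192.168.1.3 3389 a.b.c.d 3389 extendable
!
! --- After: one-to-one static NAT -------------------------------------------
! Every protocol arriving for a.b.c.d, GRE included, is now translated to
! 192.168.1.3. The inbound ACL on FastEthernet0 becomes the only thing that
! limits what reaches the SBS host, so it must list exactly the services
! that host is meant to publish.
ip nat inside source static 192.168.1.3 a.b.c.d
!
! --- Replacement inbound ACL (name fa0_in_v2 chosen for this example) -------
! Built as a new list and swapped onto the interface rather than edited in
! place, so the old list keeps filtering until the new one is attached.
! Changes against the original fa0/1_in:
!   * GRE is accepted only for the published address, not "any any"
!   * the "tcp eq 47" entry is gone (it never matched PPTP traffic)
!   * "tcp eq 22" is gone: with one-to-one NAT, SSH to a.b.c.d is
!     translated toward the SBS host, not answered by the router
ip access-list extended fa0_in_v2
 permit icmp any host a.b.c.d echo-reply
 permit icmp any host a.b.c.d time-exceeded
 permit icmp any host a.b.c.d unreachable
 permit tcp any host a.b.c.d eq 1723
 permit gre any host a.b.c.d
 permit tcp any host a.b.c.d eq smtp
 permit tcp any host a.b.c.d eq pop3
 permit tcp any host a.b.c.d eq www
 permit tcp any host a.b.c.d eq 443
 permit tcp any host a.b.c.d eq 3389
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
 deny   ip any any log
!
interface FastEthernet0
 ip access-group fa0_in_v2 in
!
```

Verify with `show ip nat translations` (the static entry for 192.168.1.3 should be listed before any client connects), `show access-lists fa0_in_v2` (the hit counts on the 1723 and gre lines should climb during a connection attempt) and, briefly, `debug ip nat` while a client connects; a GRE packet hitting the final `deny ip any any log` line will show up in `show logging`. If a.b.c.d is the FastEthernet0 address itself rather than a spare public address, first confirm that IOS accepts the one-to-one mapping at all, and remember that only a port-level mapping can share the router's own address with its management services. Separately from the NAT question, PPTP with MS-CHAPv2 gives no real confidentiality: the MS-CHAPv2 handshake can be cracked offline (it reduces to a single DES key search) and the result yields the MPPE session keys, so treat this as a reachability fix rather than a secure remote-access design.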