Add NAT and Protocol 47 to Cisco 2800

zefflyn

Brief synopsis:

Have a new server in the building, on which we've installed a VPN service. Now I'm trying to re-configure the router to forward port 1723, and allow IP Protocol 47 to allow the VPN traffic to go through.

I added the NAT with the GUI, but couldn't find where to add the protocol. I foolishly used the built-in version checker, which said there was a newer version of the GUI available, but then it failed to install and wiped out the GUI it had. So I also have to figure out how to restore the back-up it saved.

So far I can add the NAT at the command line:

Code:
configure t

ip nat inside source static tcp 10.5.10.159 1723 interface GigabitEthernet 0/0 1723

But can't find a tip for enabling IP Protocol 47.

Any tips for that, or restoring the backup config? I put the files on my tftp server, and just need to scrounge up the commands to do the restore.

Thanks.
 

/dev/null

copy tftp flash

You'll get the prompts for IP address of tftp server and source/destination filename.

I don't have experience doing VPNs, but wouldn't you either need to enable tcp 1723 if you have ACLs? And/or NAT overload.

*edit*

Are you trying to do GRE tunneling between 2 routers? Are you trying to do vpn clients -> server?
 

zefflyn

The new VPN server is inside the firewall, so I'm trying to get the 2821 to pass-through that traffic.
 

/dev/null

If the issue is passing a packet from one port on the router to another, then it could be an ACL problem. You can use the established parameter in an ACL to allow return traffic from a session back in. If it's a NAT problem, like the clients aren't getting return traffic, you can try NAT with overload (PAT).
 

mercurial

ip proto 47 (google it, it's simply GRE) does not run on top of TCP, it runs at the same layer (4). Your NAT configuration example does not address GRE since you are only forwarding traffic for an explicit IP address / TCP port combination, which would not cover GRE traffic.

You need a config that forwards all traffic headed to that IP to the VPN server, or you need a way to specifically forward all GRE traffic to the VPN server. Your IOS on the 2800 might not support the latter.
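
The first option described in the post above (forward all traffic for one address to the VPN server), written out as an added IOS configuration sketch that is not part of the original thread. It assumes a spare public address is available (203.0.113.10 is a constructed placeholder), that GigabitEthernet0/0 is the outside interface with no inbound ACL already applied, and the ACL name OUTSIDE-IN is hypothetical.

```cisco
! Added example; 203.0.113.10 is a constructed placeholder for a spare public address.
!
! Port-only forward from the thread: it translates TCP/1723 and nothing else,
! so GRE (IP protocol 47) is never forwarded to the server.
! ip nat inside source static tcp 10.5.10.159 1723 interface GigabitEthernet 0/0 1723
!
! One-to-one static translation: every IP protocol sent to the public address,
! GRE included, is translated to the VPN server's inside address.
ip nat inside source static 10.5.10.159 203.0.113.10
!
! The one-to-one mapping exposes every port on the server, so filter on the
! outside interface and let through only TCP/1723 and GRE for that address.
! The inbound ACL is evaluated before NAT, so it matches the public address.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 1723
 permit gre any host 203.0.113.10
 deny   ip any host 203.0.113.10
 ! Assumption: no inbound filtering existed before; this line leaves all
 ! other traffic on the interface handled as it was.
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group OUTSIDE-IN in
```

After a client connects, `show ip nat translations` and the hit counters in `show access-lists OUTSIDE-IN` show whether both the TCP/1723 and the GRE entries are being matched.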
 