MN-700 and Cisco VPN

Archived from groups: microsoft.public.broadbandnet.hardware (More info?)

I just got my MN-700 configured so that the DSL Modem ethernet cable is
plugged into the WAN port.. HOwever, now my Cisco VPN client connects, but
I can't do anything... When I had the DSL Modem ethernet cable plugged into
one of the LAN ports it worked OK. Do I need to configure the WAN security
to allow the CISCO VPN client to run IPSec through the WAN?

Carl
11 answers Last reply
More about cisco
  1. Archived from groups: microsoft.public.broadbandnet.hardware (More info?)

    Sorry, I see lots of articles in this group on this topic... I will try to
    find the answer there.


    "Carl Hilton" <someone@microsoft.com> wrote in message
    news:O$cNhZ6tEHA.3572@tk2msftngp13.phx.gbl...
    >I just got my MN-700 configured so that the DSL Modem ethernet cable is
    >plugged into the WAN port.. HOwever, now my Cisco VPN client connects, but
    >I can't do anything... When I had the DSL Modem ethernet cable plugged into
    >one of the LAN ports it worked OK. Do I need to configure the WAN security
    >to allow the CISCO VPN client to run IPSec through the WAN?
    >
    > Carl
    >
  2. Archived from groups: microsoft.public.broadbandnet.hardware (More info?)

    Well, it looks like the solution is to log into the MN-700, turn on the DMZ
    for the machine you want to use a VPN client... Do you VPN session,
    disconnect, then disable the DMZ... Not elegant but it works.


    "Carl Hilton" <someone@microsoft.com> wrote in message
    news:O$cNhZ6tEHA.3572@tk2msftngp13.phx.gbl...
    >I just got my MN-700 configured so that the DSL Modem ethernet cable is
    >plugged into the WAN port.. HOwever, now my Cisco VPN client connects, but
    >I can't do anything... When I had the DSL Modem ethernet cable plugged into
    >one of the LAN ports it worked OK. Do I need to configure the WAN security
    >to allow the CISCO VPN client to run IPSec through the WAN?
    >
    > Carl
    >
  3. Archived from groups: microsoft.public.broadbandnet.hardware (More info?)

    If you can figure out which ports are needed for incoming data you can
    use persistent port forwarding instead. It is a much more secure method
    of doing the VPN as well.

    Carl Hilton wrote:

    > Well, it looks like the solution is to log into the MN-700, turn on the DMZ
    > for the machine you want to use a VPN client... Do you VPN session,
    > disconnect, then disable the DMZ... Not elegant but it works.
    >
    >
    >
    > "Carl Hilton" <someone@microsoft.com> wrote in message
    > news:O$cNhZ6tEHA.3572@tk2msftngp13.phx.gbl...
    >
    >>I just got my MN-700 configured so that the DSL Modem ethernet cable is
    >>plugged into the WAN port.. HOwever, now my Cisco VPN client connects, but
    >>I can't do anything... When I had the DSL Modem ethernet cable plugged into
    >>one of the LAN ports it worked OK. Do I need to configure the WAN security
    >>to allow the CISCO VPN client to run IPSec through the WAN?
    >>
    >>Carl
    >>
    >
    >
    >

    --
    Please do not contact me directly or ask me to contact you directly for
    assistance.

    If your question is worth asking, it's worth posting.

    If it’s not worth posting you should have done a search on
    http://www.google.com/ http://www.google.com/grphp?hl=en&tab=wg&q= or
    http://news.google.com/froogle?hl=en&tab=nf&ned=us&q= before wasting our
    time.
  4. Archived from groups: microsoft.public.broadbandnet.hardware (More info?)

    I have several Etherreal captures of traffic... How do I determine what is
    required? Most of the traffic appears to be between the workstation and the
    MN-700 gateway?

    OOPS, I see that once I make the VPN connection, my Network Adapter changes
    to the Cisco VPN adapter, So... capturing that traffic, what do I look for?
    There is a LOT of traffic on various ports?

    Persistant Port forwarding points back to a specific IP, but with this VPN,
    I am assigned a different IP...

    Carl


    I see ISAKMP traffic between my machine and the VPN Concentrator but then
    after the signon. All subsequent traffic is to the gateway, except for
    "Joker" <no-spam@netzero.com> wrote in message
    news:eW%23Ctv9tEHA.2956@TK2MSFTNGP12.phx.gbl...
    > If you can figure out which ports are needed for incoming data you can use
    > persistent port forwarding instead. It is a much more secure method of
    > doing the VPN as well.
    >
    > Carl Hilton wrote:
    >
    >> Well, it looks like the solution is to log into the MN-700, turn on the
    >> DMZ for the machine you want to use a VPN client... Do you VPN session,
    >> disconnect, then disable the DMZ... Not elegant but it works.
    >>
    >>
    >>
    >> "Carl Hilton" <someone@microsoft.com> wrote in message
    >> news:O$cNhZ6tEHA.3572@tk2msftngp13.phx.gbl...
    >>
    >>>I just got my MN-700 configured so that the DSL Modem ethernet cable is
    >>>plugged into the WAN port.. HOwever, now my Cisco VPN client connects,
    >>>but I can't do anything... When I had the DSL Modem ethernet cable
    >>>plugged into one of the LAN ports it worked OK. Do I need to configure
    >>>the WAN security to allow the CISCO VPN client to run IPSec through the
    >>>WAN?
    >>>
    >>>Carl
    >>>
    >>
    >>
    >>
    >
    > --
    > Please do not contact me directly or ask me to contact you directly for
    > assistance.
    >
    > If your question is worth asking, it's worth posting.
    >
    > If it’s not worth posting you should have done a search on
    > http://www.google.com/ http://www.google.com/grphp?hl=en&tab=wg&q= or
    > http://news.google.com/froogle?hl=en&tab=nf&ned=us&q= before wasting our
    > time.
  5. Archived from groups: microsoft.public.broadbandnet.hardware (More info?)

    which Cisco VPN version are you using? 4.0.1 works fine here for me. I
    changed the defaults on the MN-700 so that the base station address is
    192.168.1.1 and the IP range served by DHCP is 192.168.1.xxx etc.

    Also, the Cisco VPN client has an optional firewall (stateful packet
    inspection) - try unmarking it if it is checked off in your client.

    On Fri, 22 Oct 2004 06:36:11 -0400, "Carl Hilton"
    <someone@microsoft.com> wrote:

    >I have several Etherreal captures of traffic... How do I determine what is
    >required? Most of the traffic appears to be between the workstation and the
    >MN-700 gateway?
    >
    >OOPS, I see that once I make the VPN connection, my Network Adapter changes
    >to the Cisco VPN adapter, So... capturing that traffic, what do I look for?
    >There is a LOT of traffic on various ports?
    >
    >Persistant Port forwarding points back to a specific IP, but with this VPN,
    >I am assigned a different IP...
    >
    >Carl
    >
    >
    >I see ISAKMP traffic between my machine and the VPN Concentrator but then
    >after the signon. All subsequent traffic is to the gateway, except for
    >"Joker" <no-spam@netzero.com> wrote in message
    >news:eW%23Ctv9tEHA.2956@TK2MSFTNGP12.phx.gbl...
    >> If you can figure out which ports are needed for incoming data you can use
    >> persistent port forwarding instead. It is a much more secure method of
    >> doing the VPN as well.
    >>
    >> Carl Hilton wrote:
    >>
    >>> Well, it looks like the solution is to log into the MN-700, turn on the
    >>> DMZ for the machine you want to use a VPN client... Do you VPN session,
    >>> disconnect, then disable the DMZ... Not elegant but it works.
    >>>
    >>>
    >>>
    >>> "Carl Hilton" <someone@microsoft.com> wrote in message
    >>> news:O$cNhZ6tEHA.3572@tk2msftngp13.phx.gbl...
    >>>
    >>>>I just got my MN-700 configured so that the DSL Modem ethernet cable is
    >>>>plugged into the WAN port.. HOwever, now my Cisco VPN client connects,
    >>>>but I can't do anything... When I had the DSL Modem ethernet cable
    >>>>plugged into one of the LAN ports it worked OK. Do I need to configure
    >>>>the WAN security to allow the CISCO VPN client to run IPSec through the
    >>>>WAN?
    >>>>
    >>>>Carl
    >>>>
    >>>
    >>>
    >>>
    >>
    >> --
    >> Please do not contact me directly or ask me to contact you directly for
    >> assistance.
    >>
    >> If your question is worth asking, it's worth posting.
    >>
    >> If it’s not worth posting you should have done a search on
    >> http://www.google.com/ http://www.google.com/grphp?hl=en&tab=wg&q= or
    >> http://news.google.com/froogle?hl=en&tab=nf&ned=us&q= before wasting our
    >> time.
    >

    --
    Barb Bowman
    Expert Zone Columnist
    http://www.microsoft.com/windowsxp/expertzone
    MS-MVP (Windows)
  6. Archived from groups: microsoft.public.broadbandnet.hardware (More info?)

    I also use 4.0.1... My base station is 192.168.2.1 and DHCP Serves
    192.168.2.XXX... I do not use 192.168.1.XXX as that is in use by my ISP's
    DSL Modem which is connected to my bast station's WAN port. I HAVE turned
    off stateful firewall on the client.

    Carl


    "Barb Bowman [MVP-Windows]" <barb@nospam.com> wrote in message
    news:c0din05sdnjvip9aosd42v5ug8rpukur8t@4ax.com...
    > which Cisco VPN version are you using? 4.0.1 works fine here for me. I
    > changed the defaults on the MN-700 so that the base station address is
    > 192.168.1.1 and the IP range served by DHCP is 192.168.1.xxx etc.
    >
    > Also, the Cisco VPN client has an optional firewall (stateful packet
    > inspection) - try unmarking it if it is checked off in your client.
    >
    > On Fri, 22 Oct 2004 06:36:11 -0400, "Carl Hilton"
    > <someone@microsoft.com> wrote:
    >
    >>I have several Etherreal captures of traffic... How do I determine what is
    >>required? Most of the traffic appears to be between the workstation and
    >>the
    >>MN-700 gateway?
    >>
    >>OOPS, I see that once I make the VPN connection, my Network Adapter
    >>changes
    >>to the Cisco VPN adapter, So... capturing that traffic, what do I look
    >>for?
    >>There is a LOT of traffic on various ports?
    >>
    >>Persistant Port forwarding points back to a specific IP, but with this
    >>VPN,
    >>I am assigned a different IP...
    >>
    >>Carl
    >>
    >>
    >>I see ISAKMP traffic between my machine and the VPN Concentrator but then
    >>after the signon. All subsequent traffic is to the gateway, except for
    >>"Joker" <no-spam@netzero.com> wrote in message
    >>news:eW%23Ctv9tEHA.2956@TK2MSFTNGP12.phx.gbl...
    >>> If you can figure out which ports are needed for incoming data you can
    >>> use
    >>> persistent port forwarding instead. It is a much more secure method of
    >>> doing the VPN as well.
    >>>
    >>> Carl Hilton wrote:
    >>>
    >>>> Well, it looks like the solution is to log into the MN-700, turn on the
    >>>> DMZ for the machine you want to use a VPN client... Do you VPN session,
    >>>> disconnect, then disable the DMZ... Not elegant but it works.
    >>>>
    >>>>
    >>>>
    >>>> "Carl Hilton" <someone@microsoft.com> wrote in message
    >>>> news:O$cNhZ6tEHA.3572@tk2msftngp13.phx.gbl...
    >>>>
    >>>>>I just got my MN-700 configured so that the DSL Modem ethernet cable is
    >>>>>plugged into the WAN port.. HOwever, now my Cisco VPN client connects,
    >>>>>but I can't do anything... When I had the DSL Modem ethernet cable
    >>>>>plugged into one of the LAN ports it worked OK. Do I need to configure
    >>>>>the WAN security to allow the CISCO VPN client to run IPSec through the
    >>>>>WAN?
    >>>>>
    >>>>>Carl
    >>>>>
    >>>>
    >>>>
    >>>>
    >>>
    >>> --
    >>> Please do not contact me directly or ask me to contact you directly for
    >>> assistance.
    >>>
    >>> If your question is worth asking, it's worth posting.
    >>>
    >>> If it's not worth posting you should have done a search on
    >>> http://www.google.com/ http://www.google.com/grphp?hl=en&tab=wg&q= or
    >>> http://news.google.com/froogle?hl=en&tab=nf&ned=us&q= before wasting our
    >>> time.
    >>
    >
    > --
    > Barb Bowman
    > Expert Zone Columnist
    > http://www.microsoft.com/windowsxp/expertzone
    > MS-MVP (Windows)
  7. Archived from groups: microsoft.public.broadbandnet.hardware (More info?)

    You might consider setting either the DSL router into bridging mode or
    turning the MN-700 into an access point as running two routers like that
    is not a recommended situation & it will cause problems like this to happen.

    Carl Hilton wrote:

    > I also use 4.0.1... My base station is 192.168.2.1 and DHCP Serves
    > 192.168.2.XXX... I do not use 192.168.1.XXX as that is in use by my ISP's
    > DSL Modem which is connected to my bast station's WAN port. I HAVE turned
    > off stateful firewall on the client.
    >
    > Carl


    --
    Please do not contact me directly or ask me to contact you directly for
    assistance.

    If your question is worth asking, it's worth posting.

    If it’s not worth posting you should have done a search on
    http://www.google.com/ http://www.google.com/grphp?hl=en&tab=wg&q= or
    http://news.google.com/froogle?hl=en&tab=nf&ned=us&q= before wasting our
    time.
  8. Archived from groups: microsoft.public.broadbandnet.hardware (More info?)

    ah ha. you have double NAT. that is the problem. your modem supplies
    private IP's to the computers behind it. you need to turn the 700 into
    an access point and turn off DHCP. either that or get your ISP gto
    turn NAT off in your modem.

    On Thu, 21 Oct 2004 20:00:10 -0400, "Carl Hilton"
    <someone@microsoft.com> wrote:

    >Well, it looks like the solution is to log into the MN-700, turn on the DMZ
    >for the machine you want to use a VPN client... Do you VPN session,
    >disconnect, then disable the DMZ... Not elegant but it works.
    >
    >
    >
    >"Carl Hilton" <someone@microsoft.com> wrote in message
    >news:O$cNhZ6tEHA.3572@tk2msftngp13.phx.gbl...
    >>I just got my MN-700 configured so that the DSL Modem ethernet cable is
    >>plugged into the WAN port.. HOwever, now my Cisco VPN client connects, but
    >>I can't do anything... When I had the DSL Modem ethernet cable plugged into
    >>one of the LAN ports it worked OK. Do I need to configure the WAN security
    >>to allow the CISCO VPN client to run IPSec through the WAN?
    >>
    >> Carl
    >>
    >

    --
    Barb Bowman
    Expert Zone Columnist
    http://www.microsoft.com/windowsxp/expertzone
    MS-MVP (Windows)
  9. Archived from groups: microsoft.public.broadbandnet.hardware (More info?)

    Actually, my modem supplies IPs to the 700 which supplies IP's to the
    computers... But I will see about turning off the DHCP on my modem... would
    it matter if DHCP were turned off on my 700 instead?


    "Barb Bowman [MVP-Windows]" <barb@nospam.com> wrote in message
    news:1e3jn0dksj2oh87fm5kuia23rejnrc9ech@4ax.com...
    > ah ha. you have double NAT. that is the problem. your modem supplies
    > private IP's to the computers behind it. you need to turn the 700 into
    > an access point and turn off DHCP. either that or get your ISP gto
    > turn NAT off in your modem.
    >
    > On Thu, 21 Oct 2004 20:00:10 -0400, "Carl Hilton"
    > <someone@microsoft.com> wrote:
    >
    >>Well, it looks like the solution is to log into the MN-700, turn on the
    >>DMZ
    >>for the machine you want to use a VPN client... Do you VPN session,
    >>disconnect, then disable the DMZ... Not elegant but it works.
    >>
    >>
    >>
    >>"Carl Hilton" <someone@microsoft.com> wrote in message
    >>news:O$cNhZ6tEHA.3572@tk2msftngp13.phx.gbl...
    >>>I just got my MN-700 configured so that the DSL Modem ethernet cable is
    >>>plugged into the WAN port.. HOwever, now my Cisco VPN client connects,
    >>>but
    >>>I can't do anything... When I had the DSL Modem ethernet cable plugged
    >>>into
    >>>one of the LAN ports it worked OK. Do I need to configure the WAN
    >>>security
    >>>to allow the CISCO VPN client to run IPSec through the WAN?
    >>>
    >>> Carl
    >>>
    >>
    >
    > --
    > Barb Bowman
    > Expert Zone Columnist
    > http://www.microsoft.com/windowsxp/expertzone
    > MS-MVP (Windows)
  10. Archived from groups: microsoft.public.broadbandnet.hardware (More info?)

    Hmmm, how about if I turn off DHCP on my modem, and enable IP PASS Through
    between the Modem to the 700? That way the 700 gets the IP address my ISP
    assigns to my modem?

    Let me try.

    Carl


    "Barb Bowman [MVP-Windows]" <barb@nospam.com> wrote in message
    news:1e3jn0dksj2oh87fm5kuia23rejnrc9ech@4ax.com...
    > ah ha. you have double NAT. that is the problem. your modem supplies
    > private IP's to the computers behind it. you need to turn the 700 into
    > an access point and turn off DHCP. either that or get your ISP gto
    > turn NAT off in your modem.
    >
    > On Thu, 21 Oct 2004 20:00:10 -0400, "Carl Hilton"
    > <someone@microsoft.com> wrote:
    >
    >>Well, it looks like the solution is to log into the MN-700, turn on the
    >>DMZ
    >>for the machine you want to use a VPN client... Do you VPN session,
    >>disconnect, then disable the DMZ... Not elegant but it works.
    >>
    >>
    >>
    >>"Carl Hilton" <someone@microsoft.com> wrote in message
    >>news:O$cNhZ6tEHA.3572@tk2msftngp13.phx.gbl...
    >>>I just got my MN-700 configured so that the DSL Modem ethernet cable is
    >>>plugged into the WAN port.. HOwever, now my Cisco VPN client connects,
    >>>but
    >>>I can't do anything... When I had the DSL Modem ethernet cable plugged
    >>>into
    >>>one of the LAN ports it worked OK. Do I need to configure the WAN
    >>>security
    >>>to allow the CISCO VPN client to run IPSec through the WAN?
    >>>
    >>> Carl
    >>>
    >>
    >
    > --
    > Barb Bowman
    > Expert Zone Columnist
    > http://www.microsoft.com/windowsxp/expertzone
    > MS-MVP (Windows)
  11. Archived from groups: microsoft.public.broadbandnet.hardware (More info?)

    Turning on "IP-PASS Through" on my DSL modem and pointing it at the 700
    worked. Thanks

    Carl


    "Barb Bowman [MVP-Windows]" <barb@nospam.com> wrote in message
    news:1e3jn0dksj2oh87fm5kuia23rejnrc9ech@4ax.com...
    > ah ha. you have double NAT. that is the problem. your modem supplies
    > private IP's to the computers behind it. you need to turn the 700 into
    > an access point and turn off DHCP. either that or get your ISP gto
    > turn NAT off in your modem.
    >
    > On Thu, 21 Oct 2004 20:00:10 -0400, "Carl Hilton"
    > <someone@microsoft.com> wrote:
    >
    >>Well, it looks like the solution is to log into the MN-700, turn on the
    >>DMZ
    >>for the machine you want to use a VPN client... Do you VPN session,
    >>disconnect, then disable the DMZ... Not elegant but it works.
    >>
    >>
    >>
    >>"Carl Hilton" <someone@microsoft.com> wrote in message
    >>news:O$cNhZ6tEHA.3572@tk2msftngp13.phx.gbl...
    >>>I just got my MN-700 configured so that the DSL Modem ethernet cable is
    >>>plugged into the WAN port.. HOwever, now my Cisco VPN client connects,
    >>>but
    >>>I can't do anything... When I had the DSL Modem ethernet cable plugged
    >>>into
    >>>one of the LAN ports it worked OK. Do I need to configure the WAN
    >>>security
    >>>to allow the CISCO VPN client to run IPSec through the WAN?
    >>>
    >>> Carl
    >>>
    >>
    >
    > --
    > Barb Bowman
    > Expert Zone Columnist
    > http://www.microsoft.com/windowsxp/expertzone
    > MS-MVP (Windows)
Ask a new question

Read More

Routers WAN VPN Cisco Networking