# CISCO VPN client through NAT

## MrBlack

Hi, I'd like to run Cisco VPN Client on a Windows XP machine in my home network. While I can access the internet on the XP machine (http, ftp ...) I can't use the Cisco VPN Client on it.

Should I enter something in my iptables script?

Thank you

----------

## AlterEgo

Are you sure you're not bothered by the (default) Windows XP firewall?

That's what kills my VPN connection in a similar setup.

----------

## MrBlack

No, ICF is not enabled on the XP machine.

----------

## Satao

Try opening L2TP port udp/1701

----------

## MrBlack

I have added the following lines in /etc/services:

```
l2f	1701/tcp	l2f
l2f	1701/udp	l2f
l2tp	1701/tcp	l2tp
l2tp	1701/udp	l2tp
```

Still, no luck :(

----------


## MrBlack

I have the following rules now:

```sh
# EXTIF and INTIF are expected to be set to the external and internal
# interface names before this script runs.
echo "1" > /proc/sys/net/ipv4/ip_forward

echo "7" > /proc/sys/net/ipv4/ip_dynaddr

# Initialize all the chains by flushing them
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

# Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
# The default for FORWARD is DROP (REJECT is not a valid policy)
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F

# Allow all connections OUT and only existing and related ones IN
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "IPTABLES "

# Enable masquerading functionality on $EXTIF
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
iptables -t nat -A POSTROUTING -o $EXTIF -j LOG --log-prefix "IPTABLES "

# Enable Cisco VPN client through NAT interface
# IKE (udp/500) and Cisco NAT-T (udp/10000) to and from the router itself
iptables -I INPUT -p udp --dport 500 -j ACCEPT
iptables -I OUTPUT -p udp --sport 500 -m state --state ESTABLISHED -j ACCEPT
iptables -I INPUT -p udp --dport 10000 -j ACCEPT
iptables -I OUTPUT -p udp --sport 10000 -m state --state ESTABLISHED -j ACCEPT
# ESP (IP protocol 50) and AH (IP protocol 51) on the external interface
# ("-mstate" in the original was a typo for "-m state")
iptables -A INPUT -i $EXTIF -p 50 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $EXTIF -p 50 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $EXTIF -p 50 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $EXTIF -p 50 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i $EXTIF -p 51 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $EXTIF -p 51 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $EXTIF -p 51 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $EXTIF -p 51 -m state --state ESTABLISHED -j ACCEPT
```

Unfortunately, it still isn't working... anybody who knows what's going on?

Thx

----------
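Added example, not part of the thread or the Cisco client: the INPUT and OUTPUT chains in the script above only govern traffic to and from the router itself, so a client on the LAN is handled by FORWARD (and nat/POSTROUTING); this helper prints the FORWARD rules such a client needs for IKE (udp/500), NAT-T (udp/4500, or Cisco's udp/10000) and ESP. Interface names eth0/eth1 are assumed values.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the FORWARD rules that let a LAN
# host's IPsec client pass through this NAT router. Assumed interface names:
EXTIF="${EXTIF:-eth0}"   # assumed: interface facing the Internet
INTIF="${INTIF:-eth1}"   # assumed: interface facing the LAN

# Print (do not run) the rules. IKE negotiates on udp/500; when the client
# detects NAT it switches to UDP encapsulation on udp/4500 (standard NAT-T)
# or udp/10000 (Cisco's original NAT-T port); without NAT-T the data travels
# as raw ESP (IP protocol 50), which carries no ports for MASQUERADE to rewrite.
ipsec_passthrough_rules() {
    for port in 500 4500 10000; do
        printf 'iptables -A FORWARD -i %s -o %s -p udp --dport %s -j ACCEPT\n' \
            "$INTIF" "$EXTIF" "$port"
    done
    # Outbound ESP from the LAN client to the concentrator.
    printf 'iptables -A FORWARD -i %s -o %s -p esp -j ACCEPT\n' "$INTIF" "$EXTIF"
    # Inbound ESP: UDP replies are covered by the ESTABLISHED,RELATED rule the
    # posted script already has, but ESP is tracked only generically (by source
    # and destination address), so it is accepted explicitly here. That generic
    # tracking also means plain MASQUERADE can carry ESP for one LAN host at a
    # time; two hosts talking to the same concentrator need NAT-T instead.
    printf 'iptables -A FORWARD -i %s -o %s -p esp -j ACCEPT\n' "$EXTIF" "$INTIF"
}

# Apply the printed rules (needs root and iptables on the router).
apply_ipsec_passthrough() {
    ipsec_passthrough_rules | while read -r cmd; do
        $cmd
    done
}

# Dry run: show what would be applied.
ipsec_passthrough_rules
```

Run `apply_ipsec_passthrough` as root on the router after the posted script, since that script flushes FORWARD first.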

## Xanadu

Have you enabled gre tunnels in your kernel?  I'm moving my company over to the Cisco client and away from the WINNT VPN, so I'm using that Cisco client now on my XP laptop.  I can VPN into work from my laptop at home no problem.  I have gre tunnels enabled in my kernel, since I needed that with the old VPN (winnt based).  I needed no special iptables rules at all for it all to work (opening up port 1723 or things like you posted above) with either the Cisco client or the built-in Windows method.  It works 100% fine.  Kinda slow since I'm on a modem, but it works fine with no real playing needed.  The only catch is I have gre tunnels enabled in my server's kernel.

----------

## gianbeos

*MrBlack wrote:*

> Hi, I'd like to run Cisco VPN Client on a Windows XP machine in my home network. While I can access the internet on the XP machine (http, ftp ...) I can't use the Cisco VPN Client on it.
>
> Should I enter something in my iptables script?

Did you see any log of the filtered packet?

What do you use at the other end of the VPN tunnel? A Cisco PIX or a VPN Concentrator? Only the concentrator supports a tunnel behind NAT.

Bye.

----------

