
bbarrera
Premium,MVM
join:2000-10-23
Sacramento, CA
kudos:1
reply to kasper501

Re: Another USG 50 newb...Cisco VPN Client getting dropped

From the logs it sure looks like your router config has:
- PORT FORWARDING of UDP ports 500 and 4500
- FIREWALL rule allowing UDP ports 500 and 4500

It's also possible that IPSec (protocol 50) is involved; off the top of my head I can't recall if that is also configured in port forwarding and firewall.



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10

What is said above: check your default FW rules, they have IKE and IPSec services included; remove them.


kasper501

join:2011-08-24

1 edit

I don't have anything being forwarded, so I'm confused as to where to look for those "IKE, IPSec services".

I've included a screenshot of my "Default_Allow_WAN_To_ZyWALL" Service Group rules. Can I provide any other information?

kasper501

join:2011-08-24

Arghgh....I've been fighting with this all day. I kind of lost it after my ATT MicroCell began getting kicked off the network. Emailed Zyxel for support to see whether they might be able to provide some insight, but at this point I setup my Netgear WND4000 again and everything is fkn working. /arghgh, want to smash!



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10

Check your PM



bbarrera
Premium,MVM
join:2000-10-23
Sacramento, CA
kudos:1
reply to kasper501

NATT is your problem, remove it from the Default_Allow_WAN_To_ZyWALL rule.


kasper501

join:2011-08-24

Thanks, guys!!!!

I'll try tomorrow.



bbarrera
Premium,MVM
join:2000-10-23
Sacramento, CA
kudos:1

NATT is NAT Traversal and it's UDP port 4500, which you can see from the logs is involved with your VPN client getting caught in the firewall.


kasper501

join:2011-08-24

1 edit

BBARRERA... Thanks so much. Thank you, everyone, for your assistance!!! It's finally working; I'm no longer getting disconnected from my work VPN client. I've been connected for over an hour now. It's sites like this that make the internet so awesome.

I do have one more question... not sure if I should start another post; it's related to my AT&T MicroCell. I don't have cell coverage in my house, so I need the MicroCell to get a cell connection. My MicroCell has been dropping connection too since I set up the new router. I was thinking of using the DMZ port; is this how I should configure the default DMZ rules to allow the following ports to pass through?

123/UDP: NTP timing (NTP traffic)
443/TCP: Https over TLS/SSL for provisioning and management traffic
4500/UDP: IPSec NAT Traversal (for all signaling, data, voice traffic)
500/UDP: IPSec Phase 1 prior to NAT detection (after NAT detection, 4500/UDP is used)
4500/UDP: After NAT detection, 4500/UDP is used



bbarrera
Premium,MVM
join:2000-10-23
Sacramento, CA
kudos:1

If you have only 1 public IP, I can't think of any advantage in setting up DMZ. Just forward those ports to your microcell and then likely have problems with your work laptop VPN.



imanon

@comcast.net
reply to kasper501

The MicroCell does not require a DMZ. Since you've already taken NATT and IKE out of the default rule that normally forces those inbound to the ZyWALL, you'll be good.

Microcell needs to make a VPN tunnel to AT&T's datacenter, almost identical to how your machine makes a VPN tunnel to your office.
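Added example (not from this thread, Zyxel, or AT&T): a simplified, assumed model of the behaviour bbarrera and imanon describe, where a default WAN-to-ZyWALL service group that still contains NATT makes the router terminate inbound UDP/4500 itself instead of passing it to the NATed VPN client. Service names, the evaluation order, the session table and the addresses are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Service objects as (protocol, destination port); ESP (IP proto 50) has no port.
SERVICES = {"IKE": ("udp", 500), "NATT": ("udp", 4500), "ESP": ("esp", None)}

@dataclass(frozen=True)
class Packet:
    proto: str
    dport: Optional[int]
    src_ip: str            # remote VPN gateway (constructed address)
    src_port: Optional[int]

# Constructed NAT session table: the laptop's outbound IKE and NAT-T flows.
# key = (proto, remote_ip, remote_port, local_port) -> inside host
NAT_SESSIONS = {
    ("udp", "203.0.113.10", 500, 500): "192.168.1.50",
    ("udp", "203.0.113.10", 4500, 4500): "192.168.1.50",
}

def to_zywall_services(service_group: Set[str]) -> Set[Tuple]:
    """Expand service object names into (proto, port) tuples."""
    return {SERVICES[s] for s in service_group}

def classify(pkt: Packet, wan_to_zywall: Set[str]) -> str:
    """Where an inbound WAN packet ends up (assumed, simplified order):
    1. a service allowed WAN-to-ZyWALL is terminated by the router itself,
    2. otherwise a matching NAT session forwards it to the inside host,
    3. otherwise it is dropped."""
    if (pkt.proto, pkt.dport) in to_zywall_services(wan_to_zywall):
        return "terminated-by-router"
    inside = NAT_SESSIONS.get((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dport))
    return f"forwarded-to-{inside}" if inside else "dropped"

# The shipped default group (as in the thread) and the group after removing
# NATT and IKE, which is the fix the thread arrives at.
DEFAULT_GROUP = {"IKE", "NATT", "ESP"}
FIXED_GROUP = DEFAULT_GROUP - {"NATT", "IKE"}

# NAT-T reply from the work VPN gateway, constructed for the demonstration.
natt_reply = Packet("udp", 4500, "203.0.113.10", 4500)

if __name__ == "__main__":
    print(classify(natt_reply, DEFAULT_GROUP))  # terminated-by-router
    print(classify(natt_reply, FIXED_GROUP))    # forwarded-to-192.168.1.50
```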