Allowing PPTP traffic through IOS firewall

Posted on 2001-07-27
Last Modified: 2008-03-17
I have a Cisco 3620 with the Firewall IOS.  I also have a MS VPN Server sitting behind it on a DMZ.  I want to allow only PPTP related traffic to this server.  I know I have to open port TCP 1723, but how do I allow protocol type 47 (GRE) and UDP 500?  If anyone has the command, please let me know.
Question by: Silas

Expert Comment by: geoffryn (ID: 6327011)
Are you trying to pass the GRE through the IOS firewall and terminate the VPN on an internal host, or use the IOS firewall as the VPN terminator?


Author Comment by: Silas (ID: 6327021)
I am trying to pass GRE through the IOS firewall to an internal host (2000 server).

Accepted Solution by: mikecr (earned 8 total points, ID: 6327435)
You should be able to do this with an access list entry like:

access-list 101 permit gre host 20.1.1.0 host 30.1.1.0

If you're terminating at a 2000 server then you are probably passing DHCP to the client upon connection, correct? Use those IPs in your firewall setup.
Expert Comment by: svindler (ID: 6338585)
To continue Mikecr's suggestion:
access-list 101 permit gre any host 30.1.1.0
access-list 101 permit udp any host 30.1.1.0 eq 500
access-list 101 permit tcp any host 30.1.1.0 eq 1723

provided that 30.1.1.0 is your server, and you probably can't limit the source IPs, right?

Expert Comment by: lrmoore (ID: 6339238)
Just to add one more tidbit:
Using svindler's access list, apply it to the Serial interface inbound:

Interface serial 0/0
 ip access-group 101 in

Do you have a static NAT map from your external IP address group to a private IP address in the DMZ?
 
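The following is an added example, not code posted by anyone in this thread. It models the three access-list entries svindler proposed (and lrmoore applies inbound on the serial interface) as a first-match list with the implicit deny that every IOS ACL ends with, then checks constructed packets against it. It only understands the keyword subset used in the thread (any, host, eq, protocols gre/tcp/udp/ip); the client address 198.51.100.7 is a constructed example value, and the server address 30.1.1.0 is taken from the thread. The point it shows is the one the question asks about: permitting TCP 1723 alone is not enough, because the PPTP data channel is GRE (protocol 47) and is dropped by the implicit deny unless it has its own permit entry.

```python
"""Toy evaluator for the IOS extended ACL discussed in this thread.

Constructed example; not a Cisco parser. Handles only the keywords used in the
thread: 'any', 'host A.B.C.D', 'eq <port>' and the protocols gre/tcp/udp/ip.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The three ACL 101 entries from the thread, verbatim.
ACL_101 = [
    "access-list 101 permit gre any host 30.1.1.0",
    "access-list 101 permit udp any host 30.1.1.0 eq 500",
    "access-list 101 permit tcp any host 30.1.1.0 eq 1723",
]

# IOS protocol keywords -> IP protocol numbers (None means "match any protocol").
PROTO_NUMBERS = {"gre": 47, "tcp": 6, "udp": 17, "ip": None}

CLIENT = "198.51.100.7"   # constructed remote PPTP client address
SERVER = "30.1.1.0"       # the VPN server address used in the thread


@dataclass
class Packet:
    proto: int                    # IP protocol number: 6 tcp, 17 udp, 47 gre
    src: str
    dst: str
    dport: Optional[int] = None   # None for protocols without ports (GRE)


def _parse_addr(tokens):
    """Consume 'any' or 'host A.B.C.D' and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    raise ValueError(f"unsupported address spec: {tokens[0]}")


def parse_ace(line):
    """Parse 'access-list <n> permit|deny <proto> <src> <dst> [eq <port>]'."""
    t = line.split()
    action, proto = t[2], t[3]
    src, rest = _parse_addr(t[4:])
    dst, rest = _parse_addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": PROTO_NUMBERS[proto],
            "src": src, "dst": dst, "dport": port}


def evaluate(acl_lines, pkt):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for line in acl_lines:
        r = parse_ace(line)
        if r["proto"] is not None and r["proto"] != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in r["src"]:
            continue
        if ipaddress.ip_address(pkt.dst) not in r["dst"]:
            continue
        if r["dport"] is not None and r["dport"] != pkt.dport:
            continue
        return r["action"]
    return "deny (implicit)"


def pptp_session_permitted(acl_lines, client, server):
    """A PPTP session needs both the TCP 1723 control channel and GRE data."""
    control = evaluate(acl_lines, Packet(6, client, server, 1723))
    tunnel = evaluate(acl_lines, Packet(47, client, server))
    return control == "permit" and tunnel == "permit"


if __name__ == "__main__":
    for pkt in (Packet(6, CLIENT, SERVER, 1723),   # PPTP control channel
                Packet(47, CLIENT, SERVER),        # GRE tunnel
                Packet(17, CLIENT, SERVER, 500),   # ISAKMP
                Packet(6, CLIENT, SERVER, 80)):    # unrelated traffic
        print(pkt, "->", evaluate(ACL_101, pkt))
    # Dropping the gre line reproduces the original symptom: 1723 opens, tunnel fails.
    print("full ACL:", pptp_session_permitted(ACL_101, CLIENT, SERVER))
    print("without gre entry:", pptp_session_permitted(ACL_101[1:], CLIENT, SERVER))
```

Running the block prints permit for the three PPTP-related packets and the implicit deny for anything else to the server; removing the gre entry from the list shows the control channel still opening while the session as a whole fails.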

Author Comment by: Silas (ID: 6340452)
The access-list 101 looks good; however, when I attempt to authenticate with the server from the Internet, I get a 650 error (unable to complete connection). The VPN server is statically NATted to 1723 and UDP 500. I can't statically NAT to GRE (at least I don't see a way to do that). Any ideas? Can I NAT/PAT a VPN server?

Expert Comment by: mikecr (ID: 6341367)
To my knowledge you can't NAT a VPN server because your beginning and end points need to be real, but don't quote me on that. If your endpoint is NATted, it will get stripped off when it gets un-NATted coming out.

Expert Comment by: geoffryn (ID: 6341566)
I agree with Mikecr. That was the reason I asked where the VPN termination was taking place. I was under the impression that you had to terminate the VPN on the firewall if you were doing NAT. Anyone?

Expert Comment by: svindler (ID: 6343730)
At least for IPSec, it is possible to have the VPN server behind a NATting firewall. You just have to not authenticate the IP header, only the payload.
I don't know too much about PPTP, but I was under the impression that it was even less demanding than IPSec with regards to firewall requirements.


Author Comment by: Silas (ID: 6348457)
Well, looks like this VPN won't work with NAT. Nevertheless, this access list statement is correct. Thanks for the help.