Solved

Allowing PPTP traffic through IOS firewall

Posted on 2001-07-27
Last Modified: 2008-03-17
I have a Cisco 3620 with the Firewall IOS.  I also have a MS VPN Server sitting behind it on a DMZ.  I want to allow only PPTP related traffic to this server.  I know I have to open port TCP 1723, but how do I allow protocol type 47 (GRE) and UDP 500?  If anyone has the command, please let me know.
Question by:Silas
10 Comments
LVL 11

Expert Comment

by:geoffryn
ID: 6327011
Are you trying to pass the GRE through the IOS firewall and terminate the VPN on an internal host, or use the IOS firewall as the VPN terminator?

Author Comment

by:Silas
ID: 6327021
I am trying to pass GRE through the IOS FireWall to an Internal host (2000 server)
LVL 17

Accepted Solution

by:
mikecr earned 8 total points
ID: 6327435
You should be able to do this with an access list entry like:

access-list 101 permit gre host 20.1.1.0 host 30.1.1.0

If you're terminating at a 2000 server then you are probably passing DHCP to the client upon connection, correct? Use those IPs in your firewall setup.
LVL 4

Expert Comment

by:svindler
ID: 6338585
To continue Mikecr's suggestion:
access-list 101 permit gre any host 30.1.1.0
access-list 101 permit udp any host 30.1.1.0 eq 500
access-list 101 permit tcp any host 30.1.1.0 eq 1723

provided that 30.1.1.0 is your server, and you probably can't limit the source IPs, right?

LVL 79

Expert Comment

by:lrmoore
ID: 6339238
Just to add one more tidbit:
Using svindler's access list, apply it to the Serial interface inbound:

interface Serial0/0
 ip access-group 101 in

Do you have a static NAT map from your external IP address group to a private IP address in the DMZ?
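The access list above (svindler's three lines, applied inbound on the serial interface as lrmoore shows) run through a small evaluator, as an added example that is not code from the thread or from Cisco. IOS walks an extended ACL top to bottom, the first matching entry wins, and anything that matches no entry hits the implicit deny at the end of every ACL; the evaluator reproduces that and only understands the syntax those three lines use. The traffic is constructed (198.51.100.7 is a documentation address standing in for a dial-in client); 30.1.1.0 is the server address exactly as posted. One point the thread does not make: PPTP itself needs only TCP 1723 (control) and GRE, IP protocol 47 (data); UDP 500 is IKE, used by IPsec and L2TP/IPsec, so the second line is unnecessary if the server only speaks PPTP.

```python
"""Minimal model of how an IOS extended ACL evaluates inbound packets.

Added example, not from the thread or from Cisco. Supports only the
syntax used in the posted lines:
  access-list <n> permit|deny <proto> <src> <dst> [eq <port>]
where <src> and <dst> are 'any' or 'host A.B.C.D'.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# The ACL exactly as it appears in the thread (30.1.1.0 is the VPN server).
ACL_TEXT = """
access-list 101 permit gre any host 30.1.1.0
access-list 101 permit udp any host 30.1.1.0 eq 500
access-list 101 permit tcp any host 30.1.1.0 eq 1723
"""

PROTO_NUMBERS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47}


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None  # None for protocols without ports (GRE)


@dataclass(frozen=True)
class Ace:
    action: str
    proto: Optional[int]                   # None means 'ip' (any protocol)
    src: Optional[ipaddress.IPv4Address]   # None means 'any'
    dst: Optional[ipaddress.IPv4Address]
    dport: Optional[int]                   # None means no 'eq' clause

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src is not None and ipaddress.IPv4Address(pkt.src) != self.src:
            return False
        if self.dst is not None and ipaddress.IPv4Address(pkt.dst) != self.dst:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def _parse_addr(tokens: List[str], i: int):
    """Return (address or None for 'any', index of the next token)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Address(tokens[i + 1]), i + 2
    raise ValueError(f"unsupported address form: {tokens[i]}")


def parse_acl(text: str, number: int) -> List[Ace]:
    aces: List[Ace] = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", str(number)]:
            continue
        action, proto = tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            dport = int(tokens[i + 1])
        aces.append(Ace(action, PROTO_NUMBERS[proto], src, dst, dport))
    return aces


def evaluate(aces: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; no match at all is the implicit deny."""
    for ace in aces:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# Constructed traffic arriving from the Internet towards the DMZ.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "pptp control (tcp/1723)": Packet(6, "198.51.100.7", "30.1.1.0", 1723),
    "pptp data (gre)":         Packet(47, "198.51.100.7", "30.1.1.0"),
    "isakmp (udp/500)":        Packet(17, "198.51.100.7", "30.1.1.0", 500),
    "smb (tcp/445)":           Packet(6, "198.51.100.7", "30.1.1.0", 445),
    "gre to another dmz host": Packet(47, "198.51.100.7", "30.1.1.9"),
}


def run_samples() -> Dict[str, str]:
    """Verdict for each sample packet under access-list 101."""
    aces = parse_acl(ACL_TEXT, 101)
    return {name: evaluate(aces, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:26s} -> {verdict}")
```

Two caveats for anyone applying this on a real box. An ACL applied inbound on the outside interface also drops the replies to sessions that inside hosts open to the Internet, unless the IOS firewall's CBAC inspection (`ip inspect`) or explicit `established`/return entries let them in. And PPTP's MS-CHAPv2 authentication is known to be breakable offline, so exposing TCP 1723 to the whole Internet is a larger risk than the ACL alone suggests.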

Author Comment

by:Silas
ID: 6340452
The access-list 101 looks good; however, when I attempt to authenticate with the server from the Internet, I get a 650 error (unable to complete connection). The VPN server is statically NATted to 1723 and UDP 500. I can't statically NAT to GRE (at least I don't see a way to do that). Any ideas? Can I NAT/PAT a VPN server?
LVL 17

Expert Comment

by:mikecr
ID: 6341367
To my knowledge you can't NAT a VPN server because your beginning and end points need to be real, but don't quote me on that. If your endpoint is NATted, it will get stripped off when it gets un-NATted coming out.
LVL 11

Expert Comment

by:geoffryn
ID: 6341566
I agree with Mikecr.  That was the reason I asked where the VPN termination was taking place.   I was under the impression that you had to terminate the VPN on the firewall if you were doing NAT.  Anyone?
LVL 4

Expert Comment

by:svindler
ID: 6343730
At least for IPsec, it is possible to have the VPN server behind a NATting firewall. You just have to not authenticate the IP header, only the payload.
I don't know too much about pptp, but I was under the impression that it was even less demanding than IPSec with regards to firewall requirements.
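The NAT discussion above, as an added example that is not code from the thread or from Cisco. Silas describes static NAT entries for 1723 and UDP 500 and no way to add one for GRE. The model below, with assumed addresses (10.1.1.5 for the server in the DMZ, 30.1.1.0 for its outside address as the thread uses it), shows where that leaves the GRE data channel: an IOS static entry that names a protocol and port (`ip nat inside source static tcp ...`) can only ever match TCP or UDP, because the match is on a port number that GRE does not carry, whereas an address-only entry (`ip nat inside source static 10.1.1.5 30.1.1.0`) rewrites the address of every IP protocol, GRE included. The NAT lines and client packets are constructed for the example.

```python
"""Model of IOS static NAT: port-specific entry versus address-only entry.

Added example, not code from the thread or from Cisco. Addresses are
assumed: 10.1.1.5 is the VPN server's DMZ address and 30.1.1.0 the
outside address the thread uses for it.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

TCP, UDP, GRE = 6, 17, 47


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None  # GRE carries no port field


@dataclass(frozen=True)
class StaticNat:
    inside_local: str
    inside_global: str
    proto: Optional[int] = None  # None: address-only (1:1) entry
    port: Optional[int] = None

    @classmethod
    def from_ios(cls, line: str) -> "StaticNat":
        # ip nat inside source static tcp|udp LOCAL LPORT GLOBAL GPORT
        # ip nat inside source static LOCAL GLOBAL
        t = line.split()
        if t[:5] != ["ip", "nat", "inside", "source", "static"]:
            raise ValueError(f"not a static NAT entry: {line}")
        if t[5] in ("tcp", "udp"):
            proto = TCP if t[5] == "tcp" else UDP
            return cls(inside_local=t[6], inside_global=t[8],
                       proto=proto, port=int(t[7]))
        return cls(inside_local=t[5], inside_global=t[6])

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside-to-inside: rewrite the destination, or None if no match.

        A port-specific entry compares protocol and destination port, so a
        protocol without ports can never satisfy it.
        """
        if pkt.dst != self.inside_global:
            return None
        if self.proto is not None and (pkt.proto != self.proto
                                       or pkt.dport != self.port):
            return None
        return replace(pkt, dst=self.inside_local)


# What Silas describes: one entry per forwarded port, nothing for GRE.
PORT_ENTRIES = [
    "ip nat inside source static tcp 10.1.1.5 1723 30.1.1.0 1723",
    "ip nat inside source static udp 10.1.1.5 500 30.1.1.0 500",
]
# The address-only alternative: one entry, every IP protocol.
ONE_TO_ONE_ENTRIES = [
    "ip nat inside source static 10.1.1.5 30.1.1.0",
]


def build(lines: List[str]) -> List[StaticNat]:
    return [StaticNat.from_ios(line) for line in lines]


def pass_inbound(entries: List[StaticNat], pkt: Packet) -> Optional[Packet]:
    for entry in entries:
        out = entry.translate_inbound(pkt)
        if out is not None:
            return out
    return None  # untranslated: the packet never reaches the DMZ host


def delivered_to(entries: List[StaticNat], pkt: Packet) -> Optional[str]:
    out = pass_inbound(entries, pkt)
    return out.dst if out is not None else None


# Constructed PPTP client traffic arriving from the Internet.
CONTROL = Packet(TCP, "198.51.100.7", "30.1.1.0", 1723)
DATA = Packet(GRE, "198.51.100.7", "30.1.1.0")


def compare() -> Dict[str, Dict[str, Optional[str]]]:
    """Inside address each PPTP packet reaches under each NAT style."""
    result: Dict[str, Dict[str, Optional[str]]] = {}
    for name, lines in (("port-specific", PORT_ENTRIES),
                        ("address-only", ONE_TO_ONE_ENTRIES)):
        entries = build(lines)
        result[name] = {"tcp/1723": delivered_to(entries, CONTROL),
                        "gre": delivered_to(entries, DATA)}
    return result


if __name__ == "__main__":
    for style, verdicts in compare().items():
        print(style, verdicts)
```

Under the port-specific entries the control connection on TCP 1723 is delivered but the GRE packets are dropped untranslated, which is consistent with a tunnel that negotiates and then fails. The address-only entry carries both. Two further caveats: a 1:1 static entry exposes every port of the DMZ host, so the interface ACL above is what restricts it to 1723 and GRE; and more than one PPTP client behind a single translated address needs a PPTP-aware NAT that tracks GRE call IDs, which plain address translation does not do.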

Author Comment

by:Silas
ID: 6348457
Well, looks like this VPN won't work with NAT.  Nevertheless, this access list statement is correct.  Thanks for the help.