Solved

Allowing PPTP traffic through IOS firewall

Posted on 2001-07-27
Last Modified: 2008-03-17
I have a Cisco 3620 with the Firewall IOS.  I also have a MS VPN Server sitting behind it on a DMZ.  I want to allow only PPTP related traffic to this server.  I know I have to open port TCP 1723, but how do I allow protocol type 47 (GRE) and UDP 500?  If anyone has the command, please let me know.
Question by:Silas
LVL 11

Expert Comment

by:geoffryn
ID: 6327011
Are you trying to pass the GRE through the IOS firewall and terminate the VPN on an internal host, or use the IOS firewall as the VPN terminator?

Author Comment

by:Silas
ID: 6327021
I am trying to pass GRE through the IOS firewall to an internal host (2000 server).
LVL 17

Accepted Solution

by:mikecr (earned 24 total points)
ID: 6327435
You should be able to do this with an access list entry like:

access-list 101 permit gre host 20.1.1.0 host 30.1.1.0

If you're terminating at a 2000 server then you are probably passing DHCP to the client upon connection, correct? Use those IPs in your firewall setup.
LVL 4

Expert Comment

by:svindler
ID: 6338585
To continue Mikecr's suggestion:
access-list 101 permit gre any host 30.1.1.0
access-list 101 permit udp any host 30.1.1.0 eq 500
access-list 101 permit tcp any host 30.1.1.0 eq 1723

provided that 30.1.1.0 is your server. You probably can't limit the source IPs, right?
LVL 79

Expert Comment

by:lrmoore
ID: 6339238
Just to add one more tidbit:
Using svindler's access list, apply it to the Serial interface inbound:

Interface serial 0/0
 ip access-group 101 in

Do you have a static NAT map from your external IP address group to a private IP address in the DMZ?

Author Comment

by:Silas
ID: 6340452
The access-list 101 looks good; however, when I attempt to authenticate with the server from the Internet, I get a 650 error (unable to complete connection). The VPN server is statically NATed for TCP 1723 and UDP 500. I can't statically NAT GRE (at least I don't see a way to do that). Any ideas? Can I NAT/PAT a VPN server?
LVL 17

Expert Comment

by:mikecr
ID: 6341367
To my knowledge you can't NAT a VPN server because your beginning and end points need to be real, but don't quote me on that. If your endpoint is NATed, it will get stripped off when it gets un-NATed coming out.
LVL 11

Expert Comment

by:geoffryn
ID: 6341566
I agree with Mikecr.  That was the reason I asked where the VPN termination was taking place.   I was under the impression that you had to terminate the VPN on the firewall if you were doing NAT.  Anyone?
LVL 4

Expert Comment

by:svindler
ID: 6343730
At least for IPsec, it is possible to have the VPN server behind a NATing firewall. You just have to not authenticate the IP header, only the payload.
I don't know too much about pptp, but I was under the impression that it was even less demanding than IPSec with regards to firewall requirements.

Author Comment

by:Silas
ID: 6348457
Well, looks like this VPN won't work with NAT.  Nevertheless, this access list statement is correct.  Thanks for the help.
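The thread ends without a working NAT setup, so here is a complete IOS fragment as an added example. It is not the thread's own configuration and not what the poster had running; it combines svindler's access list and lrmoore's interface application with a NAT entry that does carry GRE. The addresses 192.168.1.10 (server's real DMZ address), 30.1.1.10 (its public address), 30.1.1.1, and the interface names Serial0/0 and FastEthernet0/1 are assumptions. Two facts drive the differences from the thread: GRE (IP protocol 47) has no ports, so a port-based `ip nat inside source static tcp ...` entry cannot describe it, while a plain one-to-one `ip nat inside source static` entry rewrites the IP header for every protocol, GRE included; and PPTP itself needs only TCP 1723 (control channel) plus GRE (data), since UDP 500 is IKE and matters only if the same box also terminates L2TP/IPsec.

```cisco
! Added example, not the thread's configuration. Assumed values:
!   192.168.1.10    = PPTP server's real (inside local) address on the DMZ
!   30.1.1.10       = public (inside global) address clients connect to
!   Serial0/0       = Internet-facing interface
!   FastEthernet0/1 = DMZ interface
!
! One-to-one static NAT translates every IP protocol, GRE included.
! A port-based entry such as
!   ip nat inside source static tcp 192.168.1.10 1723 30.1.1.10 1723
! only covers TCP/UDP and cannot carry the GRE tunnel, which is why a
! PPTP client gets past the TCP 1723 handshake and then fails.
ip nat inside source static 192.168.1.10 30.1.1.10
!
! Inbound ACL on the Internet-facing interface. IOS evaluates an inbound
! ACL before outside-to-inside NAT, so it must match the public address.
! PPTP needs only TCP 1723 (control) and GRE, IP protocol 47 (data).
access-list 101 permit tcp any host 30.1.1.10 eq 1723
access-list 101 permit gre any host 30.1.1.10
! UDP 500 (IKE, keyword "isakmp") is not part of PPTP; enable this line
! only if the same server also terminates L2TP/IPsec.
! access-list 101 permit udp any host 30.1.1.10 eq isakmp
! Everything else is dropped by the implicit deny; logging it explicitly
! makes the drops visible in "show logging".
access-list 101 deny ip any any log
!
interface Serial0/0
 ip address 30.1.1.1 255.255.255.0
 ip nat outside
 ip access-group 101 in
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
```

To check it, bring up a PPTP session from outside and run `show access-lists 101`: both the TCP 1723 and the GRE lines should show rising match counts. `show ip nat translations` should list the static 192.168.1.10 to 30.1.1.10 mapping plus a GRE entry once the tunnel is up. A separate caveat: this only solves the firewall side; PPTP with MS-CHAP authentication has since been shown to be cryptographically weak, so a modern deployment should prefer another VPN protocol regardless of how the ACL is written.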