Solved

Allowing PPTP traffic through IOS firewall

Posted on 2001-07-27
10
415 Views
Last Modified: 2008-03-17
I have a Cisco 3620 with the Firewall IOS.  I also have a MS VPN Server sitting behind it on a DMZ.  I want to allow only PPTP related traffic to this server.  I know I have to open port TCP 1723, but how do I allow protocol type 47 (GRE) and UDP 500?  If anyone has the command, please let me know.
Question by:Silas
10 Comments
 
LVL 11

Expert Comment

by:geoffryn
ID: 6327011
Are you trying to pass the GRE through the IOS firewall and terminate the VPN on an internal host, or use the IOS firewall as the VPN terminator?
0
 

Author Comment

by:Silas
ID: 6327021
I am trying to pass GRE through the IOS FireWall to an Internal host (2000 server)
0
 
LVL 17

Accepted Solution

by:mikecr (earned 8 total points)
ID: 6327435
You should be able to do this with an access list entry like:

access-list 101 permit gre host 20.1.1.0 host 30.1.1.0

If you're terminating at a 2000 server then you are probably passing DHCP to the client upon connection, correct? Use those IPs in your firewall setup.
0
 
LVL 4

Expert Comment

by:svindler
ID: 6338585
To continue Mikecr's suggestion:
access-list 101 permit gre any host 30.1.1.0
access-list 101 permit udp any host 30.1.1.0 eq 500
access-list 101 permit tcp any host 30.1.1.0 eq 1723

provided that 30.1.1.0 is your server, and you probably can't limit the source IPs, right?

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 6339238
Just to add one more tidbit:
Using svindler's access list, apply it to the Serial interface inbound:

Interface serial 0/0
 ip access-group 101 in

Do you have a static NAT map from your external IP address group to a private IP address in the DMZ?
0
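To see exactly which flows the access list above lets through once it is applied inbound on the serial interface, here is an added example that is not part of the thread: a small Python model of IOS extended-ACL semantics (top-down, first match wins, implicit deny at the end) that parses the three entries svindler posted and evaluates constructed sample packets against them. It only understands the syntax subset used in this thread (any / host / address-plus-wildcard, the gre/tcp/udp/ip keywords, and an optional `eq <port>`); the client address 198.51.100.7 and the second DMZ host 30.1.1.5 are constructed values, and 30.1.1.0 is the server address the thread uses.

```python
"""Added example: evaluate the thread's PPTP access list against sample flows.

Models Cisco IOS extended ACL semantics (first match wins, implicit deny) for
the syntax subset used in this thread. Not the router's own code.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

# IP protocol numbers for the keywords used above; None means "any protocol"
PROTO_NUMBERS = {"ip": None, "tcp": 6, "udp": 17, "gre": 47}


@dataclass(frozen=True)
class Packet:
    proto: int                    # IP protocol number (47 = GRE)
    src: str
    dst: str
    dport: Optional[int] = None   # GRE carries no port, so None is legitimate


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: Optional[int]          # None matches any IP protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None matches any destination port


def _parse_addr(tokens: List[str]):
    """Consume one source/destination spec; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # "address wildcard" form: an IOS wildcard is the bitwise inverse of a netmask
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)
    net = ipaddress.ip_network((tokens[0], str(netmask)), strict=False)
    return net, tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <n> permit|deny <proto> <src> <dst> [eq <port>]'."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    proto = PROTO_NUMBERS[tokens[3]]
    src, rest = _parse_addr(tokens[4:])
    dst, rest = _parse_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    if dport is not None and proto not in (6, 17):
        # A port qualifier is meaningless on GRE; IOS would reject it too
        raise ValueError("port qualifiers only apply to tcp/udp")
    return Ace(tokens[2], proto, src, dst, dport)


def matches(ace: Ace, pkt: Packet) -> bool:
    """True when every field of the entry matches the packet."""
    if ace.proto is not None and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Top-down, first match wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"


def pptp_acl(server: str) -> List[Ace]:
    """The three entries from the thread, parameterised on the server address."""
    return [parse_ace(line) for line in (
        f"access-list 101 permit gre any host {server}",
        f"access-list 101 permit udp any host {server} eq 500",
        f"access-list 101 permit tcp any host {server} eq 1723",
    )]


if __name__ == "__main__":
    acl = pptp_acl("30.1.1.0")
    # Constructed sample flows as they would arrive inbound on serial 0/0
    flows = {
        "GRE tunnel to VPN server":  Packet(47, "198.51.100.7", "30.1.1.0"),
        "PPTP control (TCP/1723)":   Packet(6, "198.51.100.7", "30.1.1.0", 1723),
        "IKE (UDP/500)":             Packet(17, "198.51.100.7", "30.1.1.0", 500),
        "HTTP to VPN server":        Packet(6, "198.51.100.7", "30.1.1.0", 80),
        "GRE to another DMZ host":   Packet(47, "198.51.100.7", "30.1.1.5"),
    }
    for name, pkt in flows.items():
        print(f"{name:28} -> {evaluate(acl, pkt)}")
```

The last two flows show the effect of the implicit deny: anything not covered by the three entries, including GRE aimed at a different DMZ host, is dropped on the inbound interface, which is the behaviour you want when the list is meant to expose only the PPTP server.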
 

Author Comment

by:Silas
ID: 6340452
The access-list 101 looks good, however, when I attempt to authenticate with the server from the Internet, I get a 650 error (unable to complete connection).  The VPN server is statically NATted to 1723 and UDP 500.  I can't statically NAT to GRE (at least I don't see a way to do that).  Any ideas?  Can I NAT/PAT a VPN server?
0
 
LVL 17

Expert Comment

by:mikecr
ID: 6341367
To my knowledge you can't NAT a VPN server because your beginning and end points need to be real, but don't quote me on that. If your endpoint is NATted, it will get stripped off when it gets un-NATted coming out.
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 6341566
I agree with Mikecr. That was the reason I asked where the VPN termination was taking place. I was under the impression that you had to terminate the VPN on the firewall if you were doing NAT. Anyone?
0
 
LVL 4

Expert Comment

by:svindler
ID: 6343730
At least for IPSec, it is possible to have the VPN server behind a NATting firewall. You just have to not authenticate the IP header, only the payload.
I don't know too much about PPTP, but I was under the impression that it was even less demanding than IPSec with regards to firewall requirements.
0
 

Author Comment

by:Silas
ID: 6348457
Well, looks like this VPN won't work with NAT.  Nevertheless, this access list statement is correct.  Thanks for the help.
0
