Solved

Allowing PPTP traffic through IOS firewall

Posted on 2001-07-27
426 Views
Last Modified: 2008-03-17
I have a Cisco 3620 with the Firewall IOS.  I also have a MS VPN Server sitting behind it on a DMZ.  I want to allow only PPTP related traffic to this server.  I know I have to open port TCP 1723, but how do I allow protocol type 47 (GRE) and UDP 500?  If anyone has the command, please let me know.
Question by: Silas
10 Comments
 
LVL 11

Expert Comment

by: geoffryn
ID: 6327011
Are you trying to pass the GRE through the IOS firewall and terminate the VPN on an internal host, or use the IOS firewall as the VPN terminator?
 

Author Comment

by: Silas
ID: 6327021
I am trying to pass GRE through the IOS FireWall to an Internal host (2000 server)
 
LVL 17

Accepted Solution

by: mikecr (earned 8 total points)
ID: 6327435
You should be able to do this with an access list entry like:

access-list 101 permit gre host 20.1.1.0 host 30.1.1.0

If you're terminating at a 2000 server then you are probably passing DHCP to the client upon connection, correct? Use those IPs in your firewall setup.
 
LVL 4

Expert Comment

by: svindler
ID: 6338585
To continue Mikecr's suggestion:
access-list 101 permit gre any host 30.1.1.0
access-list 101 permit udp any host 30.1.1.0 eq 500
access-list 101 permit tcp any host 30.1.1.0 eq 1723

provided that 30.1.1.0 is your server, and you probably can't limit the source IPs, right?
 
LVL 79

Expert Comment

by: lrmoore
ID: 6339238
Just to add one more tidbit:
Using svindler's access list, apply it to the Serial interface inbound:

Interface serial 0/0
 ip access-group 101 in

Do you have a static NAT map from your external IP address group to a private IP address in the DMZ?
 

Author Comment

by: Silas
ID: 6340452
The access-list 101 looks good; however, when I attempt to authenticate with the server from the Internet, I get a 650 error (unable to complete connection).  The VPN server is statically NATted to 1723 and UDP 500.  I can't statically NAT to GRE (at least I don't see a way to do that).  Any ideas?  Can I NAT/PAT a VPN server?
 
LVL 17

Expert Comment

by: mikecr
ID: 6341367
To my knowledge you can't NAT a VPN server because your beginning and end points need to be real, but don't quote me on that. If your endpoint is NATted, it will get stripped off when it gets un-NATted coming out.
 
LVL 11

Expert Comment

by: geoffryn
ID: 6341566
I agree with Mikecr.  That was the reason I asked where the VPN termination was taking place.   I was under the impression that you had to terminate the VPN on the firewall if you were doing NAT.  Anyone?
 
LVL 4

Expert Comment

by: svindler
ID: 6343730
At least for IPSec, it is possible to have the VPN server behind a NATting firewall. You just have to not authenticate the IP header, only the payload.
I don't know too much about PPTP, but I was under the impression that it was even less demanding than IPSec with regards to firewall requirements.
 

Author Comment

by: Silas
ID: 6348457
Well, looks like this VPN won't work with NAT.  Nevertheless, this access list statement is correct.  Thanks for the help.
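Editor's note, added to the thread and not posted by any participant: the pieces above (svindler's access list, lrmoore's inbound application, the NAT question) fit together as the configuration below. It is an added example, not configuration from the thread, and its addresses are assumed: 203.0.113.10 stands in for the public address the clients dial (the thread's 30.1.1.0), 192.168.10.5 for the Windows 2000 RRAS server in the DMZ, and the interface names are illustrative. Two points the thread leaves implicit: PPTP itself needs only TCP 1723 and GRE (IP protocol 47); UDP 500 is IKE and only matters if the same server also terminates L2TP/IPsec. And GRE has no port numbers, so a per-port static NAT entry (the `static tcp ... 1723` form the question describes) translates the control connection but never the tunnel packets; a one-to-one static entry for the whole address translates GRE along with everything else.

```cisco
! Added example, not from the thread. Assumed addresses:
!   203.0.113.10 = public address clients dial (outside, Serial0/0)
!   192.168.10.5 = Windows 2000 RRAS/PPTP server in the DMZ (inside)
!
! 1. Permit only the VPN server's traffic in from the Internet.
!    An inbound ACL on the outside interface is evaluated before
!    outside-to-inside NAT, so it matches the PUBLIC address.
access-list 101 remark -- PPTP (and optional IKE) to the RRAS server --
access-list 101 permit tcp any host 203.0.113.10 eq 1723
access-list 101 permit gre any host 203.0.113.10
access-list 101 permit udp any host 203.0.113.10 eq 500
access-list 101 deny   ip any any log
!
! 2. One-to-one static NAT for the whole address. A per-port entry such as
!    "ip nat inside source static tcp 192.168.10.5 1723 203.0.113.10 1723"
!    maps TCP 1723 only; GRE has no port, so the tunnel packets are dropped
!    and the client fails right after authentication.
ip nat inside source static 192.168.10.5 203.0.113.10
!
interface Serial0/0
 description Internet
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
 ip access-group 101 in
!
interface FastEthernet0/1
 description DMZ
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! 3. Checks after a client dials in:
!    show access-lists 101      - match counters on the tcp 1723 AND gre lines
!    show ip nat translations   - a gre entry and a tcp 1723 entry for 192.168.10.5
!    debug ip packet 101        - lab use only; shows the individual packets if
!                                 the gre counter stays at zero
```

If `show access-lists 101` shows hits on the TCP 1723 line but none on the GRE line, the client is being blocked upstream or is itself behind a NAT device that does not pass GRE; if both lines count up but `show ip nat translations` has no GRE entry, the NAT statement is still the per-port form.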
