
Trying to setup PPTP VPN on a Cisco 2620 Router

Posted on 2003-11-04
Last Modified: 2012-06-27
Hello,
Here is the version and configuration of our router:

IOS (tm) C2600 Software (C2600-IO3S56I-M), Version 12.1(17), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Tue 03-Sep-02 22:23 by kellythw
Image text-base: 0x80008088, data-base: 0x80E63DF8

ROM: System Bootstrap, Version 12.2(10r)1, RELEASE SOFTWARE (fc1)

Cisco2610 uptime is 4 days, 17 hours, 40 minutes
System returned to ROM by reload
System image file is "flash:c2600-io3s56i-mz.121-17.bin"

cisco 2610 (MPC860) processor (revision 0x00) with 53248K/12288K bytes of memory.
Processor board ID JAD06430CCO (2148467848)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
2 Ethernet/IEEE 802.3 interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

================================

version 12.1            
no service single-slot-reload-enable                                    
service timestamps debug uptime                              
service timestamps log uptime                            
service password-encryption                          
!
hostname Cisco2610                  
!
ip subnet-zero              
no ip domain-lookup                  
!
ip audit notify log                  
ip audit po max-events 100                          
!
!
crypto isakmp policy 1                      
 hash md5        
 authentication pre-share
crypto isakmp key cdstos107ffbavpn address 204.116.XX.XX                                                  
!
!
crypto ipsec transform-set cds-set esp-des esp-md5-hmac                                                      
!
crypto map cds-map 1 ipsec-isakmp                                
 set peer 204.116.XX.XX                      
 set transform-set cds-set                          
 match address 115                  
!
!
interface Ethernet0/0                    
 description connected to EthernetLAN                                    
 ip address 192.168.131.5 255.255.255.0                                      
 ip nat inside              
 half-duplex            
!
interface Ethernet1/0                    
 description connected to Internet                                  
 ip address 207.144.XX.XX 255.255.255.0                                      
 ip nat outside              
 no ip route-cache                  
 no ip mroute-cache                  
 half-duplex
 crypto map cds-map                  
!
router rip          
 version 2          
 passive-interface Ethernet1/0                              
 network 192.168.131.0                      
 no auto-summary                
!
ip nat inside source route-map nonat interface Ethernet1/0 overload                                                                  
ip nat inside source static tcp 192.168.131.1 3389 207.144.YY.YY 3389 extendable                                                                                

ip classless            
ip route 0.0.0.0 0.0.0.0 Ethernet1/0                                    
ip route 10.166.203.0 255.255.255.0 204.116.XX.XX                                                
no ip http server                
!
access-list 1 permit 192.168.131.0 0.0.0.255                                            
access-list 102 permit ip 10.166.203.0 0.0.0.255 any                                                    
access-list 102 permit tcp 10.166.20                                  
access-list 102 permit udp 10.166.203.0 0.0.0.255 any                                                    
access-list 102 permit icmp 10.166.203.0 0.0.0.255 any                                                      
access-list 110 permit udp host 207.144.XX.XX host 204.116.XX.XX eq isakmp      
access-list 110 permit udp host 204.116.XX.XX host 207.114.XX.XX eq isakmp
access-list 111 deny   ip 192.168.131.0 0.0.0.255 10.166.203.0 0.0.0.255
access-list 111 permit ip 192.168.131.0 0.0.0.255 any
access-list 115 permit ip 192.168.131.0 0.0.0.255 10.166.203.0 0.0.0.255
route-map nonat permit 10
 match ip address 111


As you can see we currently do NAT and have an IPSEC VPN between remote offices. We want to allow users to VPN into our network through this router by NAT'ing to a Windows 2000 VPN server using PPTP (we do not have IPSec configured on the domain). Is this possible? Will the firmware for the router need to be updated? What configuration commands would be needed to allow the GRE and 1723 traffic? We have already NAT'ted over the 3389 port so we can use Terminal Services, but I can't get authenticated from the 2000 VPN server.

Thanks very much in advance!

ScoWat
Question by:scowat
4 Comments
 

Accepted Solution

by: lrmoore
ID: 9681543
You cannot do it if the only IP address you have is the outside interface of the router.
You need a 1-1 static nat to a public IP address.

Microsoft's story:
PPTP traffic consists of a TCP connection for tunnel maintenance and GRE encapsulation for tunneled data. The TCP connection is NAT-translatable because the source TCP port numbers can be transparently translated. However, the GRE-encapsulated data is not NAT-translatable

From Cisco documentation:
Because the connection is initiated as TCP on one port and the response is GRE protocol, it is necessary to configure ACLs to allow the return traffic into the PIX, as the PIX Adaptive Security Algorithm (ASA) does not know the traffic flows are related. PPTP through the PIX with NAT (one-to-one address mapping) works because the PIX uses the port information in the TCP or User Datagram Protocol (UDP) header to keep track of translation. PPTP through the PIX with Port Address Translation (PAT) does not work because there is no concept of ports in GRE.


Author Comment

by:scowat
ID: 9682455
Sorry, I am not clear on this. Can you elaborate? Specifically:

 - What do you mean the 'only IP address you have is the outside interface of the router'?

 - Does Microsoft's 'story' imply that a PPTP VPN through NAT is not possible?

 - Why does the Cisco documentation keep referencing PIX? Isn't that a firewall product? We don't have that installed; do the concepts still apply?

 - In order to accomplish our goal of allowing users to VPN into the network, should we configure an IPSec policy for the domain and use L2TP to the Windows 2000 VPN server? Does our router support this using IOS 12.1?

 - Is there an easier way to accomplish remote client VPN connectivity?

Thank you very much for your assistance.

Sincerely,

ScoWat

Assisted Solution

by:lrmoore
ID: 9682724
If the only IP address you get from the ISP is the one that gets assigned to the outside interface of the router, then you are using PAT, not NAT for address translation.
That's what this command does for you:
>ip nat inside source route-map nonat interface Ethernet1/0 overload
 
You need at least one more ip address in the 207.144.XX.XX subnet and create a static 1-1 nat, i.e.:
Assuming PPTP server = 192.168.131.16
Assuming 207.144.XX.yy is another IP address available to you that is not the same as the interface address:

ip nat inside source static 192.168.131.16 207.144.xx.yy

- Microsoft story, it will not work over PAT, but it will work over NAT (with 1-1 nat)
- Cisco's story is the same. PIX or router, same difference. Just reinforces the idea that it won't work over PAT, but it will with 1-1 NAT

Is there an easier way? Personal opinion, I don't care for Microsoft PPTP. I would never suggest one of my customers use it. I would put in a device that is designed specifically for that purpose. IPSEC is much more secure than PPTP. Cisco VPN concentrator, Cisco PIX FW, and others that I'm less familiar with like SonicWall and Adtran NetVanta 2000 series.
Depends on your budget, but the Adtran is promising at a very competitive price point.
PIX is pretty competitive and is my favorite. Piece of cake to setup and use.
I've heard the SonicWall is just as easy to set up.

 
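The NAT-versus-PAT distinction lrmoore draws in the two answers above, as an added example that is not part of the thread and not anyone's posted configuration: a small Python model of how a router matches inbound packets against a TCP/UDP port-forward entry (the style of the thread's 3389 line on an overloaded outside address) versus a one-to-one static NAT entry. PPTP needs both a TCP 1723 control connection and GRE data packets to reach the server; GRE has no port field, so a port-keyed translation has nothing to match and the packet is dropped, while an address-keyed static NAT passes it. The addresses are constructed placeholders (203.0.113.x and 198.51.100.x documentation ranges stand in for the thread's 207.144.XX.XX / YY.YY), and 192.168.131.16 is the inside server address lrmoore assumed.

```python
"""
Added example (not from the thread): a model of inbound translation on a NAT
router, contrasting a port-forward on the outside interface address (PAT) with
a static one-to-one NAT to a spare public address, for the two PPTP flows.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# IP protocol numbers
TCP, UDP, GRE = 6, 17, 47


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for protocols without ports (GRE)
    dport: Optional[int] = None


@dataclass
class NatConfig:
    # "ip nat inside source static tcp <in> <port> <out> <port>": TCP/UDP only,
    # keyed on (proto, outside address, outside port).
    port_forwards: Dict[Tuple[int, str, int], Tuple[str, int]]
    # "ip nat inside source static <in> <out>": any protocol, keyed on address.
    static_nat: Dict[str, str]


def translate_inbound(pkt: Packet, cfg: NatConfig) -> Optional[Packet]:
    """Translate an Internet->LAN packet, or return None when nothing matches
    (an inbound packet for the router's own address with no translation is
    simply not forwarded)."""
    # One-to-one static NAT matches on destination address alone, so it works
    # for any protocol, with or without ports.
    if pkt.dst in cfg.static_nat:
        return replace(pkt, dst=cfg.static_nat[pkt.dst])
    # A port-forward entry can only be looked up when the packet carries a
    # destination port; GRE never does, so it falls through to None.
    if pkt.dport is not None:
        key = (pkt.proto, pkt.dst, pkt.dport)
        if key in cfg.port_forwards:
            in_ip, in_port = cfg.port_forwards[key]
            return replace(pkt, dst=in_ip, dport=in_port)
    return None


# Constructed addresses (placeholders, not the thread's real ones)
PPTP_SERVER = "192.168.131.16"   # inside server address lrmoore assumed
OUTSIDE_IF = "203.0.113.1"       # router's Ethernet1/0 address (the PAT address)
SPARE_IP = "203.0.113.16"        # spare public address used for 1:1 static NAT
CLIENT = "198.51.100.7"          # remote PPTP client on the Internet


def pptp_flows(server_public_ip: str):
    """The two inbound flows a PPTP client sends: TCP 1723 control, GRE data."""
    return [
        Packet(TCP, CLIENT, server_public_ip, sport=49152, dport=1723),
        Packet(GRE, CLIENT, server_public_ip),
    ]


def pat_with_port_forward():
    """Only the interface address is available: forward TCP 1723 on it."""
    cfg = NatConfig(
        port_forwards={(TCP, OUTSIDE_IF, 1723): (PPTP_SERVER, 1723)},
        static_nat={},
    )
    return [translate_inbound(p, cfg) for p in pptp_flows(OUTSIDE_IF)]


def static_one_to_one():
    """A second public address is available: static 1:1 NAT to the server."""
    cfg = NatConfig(port_forwards={}, static_nat={SPARE_IP: PPTP_SERVER})
    return [translate_inbound(p, cfg) for p in pptp_flows(SPARE_IP)]


if __name__ == "__main__":
    for name, fn in (("PAT + TCP/1723 forward", pat_with_port_forward),
                     ("static 1:1 NAT", static_one_to_one)):
        control, data = fn()
        print(f"{name}: control={'ok' if control else 'DROP'} "
              f"gre={'ok' if data else 'DROP'}")
```

Running it shows the control connection succeeding in both cases and the GRE flow passing only through the static one-to-one entry, which is the behaviour the Microsoft and Cisco quotations describe: the TCP side is translatable because it has ports, the GRE side is not.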
 

Author Comment

by:scowat
ID: 9686139
Thanks! We do have the availability of additional 'true' IP addresses. Your previous answer made sense to me and I have just a couple more clarifying questions:

 - Do I assign the secondary IP address to the Ethernet1/0 (external) interface? If not, how will it respond to traffic destined for that IP address (or the NAT'ed VPN server)?

 - Is the command you provided all I should need to have NAT 1-1 connectivity to VPN server? (ip nat inside source static 192.168.131.16 207.144.xx.yy)

I plan on testing this today and really appreciate your help.

Sincerely,

ScoWat
