

Trying to setup PPTP VPN on a Cisco 2620 Router

Posted on 2003-11-04
Medium Priority
Last Modified: 2012-06-27
Here is the version and configuration of our router:

IOS (tm) C2600 Software (C2600-IO3S56I-M), Version 12.1(17), RELEASE SOFTWARE (f
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Tue 03-Sep-02 22:23 by kellythw
Image text-base: 0x80008088, data-base: 0x80E63DF8

ROM: System Bootstrap, Version 12.2(10r)1, RELEASE SOFTWARE (fc1)

Cisco2610 uptime is 4 days, 17 hours, 40 minutes
System returned to ROM by reload
System image file is "flash:c2600-io3s56i-mz.121-17.bin"

cisco 2610 (MPC860) processor (revision 0x00) with 53248K/12288K bytes of memory
Processor board ID JAD06430CCO (2148467848)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
2 Ethernet/IEEE 802.3 interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102


version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname Cisco2610
ip subnet-zero
no ip domain-lookup
ip audit notify log
ip audit po max-events 100
crypto isakmp policy 1
 hash md5
 authentication pre-sha
crypto isakmp key cdstos107ffbavpn address 204.116.XX.XX
crypto ipsec transform-set cds-set esp-des esp-md5-hmac
crypto map cds-map 1 ipsec-isakmp
 set peer 204.116.XX.XX
 set transform-set cds-set
 match address 115
interface Ethernet0/0
 description connected to EthernetLAN
 ip address
 ip nat inside
interface Ethernet1/0
 description connected to Internet
 ip address 207.144.XX.XX
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 crypto map cds-map
router rip
 version 2
 passive-interface Ethernet1/0
 no auto-summary
ip nat inside source route-map nonat interface Ethernet1/0 overload
ip nat inside source static tcp 3389 207.144.YY.YY 3389 extendable

ip classless
ip route Ethernet1/0
ip route 204.116.XX.XX
no ip http server
access-list 1 permit
access-list 102 permit ip any
access-list 102 permit tcp 10.166.20
access-list 102 permit udp any
access-list 102 permit icmp any
access-list 110 permit udp host 207.144.XX.XX host 204.116.XX.XX eq isakmp
access-list 110 permit udp host 204.116.XX.XX host 207.114.XX.XX eq isakmp
access-list 111 deny   ip
access-list 111 permit ip any
access-list 115 permit ip
route-map nonat permit 10
 match ip address 111

As you can see we currently do NAT and have an IPSEC VPN between remote offices. We want to allow users to VPN into our network through this router by NAT'ing to a Windows 2000 VPN server using PPTP (we do not have IPSec configured on the domain). Is this possible? Will the firmware for the router need to be updated? What configuration commands would be needed to allow the GRE and 1723 traffic? We have already NAT'ted over the 3389 port so we can use Terminal Services, but I can't get authenticated from the 2000 VPN server.

Thanks very much in advance!

Question by:scowat
LVL 79

Accepted Solution

lrmoore earned 1000 total points
ID: 9681543
You cannot do it if the only IP address you have is the outside interface of the router.
You need a 1-1 static nat to a public IP address.

Microsoft's story:
PPTP traffic consists of a TCP connection for tunnel maintenance and GRE encapsulation for tunneled data. The TCP connection is NAT-translatable because the source TCP port numbers can be transparently translated. However, the GRE-encapsulated data is not NAT-translatable

From Cisco documentation:
Because the connection is initiated as TCP on one port and the response is GRE protocol, it is necessary to configure ACLs to allow the return traffic into the PIX, as the PIX Adaptive Security Algorithm (ASA) does not know the traffic flows are related. PPTP through the PIX with NAT (one-to-one address mapping) works because the PIX uses the port information in the TCP or User Datagram Protocol (UDP) header to keep track of translation. PPTP through the PIX with Port Address Translation (PAT) does not work because there is no concept of ports in GRE.


Author Comment

ID: 9682455
Sorry, I am not clear on this. Can you elaborate? Specifically:

 - What do you mean the 'only IP address you have is the outside interface of the router'?

 - Does Microsoft's 'story' imply that a PPTP VPN through NAT is not possible?

 - Why does the Cisco documentation keep referencing PIX? Isn't that a firewall product? We don't have that installed; do the concepts still apply?

 - In order to accomplish our goals of allowing users to VPN into the network, should we configure an IPSec policy for the domain and use L2TP to the Windows 2000 VPN server? Does our router support this using IOS 12.1?

 - Is there an easier way to accomplish remote client VPN connectivity?

Thank you very much for your assistance.


LVL 79

Assisted Solution

lrmoore earned 1000 total points
ID: 9682724
If the only IP address you get from the ISP is the one that gets assigned to the outside interface of the router, then you are using PAT, not NAT for address translation.
That's what this command does for you:
>ip nat inside source route-map nonat interface Ethernet1/0 overload
You need at least one more ip address in the 207.144.XX.XX subnet and create a static 1-1 nat, i.e.:
Assuming PPTP server =
Assuming 207.144.XX.yy is another IP address available to you that is not the same as the interface address:

ip nat inside source static 207.144.xx.yy

- Microsoft story, it will not work over PAT, but it will work over NAT (with 1-1 nat)
- Cisco's story is the same. PIX or router, same difference. Just reinforces the idea that it won't work over PAT, but it will with 1-1 NAT

Is there an easier way? Personal opinion, I don't care for Microsoft PPTP. I would never suggest one of my customers use it. I would put in a device that is designed specifically for that purpose. IPSEC is much more secure than PPTP. Cisco VPN concentrator, Cisco PIX FW, and others that I'm less familiar with like SonicWall and Adtran NetVanta 2000 series.
Depends on your budget, but the Adtran is promising at a very competitive price point.
PIX is pretty competitive and is my favorite. Piece of cake to setup and use.
I've heard the SonicWall is just as easy to set up.
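The point lrmoore makes above, that PPTP's GRE leg has no port for an overload (PAT) rule to match while a static 1-1 translation rewrites the whole address regardless of protocol, can be modelled in a few lines. This is an added illustration, not code from the thread or from Cisco; the addresses, the hypothetical `translate_inbound` function and the rule classes are all constructed for the example.

```python
"""Model of inbound NAT on the router: port-forward (PAT) rules versus a static 1-1 mapping."""
from dataclasses import dataclass, replace
from typing import Optional

TCP, GRE = 6, 47  # IP protocol numbers: PPTP control is TCP/1723, tunnelled data is GRE


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None  # GRE carries no port numbers, so this stays None


@dataclass(frozen=True)
class PortForward:
    """Shape of 'ip nat inside source static tcp <port> <outside> <port>' (the 3389 rule)."""
    proto: int
    outside: str
    port: int
    inside: str


@dataclass(frozen=True)
class StaticNat:
    """Shape of 'ip nat inside source static <inside> <outside>': whole address, any protocol."""
    outside: str
    inside: str


def translate_inbound(rules, pkt):
    """Rewrite the destination to the inside host, or return None when no rule can match."""
    for rule in rules:
        if isinstance(rule, StaticNat) and pkt.dst == rule.outside:
            return replace(pkt, dst=rule.inside)
        if (isinstance(rule, PortForward) and pkt.dst == rule.outside
                and pkt.proto == rule.proto and pkt.dport == rule.port):
            return replace(pkt, dst=rule.inside)
    return None  # a GRE packet never has a dport, so it can never satisfy a PortForward


# Constructed addresses: ROUTER stands in for Ethernet1/0, SPARE for the extra public IP.
ROUTER, SPARE, VPN_SERVER, CLIENT = "207.144.0.1", "207.144.0.2", "10.0.0.5", "198.51.100.7"
pat_only = [PortForward(TCP, ROUTER, 1723, VPN_SERVER)]  # all PAT can express for PPTP
one_to_one = [StaticNat(SPARE, VPN_SERVER)]


def pptp_reaches_server(rules, public_ip):
    """True only if both PPTP legs (TCP/1723 control and GRE data) reach the VPN server."""
    legs = (Packet(TCP, CLIENT, public_ip, 1723), Packet(GRE, CLIENT, public_ip))
    return all((t := translate_inbound(rules, p)) is not None and t.dst == VPN_SERVER for p in legs)
```

Running `pptp_reaches_server(pat_only, ROUTER)` gives False because the GRE leg is dropped, while `pptp_reaches_server(one_to_one, SPARE)` gives True.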


Author Comment

ID: 9686139
Thanks! We do have the availability of additional 'true' IP addresses. Your previous answer made sense to me and I have just a couple more clarifying questions:

 - Do I assign the secondary IP address to the Ethernet1/0 (external) interface? If not, how will it respond to traffic destined for that IP address (or the NAT'ed VPN server)?

 - Is the command you provided all I should need to have NAT 1-1 connectivity to VPN server? (ip nat inside source static 207.144.xx.yy)

I plan on testing this today and really appreciate your help.


