Solved

Trying to setup PPTP VPN on a Cisco 2620 Router

Posted on 2003-11-04
Last Modified: 2012-06-27
Hello,
Here is the version and configuration of our router:

IOS (tm) C2600 Software (C2600-IO3S56I-M), Version 12.1(17), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Tue 03-Sep-02 22:23 by kellythw
Image text-base: 0x80008088, data-base: 0x80E63DF8

ROM: System Bootstrap, Version 12.2(10r)1, RELEASE SOFTWARE (fc1)

Cisco2610 uptime is 4 days, 17 hours, 40 minutes
System returned to ROM by reload
System image file is "flash:c2600-io3s56i-mz.121-17.bin"

cisco 2610 (MPC860) processor (revision 0x00) with 53248K/12288K bytes of memory.
Processor board ID JAD06430CCO (2148467848)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
2 Ethernet/IEEE 802.3 interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

================================

version 12.1            
no service single-slot-reload-enable                                    
service timestamps debug uptime                              
service timestamps log uptime                            
service password-encryption                          
!
hostname Cisco2610                  
!
ip subnet-zero              
no ip domain-lookup                  
!
ip audit notify log                  
ip audit po max-events 100                          
!
!
crypto isakmp policy 1                      
 hash md5        
 authentication pre-share
crypto isakmp key cdstos107ffbavpn address 204.116.XX.XX                                                  
!
!
crypto ipsec transform-set cds-set esp-des esp-md5-hmac                                                      
!
crypto map cds-map 1 ipsec-isakmp                                
 set peer 204.116.XX.XX                      
 set transform-set cds-set                          
 match address 115                  
!
!
interface Ethernet0/0                    
 description connected to EthernetLAN                                    
 ip address 192.168.131.5 255.255.255.0                                      
 ip nat inside              
 half-duplex            
!
interface Ethernet1/0                    
 description connected to Internet                                  
 ip address 207.144.XX.XX 255.255.255.0                                      
 ip nat outside              
 no ip route-cache                  
 no ip mroute-cache                  
 half-duplex
 crypto map cds-map                  
!
router rip          
 version 2          
 passive-interface Ethernet1/0                              
 network 192.168.131.0                      
 no auto-summary                
!
ip nat inside source route-map nonat interface Ethernet1/0 overload                                                                  
ip nat inside source static tcp 192.168.131.1 3389 207.144.YY.YY 3389 extendable                                                                                

ip classless            
ip route 0.0.0.0 0.0.0.0 Ethernet1/0                                    
ip route 10.166.203.0 255.255.255.0 204.116.XX.XX                                                
no ip http server                
!
access-list 1 permit 192.168.131.0 0.0.0.255                                            
access-list 102 permit ip 10.166.203.0 0.0.0.255 any                                                    
access-list 102 permit tcp 10.166.20                                  
access-list 102 permit udp 10.166.203.0 0.0.0.255 any                                                    
access-list 102 permit icmp 10.166.203.0 0.0.0.255 any                                                      
access-list 110 permit udp host 207.144.XX.XX host 204.116.XX.XX eq isakmp      
access-list 110 permit udp host 204.116.XX.XX host 207.114.XX.XX eq isakmp
access-list 111 deny   ip 192.168.131.0 0.0.0.255 10.166.203.0 0.0.0.255
access-list 111 permit ip 192.168.131.0 0.0.0.255 any
access-list 115 permit ip 192.168.131.0 0.0.0.255 10.166.203.0 0.0.0.255
route-map nonat permit 10
 match ip address 111


As you can see we currently do NAT and have an IPSEC VPN between remote offices. We want to allow users to VPN into our network through this router by NAT'ing to a Windows 2000 VPN server using PPTP (we do not have IPSec configured on the domain). Is this possible? Will the firmware for the router need to be updated? What configuration commands would be needed to allow the GRE and 1723 traffic? We have already NAT'ted over the 3389 port so we can use Terminal Services, but I can't get authenticated from the 2000 VPN server.

Thanks very much in advance!

ScoWat
Question by:scowat

Accepted Solution by lrmoore (LVL 79), earned 500 total points
ID: 9681543
You cannot do it if the only IP address you have is the outside interface of the router.
You need a 1-1 static nat to a public IP address.

Microsoft's story:
PPTP traffic consists of a TCP connection for tunnel maintenance and GRE encapsulation for tunneled data. The TCP connection is NAT-translatable because the source TCP port numbers can be transparently translated. However, the GRE-encapsulated data is not NAT-translatable.

From Cisco documentation:
Because the connection is initiated as TCP on one port and the response is GRE protocol, it is necessary to configure ACLs to allow the return traffic into the PIX, as the PIX Adaptive Security Algorithm (ASA) does not know the traffic flows are related. PPTP through the PIX with NAT (one-to-one address mapping) works because the PIX uses the port information in the TCP or User Datagram Protocol (UDP) header to keep track of translation. PPTP through the PIX with Port Address Translation (PAT) does not work because there is no concept of ports in GRE.


Author Comment by scowat
ID: 9682455
Sorry, I am not clear on this. Can you elaborate? Specifically:

 - What do you mean the 'only IP address you have is the outside interface of the router'?

 - Does Microsoft's 'story' imply that a PPTP VPN through NAT is not possible?

 - Why does the Cisco documentation keep referencing PIX? Isn't that a firewall product? We don't have that installed; do the concepts still apply?

 - In order to accomplish our goal of allowing users to VPN into the network, should we configure an IPSec policy for the domain and use L2TP to the Windows 2000 VPN server? Does our router support this using IOS 12.1?

 - Is there an easier way to accomplish remote client VPN connectivity?

Thank you very much for your assistance.

Sincerely,

ScoWat

Assisted Solution by lrmoore (LVL 79), earned 500 total points
ID: 9682724
If the only IP address you get from the ISP is the one that gets assigned to the outside interface of the router, then you are using PAT, not NAT, for address translation.
That's what this command does for you:
>ip nat inside source route-map nonat interface Ethernet1/0 overload
 
You need at least one more IP address in the 207.144.XX.XX subnet and then create a static 1-1 NAT, i.e.:
Assuming PPTP server = 192.168.131.16
Assuming 207.144.XX.yy is another IP address available to you that is not the same as the interface address:

ip nat inside source static 192.168.131.16 207.144.xx.yy

- Microsoft story, it will not work over PAT, but it will work over NAT (with 1-1 nat)
- Cisco's story is the same. PIX or router, same difference. Just reinforces the idea that it won't work over PAT, but it will with 1-1 NAT

Is there an easier way? Personal opinion, I don't care for Microsoft PPTP. I would never suggest one of my customers use it. I would put in a device that is designed specifically for that purpose. IPSEC is much more secure than PPTP. Cisco VPN concentrator, Cisco PIX FW, and others that I'm less familiar with like SonicWall and Adtran NetVanta 2000 series.
Depends on your budget, but the Adtran is promising at a very competitive price point.
PIX is pretty competitive and is my favorite. Piece of cake to setup and use.
I've heard the SonicWall is just as easy to set up.


Author Comment by scowat
ID: 9686139
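To make the distinction in lrmoore's two replies concrete, here is an added toy model in Python (not code from the thread or from Cisco): a port-keyed PAT/port-forward table can deliver the inbound TCP/1723 control connection but has nothing to key an inbound GRE packet on, while a static 1-1 entry maps on address alone. The public addresses, the remote client and the port-forward helper are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

TCP, UDP, GRE = 6, 17, 47
PPTP_SERVER = "192.168.131.16"   # inside host, as assumed in the thread
OUTSIDE_IF = "207.144.0.1"       # router's Ethernet1/0 address (constructed)
SPARE_PUBLIC = "207.144.0.2"     # the extra public address (constructed)


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # GRE has no port fields at all
    dport: Optional[int] = None


class PatRouter:
    """Models 'ip nat inside source ... interface Ethernet1/0 overload' plus
    'ip nat inside source static tcp ...' port forwards: everything shares
    the interface address, so the table must be keyed on a port."""
    def __init__(self) -> None:
        self.forwards = {}  # (proto, outside_port) -> (inside_ip, inside_port)

    def add_port_forward(self, proto: int, port: int, inside: str) -> bool:
        if proto not in (TCP, UDP):      # IOS static port maps are tcp/udp only
            return False                 # there is nothing to key a GRE flow on
        self.forwards[(proto, port)] = (inside, port)
        return True

    def inbound(self, p: Packet) -> Optional[Packet]:
        entry = self.forwards.get((p.proto, p.dport))
        if p.dst != OUTSIDE_IF or entry is None:
            return None                  # no translation: the router drops it
        return Packet(p.proto, p.src, entry[0], p.sport, entry[1])


class StaticNatRouter:
    """Models 'ip nat inside source static 192.168.131.16 207.144.xx.yy'."""
    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.dst != SPARE_PUBLIC:
            return None
        return Packet(p.proto, p.src, PPTP_SERVER, p.sport, p.dport)


def pptp_reaches_server(router, public_ip: str) -> dict:
    """Send both halves of a PPTP session from a constructed remote client."""
    client = "198.51.100.7"
    control = Packet(TCP, client, public_ip, 40000, 1723)  # tunnel maintenance
    data = Packet(GRE, client, public_ip)                  # tunnelled PPP frames
    delivered = lambda p: p is not None and p.dst == PPTP_SERVER
    return {"tcp1723": delivered(router.inbound(control)), "gre": delivered(router.inbound(data))}
```

With the overload interface address alone the result is {"tcp1723": True, "gre": False}; with the spare address and the static 1-1 entry both halves reach the server.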
Thanks! We do have the availability of additional 'true' IP addresses. Your previous answer made sense to me and I have just a couple more clarifying questions:

 - Do I assign the secondary IP address to the Ethernet1/0 (external) interface? If not, how will it respond to traffic destined for that IP address (or the NAT'ed VPN server)?

 - Is the command you provided all I should need to have 1-1 NAT connectivity to the VPN server? (ip nat inside source static 192.168.131.16 207.144.xx.yy)

I plan on testing this today and really appreciate your help.

Sincerely,

ScoWat