Trying to setup PPTP VPN on a Cisco 2620 Router

Here is the version and configuration of our router:

IOS (tm) C2600 Software (C2600-IO3S56I-M), Version 12.1(17), RELEASE SOFTWARE (f
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Tue 03-Sep-02 22:23 by kellythw
Image text-base: 0x80008088, data-base: 0x80E63DF8

ROM: System Bootstrap, Version 12.2(10r)1, RELEASE SOFTWARE (fc1)

Cisco2610 uptime is 4 days, 17 hours, 40 minutes
System returned to ROM by reload
System image file is "flash:c2600-io3s56i-mz.121-17.bin"

cisco 2610 (MPC860) processor (revision 0x00) with 53248K/12288K bytes of memory
Processor board ID JAD06430CCO (2148467848)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
2 Ethernet/IEEE 802.3 interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102


version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname Cisco2610
ip subnet-zero
no ip domain-lookup
ip audit notify log
ip audit po max-events 100
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cdstos107ffbavpn address 204.116.XX.XX
crypto ipsec transform-set cds-set esp-des esp-md5-hmac
crypto map cds-map 1 ipsec-isakmp
 set peer 204.116.XX.XX
 set transform-set cds-set
 match address 115
interface Ethernet0/0
 description connected to EthernetLAN
 ip address
 ip nat inside
interface Ethernet1/0
 description connected to Internet
 ip address 207.144.XX.XX
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 crypto map cds-map
router rip
 version 2
 passive-interface Ethernet1/0
 no auto-summary
ip nat inside source route-map nonat interface Ethernet1/0 overload
ip nat inside source static tcp 3389 207.144.YY.YY 3389 extendable

ip classless
ip route Ethernet1/0
ip route 204.116.XX.XX
no ip http server
access-list 1 permit
access-list 102 permit ip any
access-list 102 permit tcp 10.166.20
access-list 102 permit udp any
access-list 102 permit icmp any
access-list 110 permit udp host 207.144.XX.XX host 204.116.XX.XX eq isakmp
access-list 110 permit udp host 204.116.XX.XX host 207.114.XX.XX eq isakmp
access-list 111 deny   ip
access-list 111 permit ip any
access-list 115 permit ip
route-map nonat permit 10
 match ip address 111

As you can see we currently do NAT and have an IPSEC VPN between remote offices. We want to allow users to VPN into our network through this router by NAT'ing to a Windows 2000 VPN server using PPTP (we do not have IPSec configured on the domain). Is this possible? Will the firmware for the router need to be updated? What configuration commands would be needed to allow the GRE and 1723 traffic? We have already NAT'ted over the 3389 port so we can use Terminal Services, but I can't get authenticated from the 2000 VPN server.

Thanks very much in advance!


You cannot do it if the only IP address you have is the outside interface of the router.
You need a 1-1 static nat to a public IP address.

Microsoft's story:
PPTP traffic consists of a TCP connection for tunnel maintenance and GRE encapsulation for tunneled data. The TCP connection is NAT-translatable because the source TCP port numbers can be transparently translated. However, the GRE-encapsulated data is not NAT-translatable.

From Cisco documentation:
Because the connection is initiated as TCP on one port and the response is GRE protocol, it is necessary to configure ACLs to allow the return traffic into the PIX, as the PIX Adaptive Security Algorithm (ASA) does not know the traffic flows are related. PPTP through the PIX with NAT (one-to-one address mapping) works because the PIX uses the port information in the TCP or User Datagram Protocol (UDP) header to keep track of translation. PPTP through the PIX with Port Address Translation (PAT) does not work because there is no concept of ports in GRE.


scowat (Author) commented:
Sorry, I am not clear on this. Can you elaborate? Specifically:

 - What do you mean the 'only IP address you have is the outside interface of the router'?

 - Does Microsoft's 'story' imply that a PPTP VPN through NAT is not possible?

 - Why does the Cisco documentation keep referencing PIX? Isn't that a firewall product? We don't have that installed; do the concepts still apply?

 - In order to accomplish our goals of allowing users to VPN into the network, should we use configure an IPSec policy for the domain and use L2TP to the Windows 2000 VPN server? Does our router support this using IOS 12.1?

 - Is there an easier way to accomplish remote client VPN connectivity?

Thank you very much for your assistance.


If the only IP address you get from the ISP is the one that gets assigned to the outside interface of the router, then you are using PAT, not NAT for address translation.
That's what this command does for you:
>ip nat inside source route-map nonat interface Ethernet1/0 overload
You need at least one more IP address in the 207.144.XX.XX subnet and to create a static 1-1 NAT, i.e.:
Assuming PPTP server =
Assuming 207.144.XX.yy is another IP address available to you that is not the same as the interface address:

ip nat inside source static 207.144.xx.yy

- Microsoft story, it will not work over PAT, but it will work over NAT (with 1-1 nat)
- Cisco's story is the same. PIX or router, same difference. Just reinforces the idea that it won't work over PAT, but it will with 1-1 NAT

Is there an easier way? Personal opinion, I don't care for Microsoft PPTP. I would never suggest one of my customers use it. I would put in a device that is designed specifically for that purpose. IPSEC is much more secure than PPTP. Cisco VPN concentrator, Cisco PIX FW, and others that I'm less familiar with like SonicWall and Adtran NetVanta 2000 series.
Depends on your budget, but the Adtran is promising at a very competitive price point.
PIX is pretty competitive and is my favorite. Piece of cake to setup and use.
I've heard the SonicWall is just as easy to set up.
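The two answers above, put together as an added IOS example (this is not configuration from the original thread, from Cisco, or from the answerer): the overload rule that makes the router do PAT stays for the rest of the LAN, and the PPTP server gets its own public address through a 1-1 static translation, which is what lets GRE (IP protocol 47, no port numbers) pass. The inside address 10.166.20.5, the spare public address 207.144.xx.yy and access list 120 are assumptions, not values from the post; substitute your own. One caveat the thread predates: PPTP's MS-CHAPv2 authentication and the MPPE keys derived from it have since been shown to be recoverable by an attacker who captures the exchange, so the advice to prefer IPsec over PPTP has only gained weight.

```cisco
! Added example, not configuration from the original thread or from Cisco.
! Goal: give the Windows 2000 PPTP server a dedicated public address (1-1
! static NAT) while the rest of the LAN keeps using PAT on the interface.
!
! Assumptions (hypothetical, replace with your own values):
!   10.166.20.5     inside address of the PPTP server
!   207.144.xx.yy   spare public address in the Ethernet1/0 subnet, not the
!                   interface address itself
!   access-list 120 the list applied inbound on Ethernet1/0

! Existing overload (PAT) rule from the posted config, left as it is:
! inside hosts without a static entry share the Ethernet1/0 address.
ip nat inside source route-map nonat interface Ethernet1/0 overload

! New 1-1 static translation. Only the IP address is rewritten, so the GRE
! data channel is translated along with the TCP 1723 control channel.
ip nat inside source static 10.166.20.5 207.144.xx.yy

! No secondary address is needed on Ethernet1/0: IOS installs an alias for
! the static global address and answers ARP for it on that interface.
! Verify with:
!   show ip nat translations    (the static entry is listed permanently)
!   show ip alias               (207.144.xx.yy appears as an alias)

! Inbound on the Internet interface the access list is evaluated before
! outside-to-inside NAT, so it must name the public address. Both halves of
! a PPTP session are needed; the rest of the list (ISAKMP/ESP for the
! site-to-site tunnel, return traffic for the LAN) is not shown here.
access-list 120 permit tcp any host 207.144.xx.yy eq 1723
access-list 120 permit gre any host 207.144.xx.yy
```

If an access list is already applied inbound on Ethernet1/0, add the two PPTP lines to that list instead of creating list 120; an inbound list that contained only these two entries would cut off the existing IPsec peer and all return traffic for the LAN.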

scowat (Author) commented:
Thanks! We do have the availability of additional 'true' IP addresses. Your previous answer made sense to me and I have just a couple more clarifying questions:

 - Do I assign the secondary IP address to the Ethernet1/0 (external) interface? If not, how will it respond to traffic destined for that IP address (or the NAT'ed VPN server)?

 - Is the command you provided all I should need to have NAT 1-1 connectivity to VPN server? (ip nat inside source static 207.144.xx.yy)

I plan on testing this today and really appreciate your help.

