Solved

PPTP to Windows server through Adtran NetVanta 3205

Posted on 2004-04-27
1,380 Views
Last Modified: 2013-11-29
I am trying to set up a VPN to my W2k RRAS with PPTP, but when I try to connect from outside the firewall, it times out with error 721 after trying to validate the username and password.

I have created an ip access-list which permits tcp 1723 and type 47 GRE packets.  I also use a nat destination list.

ip access-list extended VPN
   permit tcp any host 67.50.x.x eq 1723
   permit gre any host 67.50.x.x

NAT destination list VPN address 192.168.1.13


Am I missing something?

Mike
Question by:PhilOlszewski
8 Comments
 
LVL 2

Expert Comment

by:benjamin
ID: 10933202
Hi,

I have seen this many times and normally it is the router/firewall not passing VPN (PPTP) correctly, or the NAT is not working correctly with mapping the ports back and forth.  What router/firewall do you have? Can you connect to the VPN if you are on your internal LAN? If you can, it shows a router/firewall issue.

Let me know. Oh, and if your router is supplied by your ISP, ring them and check that it passes VPN traffic. I had one from MCI a few months ago that would not; it was not part of their standard config.

Ben
 

Author Comment

by:PhilOlszewski
ID: 10938678
It does work from inside the LAN, so I know that it is a firewall issue.  The firewall is an Adtran NetVanta 3205.  This is the current config:

IndyInet#sho runn
Building configuration...
!
!
hostname "IndyInet"
enable password xxx
!
ip subnet-zero
ip classless
ip routing
!
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
!
username admin password xxx!
banner motd #
Unauthorized Access is strictly prohibited.
#
!
!
ip firewall
ip firewall check syn-flood
!
!
!
!
!
interface eth 0/1
  speed auto
  ip address  192.168.1.3  255.255.255.0
  access-policy Trusted
  no shutdown
!
interface t1 1/1
  description Frame Relay Internet
  tdm-group 1 timeslots 1-24 speed 64
  no shutdown
!
interface fr 1 point-to-point
  frame-relay lmi-type ansi
  no shutdown
  cross-connect 1 t1 1/1 1 frame-relay 1
!
interface fr 1.1 point-to-point
  frame-relay interface-dlci 16
  ip address  172.16.0.34  255.255.255.252
  access-policy Untrusted
!
!
!
ip access-list standard InternalNetwork
  permit any
!
ip access-list standard MatchAll
  permit any
!
!
ip access-list extended ExchangeServer
  permit ip host 192.168.1.9  any
  permit udp host 192.168.1.9  any
!
ip access-list extended InCitrix
  permit tcp any  host 67.50.x.x eq 1601
!
ip access-list extended InCitrix2
  permit tcp any  host 67.50.x.x eq 1602
!
ip access-list extended InExchangeServer
  permit tcp any  host 67.50.x.x eq smtp
  permit tcp any  host 67.50.x.x eq www
  permit tcp any  host 67.50.x.x eq pop3
  permit icmp any  host 67.50.x.x
!
ip access-list extended InSmtp
  permit tcp any  host 67.50.x.x eq smtp
!
ip access-list extended InTelnet
  permit tcp any  host 67.50.x.x eq telnet
!
ip access-list extended InTerminalServer1
  permit tcp any  host 67.50.x.x eq 3389
!
ip access-list extended InTerminalServer2
  permit tcp any  host 67.50.x.x eq 3389
!
ip access-list extended OneIp
  permit icmp host 208.152.x.x  host 67.50.x.x
  permit icmp host 216.110.x.x  host 67.50.x.x
!
ip access-list extended VPN
  permit tcp any  host 67.50.x.x eq 1723
  permit gre any  host 67.50.x.x
!
ip access-list extended WAN
  permit tcp any  host 172.16.0.34
!
ip policy-class Trusted
  nat source list ExchangeServer address 67.50.x.x overload
  nat source list MatchAll address 67.50.x.x overload
  allow list MatchAll
!
ip policy-class Untrusted
  nat destination list InTerminalServer1 address 192.168.1.4
  nat destination list InSmtp address 192.168.4.3
  nat destination list InCitrix address 192.168.1.5
  nat destination list InTelnet address 192.168.1.3
  nat destination list OneIp address 192.168.1.3
  nat destination list InTerminalServer2 address 192.168.4.3
  allow list WAN
  nat destination list InCitrix2 address 192.168.1.4
  nat destination list InExchangeServer address 192.168.1.9
  nat destination list VPN address 192.168.1.13
!
!
ip route 0.0.0.0 0.0.0.0 fr 1.1
ip route 67.50.x.x 255.255.255.248 192.168.1.2
ip route 172.26.1.0 255.255.255.0 192.168.1.2
ip route 192.168.0.0 255.255.0.0 192.168.1.2
!
no ip n-form agent
no ip http server
ip snmp agent
no ip ftp agent
!
!
snmp-server contact "admin"
snmp-server location "USA"
snmp-server chassis-id "Netvanta3205"
snmp-server community jiminy RO
snmp-server community public RO
line con 0
  no login
  password "xxx"
  line-timeout 0
!
line telnet 0 4
  login
  password "xxx"
!
end
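A small checker, added here as an illustration and not part of the thread or of Adtran's software, for the two things the question and the posted config are about: a PPTP port-forward on this kind of AOS-style config needs an extended access-list that permits TCP 1723 and GRE (IP protocol 47) to the public address, and a `nat destination list` under the untrusted policy class that maps that list to the inside RRAS host. The sample config below is constructed from the fragment posted above, keeping the poster's `67.50.x.x` placeholder; the parsing is a simplified reading of the block structure shown in the thread, not a full AOS grammar. As the thread itself concludes, a config can pass this check and PPTP can still fail when the firmware does not support PPTP/GRE handling, so an empty finding list means "the config is not the problem", not "PPTP works".

```python
"""Check an AOS-style config for the access-list and NAT pieces a PPTP forward needs."""
import re

# Constructed sample: the relevant lines of the config posted in the thread,
# with the public address left as the poster's 67.50.x.x placeholder.
SAMPLE_CONFIG = """\
ip access-list extended InTelnet
  permit tcp any  host 67.50.x.x eq telnet
!
ip access-list extended VPN
  permit tcp any  host 67.50.x.x eq 1723
  permit gre any  host 67.50.x.x
!
ip policy-class Untrusted
  nat destination list InTelnet address 192.168.1.3
  allow list WAN
  nat destination list VPN address 192.168.1.13
!
"""


def parse_blocks(config):
    """Return {(kind, name): [entry lines]} for access-list and policy-class blocks.

    A line consisting of '!' or a blank line closes the current block, which is
    how the running-config in the thread separates its sections.
    """
    blocks = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        m = re.match(r"ip access-list (?:standard|extended) (\S+)$", line)
        if m:
            current = ("acl", m.group(1))
            blocks[current] = []
            continue
        m = re.match(r"ip policy-class (\S+)$", line)
        if m:
            current = ("policy", m.group(1))
            blocks[current] = []
            continue
        if current is not None:
            blocks[current].append(line)
    return blocks


def acl_permits(entries, proto, port=None):
    """True if some 'permit <proto> ... [eq <port>]' entry exists in the list."""
    for entry in entries:
        parts = entry.split()
        if len(parts) < 2 or parts[0] != "permit" or parts[1] != proto:
            continue
        if port is None:
            return True  # protocol-only match, e.g. GRE has no port
        if "eq" in parts:
            i = parts.index("eq")
            if i + 1 < len(parts) and parts[i + 1] == str(port):
                return True
    return False


def check_pptp_forward(config, policy_class, inside_host):
    """Return a list of findings; an empty list means the PPTP plumbing is present.

    inside_host is the RRAS server the public address should be forwarded to
    (192.168.1.13 in the thread).
    """
    blocks = parse_blocks(config)
    policy = blocks.get(("policy", policy_class))
    if policy is None:
        return ["policy-class %s not found" % policy_class]

    # Every NAT destination rule in the policy class that forwards to inside_host.
    nat_lists = []
    for entry in policy:
        m = re.match(r"nat destination list (\S+) address (\S+)$", entry)
        if m and m.group(2) == inside_host:
            nat_lists.append(m.group(1))

    findings = []
    if not nat_lists:
        findings.append("no 'nat destination list ... address %s' in policy-class %s"
                        % (inside_host, policy_class))
    for name in nat_lists:
        entries = blocks.get(("acl", name), [])
        if not acl_permits(entries, "tcp", 1723):
            findings.append("acl %s: no 'permit tcp ... eq 1723' (PPTP control)" % name)
        if not acl_permits(entries, "gre"):
            findings.append("acl %s: no 'permit gre' (IP protocol 47, PPTP data)" % name)
    return findings


if __name__ == "__main__":
    for host in ("192.168.1.13", "192.168.1.3"):
        print(host, check_pptp_forward(SAMPLE_CONFIG, "Untrusted", host) or "ok")
```

Run against the sample, the RRAS host 192.168.1.13 comes back clean, which matches the poster's observation that the access-list and NAT mapping look right; pointing the same check at 192.168.1.3 (forwarded only by the `InTelnet` list) reports both the missing 1723 and GRE permits, which is the shape the output takes when the config really is the cause.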
 
LVL 2

Expert Comment

by:benjamin
ID: 10953497
Ok

not being lazy but this article may well help,

http://www.tomsnetworking.com/Sections-article49-page1.php

I think your firewall is not allowing passthrough; it might be worth checking with the manufacturer whether the firewall either requires the ports to be opened or has the functionality built in.  Also, I noted your access list: is your firewall refusing the connection because of the IP address it is coming from? That is the next thing to check.

Ben
 

Author Comment

by:PhilOlszewski
ID: 10953824
The firewall does not have passthrough functionality built in; that is why I created an access list for VPN which allows TCP port 1723 and GRE type 41 traffic.  I don't think the firewall is refusing the connection because of the source IP.  My other access-lists pass through just fine (Citrix, Citrix2, TerminalServer1).  Is there another port that should be open besides TCP 1723 and GRE?

Mike
 

Author Comment

by:PhilOlszewski
ID: 10961376
I was just browsing the Adtran website, and I found that this version of the firmware does not provide PPTP.  I am going to flash the firmware and upgrade the IOS to fix this problem.

Mike
 
LVL 2

Accepted Solution

by:
benjamin earned 500 total points
ID: 10962214
Sounds good. Give it a go and let us know either way, if that's OK.
 

Author Comment

by:PhilOlszewski
ID: 11006563
The upgrade worked. I upgraded to the latest IOS and firmware.
 
LVL 2

Expert Comment

by:benjamin
ID: 11021339
Ok, good to hear it is working.

Ben