Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1414
  • Last Modified:

PPTP to Windows server though Adtran NetVanta 3205

I am trying to setup a VPN to my W2k RRAS with PPTP, but when I try to connect from outside the firewall, it times out with error 721 after trying to validate username and password.

I have created an ip access-list which permits tcp 1723, and type 47 gre packets.  I also use nat destination list.

ip access-list extended VPN
   permit tcp any host 67.50.x.x eq 1723
   permit gre any host 67.50.x.x

NAT destination list VPN address 192.168.1.13


Am I missing something?

Mike
0
PhilOlszewski
Asked:
PhilOlszewski
  • 4
  • 4
1 Solution
 
benjaminCommented:
Hi,

I have seen this many times and normally it is the router/firewall not passing VPN (PPTP) correctly or the Nat is not working correctly with mapping the ports back and forth.  What router/firewall do you have, can you connect to the vpn if you are on your internal LAN.  If you can it shows a router/firewall issue.

Let me know, ow and if your router is supplied by your ISP ring them and check that is passed VPN traffic I had one from MCI a few onths ago that would not it was not part of there standard config.

Ben
0
 
PhilOlszewskiAuthor Commented:
It does work from inside the LAN so I know that it is a firewall issue.  The firewall is a Adtran NetVanta 3205.  This is the current config:

IndyInet#sho runn
Building configuration...
!
!
hostname "IndyInet"
enable password xxx
!
ip subnet-zero
ip classless
ip routing
!
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
!
username admin password xxx!
banner motd #
Unauthorized Access is strictly prohibited.
#
!
!
ip firewall
ip firewall check syn-flood
!
!
!
!
!
interface eth 0/1
  speed auto
  ip address  192.168.1.3  255.255.255.0
  access-policy Trusted
  no shutdown
!
interface t1 1/1
  description Frame Relay Internet
  tdm-group 1 timeslots 1-24 speed 64
  no shutdown
!
interface fr 1 point-to-point
  frame-relay lmi-type ansi
  no shutdown
  cross-connect 1 t1 1/1 1 frame-relay 1
!
interface fr 1.1 point-to-point
  frame-relay interface-dlci 16
  ip address  172.16.0.34  255.255.255.252
  access-policy Untrusted
!
!
!
ip access-list standard InternalNetwork
  permit any
!
ip access-list standard MatchAll
  permit any
!
!
ip access-list extended ExchangeServer
  permit ip host 192.168.1.9  any
  permit udp host 192.168.1.9  any
!
ip access-list extended InCitrix
  permit tcp any  host 67.50.x.x eq 1601
!
ip access-list extended InCitrix2
  permit tcp any  host 67.50.x.x eq 1602
!
ip access-list extended InExchangeServer
  permit tcp any  host 67.50.x.x eq smtp
  permit tcp any  host 67.50.x.x eq www
  permit tcp any  host 67.50.x.x eq pop3
  permit icmp any  host 67.50.x.x
!
ip access-list extended InSmtp
  permit tcp any  host 67.50.x.x eq smtp
!
ip access-list extended InTelnet
  permit tcp any  host 67.50.x.x eq telnet
!
ip access-list extended InTerminalServer1
  permit tcp any  host 67.50.x.x eq 3389
!
ip access-list extended InTerminalServer2
  permit tcp any  host 67.50.x.x eq 3389
!
ip access-list extended OneIp
  permit icmp host 208.152.x.x  host 67.50.x.x
  permit icmp host 216.110.x.x  host 67.50.x.x
!
ip access-list extended VPN
  permit tcp any  host 67.50.x.x eq 1723
  permit gre any  host 67.50.x.x
!
ip access-list extended WAN
  permit tcp any  host 172.16.0.34
!
ip policy-class Trusted
  nat source list ExchangeServer address 67.50.x.x overload
  nat source list MatchAll address 67.50.x.x overload
  allow list MatchAll
!
ip policy-class Untrusted
  nat destination list InTerminalServer1 address 192.168.1.4
  nat destination list InSmtp address 192.168.4.3
  nat destination list InCitrix address 192.168.1.5
  nat destination list InTelnet address 192.168.1.3
  nat destination list OneIp address 192.168.1.3
  nat destination list InTerminalServer2 address 192.168.4.3
  allow list WAN
  nat destination list InCitrix2 address 192.168.1.4
  nat destination list InExchangeServer address 192.168.1.9
  nat destination list VPN address 192.168.1.13
!
!
ip route 0.0.0.0 0.0.0.0 fr 1.1
ip route 67.50.x.x 255.255.255.248 192.168.1.2
ip route 172.26.1.0 255.255.255.0 192.168.1.2
ip route 192.168.0.0 255.255.0.0 192.168.1.2
!
no ip n-form agent
no ip http server
ip snmp agent
no ip ftp agent
!
!
snmp-server contact "admin"
snmp-server location "USA"
snmp-server chassis-id "Netvanta3205"
snmp-server community jiminy RO
snmp-server community public RO
line con 0
  no login
  password "xxx"
  line-timeout 0
!
line telnet 0 4
  login
  password "xxx"
!
end
0
 
benjaminCommented:
Ok

not being lazy but this article may well help,

http://www.tomsnetworking.com/Sections-article49-page1.php

I think your firewall is not allowing passthrough, might be worth checking with the manufacture that the Firewall either requires the ports to be opened or has the functionality built in.  All so I noted your access list is your firewall refuseing the connection because of the IP address it is coming from bext thing to check.

Ben
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
PhilOlszewskiAuthor Commented:
The firewall does not have passthrough functionality built in, that is why I created an access list for VPN which allows TCP port 1723, and GRE type 41 traffic.  I don't think the firewall is refusing connection because of the source IP.  My other access-list pass through just fine. (Citrix, Citrix2, TerminalServer1).  Is there another port that should be open besides TCP 1723, and GRE?

Mike
0
 
PhilOlszewskiAuthor Commented:
I just was browsing the Adtran website, and I found that the version of firmware does not provide PPTP.  I am going to flash the firmaware, and upgrade the IOS, to fix this problem.

Mike
0
 
benjaminCommented:
sounds good give it ago and let us know either way if thats ok.
0
 
PhilOlszewskiAuthor Commented:
The uppgrade worked. I upgraded to the latest IOS, and firmware.
0
 
benjaminCommented:
Ok, good to hear it is working.

Ben
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

  • 4
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now