Solved

PPTP to Windows server though Adtran NetVanta 3205

Posted on 2004-04-27
1,344 Views
Last Modified: 2013-11-29
I am trying to set up a VPN to my W2k RRAS with PPTP, but when I try to connect from outside the firewall, it times out with error 721 after trying to validate the username and password.

I have created an ip access-list which permits TCP 1723 and type 47 GRE packets.  I also use a NAT destination list.

ip access-list extended VPN
   permit tcp any host 67.50.x.x eq 1723
   permit gre any host 67.50.x.x

NAT destination list VPN address 192.168.1.13


Am I missing something?

Mike
Question by: PhilOlszewski

8 Comments
LVL 2

Expert Comment

by:benjamin
Hi,

I have seen this many times, and normally it is the router/firewall not passing VPN (PPTP) correctly, or the NAT is not working correctly with mapping the ports back and forth.  What router/firewall do you have? Can you connect to the VPN if you are on your internal LAN? If you can, it shows a router/firewall issue.

Let me know. Oh, and if your router is supplied by your ISP, ring them and check that it passes VPN traffic. I had one from MCI a few months ago that would not; it was not part of their standard config.

Ben

Author Comment

by:PhilOlszewski
It does work from inside the LAN, so I know that it is a firewall issue.  The firewall is an Adtran NetVanta 3205.  This is the current config:

IndyInet#sho runn
Building configuration...
!
!
hostname "IndyInet"
enable password xxx
!
ip subnet-zero
ip classless
ip routing
!
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
!
username admin password xxx!
banner motd #
Unauthorized Access is strictly prohibited.
#
!
!
ip firewall
ip firewall check syn-flood
!
!
!
!
!
interface eth 0/1
  speed auto
  ip address  192.168.1.3  255.255.255.0
  access-policy Trusted
  no shutdown
!
interface t1 1/1
  description Frame Relay Internet
  tdm-group 1 timeslots 1-24 speed 64
  no shutdown
!
interface fr 1 point-to-point
  frame-relay lmi-type ansi
  no shutdown
  cross-connect 1 t1 1/1 1 frame-relay 1
!
interface fr 1.1 point-to-point
  frame-relay interface-dlci 16
  ip address  172.16.0.34  255.255.255.252
  access-policy Untrusted
!
!
!
ip access-list standard InternalNetwork
  permit any
!
ip access-list standard MatchAll
  permit any
!
!
ip access-list extended ExchangeServer
  permit ip host 192.168.1.9  any
  permit udp host 192.168.1.9  any
!
ip access-list extended InCitrix
  permit tcp any  host 67.50.x.x eq 1601
!
ip access-list extended InCitrix2
  permit tcp any  host 67.50.x.x eq 1602
!
ip access-list extended InExchangeServer
  permit tcp any  host 67.50.x.x eq smtp
  permit tcp any  host 67.50.x.x eq www
  permit tcp any  host 67.50.x.x eq pop3
  permit icmp any  host 67.50.x.x
!
ip access-list extended InSmtp
  permit tcp any  host 67.50.x.x eq smtp
!
ip access-list extended InTelnet
  permit tcp any  host 67.50.x.x eq telnet
!
ip access-list extended InTerminalServer1
  permit tcp any  host 67.50.x.x eq 3389
!
ip access-list extended InTerminalServer2
  permit tcp any  host 67.50.x.x eq 3389
!
ip access-list extended OneIp
  permit icmp host 208.152.x.x  host 67.50.x.x
  permit icmp host 216.110.x.x  host 67.50.x.x
!
ip access-list extended VPN
  permit tcp any  host 67.50.x.x eq 1723
  permit gre any  host 67.50.x.x
!
ip access-list extended WAN
  permit tcp any  host 172.16.0.34
!
ip policy-class Trusted
  nat source list ExchangeServer address 67.50.x.x overload
  nat source list MatchAll address 67.50.x.x overload
  allow list MatchAll
!
ip policy-class Untrusted
  nat destination list InTerminalServer1 address 192.168.1.4
  nat destination list InSmtp address 192.168.4.3
  nat destination list InCitrix address 192.168.1.5
  nat destination list InTelnet address 192.168.1.3
  nat destination list OneIp address 192.168.1.3
  nat destination list InTerminalServer2 address 192.168.4.3
  allow list WAN
  nat destination list InCitrix2 address 192.168.1.4
  nat destination list InExchangeServer address 192.168.1.9
  nat destination list VPN address 192.168.1.13
!
!
ip route 0.0.0.0 0.0.0.0 fr 1.1
ip route 67.50.x.x 255.255.255.248 192.168.1.2
ip route 172.26.1.0 255.255.255.0 192.168.1.2
ip route 192.168.0.0 255.255.0.0 192.168.1.2
!
no ip n-form agent
no ip http server
ip snmp agent
no ip ftp agent
!
!
snmp-server contact "admin"
snmp-server location "USA"
snmp-server chassis-id "Netvanta3205"
snmp-server community jiminy RO
snmp-server community public RO
line con 0
  no login
  password "xxx"
  line-timeout 0
!
line telnet 0 4
  login
  password "xxx"
!
end
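The question and the config above hinge on one fact: a PPTP session is two flows, a TCP 1723 control connection and a GRE data channel (GRE is IP protocol 47 and carries no port numbers), and both must be permitted and mapped to the same inside host. The checker below is an added example, not code from the thread or from Adtran: it parses the `ip access-list extended` blocks and `nat destination list` lines of an AOS-style config dump and reports which half of PPTP is missing for a given public address. The config text, the function names and the addresses are constructed for the example; the parser only understands the `permit <proto> any|host X host Y [eq port]` shape seen in the post.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

PPTP_CONTROL_PORT = 1723   # PPTP control connection runs over TCP 1723 (RFC 2637)
GRE_PROTOCOL_NUMBER = 47   # PPTP data is carried in GRE, IP protocol 47; GRE has no port numbers

# Constructed sample in the style of the AOS config posted in the thread (addresses are made up).
# "VPN" is complete; "HalfVPN" forgets the GRE rule; "NoNat" has rules but no NAT mapping.
SAMPLE_CONFIG = """\
ip access-list extended InTerminalServer1
  permit tcp any  host 67.50.0.10 eq 3389
!
ip access-list extended VPN
  permit tcp any  host 67.50.0.10 eq 1723
  permit gre any  host 67.50.0.10
!
ip access-list extended HalfVPN
  permit tcp any  host 67.50.0.11 eq 1723
!
ip access-list extended NoNat
  permit tcp any  host 67.50.0.12 eq 1723
  permit gre any  host 67.50.0.12
!
ip policy-class Untrusted
  nat destination list InTerminalServer1 address 192.168.1.4
  nat destination list VPN address 192.168.1.13
  nat destination list HalfVPN address 192.168.1.14
  allow list WAN
!
"""

@dataclass(frozen=True)
class AclEntry:
    proto: str               # "tcp", "udp", "gre", "icmp", ...
    src: str                 # "any" or a source address
    dst_host: str            # public address the rule matches on
    dst_port: Optional[str]  # "1723", "3389", "smtp", ... or None for port-less protocols

ACL_HEADER = re.compile(r"^ip access-list extended (\S+)\s*$")
ACL_PERMIT = re.compile(r"^\s*permit (\S+)\s+(any|host \S+)\s+host (\S+)(?:\s+eq (\S+))?\s*$")
NAT_DEST = re.compile(r"^\s*nat destination list (\S+) address (\S+)\s*$")

def parse_aos_config(text):
    """Extract extended access lists and 'nat destination list' mappings from a config dump."""
    acls = defaultdict(list)
    nat_dest = {}
    current = None
    for line in text.splitlines():
        if (m := ACL_HEADER.match(line)):
            current = m.group(1)
        elif line.strip() == "!":
            current = None                       # '!' closes the current access-list block
        elif current and (m := ACL_PERMIT.match(line)):
            proto, src, dst, port = m.groups()
            acls[current].append(AclEntry(proto, src.replace("host ", ""), dst, port))
        elif (m := NAT_DEST.match(line)):
            nat_dest[m.group(1)] = m.group(2)    # ACL name -> inside address it is forwarded to
    return dict(acls), nat_dest

def check_pptp_forwarding(acls, nat_dest, public_ip):
    """Report whether PPTP to public_ip is forwarded completely.

    TCP 1723 (control) and GRE / protocol 47 (data) must both be permitted and
    land on the same inside host. Forwarding 1723 alone gives exactly the symptom
    in the thread: credentials are checked over TCP, then the GRE data channel
    never arrives and the client times out.
    """
    control_targets, gre_targets = set(), set()
    for name, entries in acls.items():
        inside = nat_dest.get(name)              # None: permitted but not mapped to an inside host
        for e in entries:
            if e.dst_host != public_ip:
                continue
            if e.proto == "tcp" and e.dst_port == str(PPTP_CONTROL_PORT):
                control_targets.add(inside)
            elif e.proto == "gre":
                gre_targets.add(inside)
    problems = []
    if not control_targets:
        problems.append("no rule permits TCP 1723 (PPTP control channel)")
    if not gre_targets:
        problems.append("no rule permits GRE, IP protocol 47 (PPTP data channel)")
    if None in control_targets | gre_targets:
        problems.append("rule is permitted but has no 'nat destination list' mapping to an inside host")
    hosts = (control_targets | gre_targets) - {None}
    if len(hosts) > 1:
        problems.append("TCP 1723 and GRE are forwarded to different inside hosts: " + ", ".join(sorted(hosts)))
    return {"ok": not problems, "inside_hosts": sorted(hosts), "problems": problems}

if __name__ == "__main__":
    acls, nat = parse_aos_config(SAMPLE_CONFIG)
    for ip in ("67.50.0.10", "67.50.0.11", "67.50.0.12"):
        print(ip, check_pptp_forwarding(acls, nat, ip))
```

A clean report from this check is necessary but not sufficient: because GRE has no ports, a NAT device cannot demultiplex returning GRE packets the way it does TCP or UDP, and has to track the PPTP Call ID negotiated on the control channel instead. That PPTP-aware NAT handling is the "passthrough" the thread discusses, and it is what the firmware upgrade at the end of the thread supplied; the rules above only get the packets to the firewall.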
LVL 2

Expert Comment

by:benjamin
OK,

not being lazy but this article may well help,

http://www.tomsnetworking.com/Sections-article49-page1.php

I think your firewall is not allowing passthrough; it might be worth checking with the manufacturer whether the firewall either requires the ports to be opened or has the functionality built in.  Also, I noted your access list: is your firewall refusing the connection because of the IP address it is coming from? Next thing to check.

Ben

Author Comment

by:PhilOlszewski
The firewall does not have passthrough functionality built in; that is why I created an access list for VPN which allows TCP port 1723 and GRE type 41 traffic.  I don't think the firewall is refusing the connection because of the source IP.  My other access-lists pass through just fine (Citrix, Citrix2, TerminalServer1).  Is there another port that should be open besides TCP 1723 and GRE?

Mike
Author Comment

by:PhilOlszewski
I was just browsing the Adtran website, and I found that the version of firmware does not provide PPTP.  I am going to flash the firmware and upgrade the IOS to fix this problem.

Mike
LVL 2

Accepted Solution

by: benjamin (earned 500 total points)

Sounds good, give it a go and let us know either way if that's OK.

Author Comment

by:PhilOlszewski
The upgrade worked. I upgraded to the latest IOS and firmware.
LVL 2

Expert Comment

by:benjamin
Ok, good to hear it is working.

Ben