PhilOlszewski
asked on
PPTP to Windows server though Adtran NetVanta 3205
I am trying to set up a VPN to my W2k RRAS with PPTP, but when I try to connect from outside the firewall, it times out with error 721 after trying to validate the username and password.
I have created an ip access-list which permits TCP 1723 and type 47 GRE packets. I also use a nat destination list.
ip access-list extended VPN
permit tcp any host 67.50.x.x eq 1723
permit gre any host 67.50.x.x
NAT destination list VPN address 192.168.1.13
Am I missing something?
Mike
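To make concrete what the two lines of the VPN access-list above have to let through, here is an added example (not code from the original poster, from Adtran, or from Microsoft): a small Python script that opens the PPTP control connection on TCP 1723, sends a Start-Control-Connection-Request and decodes the reply, and separately decodes the enhanced GRE header (IP protocol 47, protocol type 0x880B, PPP over GRE) that carries the PPP session once a call is up. The host passed to probe_pptp() is an assumption (the public address the nat destination list maps to 192.168.1.13), and every sample packet is constructed here, not captured.

```python
"""PPTP control-channel probe and PPTP GRE header decoder, built from RFC 2637.

Added example for this thread, not code from the original poster or from Adtran.
Assumptions: the host given to probe_pptp() is the public address that the
"VPN" access-list and "nat destination list" map to the RRAS box; every sample
packet below is constructed here, not captured from a real session.
"""
import socket
import struct
import sys

PPTP_PORT = 1723          # TCP control connection: the "eq 1723" line of the ACL
GRE_IP_PROTO = 47         # IP protocol number of GRE: the "permit gre" line of the ACL
MAGIC_COOKIE = 0x1A2B3C4D
PPP_OVER_GRE = 0x880B     # protocol type field in PPTP's enhanced GRE header
CTRL_MESSAGE = 1
SCCRQ, SCCRP = 1, 2       # Start-Control-Connection-Request / -Reply

# Fixed 156-byte layouts (RFC 2637 sections 2.2 and 2.3); "!" = network order, no padding.
SCCRQ_FMT = "!HHIHHHHIIHH64s64s"
SCCRP_FMT = "!HHIHHHBBIIHH64s64s"


def build_sccrq(hostname=b"pptp-probe", vendor=b"example"):
    """Build the SCCRQ a client sends right after the TCP handshake on 1723."""
    return struct.pack(
        SCCRQ_FMT,
        struct.calcsize(SCCRQ_FMT),   # length (156)
        CTRL_MESSAGE, MAGIC_COOKIE, SCCRQ,
        0,                            # reserved0
        0x0100,                       # protocol version 1.0
        0,                            # reserved1
        1,                            # framing capabilities: asynchronous
        1,                            # bearer capabilities: analog
        1,                            # maximum channels
        0,                            # firmware revision
        hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"),
    )


def parse_sccrp(data):
    """Decode an SCCRP; raise ValueError if the bytes are not one."""
    size = struct.calcsize(SCCRP_FMT)
    if len(data) < size:
        raise ValueError("short reply: %d bytes" % len(data))
    (_length, msg_type, cookie, ctrl_type, _r0, version, result, error,
     _framing, _bearer, _max_chan, _fw, host, vendor) = struct.unpack(SCCRP_FMT, data[:size])
    if cookie != MAGIC_COOKIE or msg_type != CTRL_MESSAGE or ctrl_type != SCCRP:
        raise ValueError("not a PPTP SCCRP")
    return {
        "ok": result == 1,            # result code 1 = control connection established
        "result": result,
        "error": error,
        "version": version,
        "hostname": host.rstrip(b"\0").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\0").decode("ascii", "replace"),
    }


def probe_pptp(host, timeout=5.0):
    """Open the control connection through the firewall and return the parsed SCCRP.

    This only exercises TCP 1723. A good SCCRP followed by a dial that still dies
    during authentication means the PPP data path (GRE, protocol 47) is not getting
    through, which a TCP probe cannot test.
    """
    with socket.create_connection((host, PPTP_PORT), timeout=timeout) as s:
        s.sendall(build_sccrq())
        reply = b""
        while len(reply) < struct.calcsize(SCCRP_FMT):
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    return parse_sccrp(reply)


def parse_pptp_gre(pkt):
    """Decode PPTP's enhanced GRE header (RFC 2637 section 4.1) carried in IP proto 47.

    Returns None for anything that is not PPTP's variant (e.g. plain GRE version 0
    carrying IP), so a caller can tell which GRE a firewall rule must pass.
    """
    if len(pkt) < 8:
        return None
    flags_hi, flags_lo, proto, payload_len, call_id = struct.unpack("!BBHHH", pkt[:8])
    key_present = bool(flags_hi & 0x20)   # K bit: key = payload length + call ID
    has_seq = bool(flags_hi & 0x10)       # S bit
    has_ack = bool(flags_lo & 0x80)       # A bit (PPTP-specific)
    version = flags_lo & 0x07
    if version != 1 or proto != PPP_OVER_GRE or not key_present:
        return None
    need = 8 + 4 * has_seq + 4 * has_ack
    if len(pkt) < need + payload_len:
        return None
    off, seq, ack = 8, None, None
    if has_seq:
        seq = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if has_ack:
        ack = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    return {"call_id": call_id, "payload_len": payload_len,
            "seq": seq, "ack": ack, "ppp": pkt[off:off + payload_len]}


def sample_sccrp():
    """Constructed SCCRP (not a capture) with result code 1 = success."""
    return struct.pack(SCCRP_FMT, 156, CTRL_MESSAGE, MAGIC_COOKIE, SCCRP, 0, 0x0100,
                       1, 0, 1, 1, 1, 0,
                       b"server".ljust(64, b"\0"), b"example".ljust(64, b"\0"))


def sample_pptp_gre():
    """Constructed PPTP GRE packet: K+S set, A set, version 1, one LCP Configure-Request."""
    ppp = b"\xff\x03\xc0\x21\x01\x01\x00\x04"
    hdr = struct.pack("!BBHHH", 0x30, 0x81, PPP_OVER_GRE, len(ppp), 1)
    return hdr + struct.pack("!II", 1, 0) + ppp


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe_pptp(sys.argv[1]))          # e.g. python pptp_probe.py <public address>
    else:
        print(parse_sccrp(sample_sccrp()))
        print(parse_pptp_gre(sample_pptp_gre()))
```

Run it from outside the firewall against the public address. If the SCCRP comes back with result 1, the TCP 1723 rule and its NAT mapping are fine, and a dial that still fails while "verifying username and password" is failing on the GRE leg: the device has to forward protocol 47 to the inside host and, because GRE has no ports, has to track the call ID in the GRE header rather than a port number, which is what vendors mean by "PPTP passthrough". One caveat for anyone still running this: PPTP's MS-CHAPv2 authentication and the MPPE keys derived from it are cryptographically weak by current standards, so a PPTP server reachable from the Internet should be treated as a legacy risk rather than a VPN.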
ASKER
It does work from inside the LAN so I know that it is a firewall issue. The firewall is a Adtran NetVanta 3205. This is the current config:
IndyInet#sho runn
Building configuration...
!
!
hostname "IndyInet"
enable password xxx
!
ip subnet-zero
ip classless
ip routing
!
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
!
username admin password xxx!
banner motd #
Unauthorized Access is strictly prohibited.
#
!
!
ip firewall
ip firewall check syn-flood
!
!
!
!
!
interface eth 0/1
speed auto
ip address 192.168.1.3 255.255.255.0
access-policy Trusted
no shutdown
!
interface t1 1/1
description Frame Relay Internet
tdm-group 1 timeslots 1-24 speed 64
no shutdown
!
interface fr 1 point-to-point
frame-relay lmi-type ansi
no shutdown
cross-connect 1 t1 1/1 1 frame-relay 1
!
interface fr 1.1 point-to-point
frame-relay interface-dlci 16
ip address 172.16.0.34 255.255.255.252
access-policy Untrusted
!
!
!
ip access-list standard InternalNetwork
permit any
!
ip access-list standard MatchAll
permit any
!
!
ip access-list extended ExchangeServer
permit ip host 192.168.1.9 any
permit udp host 192.168.1.9 any
!
ip access-list extended InCitrix
permit tcp any host 67.50.x.x eq 1601
!
ip access-list extended InCitrix2
permit tcp any host 67.50.x.x eq 1602
!
ip access-list extended InExchangeServer
permit tcp any host 67.50.x.x eq smtp
permit tcp any host 67.50.x.x eq www
permit tcp any host 67.50.x.x eq pop3
permit icmp any host 67.50.x.x
!
ip access-list extended InSmtp
permit tcp any host 67.50.x.x eq smtp
!
ip access-list extended InTelnet
permit tcp any host 67.50.x.x eq telnet
!
ip access-list extended InTerminalServer1
permit tcp any host 67.50.x.x eq 3389
!
ip access-list extended InTerminalServer2
permit tcp any host 67.50.x.x eq 3389
!
ip access-list extended OneIp
permit icmp host 208.152.x.x host 67.50.x.x
permit icmp host 216.110.x.x host 67.50.x.x
!
ip access-list extended VPN
permit tcp any host 67.50.x.x eq 1723
permit gre any host 67.50.x.x
!
ip access-list extended WAN
permit tcp any host 172.16.0.34
!
ip policy-class Trusted
nat source list ExchangeServer address 67.50.x.x overload
nat source list MatchAll address 67.50.x.x overload
allow list MatchAll
!
ip policy-class Untrusted
nat destination list InTerminalServer1 address 192.168.1.4
nat destination list InSmtp address 192.168.4.3
nat destination list InCitrix address 192.168.1.5
nat destination list InTelnet address 192.168.1.3
nat destination list OneIp address 192.168.1.3
nat destination list InTerminalServer2 address 192.168.4.3
allow list WAN
nat destination list InCitrix2 address 192.168.1.4
nat destination list InExchangeServer address 192.168.1.9
nat destination list VPN address 192.168.1.13
!
!
ip route 0.0.0.0 0.0.0.0 fr 1.1
ip route 67.50.x.x 255.255.255.248 192.168.1.2
ip route 172.26.1.0 255.255.255.0 192.168.1.2
ip route 192.168.0.0 255.255.0.0 192.168.1.2
!
no ip n-form agent
no ip http server
ip snmp agent
no ip ftp agent
!
!
snmp-server contact "admin"
snmp-server location "USA"
snmp-server chassis-id "Netvanta3205"
snmp-server community jiminy RO
snmp-server community public RO
line con 0
no login
password "xxx"
line-timeout 0
!
line telnet 0 4
login
password "xxx"
!
end
Ok
not being lazy but this article may well help,
http://www.tomsnetworking.com/Sections-article49-page1.php
I think your firewall is not allowing passthrough; it might be worth checking with the manufacturer whether the firewall either requires the ports to be opened or has the functionality built in. Also, I noted your access list: is your firewall refusing the connection because of the IP address it is coming from? That is the next thing to check.
Ben
ASKER
The firewall does not have passthrough functionality built in; that is why I created an access list for VPN which allows TCP port 1723 and GRE type 41 traffic. I don't think the firewall is refusing the connection because of the source IP. My other access-lists pass through just fine (Citrix, Citrix2, TerminalServer1). Is there another port that should be open besides TCP 1723 and GRE?
Mike
ASKER
I was just browsing the Adtran website, and I found that the version of firmware does not provide PPTP. I am going to flash the firmware and upgrade the IOS to fix this problem.
Mike
ASKER
The upgrade worked. I upgraded to the latest IOS and firmware.
Ok, good to hear it is working.
Ben
I have seen this many times, and normally it is the router/firewall not passing VPN (PPTP) correctly, or the NAT is not working correctly with mapping the ports back and forth. What router/firewall do you have? Can you connect to the VPN if you are on your internal LAN? If you can, it shows a router/firewall issue.
Let me know. Oh, and if your router is supplied by your ISP, ring them and check that it passes VPN traffic. I had one from MCI a few months ago that would not; it was not part of their standard config.
Ben