Solved

PPTP to Windows server though Adtran NetVanta 3205

Posted on 2004-04-27
1,404 Views
Last Modified: 2013-11-29
I am trying to set up a VPN to my W2k RRAS with PPTP, but when I try to connect from outside the firewall, it times out with error 721 after trying to validate the username and password.

I have created an IP access list which permits TCP 1723 and type 47 (GRE) packets. I also use a NAT destination list.

ip access-list extended VPN
   permit tcp any host 67.50.x.x eq 1723
   permit gre any host 67.50.x.x

NAT destination list VPN address 192.168.1.13


Am I missing something?

Mike
0
Question by:PhilOlszewski
8 Comments
 
LVL 2

Expert Comment

by:benjamin
ID: 10933202
Hi,

I have seen this many times, and normally it is the router/firewall not passing VPN (PPTP) correctly, or the NAT not working correctly with mapping the ports back and forth. What router/firewall do you have? Can you connect to the VPN if you are on your internal LAN? If you can, it shows a router/firewall issue.

Let me know. Oh, and if your router is supplied by your ISP, ring them and check that it passes VPN traffic. I had one from MCI a few months ago that would not; it was not part of their standard config.

Ben
0
 

Author Comment

by:PhilOlszewski
ID: 10938678
It does work from inside the LAN, so I know that it is a firewall issue. The firewall is an Adtran NetVanta 3205. This is the current config:

IndyInet#sho runn
Building configuration...
!
!
hostname "IndyInet"
enable password xxx
!
ip subnet-zero
ip classless
ip routing
!
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
!
username admin password xxx!
banner motd #
Unauthorized Access is strictly prohibited.
#
!
!
ip firewall
ip firewall check syn-flood
!
!
!
!
!
interface eth 0/1
  speed auto
  ip address  192.168.1.3  255.255.255.0
  access-policy Trusted
  no shutdown
!
interface t1 1/1
  description Frame Relay Internet
  tdm-group 1 timeslots 1-24 speed 64
  no shutdown
!
interface fr 1 point-to-point
  frame-relay lmi-type ansi
  no shutdown
  cross-connect 1 t1 1/1 1 frame-relay 1
!
interface fr 1.1 point-to-point
  frame-relay interface-dlci 16
  ip address  172.16.0.34  255.255.255.252
  access-policy Untrusted
!
!
!
ip access-list standard InternalNetwork
  permit any
!
ip access-list standard MatchAll
  permit any
!
!
ip access-list extended ExchangeServer
  permit ip host 192.168.1.9  any
  permit udp host 192.168.1.9  any
!
ip access-list extended InCitrix
  permit tcp any  host 67.50.x.x eq 1601
!
ip access-list extended InCitrix2
  permit tcp any  host 67.50.x.x eq 1602
!
ip access-list extended InExchangeServer
  permit tcp any  host 67.50.x.x eq smtp
  permit tcp any  host 67.50.x.x eq www
  permit tcp any  host 67.50.x.x eq pop3
  permit icmp any  host 67.50.x.x
!
ip access-list extended InSmtp
  permit tcp any  host 67.50.x.x eq smtp
!
ip access-list extended InTelnet
  permit tcp any  host 67.50.x.x eq telnet
!
ip access-list extended InTerminalServer1
  permit tcp any  host 67.50.x.x eq 3389
!
ip access-list extended InTerminalServer2
  permit tcp any  host 67.50.x.x eq 3389
!
ip access-list extended OneIp
  permit icmp host 208.152.x.x  host 67.50.x.x
  permit icmp host 216.110.x.x  host 67.50.x.x
!
ip access-list extended VPN
  permit tcp any  host 67.50.x.x eq 1723
  permit gre any  host 67.50.x.x
!
ip access-list extended WAN
  permit tcp any  host 172.16.0.34
!
ip policy-class Trusted
  nat source list ExchangeServer address 67.50.x.x overload
  nat source list MatchAll address 67.50.x.x overload
  allow list MatchAll
!
ip policy-class Untrusted
  nat destination list InTerminalServer1 address 192.168.1.4
  nat destination list InSmtp address 192.168.4.3
  nat destination list InCitrix address 192.168.1.5
  nat destination list InTelnet address 192.168.1.3
  nat destination list OneIp address 192.168.1.3
  nat destination list InTerminalServer2 address 192.168.4.3
  allow list WAN
  nat destination list InCitrix2 address 192.168.1.4
  nat destination list InExchangeServer address 192.168.1.9
  nat destination list VPN address 192.168.1.13
!
!
ip route 0.0.0.0 0.0.0.0 fr 1.1
ip route 67.50.x.x 255.255.255.248 192.168.1.2
ip route 172.26.1.0 255.255.255.0 192.168.1.2
ip route 192.168.0.0 255.255.0.0 192.168.1.2
!
no ip n-form agent
no ip http server
ip snmp agent
no ip ftp agent
!
!
snmp-server contact "admin"
snmp-server location "USA"
snmp-server chassis-id "Netvanta3205"
snmp-server community jiminy RO
snmp-server community public RO
line con 0
  no login
  password "xxx"
  line-timeout 0
!
line telnet 0 4
  login
  password "xxx"
!
end
0
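The posted running-config shows the two pieces a PPTP forward needs on the untrusted side: an extended access list that admits both the TCP/1723 control channel and GRE to the same public host, and a NAT destination entry that maps that list to the inside RRAS server. The thread's eventual diagnosis (firmware without PPTP support) shows a correct list is necessary but not sufficient, so the script below only checks the necessary half, and additionally flags two exposure items that are visible in the same config from a defender's point of view: a management protocol (telnet) forwarded from any source, and a well-known SNMP community string. This is an added example, not code from the original post or from Adtran; the config excerpt is pasted from the thread with the poster's `67.50.x.x` placeholder kept, and the line shapes the regular expressions accept are an assumption based on those posted lines only (AOS syntax beyond them is not modelled).

```python
"""Audit an AOS-style (Adtran NetVanta) running-config excerpt for PPTP
reachability and a couple of exposure items. Added example; not Adtran code."""
import re
from collections import defaultdict

# Constructed input: access-list / policy-class / snmp lines copied from the
# running-config posted in the thread above (public address left as 67.50.x.x).
CONFIG = """\
ip access-list extended InTelnet
  permit tcp any  host 67.50.x.x eq telnet
!
ip access-list extended VPN
  permit tcp any  host 67.50.x.x eq 1723
  permit gre any  host 67.50.x.x
!
ip access-list extended WAN
  permit tcp any  host 172.16.0.34
!
ip policy-class Untrusted
  nat destination list InTelnet address 192.168.1.3
  allow list WAN
  nat destination list VPN address 192.168.1.13
!
snmp-server community jiminy RO
snmp-server community public RO
"""

PPTP_CONTROL_PORT = "1723"  # PPTP control channel; the data channel is GRE (IP proto 47)

# Line shapes assumed from the posted config (not a full AOS grammar).
ACL_HDR = re.compile(r"ip access-list extended (\S+)")
POLICY_HDR = re.compile(r"ip policy-class (\S+)")
SNMP_LINE = re.compile(r"snmp-server community (\S+)")
PERMIT = re.compile(r"permit (\S+) (any|host \S+)\s+(any|host \S+)(?: eq (\S+))?$")
NAT_DST = re.compile(r"nat destination list (\S+) address (\S+)")
ALLOW = re.compile(r"allow list (\S+)")


def parse_config(text):
    """Return (acls, policies, communities).
    acls:     name -> [(proto, src, dst, port_or_None), ...]
    policies: name -> [("nat-dst", acl, inside_ip) | ("allow", acl, None), ...]
    """
    acls, policies, communities = defaultdict(list), defaultdict(list), []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":      # '!' terminates a config section
            section = None
            continue
        if m := ACL_HDR.match(line):
            section = ("acl", m.group(1)); continue
        if m := POLICY_HDR.match(line):
            section = ("policy", m.group(1)); continue
        if m := SNMP_LINE.match(line):
            communities.append(m.group(1)); continue
        if section is None:
            continue
        kind, name = section
        if kind == "acl" and (m := PERMIT.match(line)):
            proto, src, dst, port = m.groups()
            acls[name].append((proto, src.replace("host ", ""),
                               dst.replace("host ", ""), port))
        elif kind == "policy":
            if m := NAT_DST.match(line):
                policies[name].append(("nat-dst", m.group(1), m.group(2)))
            elif m := ALLOW.match(line):
                policies[name].append(("allow", m.group(1), None))
    return dict(acls), dict(policies), communities


def pptp_forwarding_status(acls, policies, untrusted="Untrusted"):
    """For every NAT destination entry in the untrusted policy, report whether the
    referenced ACL admits TCP/1723, GRE, and both to the *same* public host.
    Returns {inside_ip: {"tcp1723": bool, "gre": bool, "same_host": bool}}."""
    status = {}
    for kind, acl, inside in policies.get(untrusted, []):
        if kind != "nat-dst":
            continue
        entries = acls.get(acl, [])
        tcp_hosts = {d for p, _, d, port in entries if p == "tcp" and port == PPTP_CONTROL_PORT}
        gre_hosts = {d for p, _, d, _ in entries if p == "gre"}
        if tcp_hosts or gre_hosts:   # only lists that look PPTP-related are reported
            status[inside] = {"tcp1723": bool(tcp_hosts), "gre": bool(gre_hosts),
                              "same_host": bool(tcp_hosts & gre_hosts)}
    return status


def exposure_findings(acls, policies, communities, untrusted="Untrusted"):
    """Defender-side checks on the same config: telnet forwarded from any source,
    and well-known SNMP community strings."""
    findings = []
    for kind, acl, inside in policies.get(untrusted, []):
        for _, src, _, port in acls.get(acl, []):
            if kind == "nat-dst" and src == "any" and port in ("telnet", "23"):
                findings.append(f"telnet from any forwarded to {inside} via list {acl}")
    findings += [f"well-known SNMP community '{c}'" for c in communities if c in ("public", "private")]
    return findings


if __name__ == "__main__":
    a, p, c = parse_config(CONFIG)
    print("PPTP forwards:", pptp_forwarding_status(a, p))
    print("Findings:", *exposure_findings(a, p, c), sep="\n  ")
```

Run on the pasted excerpt, the VPN list is reported as complete for 192.168.1.13 (TCP/1723 and GRE to the same host), which matches the poster's conclusion that the access list itself was not the problem; the findings list is where a reviewer would start tightening the rest of the policy.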
 
LVL 2

Expert Comment

by:benjamin
ID: 10953497
Ok

not being lazy but this article may well help,

http://www.tomsnetworking.com/Sections-article49-page1.php

I think your firewall is not allowing passthrough; it might be worth checking with the manufacturer whether the firewall either requires the ports to be opened or has the functionality built in. Also, I noted your access list: is your firewall refusing the connection because of the IP address it is coming from? Next thing to check.

Ben
0
 

Author Comment

by:PhilOlszewski
ID: 10953824
The firewall does not have passthrough functionality built in; that is why I created an access list for VPN which allows TCP port 1723 and GRE type 41 traffic. I don't think the firewall is refusing the connection because of the source IP. My other access lists pass through just fine (Citrix, Citrix2, TerminalServer1). Is there another port that should be open besides TCP 1723 and GRE?

Mike
0
 

Author Comment

by:PhilOlszewski
ID: 10961376
I was just browsing the Adtran website, and I found that the version of firmware does not provide PPTP. I am going to flash the firmware and upgrade the IOS to fix this problem.

Mike
0
 
LVL 2

Accepted Solution

by:
benjamin earned 1500 total points
ID: 10962214
Sounds good, give it a go and let us know either way, if that's ok.
0
 

Author Comment

by:PhilOlszewski
ID: 11006563
The upgrade worked. I upgraded to the latest IOS and firmware.
0
 
LVL 2

Expert Comment

by:benjamin
ID: 11021339
Ok, good to hear it is working.

Ben
0
