Solved

A little Cisco Guidance on IP NAT and PPTP

Posted on 2004-08-12
821 Views
Last Modified: 2012-05-05
I'm trying to set up our Cisco 1700 router to forward Microsoft VPN connection attempts to our VPN server. I want to be able to let any Windows machine from any IP address (dynamic) log onto our network. If I type the following commands, will this open up our router to let PPTP connections through to our server, assuming that the server's IP is 192.168.50.2? For any that might be wondering, yes, I know that I have to be in "Enabled" mode.

Command 1: ip nat inside source static tcp 192.168.50.2 1723 interface FastEthernet0/0 1723

Command 2: access-list 101 permit ip any any

The reason I ask is because I've been reading the following page on Cisco.com:
http://cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800949c0.shtml
I'm not quite sure how to apply the info given on this page, though. If someone could explain things a little, that would be great! I'm getting a book on Ciscos, and I'll probably get my CCNA, but for now I'm just learning. A little guidance will go a long way.

Here's the config:


Mckeough1720#sho running-config
Building configuration...

Current configuration : 3565 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Mckeough1720
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
enable secret 5 $1$aRWL$8GrYUDSoABjufv587pS.5.
enable password 7 0509071B32
!
username mckeough password 7 1309161C0F1E1139
memory-size iomem 20
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
!
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key MCKEOUGHlandsTraverse49456 address 67.39.227.78 no-xauth
!
crypto isakmp client configuration group mckeough
 key mckeoughlands
 dns 192.168.254.1
 wins 192.168.254.1
 domain ourdomain.com
 pool ippool
 acl 108
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set trans1 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 2 ipsec-isakmp
 description Connection to Traverse City Office
 set peer 67.39.227.78
 set transform-set trans1
 match address 161
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Loopback0
 ip address 10.254.254.5 255.255.255.252
!
interface Ethernet0
 ip address 67.39.131.113 255.255.255.248
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 half-duplex
 no cdp enable
 crypto map clientmap
!
interface FastEthernet0
 ip address 192.168.254.10 255.255.255.0
 ip nat inside
 no ip route-cache
 ip policy route-map nonat-map
 no ip mroute-cache
 speed auto
 full-duplex
 no cdp enable
!
ip local pool ippool 10.0.1.100 10.0.1.200
ip nat pool INTERNET 67.39.131.113 67.39.131.113 netmask 255.255.255.248
ip nat inside source route-map INTERNET pool INTERNET overload
ip nat inside source static tcp 192.168.254.1 25 67.39.131.113 25 extendable
ip nat inside source static tcp 192.168.254.1 80 67.39.131.113 80 extendable
ip nat inside source static tcp 192.168.254.2 3389 67.39.131.113 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 67.39.131.113
ip route 10.99.1.0 255.255.255.0 64.109.109.92
no ip http server
ip pim bidir-enable
!
!
ip access-list extended nonat-list
 permit ip 192.168.254.0 0.0.0.255 10.99.1.0 0.0.0.255
 permit ip 192.168.254.0 0.0.0.255 10.0.1.0 0.0.0.255
 permit ip 192.168.254.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 101 deny   tcp any eq 139 any
access-list 101 deny   tcp any eq 135 any
access-list 101 deny   udp any eq netbios-ss any
access-list 101 deny   udp any eq netbios-ns any
access-list 101 deny   ip 192.168.254.0 0.0.0.255 10.99.1.0 0.0.0.255
access-list 101 deny   ip 192.168.254.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 101 deny   ip 192.168.254.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.254.0 0.0.0.255 any
access-list 108 permit ip 192.168.254.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 160 permit ip 192.168.254.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 160 permit ip 192.168.254.0 0.0.0.255 10.99.1.0 0.0.0.255
access-list 161 permit ip 192.168.254.0 0.0.0.255 192.168.1.0 0.0.0.255
no cdp run
!
route-map INTERNET permit 10
 match ip address 101
!
route-map nonat-map permit 10
 match ip address nonat-list
 set ip next-hop 10.254.254.6
!
snmp-server community public RO
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 password 7 1119180B1313
!
end
Question by:mckeough
Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 11786437
Well, according to the link you posted, all you need to do is use the command:

ip nat inside source static tcp 192.168.50.2 1723 67.39.131.113 1723

Substitute the 192.168.50.2 address for your VPN server's address.

You don't need the "access-list 101 permit ip any any" command since you already have your NAT traffic defined in route-map INTERNET.

I thought you needed to use a one to one (static) NAT to forward GRE for a PPTP VPN but the link doesn't talk about that.
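
Added example, not from the thread or from the Cisco page it links: a small Python probe that opens the PPTP control connection (RFC 2637, TCP/1723) against the translated address and decodes the Start-Control-Connection-Reply. It verifies exactly the part of the problem the static NAT command above addresses, whether TCP/1723 reaches a PPTP server behind the router, and nothing more: the GRE tunnel (IP protocol 47) that carries the PPP session is not exercised here, so a server that answers this probe but still fails authentication from outside points at GRE, not at port 1723. The hostname and vendor strings, and the sample reply bytes used to check the parser, are constructed.

```python
"""PPTP control-channel probe: does TCP/1723 through the NAT reach a PPTP server?

Added example, not part of the original thread. Only the TCP control
connection of RFC 2637 is exercised; the GRE tunnel that carries the PPP
frames cannot be checked from an ordinary socket.
"""
import socket
import struct

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
CTRL_MESSAGE = 1            # PPTP Message Type: control message
SCCRQ = 1                   # Start-Control-Connection-Request
SCCRP = 2                   # Start-Control-Connection-Reply
PROTO_VERSION = 0x0100

# RFC 2637 sections 2.1 and 2.2, all fields big-endian, 156 bytes each.
_SCCRQ_FMT = "!HHIHHHHIIHH64s64s"   # ... version, Reserved1, framing, bearer, ...
_SCCRP_FMT = "!HHIHHHBBIIHH64s64s"  # ... version, Result Code, Error Code, framing, ...
SCCRP_RESULTS = {
    1: "Successful channel establishment",
    2: "General error",
    3: "Command channel already exists",
    4: "Requester is not authorized",
    5: "Unsupported protocol version",
}


def build_sccrq(hostname=b"probe", vendor=b"added-example"):
    """Serialise an SCCRQ advertising both framing and both bearer types."""
    pkt = struct.pack(
        _SCCRQ_FMT,
        struct.calcsize(_SCCRQ_FMT), CTRL_MESSAGE, MAGIC_COOKIE,
        SCCRQ, 0,                       # Control Message Type, Reserved0
        PROTO_VERSION, 0,               # Protocol Version, Reserved1
        3, 3,                           # Framing caps (async|sync), Bearer caps (analog|digital)
        1, 0,                           # Maximum Channels, Firmware Revision
        hostname.ljust(64, b"\0")[:64], vendor.ljust(64, b"\0")[:64],
    )
    assert len(pkt) == 156
    return pkt


def parse_sccrp(data):
    """Decode an SCCRP; raise ValueError if the bytes are not one."""
    if len(data) < struct.calcsize(_SCCRP_FMT):
        raise ValueError("short read: %d bytes" % len(data))
    (length, msg_type, cookie, ctrl_type, _res0, version,
     result, error, framing, bearer, max_chan, fw_rev,
     host, vendor) = struct.unpack(_SCCRP_FMT, data[:156])
    if cookie != MAGIC_COOKIE or msg_type != CTRL_MESSAGE:
        raise ValueError("not a PPTP control message")
    if ctrl_type != SCCRP:
        raise ValueError("unexpected control message type %d" % ctrl_type)
    return {
        "result": result,
        "result_text": SCCRP_RESULTS.get(result, "unknown (%d)" % result),
        "error": error,
        "version": version,
        "hostname": host.rstrip(b"\0").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\0").decode("ascii", "replace"),
    }


def probe(host, port=PPTP_PORT, timeout=5.0):
    """Open the control connection via the NAT address and return the parsed reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sccrq())
        buf = b""
        while len(buf) < 156:
            chunk = s.recv(156 - len(buf))
            if not chunk:
                raise ValueError("server closed connection after %d bytes" % len(buf))
            buf += chunk
    return parse_sccrp(buf)


if __name__ == "__main__":
    import sys
    # e.g. python pptp_probe.py 67.39.131.113  (the outside address in the config above)
    print(probe(sys.argv[1]))
```

A result code of 1 from the outside address proves the port static is working and the server is listening; a connection refused or timeout means TCP/1723 never arrives at the server. Neither outcome says anything about GRE.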
Author Comment

by:mckeough
ID: 11786732
I ran the command with the correct IPs but got an error. The error is, "% Invalid input detected at '^' marker." The marker is on the 'p' in 'ip', which is the first thing in the line "ip nat inside source static tcp 192.168.50.2 1723 67.39.131.113 1723." I also tried the exact command (other than the IP address) from Cisco's website and I got the same error. Any ideas?
Expert Comment

by:JFrederick29
ID: 11786874
Make sure you are in global configuration mode:

router>enable
Password:
router#config term
router(config)#ip nat inside source static tcp 192.168.50.2 1723 67.39.131.113 1723
Author Comment

by:mckeough
ID: 11787978
Thanks! That worked. The points are yours, but before I close this out, could you take a look at a screenshot? If you don't know anything about what is going on, that's fine. The reason I think it has something to do with the Cisco is that when I test a connection from INSIDE our LAN directly to our VPN server, authentication is fine. If I try to authenticate by connecting to our outside IP, then I get the following error:

http://www.mckeough.com/screenshot.jpg

Whether you know or not, thanks for your help!
Expert Comment

by:JFrederick29
ID: 11788049
If you are attempting to connect to the VPN server using L2TP along with PPTP, you will need to also forward the L2TP ports to your VPN server:

Try:

router>enable
Password:
router#config term
router(config)#ip nat inside source static tcp 192.168.50.2 1701 67.39.131.113 1701
router(config)#ip nat inside source static udp 192.168.50.2 500 67.39.131.113 500

Remember to use the correct IP address for your VPN server.
Expert Comment

by:lrmoore
ID: 11789963
You need to pass GRE, and you can't unless you have 1-1 static NAT.
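
Added example, not part of the thread: a Python audit of the NAT statements in a running-config that checks the point lrmoore's comment makes. PPTP needs two things translated to the server: TCP/1723 for the control channel and GRE, IP protocol 47, for the tunnel. A port-based static such as the accepted answer's command only translates TCP, and GRE has no port to match on, so it can only reach the inside host through a 1:1 static (`ip nat inside source static <inside> <outside>`). The script parses the `ip nat inside source static` lines and the interfaces marked `ip nat inside` / `ip nat outside`, then reports what is missing for a given server address. It also flags two things visible in this config that are easy to miss: the 192.168.50.2 address used in the thread is not on the 192.168.254.0/24 `ip nat inside` subnet, and the only public address, 67.39.131.113, is the router's own Ethernet0 address with the IPsec crypto map on it, so a 1:1 static to that address needs checking against ISAKMP/ESP and the existing port statics. The sample input is constructed from the thread's own NAT and interface lines plus the accepted answer's 1723 command; the regexes only cover the command forms that appear on this page.

```python
"""Audit an IOS running-config for what a PPTP server behind NAT needs.

Added example, not from the thread. PPTP = TCP/1723 (control) + GRE,
IP protocol 47 (tunnel). A port static only carries TCP/UDP; GRE needs
a 1:1 static to the same inside host.
"""
import ipaddress
import re

# Constructed sample: the thread's interface and NAT lines, trimmed,
# plus the accepted answer's port static for 1723.
SAMPLE_CONFIG = """
interface Ethernet0
 ip address 67.39.131.113 255.255.255.248
 ip nat outside
 crypto map clientmap
!
interface FastEthernet0
 ip address 192.168.254.10 255.255.255.0
 ip nat inside
!
ip nat inside source route-map INTERNET pool INTERNET overload
ip nat inside source static tcp 192.168.254.1 25 67.39.131.113 25 extendable
ip nat inside source static tcp 192.168.254.1 80 67.39.131.113 80 extendable
ip nat inside source static tcp 192.168.254.2 3389 67.39.131.113 3389 extendable
ip nat inside source static tcp 192.168.50.2 1723 67.39.131.113 1723
"""

# Only the two static forms used on this page: port static (with an IP or
# 'interface <name>' as the outside side) and plain 1:1 static.
PORT_STATIC = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (?:interface (\S+)|(\S+)) (\d+)")
ONE_TO_ONE = re.compile(
    r"^ip nat inside source static (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")


def parse_config(text):
    """Return (interfaces by name, list of static translations)."""
    interfaces, statics, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            cur = interfaces.setdefault(line.split()[1],
                                        {"nat": None, "crypto": False, "net": None})
        elif line.startswith(" ") and cur is not None:      # inside an interface block
            f = line.split()
            if f[:2] == ["ip", "address"] and len(f) >= 4:
                cur["net"] = ipaddress.IPv4Interface("%s/%s" % (f[2], f[3]))
            elif f[:2] == ["ip", "nat"]:
                cur["nat"] = f[2]                          # 'inside' or 'outside'
            elif f[:2] == ["crypto", "map"]:
                cur["crypto"] = True
        else:                                               # '!' or a global command
            cur = None
            m = PORT_STATIC.match(line)
            if m:
                proto, inside, iport, ifname, outside, oport = m.groups()
                statics.append({"kind": "port", "proto": proto, "inside": inside,
                                "iport": int(iport), "outside": outside,
                                "interface": ifname, "oport": int(oport)})
                continue
            m = ONE_TO_ONE.match(line)
            if m:
                statics.append({"kind": "1to1", "inside": m.group(1), "outside": m.group(2)})
    return interfaces, statics


def audit_pptp(text, server):
    """Return the findings that stop PPTP reaching `server`; [] means nothing found."""
    interfaces, statics = parse_config(text)
    findings = []
    inside_nets = [i["net"].network for i in interfaces.values()
                   if i["nat"] == "inside" and i["net"]]
    if not any(ipaddress.IPv4Address(server) in n for n in inside_nets):
        findings.append("%s is not on any 'ip nat inside' subnet (%s)"
                        % (server, ", ".join(str(n) for n in inside_nets)))
    mine = [s for s in statics if s["inside"] == server]
    one_to_one = [s for s in mine if s["kind"] == "1to1"]
    has_1723 = any(s["kind"] == "port" and s["proto"] == "tcp"
                   and s["iport"] == 1723 and s["oport"] == 1723 for s in mine)
    if not has_1723 and not one_to_one:
        findings.append("no translation carries TCP/1723 to %s" % server)
    if not one_to_one:
        findings.append("GRE (IP protocol 47) has no ports, so no port static can carry it; "
                        "a 1:1 static 'ip nat inside source static %s <outside>' is needed" % server)
    for s in one_to_one:                                    # 1:1 static on the router's own address?
        for name, i in interfaces.items():
            if i["net"] and str(i["net"].ip) == s["outside"]:
                note = "1:1 static uses %s, the router's own %s address" % (s["outside"], name)
                if i["crypto"]:
                    note += "; a crypto map terminates IPsec there, so verify ISAKMP/ESP still reach the router"
                others = [o for o in statics if o["kind"] == "port"
                          and o["outside"] == s["outside"] and o["inside"] != server]
                if others:
                    note += "; %d port statics for other hosts share that address, verify their precedence" % len(others)
                findings.append(note)
    return findings


if __name__ == "__main__":
    for f in audit_pptp(SAMPLE_CONFIG, "192.168.50.2"):
        print("-", f)
```

Run against the sample as posted, the audit reports that 192.168.50.2 is outside the inside subnet and that nothing carries GRE; append a 1:1 static for the server and the GRE finding disappears, replaced by the note about sharing the router's own IPsec-terminating address.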
Author Comment

by:mckeough
ID: 11797088
lrmoore, are you saying I need a static IP on the other end, need to add another line of configuration to the Cisco router, need another Cisco router at my other office, or all of the above? Instead of replying here, reply to the new post, so you guys can get some more points:

http://www.experts-exchange.com/Hardware/Routers/Q_21093340.html


Author Comment

by:mckeough
ID: 11797123
lrmoore, go to Google and type in "Cisco 1700 commands." Check out what comes up as the first hit! I thought it was neat. You can also type in "Basic Cisco Commands" and you'll see the same thing listed in 3rd or 4th place. Just thought it was neat, and thought I'd tell you since you helped me out so much.
Expert Comment

by:lrmoore
ID: 11797448
Way cool....