  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 335

Get PPTP to pass through a Cisco 2600

Looking for a way to use a PPTP VPN at work.  Got the Windows VPN, RAS, client, all that good stuff worked out and tested OK.  Cannot get PPTP to pass through the router.  Does anyone know how to do this, or if it's possible to do with NAT or access-lists?

Thanks in advance!

Asked by zenportafino

1 Solution

lrmoore commented:
You have to be more specific.
You have a RRAS server on the inside network
You want to connect with a client from outside the network.

Yes, it is possible, but you must have a minimum of 2 public IP addresses: one for NAT for everyone and one just for the RRAS server. If you can post your config (minus the passwords and real public IPs) we can probably come up with something for you to try.

References:
PPTP traffic consists of a TCP connection for tunnel maintenance (port 1723) and GRE encapsulation for tunneled data. The TCP connection is NAT-translatable because the source TCP port numbers can be transparently translated. However, the GRE-encapsulated data is not NAT-translatable.

From Cisco documentation (same issue with PIX firewall)
Because the connection is initiated as TCP on one port and the response is GRE protocol, it is necessary to configure ACLs to allow the return traffic into the PIX, as the PIX Adaptive Security Algorithm (ASA) does not know the traffic flows are related. PPTP through the PIX with NAT (one-to-one address mapping) works because the PIX uses the port information in the TCP or User Datagram Protocol (UDP) header to keep track of translation. PPTP through the PIX with Port Address Translation (PAT) does not work because there is no concept of ports in GRE.

But, with one-to-one static NAT it works just fine.
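
Added example (not from the thread): a small Python model of the two translation styles discussed above, using the thread's own addresses. It shows the TCP 1723 control connection reaching an inside server through either a port-level static or a 1:1 static, while the GRE data stream only gets through the 1:1 static, and that an "overload" (PAT) translation has no port to key GRE return traffic on. The packet tuples and the client address 203.0.113.9 are constructed; the "static tcp ... 47" rules model the port-level mapping the asker tries further down the thread. One caveat the model leaves out: PPTP's enhanced GRE header carries a Call ID in its Key field (RFC 2637), which PPTP-aware NAT implementations use to tell tunnels apart; neither this model nor the plain overload NAT in this thread has such a helper.

```python
"""PPTP through NAT: why a 1:1 static works and port statics / PAT do not.

Added example, not from the thread. PPTP (RFC 2637) needs two flows:
a TCP control connection to port 1723 and GRE (IP protocol 47) carrying
the PPP frames. Packets below are constructed; the addresses are the
thread's own (RRAS server 192.168.1.57 behind 62.62.62.135).
"""
from dataclasses import dataclass, replace
from typing import Optional

TCP, UDP, GRE = 6, 17, 47


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for GRE: the header has no ports
    dport: Optional[int] = None


@dataclass(frozen=True)
class StaticPort:
    """ip nat inside source static tcp <in_ip> <in_port> <out_ip> <out_port>"""
    inside_ip: str
    inside_port: int
    outside_ip: str
    outside_port: int

    def match_inbound(self, p: Packet) -> bool:
        # Only a TCP segment to the mapped port is translated; '47' here is a
        # TCP port number, it never matches IP protocol 47.
        return p.proto == TCP and p.dst == self.outside_ip and p.dport == self.outside_port

    def translate_inbound(self, p: Packet) -> Packet:
        return replace(p, dst=self.inside_ip, dport=self.inside_port)


@dataclass(frozen=True)
class StaticOneToOne:
    """ip nat inside source static <in_ip> <out_ip>  (every protocol, every port)"""
    inside_ip: str
    outside_ip: str

    def match_inbound(self, p: Packet) -> bool:
        return p.dst == self.outside_ip

    def translate_inbound(self, p: Packet) -> Packet:
        return replace(p, dst=self.inside_ip)


def translate_inbound(rules, p: Packet) -> Optional[Packet]:
    """First matching rule wins; None means there is no inside host to deliver to."""
    for r in rules:
        if r.match_inbound(p):
            return r.translate_inbound(p)
    return None


def pptp_reaches_server(rules, client_ip, server_pub, server_priv) -> bool:
    """True only if both halves of a client-initiated PPTP session land on the server."""
    ctrl = translate_inbound(rules, Packet(TCP, client_ip, server_pub, sport=40000, dport=1723))
    data = translate_inbound(rules, Packet(GRE, client_ip, server_pub))  # no ports at all
    return all(x is not None and x.dst == server_priv for x in (ctrl, data))


def outbound_pat_key(p: Packet):
    """The (proto, port) an 'overload' translation keys return traffic on.
    GRE gives None: two inside PPTP clients sharing one overloaded address
    are indistinguishable on the way back, the PAT failure quoted above."""
    return (p.proto, p.sport) if p.proto in (TCP, UDP) else None


# Port-level statics: TCP *port* 47 is not IP protocol 47 (GRE).
PORT_STATICS = [
    StaticPort("192.168.1.57", 1723, "62.62.62.135", 1723),
    StaticPort("192.168.1.57", 47, "62.62.62.135", 47),
]
# The 1:1 static the answer recommends.
ONE_TO_ONE = [StaticOneToOne("192.168.1.57", "62.62.62.135")]

if __name__ == "__main__":
    for name, rules in (("port statics", PORT_STATICS), ("1:1 static", ONE_TO_ONE)):
        ok = pptp_reaches_server(rules, "203.0.113.9", "62.62.62.135", "192.168.1.57")
        print(f"{name:13s}: PPTP session reaches RRAS server = {ok}")
```

Running it prints False for the port statics (the control connection gets in, the GRE packet matches nothing and is dropped) and True for the 1:1 static.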

zenportafino (Author) commented:
Thanks for the reply.  Here's the sh run. Any questions just ask.  Thanks again.

sesamestreet#sh run
Building configuration...

Current configuration : 3492 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname sesamestreet
!
enable password 7 928377736400192888276365
!
!
!
!
!
clock timezone CMT -8
ip subnet-zero
no ip finger
ip domain-name SESAMESTREET.com
ip name-server 4.2.2.2
ip name-server 4.2.2.2
!
!
!
!
interface FastEthernet0/0
 description cAN YOU TELL ME HOW TO GET TO
 ip address 10.0.0.1 255.255.255.0 secondary
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 speed 100
 full-duplex
!
interface Serial0/0
 description To ISP
 bandwidth 1536
 no ip address
 ip access-group 100 in
 encapsulation frame-relay IETF
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 bandwidth 1536
 ip address 62.62.62.129 255.255.255.128
 ip access-group 100 in
 ip nat outside
 frame-relay interface-dlci 500 IETF
!
ip nat inside source list 11 interface Serial0/0.1 overload
ip nat inside source static tcp 192.168.1.7 110 62.62.62.250 110 extendable
ip nat inside source static tcp 192.168.1.7 25 62.62.62.250 25 extendable
ip nat inside source static tcp 10.0.0.2 80 62.62.62.129 80 extendable
ip nat inside source static 10.0.0.2 62.62.62.137
ip nat inside source static tcp 192.168.1.13 80 62.62.62.200 80 extendable
ip nat inside source static tcp 192.168.1.16 80 62.62.62.201 80 extendable
ip nat inside source static tcp 192.168.1.16 443 62.62.62.201 443 extendable
ip nat inside source static tcp 192.168.1.55 21 62.62.62.204 21 extendable
ip nat inside source static tcp 192.168.1.55 20 62.62.62.204 20 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
ip http server
ip http port 8000
ip http access-class 11
!
access-list 11 permit 192.168.1.0 0.0.0.255
access-list 100 deny   ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip any any
!
line con 0
 password 7 37ye7777a7d7f777a7b7cc76
 login
 transport preferred none
 transport input none
line aux 0
 password 7 37ye7777a7d7f777a7b7cc76
 login
 modem InOut
 transport preferred none
 transport input all
 transport output pad v120 telnet rlogin udptn
 stopbits 1
 flowcontrol hardware
line vty 0
 exec-timeout 30 0
 password 7 37ye7777a7d7f777a7b7cc76
 login
 transport preferred none
line vty 1
 exec-timeout 30 0
 password 7 37ye7777a7d7f777a7b7cc76
 login
 transport preferred none
line vty 2 4
 exec-timeout 30 0
 password 7 37ye7777a7d7f777a7b7cc76
 login
 transport preferred none
!
end

zenportafino (Author) commented:
I want to use 62.62.62.135 for the public IP and 192.168.1.57 for the inside ras server.

I've tried adding this but it didn't work

ip nat inside source static tcp 192.168.1.57 1723 62.62.62.135 1723 extendable
ip nat inside source static tcp 192.168.1.57 47 62.62.62.135 47 extendable

lrmoore commented:
You must create a 1-1 static nat, not port translations.

  ip nat inside source static 192.168.1.57 62.62.62.135

With this access-list, if your VPN users are at home on a 192.168.1.x subnet, the VPN traffic will be blocked.
access-list 100 deny   ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip any any

Let's just remove the ACL from the interface while testing, then we can re-apply something more appropriate.


zenportafino (Author) commented:
I have done the above before but don't like it because it allows every single port to pass to the 1.57 interface.  It seems really insecure.  How can I control filtering when NATting everything from 135 to 57?

lrmoore commented:
Whether you like it or not, it's the only way to do what you want.
The good news is that it is easy to control. Create an inbound access-list like this, allowing only the ports you need:

   ip access-list extended inbound
     permit tcp any any established   <----required (best to keep at the top, too)
     permit udp any eq 53 any          <----required for dns resolution
     permit tcp any host 62.62.62.135 eq 1723      <-- to establish PPTP connection
     permit gre any host 62.62.62.135                  <-- required for the PPTP data
     permit tcp any host 62.62.62.250 eq smtp      <-- allow inbound email
     permit tcp any host 62.62.62.250 eq pop3      <-- allow inbound pop3
     permit tcp any host 62.62.62.129 eq www      <-- allow inbound www
     permit tcp any host 62.62.62.200 eq www      <-- allow inbound www2
     permit tcp any host 62.62.62.201 eq www      <-- allow inbound www3
     permit tcp any host 62.62.62.201 eq 443        <-- allow inbound https
     permit tcp any host 62.62.62.204 eq ftp          <-- allow ftp (the FTP statics in the posted config map to .204, not .250)
     permit tcp any host 62.62.62.204 eq ftp-data   <-- allow ftp-data
     permit tcp any host 62.62.62.204 gt 1024        <-- for passive ftp data connections (only useful with matching statics)
     deny ip any any log                                       <--- "log" keyword makes troubleshooting easy
   !
   interface Serial0/0.1
     ip access-group inbound in        <-- apply it in place of access-list 100

Check the logs periodically for denied packets (any reconnaissance activity will be logged) and make additional entries to the ACL as appropriate to keep them out. For example, I see recon activity from South America, Asia, the Middle East, etc. I know for a fact that I don't serve any customers outside the US, so I can create block lists by IP range and just block them all out, even on the ports that I have open to others.

zenportafino (Author) commented:
lrmoore,

When I add lines to an access-list, is there a method of making sure that lines at the top and bottom of the list stay in sequence?  In other words, do I have to type the entire access-list over each time I want to edit it?

Thanks again.


lrmoore commented:
Yes, you have to re-do the whole thing.
The newest IOS versions allow you to use line numbering in access-lists, so you can insert lines wherever you need.
I always keep a script in a text file with my ACL:

interface serial 0/0
  no ip access-group 101 in

no access-list 101
access-list 101 permit tcp any any established
<etc>

interface serial 0/0
  ip access-group 101 in

This way, I can make changes in seconds by just editing the text file and copying it to the router.

zenportafino (Author) commented:
Do I need the nat translations and the access-list or just the access-list?

lrmoore commented:
Of course, if you are changing something in the access-list that requires a change in the translations, then they have to match.
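
Added example (not from the thread) tying the inbound ACL from lrmoore's answer to the translations, since, as he says, the two have to match: a Python checker that parses "ip nat inside source static" lines and named-ACL entries and reports port statics that no permit reaches, the permits that reach each 1:1 static, and permits to a host with no translation behind them. The sample data is the posted mail and FTP statics plus the 1:1 for the RRAS server (the www-only hosts are left out to keep it short), the asker's first "static tcp ... 47" attempt, and the answer's ACL with its FTP entries pointed at 62.62.62.204 because that is the address the posted FTP statics use. The parser and PORT_NAMES table are my own and handle only any/host addresses and eq/gt/lt port specs.

```python
"""Cross-check IOS static NAT entries against an inbound extended ACL.

Added example, not from the thread. Handles any/host addresses and eq/gt/lt
port specs only; wildcard-masked sources are parsed but not evaluated.
PORT_NAMES is a hand-picked subset of the IOS keyword table.
"""
from collections import namedtuple

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "smtp": 25, "domain": 53, "www": 80, "pop3": 110}
Static = namedtuple("Static", "proto outside_ip outside_port")      # proto 'ip' == 1:1 static
Ace = namedtuple("Ace", "action proto dst dport established text")  # dst None == any
_port = lambda tok: int(tok) if tok.isdigit() else PORT_NAMES[tok]

def parse_static(line):
    t = line.split()
    r = t[t.index("static") + 1:]
    if r[0] in ("tcp", "udp"):          # static tcp <in_ip> <in_port> <out_ip> <out_port>
        return Static(r[0], r[3], int(r[4]))
    return Static("ip", r[1], None)     # static <in_ip> <out_ip>

def _addr(t, i):
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return f"{t[i]}/{t[i + 1]}", i + 2   # network + wildcard mask, not evaluated

def _ports(t, i):
    if i < len(t) and t[i] in ("eq", "gt", "lt"):
        return (t[i], _port(t[i + 1])), i + 2
    return None, i

def parse_ace(line):
    t = line.split()
    _, i = _addr(t, 2)                  # source address
    _, i = _ports(t, i)                 # source port spec ('eq 53' on the DNS line)
    dst, i = _addr(t, i)
    dport, i = _ports(t, i)
    return Ace(t[0], t[1], dst, dport, "established" in t[i:], line.strip())

def port_ok(spec, port):
    return spec is None or {"eq": port == spec[1], "gt": port > spec[1], "lt": port < spec[1]}[spec[0]]

def first_match(aces, proto, dst_ip, dst_port):
    # First ACE a *new* inbound flow hits; 'established' never matches a SYN.
    for a in aces:
        if a.established or a.proto not in ("ip", proto) or a.dst not in (None, dst_ip):
            continue
        if proto in ("tcp", "udp") and not port_ok(a.dport, dst_port):
            continue
        return a
    return None                         # implicit deny at the end of every ACL

def audit(static_lines, acl_lines):
    statics = [parse_static(l) for l in static_lines]
    aces = [parse_ace(l) for l in acl_lines]
    findings = []
    for s in statics:
        if s.proto == "ip":             # 1:1: everything is translated, only the ACL filters
            reach = [(a.proto, a.dport) for a in aces
                     if a.action == "permit" and not a.established and a.dst == s.outside_ip]
            findings.append(("one-to-one", s.outside_ip, reach))
        else:
            hit = first_match(aces, s.proto, s.outside_ip, s.outside_port)
            if hit is None or hit.action != "permit":
                findings.append(("static-without-permit", s.outside_ip, s.proto, s.outside_port))
    for a in aces:                      # permits that open a hole nothing sits behind
        if a.action != "permit" or a.established or a.dst is None:
            continue
        if not any(s.outside_ip == a.dst and (s.proto == "ip" or (s.proto == a.proto and
                   port_ok(a.dport, s.outside_port))) for s in statics):
            findings.append(("permit-without-static", a.text))
    return findings

STATICS = [  # constructed from the posted config plus the 1:1 the answer asks for
    "ip nat inside source static tcp 192.168.1.7 110 62.62.62.250 110 extendable",
    "ip nat inside source static tcp 192.168.1.7 25 62.62.62.250 25 extendable",
    "ip nat inside source static 10.0.0.2 62.62.62.137",
    "ip nat inside source static tcp 192.168.1.55 21 62.62.62.204 21 extendable",
    "ip nat inside source static tcp 192.168.1.55 20 62.62.62.204 20 extendable",
    "ip nat inside source static 192.168.1.57 62.62.62.135",
]
ATTEMPTED = [  # the asker's first try: TCP *port* 47 is not IP protocol 47 (GRE)
    "ip nat inside source static tcp 192.168.1.57 1723 62.62.62.135 1723 extendable",
    "ip nat inside source static tcp 192.168.1.57 47 62.62.62.135 47 extendable",
]
INBOUND_ACL = [  # the answer's ACL, FTP entries pointed at .204 where the FTP statics live
    "permit tcp any any established",
    "permit udp any eq 53 any",
    "permit tcp any host 62.62.62.135 eq 1723",
    "permit gre any host 62.62.62.135",
    "permit tcp any host 62.62.62.250 eq smtp",
    "permit tcp any host 62.62.62.250 eq pop3",
    "permit tcp any host 62.62.62.204 eq ftp",
    "permit tcp any host 62.62.62.204 eq ftp-data",
    "permit tcp any host 62.62.62.204 gt 1024",
    "deny ip any any log",
]

if __name__ == "__main__":
    for f in audit(STATICS, INBOUND_ACL) + audit(ATTEMPTED, INBOUND_ACL):
        print(f)
```

Against the posted statics it reports the 1:1 for 10.0.0.2 at 62.62.62.137 with no inbound permit at all, the 1:1 for the RRAS host reached by exactly tcp 1723 and gre, and the "gt 1024" permit to .204 as a hole no static sits behind (passive FTP data connections would need their own translations). Against the asker's attempt it flags the "static tcp ... 47" entry as unreachable (the first ACE it hits is the final deny) and the "permit gre" line as having nothing behind it, which is the port-47-versus-protocol-47 confusion in one line of output.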