Solved

Get PPTP to pass through a Cisco 2600

Posted on 2004-10-11
Last Modified: 2010-05-18
Looking for a way to use PPTP VPN at work. Got the Windows VPN, RAS, client and all that good stuff worked out and tested OK. Cannot get PPTP to pass through the router. Does anyone know how to do this, or if it's possible to do with NAT or access-lists?

Thanks in advance!

Question by:zenportafino
10 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12282937
You have to be more specific.
You have a RRAS server on the inside network.
You want to connect with a client from outside the network.

Yes, it is possible, but you must have a minimum of 2 public IP addresses: one for NAT for everyone and one just for the RRAS server. If you can post your config (minus the passwords and real public IPs) we can probably come up with something for you to try.

References:
PPTP traffic consists of a TCP connection for tunnel maintenance (port 1723) and GRE encapsulation for tunneled data. The TCP connection is NAT-translatable because the source TCP port numbers can be transparently translated. However, the GRE-encapsulated data is not NAT-translatable

From Cisco documentation (same issue with PIX firewall)
Because the connection is initiated as TCP on one port and the response is GRE protocol, it is necessary to configure ACLs to allow the return traffic into the PIX, as the PIX Adaptive Security Algorithm (ASA) does not know the traffic flows are related. PPTP through the PIX with NAT (one-to-one address mapping) works because the PIX uses the port information in the TCP or User Datagram Protocol (UDP) header to keep track of translation. PPTP through the PIX with Port Address Translation (PAT) does not work because there is no concept of ports in GRE.

But with one-to-one static NAT it works just fine.

 
LVL 1

Author Comment

by:zenportafino
ID: 12283608
Thanks for the reply. Here's the sh run. Any questions, just ask. Thanks again.

sesamestreet#sh run
Building configuration...

Current configuration : 3492 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname sesamestreet
!
enable password 7 928377736400192888276365
!
!
!
!
!
clock timezone CMT -8
ip subnet-zero
no ip finger
ip domain-name SESAMESTREET.com
ip name-server 4.2.2.2
ip name-server 4.2.2.2
!
!
!
!
interface FastEthernet0/0
 description cAN YOU TELL ME HOW TO GET TO
 ip address 10.0.0.1 255.255.255.0 secondary
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 speed 100
 full-duplex
!
interface Serial0/0
 description To ISP
 bandwidth 1536
 no ip address
 ip access-group 100 in
 encapsulation frame-relay IETF
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 bandwidth 1536
 ip address 62.62.62.129 255.255.255.128
 ip access-group 100 in
 ip nat outside
 frame-relay interface-dlci 500 IETF
!
ip nat inside source list 11 interface Serial0/0.1 overload
ip nat inside source static tcp 192.168.1.7 110 62.62.62.250 110 extendable
ip nat inside source static tcp 192.168.1.7 25 62.62.62.250 25 extendable
ip nat inside source static tcp 10.0.0.2 80 62.62.62.129 80 extendable
ip nat inside source static 10.0.0.2 62.62.62.137
ip nat inside source static tcp 192.168.1.13 80 62.62.62.200 80 extendable
ip nat inside source static tcp 192.168.1.16 80 62.62.62.201 80 extendable
ip nat inside source static tcp 192.168.1.16 443 62.62.62.201 443 extendable
ip nat inside source static tcp 192.168.1.55 21 62.62.62.204 21 extendable
ip nat inside source static tcp 192.168.1.55 20 62.62.62.204 20 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
ip http server
ip http port 8000
ip http access-class 11
!
access-list 11 permit 192.168.1.0 0.0.0.255
access-list 100 deny   ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip any any
!
line con 0
 password 7 37ye7777a7d7f777a7b7cc76
 login
 transport preferred none
 transport input none
line aux 0
 password 7 37ye7777a7d7f777a7b7cc76
 login
 modem InOut
 transport preferred none
 transport input all
 transport output pad v120 telnet rlogin udptn
 stopbits 1
 flowcontrol hardware
line vty 0
 exec-timeout 30 0
 password 7 37ye7777a7d7f777a7b7cc76
 login
 transport preferred none
line vty 1
 exec-timeout 30 0
 password 7 37ye7777a7d7f777a7b7cc76
 login
 transport preferred none
line vty 2 4
 exec-timeout 30 0
 password 7 37ye7777a7d7f777a7b7cc76
 login
 transport preferred none
!
end
 
LVL 1

Author Comment

by:zenportafino
ID: 12283637
I want to use 62.62.62.135 for the public IP and 192.168.1.57 for the inside ras server.

I've tried adding this, but it didn't work:

ip nat inside source static tcp 192.168.1.57 1723 62.62.62.135 1723 extendable
ip nat inside source static tcp 192.168.1.57 47 62.62.62.135 47 extendable
 
LVL 79

Expert Comment

by:lrmoore
ID: 12285995
You must create a one-to-one static NAT, not port translations:

  ip nat inside source static 192.168.1.57 62.62.62.135

With this access-list, if your VPN users are at home on a 192.168.1.x subnet, the VPN traffic will be blocked:
access-list 100 deny   ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip any any

Let's just remove the ACL from the interface while testing, then we can re-apply something more appropriate.

 
LVL 1

Author Comment

by:zenportafino
ID: 12289634
I have done the above before but don't like it because it allows every single port to pass to the 1.57 interface. It seems really insecure. How can I control filtering when NATting everything from 135 to 57?
 
LVL 79

Accepted Solution

by:
lrmoore earned 400 total points
ID: 12289878
Whether you like it or not, it's the only way to do what you want.
The good news is that it is easy to control. Create an inbound access-list like this, allowing only the ports you need (the FTP entries point at 62.62.62.204, which is where your NAT statics for ports 21 and 20 go):

   ip access-list extended inbound
     permit tcp any any established                  <-- required (best to keep at the top, too)
     permit udp any eq 53 any                        <-- required for DNS resolution (replies from resolvers)
     permit tcp any host 62.62.62.135 eq 1723        <-- to establish the PPTP control connection
     permit gre any host 62.62.62.135                <-- required for the PPTP data (GRE, IP protocol 47)
     permit tcp any host 62.62.62.250 eq smtp        <-- allow inbound email
     permit tcp any host 62.62.62.250 eq pop3        <-- allow inbound pop3
     permit tcp any host 62.62.62.129 eq www         <-- allow inbound www
     permit tcp any host 62.62.62.200 eq www         <-- allow inbound www2
     permit tcp any host 62.62.62.201 eq www         <-- allow inbound www3
     permit tcp any host 62.62.62.201 eq 443         <-- allow inbound https
     permit tcp any host 62.62.62.204 eq ftp         <-- allow ftp (matches the static for 192.168.1.55 port 21)
     permit tcp any host 62.62.62.204 eq ftp-data    <-- allow ftp-data (matches the static for port 20)
     permit tcp any host 62.62.62.204 gt 1024        <-- may be required to allow active ftp
     deny ip any any log                             <-- "log" keyword makes troubleshooting easy

   interface Serial0/0.1
     no ip access-group 100 in                       <-- the named list replaces acl 100 on the outside sub-interface
     ip access-group inbound in

Check the logs periodically for denied packets (any reconnaissance activity will be logged) and make additional entries to the ACL as appropriate to keep them out. For example, I see recon activity from South America, Asia, the Middle East, etc. I know for a fact that I don't serve any customers outside the US, so I can create block lists by IP range and just block them all out, even on the ports that I have open to others.
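The two rules lrmoore gives in this thread (PPTP needs a one-to-one static because GRE has no port to translate, and the inbound ACL entries should line up with the NAT statics) can be checked mechanically. The following script is an added example, not code from the thread; it runs against a constructed config modelled on the posted `sh run` and the author's failed `static tcp ... 47` attempt, and the `PORT_NAMES` table and function names are my own.

```python
import re
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "smtp": 25, "www": 80, "pop3": 110}  # IOS 'eq' names used above

def parse_nat_statics(config):
    """(inside, outside, proto, port) per 'ip nat inside source static'; proto None = one-to-one."""
    out = []
    for t in (line.split() for line in config.splitlines()):
        if t[:5] != "ip nat inside source static".split():
            continue
        if t[5] in ("tcp", "udp"):  # port-level static: <proto> <in> <port> <out> <port>
            out.append((t[6], t[8], t[5], int(t[7])))
        else:                       # one-to-one static: <in> <out>
            out.append((t[5], t[6], None, None))
    return out

def pptp_nat_problems(statics, rras_inside):
    """Rule 1: PPTP needs a one-to-one static; GRE (IP protocol 47) has no port to translate."""
    mine = [s for s in statics if s[0] == rras_inside]
    if any(s[2] is None for s in mine):
        return []                   # 1:1 static present: GRE is translated along with the address
    if not mine:
        return [f"{rras_inside}: no NAT static at all"]
    return [f"{rras_inside}: static {p}/{port} " + ("treats protocol 47 as a port" if port == 47
            else "carries no GRE data") for _, _, p, port in mine]

def acl_entries_without_nat(acl, statics):
    """Rule 2: 'permit <proto> any host X [eq P]' lines that no NAT static satisfies."""
    bad = []
    for line in acl.splitlines():
        m = re.match(r"\s*permit (\S+) any host (\S+)(?: eq (\S+))?\s*$", line)
        if not m:
            continue                # established, dns, 'gt' ranges and deny lines are not checked
        proto, host, port = m.groups()
        port = int(PORT_NAMES.get(port, port)) if port else None
        if not any(o == host and (p is None or (p, pp) == (proto, port))
                   for _, o, p, pp in statics):
            bad.append(line.strip())
    return bad

# Constructed sample modelled on the posted config plus the author's failed PPTP attempt.
CONFIG = """\
ip nat inside source static tcp 192.168.1.7 25 62.62.62.250 25 extendable
ip nat inside source static tcp 192.168.1.55 21 62.62.62.204 21 extendable
ip nat inside source static tcp 192.168.1.57 1723 62.62.62.135 1723 extendable
ip nat inside source static tcp 192.168.1.57 47 62.62.62.135 47 extendable
"""
ACL = """\
 permit tcp any host 62.62.62.135 eq 1723
 permit gre any host 62.62.62.135
 permit tcp any host 62.62.62.250 eq ftp
"""
```

Adding the one-to-one line `ip nat inside source static 192.168.1.57 62.62.62.135` to `CONFIG` clears both PPTP findings and satisfies the `permit gre` entry; the FTP entry stays flagged because the posted statics map FTP to 62.62.62.204, not .250.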
 
LVL 1

Author Comment

by:zenportafino
ID: 12335519
lrmoore,

When I add lines to an access list, is there a method to make sure that lines at the top and bottom of the list stay in sequence? In other words, do I have to type the entire access-list over each time I want to edit it?

Thanks again.

 
LVL 79

Expert Comment

by:lrmoore
ID: 12335567
Yes, you have to re-do the whole thing.
The newest IOS versions allow you to use line numbering in the access-lists. That way you can insert lines wherever you need to.
I always keep a script in a text file with my ACL:

interface serial 0/0
  no ip access-group 101 in

no access-list 101
access-list 101 permit tcp any any established
<etc>

interface serial 0/0
  ip access-group 101 in

This way, I can make changes in seconds by just editing the text file and copying it to the router.
 
LVL 1

Author Comment

by:zenportafino
ID: 12335970
Do I need the nat translations and the access-list or just the access-list?
 
LVL 79

Expert Comment

by:lrmoore
ID: 12337857
Both. And if you are changing something in the access-list that requires a change in the translations, then of course they have to match.