
PPTP pass-through on a Cisco 2811 router

Last Modified: 2012-08-13
I have a Cisco 2811 router that I need to have PPTP pass-through on.  I have gotten it to connect with the IP address, but when it goes to verify user name and password it errors out.  I believe it has to do with the GRE protocol not getting through the router.  I have tried several different scenarios and no luck.  Here is a copy of my configuration.  Any help will be great.

Thx.

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname gw-bolton
!
boot-start-marker
boot-end-marker
!
card type t1 0 0
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$D8a0$hvvNmmZOFhSJvgTMQCEh40
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate wic 0
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http java-list 51 timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw pptp timeout 3600
ip inspect name myfw icmp timeout 3600

!
!
no ip bootp server
ip domain name yourdomain.com
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
chat-script config-aa "" "ATS0=1" "OK" ""
!
crypto pki trustpoint TP-self-signed-2874316955
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2874316955
 revocation-check none
 rsakeypair TP-self-signed-2874316955
!
!
crypto pki certificate chain TP-self-signed-2874316955
 certificate self-signed 01 nvram:IOS-Self-Sig#3501.cer
username admin privilege 15 secret 5 $1$xByH$MJqBLEs7MyrkVsoUKIRDw1
!
!
controller T1 0/0/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
controller T1 0/0/1
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
!
!
!
interface Loopback0
 ip address xxx.xxx.xxx.34 255.255.255.240
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address 10.1.1.1 255.255.252.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect myfw in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0:0
 description (Point to Point)
 no ip address
 encapsulation frame-relay IETF
 frame-relay lmi-type ansi
!
interface Serial0/0/0:0.1 (Internet)
 ip address xxx.xxx.xxx.137 255.255.255.0
 ip access-group 110 in
 ip nat outside
 ip virtual-reassembly
 no cdp enable
 frame-relay interface-dlci 16  
!
interface Serial0/0/1:0
 description WAN Interface (Private/MCI#MGBJB6T1001)
 ip unnumbered FastEthernet0/0
 encapsulation ppp
 priority-group 4
!
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1
ip route 10.1.7.0 255.255.255.0 Serial0/0/1:0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat translation tcp-timeout 300
ip nat translation udp-timeout 30
ip nat translation syn-timeout 10
ip nat translation dns-timeout 25
ip nat translation icmp-timeout 10
ip nat pool xxxxxxx xxx.xxx.xxx.33 xxx.xxx.xxx.33 netmask 255.255.255.240
ip nat inside source list 10 pool xxxxxxx overload
ip nat inside source static tcp 10.1.1.252 25 interface Loopback0 25
ip nat inside source static tcp 10.1.1.252 80 interface Loopback0 80
ip nat inside source static tcp 10.1.1.253 3389 interface Loopback0 3389
ip nat inside source static tcp 10.1.1.250 21 interface Loopback0 21
ip nat inside source static tcp 10.1.1.250 20 interface Loopback0 20
ip nat inside source static network 10.1.1.249 xxx.xxx.xxx.35 /32
!
logging trap debugging
access-list 10 deny   10.1.1.1
access-list 10 deny   xxx.xxx.xxx.137
access-list 10 permit 10.1.0.0 0.0.3.255
access-list 101 remark SDM_ACL Category=17
access-list 101 permit tcp 10.1.0.0 0.0.3.255 any
access-list 101 permit udp 10.1.0.0 0.0.3.255 any
access-list 101 permit icmp 10.1.0.0 0.0.3.255 any
access-list 101 deny   ip any any
access-list 110 remark SDM_ACL Category=17
access-list 110 deny   ip 10.1.0.0 0.0.3.255 any
access-list 110 permit tcp any host xxx.xxx.xxx.35
access-list 110 permit tcp any host xxx.xxx.xxx.34 eq smtp
access-list 110 permit tcp any host xxx.xxx.xxx.34 eq 3389
access-list 110 permit tcp any host xxx.xxx.xxx.34 eq www
access-list 110 permit tcp any host xxx.xxx.xxx.34 eq ftp
access-list 110 permit tcp any host xxx.xxx.xxx.34 eq ftp-data
access-list 110 permit udp any host xxx.xxx.xxx.34 eq 20
access-list 110 permit tcp any host xxx.xxx.xxx.35 eq 1723
access-list 110 permit gre any any
access-list 110 permit tcp any host xxx.xxx.xxx.34 range 1024 3000
access-list 110 permit icmp any host xxx.xxx.xxx.137
access-list 110 deny   ip any any
priority-list 4 protocol ip high udp 5004
snmp-server community public RO
no cdp run
!
!
control-plane
!
!
banner login ^CCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 session-timeout 60
 exec-timeout 60 0
 absolute-timeout 120
 script startup config-aa
 script reset config-aa
 login local
 modem InOut
 terminal-type vt100
 history size 100
 transport input all
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end



Add this;

ip nat inside source static tcp <PPTP_Server> 1723 interface Loopback0 1723

Cheers,
Rajesh

Les Moore, Sr. Systems Engineer

Commented:
You'll need a 1-1 static nat for the GRE
 >no ip nat inside source static network 10.1.1.249 xxx.xxx.xxx.35 /32
ip nat inside source static 10.1.1.249 xxx.xxx.xxx.35

Your access-list covers everything
 access-list 110 permit tcp any host xxx.xxx.xxx.35  <== quite dangerous, though
 access-list 110 permit tcp any host xxx.xxx.xxx.35 eq 1723 <== never hits this because of the line above
 access-list 110 permit gre any any  <== OK


Author

Commented:
I made the changes that Rajesh and you suggested, and it still won't let GRE through.  Would rebooting the router help at this moment?

Author

Commented:
Do I need to remove the
access-list 110 permit tcp any host xxx.xxx.xxx.35?
Les Moore, Sr. Systems Engineer

Commented:
>ip nat inside source static tcp <PPTP_Server> 1723 interface Loopback0 1723

>interface Loopback0
> ip address xxx.xxx.xxx.34 255.255.255.240

Raj, you're mapping tcp 1720 to the wrong IP address if you use the Loopback address.
   assuming, of course, that 10.1.1.249 is your PPTP server . . .

no ip nat inside source static tcp <PPTP_Server> 1723 interface Loopback0 1723
no ip nat inside source static network 10.1.1.249 xxx.xxx.xxx.35 /32
ip nat inside source static 10.1.1.249 xxx.xxx.xxx.35 <== this maps both GRE and TCP/1723 to the one IP

Author

Commented:
10.1.1.249 is my PPTP server.  I am also using xxx.xxx.xxx.35 as my public address for the VPN.  I don't know if this is one of the problems.  I made all the changes lrmoore said and tested with no success.  I have tested my VPN server inside the network and have no problems, so it is definitely something with the router.  Also, is everything good with my access-list?
Les Moore, Sr. Systems Engineer

Commented:
How about posting a fresh output of running config after making all the changes?
Can you verify the subnet mask and default gateway on the PPTP server? Is the DG this router's LAN IP?

Author

Commented:
Here it is.  I would show my ip address but don't know how much of a security risk that would be.

!This is the show startup-config output of the router: show startup-config
!----------------------------------------------------------------------------

Using 6704 out of 245752 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname gw-bolton
!
boot-start-marker
boot-end-marker
!
card type t1 0 0
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$D8a0$hvvNmmZOFhSJvgTMQCEh40
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate wic 0
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http java-list 51 timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw pptp timeout 3600
ip inspect name myfw icmp timeout 3600

!
!
no ip bootp server
ip domain name yourdomain.com
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
chat-script config-aa "" "ATS0=1" "OK" ""
!
crypto pki trustpoint TP-self-signed-2874316955
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2874316955
 revocation-check none
 rsakeypair TP-self-signed-2874316955
!
!
crypto pki certificate chain TP-self-signed-2874316955
 certificate self-signed 01 nvram:IOS-Self-Sig#3501.cer
username admin privilege 15 secret 5 $1$xByH$MJqBLEs7MyrkVsoUKIRDw1
!
!
controller T1 0/0/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
controller T1 0/0/1
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
!
!
!
interface Loopback0
 ip address xxx.xxx.xxx.34 255.255.255.240
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address 10.1.1.1 255.255.252.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect myfw in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0:0
 description Outside Interface (Internet)
 no ip address
 encapsulation frame-relay IETF
 frame-relay lmi-type ansi
!
interface Serial0/0/0:0.1 point-to-point
 ip address xxx.xxx.xxx.xxx 255.255.255.0
 ip access-group 110 in
 ip nat outside
 ip virtual-reassembly
 no cdp enable
 frame-relay interface-dlci 16  
!
interface Serial0/0/1:0
 description WAN Interface (Private/MCI#MGBJB6T1001)
 ip unnumbered FastEthernet0/0
 encapsulation ppp
 priority-group 4
!
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1
ip route 10.1.7.0 255.255.255.0 Serial0/0/1:0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat translation tcp-timeout 300
ip nat translation udp-timeout 30
ip nat translation syn-timeout 10
ip nat translation dns-timeout 25
ip nat translation icmp-timeout 10
ip nat pool company xxx.xxx.xxx.33 xxx.xxx.xxx.33 netmask 255.255.255.240
ip nat inside source list 10 pool company overload
ip nat inside source static tcp 10.1.1.252 25 interface Loopback0 25
ip nat inside source static tcp 10.1.1.252 80 interface Loopback0 80
ip nat inside source static tcp 10.1.1.253 3389 interface Loopback0 3389
ip nat inside source static tcp 10.1.1.250 21 interface Loopback0 21
ip nat inside source static tcp 10.1.1.250 20 interface Loopback0 20
ip nat inside source static 10.1.1.249 xxx.xxx.xxx.35
!
logging trap debugging
access-list 10 deny   10.1.1.1
access-list 10 deny   xxx.xxx.xxx.xxx
access-list 10 permit 10.1.0.0 0.0.3.255
access-list 101 remark SDM_ACL Category=17
access-list 101 permit tcp 10.1.0.0 0.0.3.255 any
access-list 101 permit udp 10.1.0.0 0.0.3.255 any
access-list 101 permit icmp 10.1.0.0 0.0.3.255 any
access-list 101 deny   ip any any
access-list 110 remark SDM_ACL Category=17
access-list 110 deny   ip 10.1.0.0 0.0.3.255 any
access-list 110 permit tcp any host xxx.xxx.xxx.34 eq smtp
access-list 110 permit tcp any host xxx.xxx.xxx.34 eq 3389
access-list 110 permit tcp any host xxx.xxx.xxx.34 eq www
access-list 110 permit tcp any host xxx.xxx.xxx.34 eq ftp
access-list 110 permit tcp any host xxx.xxx.xxx.34 eq ftp-data
access-list 110 permit udp any host xxx.xxx.xxx.34 eq 20
access-list 110 permit tcp any host xxx.xxx.xxx.35 eq 1723
access-list 110 permit gre any any
access-list 110 permit tcp any host xxx.xxx.xxx.34 range 1024 3000
access-list 110 permit icmp any host xxx.xxx.xxx.137
access-list 110 deny   ip any any
priority-list 4 protocol ip high udp 5004
snmp-server community public RO
no cdp run
!
!
control-plane
!
!
banner login ^CCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 session-timeout 60
 exec-timeout 60 0
 absolute-timeout 120
 script startup config-aa
 script reset config-aa
 login local
 modem InOut
 terminal-type vt100
 history size 100
 transport input all
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end


Les Moore, Sr. Systems Engineer

Commented:
Try adding this. You're not allowing GRE into your LAN interface, even though you are allowing it in the WAN interface.

  access-list 101 permit gre host 10.1.1.249 any
  access-list 101 permit tcp host 10.1.1.249 any eq 1723

Author

Commented:
Did it and still same problem as before...
Les Moore, Sr. Systems Engineer

Commented:
Save the router config and reboot it - when you have an opportunity..
Did you enter these acls on top of the deny any?

Does it now look like this:

access-list 101 deny   ip any any
access-list 101 permit gre host 10.1.1.249 any
access-list 101 permit tcp host 10.1.1.249 any eq 1723

Or this:
access-list 101 permit gre host 10.1.1.249 any
access-list 101 permit tcp host 10.1.1.249 any eq 1723
access-list 101 deny   ip any any

Check results of "show ip access-list" and see if you are getting hitcounters increasing on these acl entries..

Author

Commented:
I have added them above the deny ip any any.  I will be able to reboot my router after 5 today and then test VPN.  I did the show ip access-list and everything seems to be in order.  Don't see a hit counter anywhere.
Les Moore, Sr. Systems Engineer
Commented:
And you have verified the default gateway of the PPTP server?
You can browse the Internet from the PPTP server itself?


Author

Commented:
I have tested everything internet, browse network, etc.  Anything else you want me to test?  As I said before, if I make a vpn connection inside the network it works.

Author

Commented:
Rebooted the router and tried my VPN with the same results.