Solved

PPTP pass thru on a cisco 2811 Router

Posted on 2006-11-03
Last Modified: 2012-08-13
I have a Cisco 2811 Router that I need to be able to have PPTP Pass Through.  I have gotten it to connect with the IP address, but when it goes to verify user name and password it errors out.  I believe it has to do with the GRE Protocol not getting through the router.  I have tried several different scenarios and no luck.  Here is a copy of my configuration.  Any help will be great.

Thx.

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname gw-bolton
!
boot-start-marker
boot-end-marker
!
card type t1 0 0
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$D8a0$hvvNmmZOFhSJvgTMQCEh40
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate wic 0
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http java-list 51 timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw pptp timeout 3600
ip inspect name myfw icmp timeout 3600

!
!
no ip bootp server
ip domain name yourdomain.com
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
chat-script config-aa "" "ATS0=1" "OK" ""
!
crypto pki trustpoint TP-self-signed-2874316955
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2874316955
 revocation-check none
 rsakeypair TP-self-signed-2874316955
!
!
crypto pki certificate chain TP-self-signed-2874316955
 certificate self-signed 01 nvram:IOS-Self-Sig#3501.cer
username admin privilege 15 secret 5 $1$xByH$MJqBLEs7MyrkVsoUKIRDw1
!
!
controller T1 0/0/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
controller T1 0/0/1
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
!
!
!
interface Loopback0
 ip address xxx.xxx.xxx.34 255.255.255.240
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address 10.1.1.1 255.255.252.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect myfw in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0:0
 description (Point to Point)
 no ip address
 encapsulation frame-relay IETF
 frame-relay lmi-type ansi
!
interface Serial0/0/0:0.1 (Internet)
 ip address xxx.xxx.xxx.137 255.255.255.0
 ip access-group 110 in
 ip nat outside
 ip virtual-reassembly
 no cdp enable
 frame-relay interface-dlci 16  
!
interface Serial0/0/1:0
 description WAN Interface (Private/MCI#MGBJB6T1001)
 ip unnumbered FastEthernet0/0
 encapsulation ppp
 priority-group 4
!
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1
ip route 10.1.7.0 255.255.255.0 Serial0/0/1:0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat translation tcp-timeout 300
ip nat translation udp-timeout 30
ip nat translation syn-timeout 10
ip nat translation dns-timeout 25
ip nat translation icmp-timeout 10
ip nat pool xxxxxxx xxx.xxx.xxx.33 xxx.xxx.xxx.33 netmask 255.255.255.240
ip nat inside source list 10 pool xxxxxxx overload
ip nat inside source static tcp 10.1.1.252 25 interface Loopback0 25
ip nat inside source static tcp 10.1.1.252 80 interface Loopback0 80
ip nat inside source static tcp 10.1.1.253 3389 interface Loopback0 3389
ip nat inside source static tcp 10.1.1.250 21 interface Loopback0 21
ip nat inside source static tcp 10.1.1.250 20 interface Loopback0 20
ip nat inside source static network 10.1.1.249 xxx.xxx.xxx.35 /32
!
logging trap debugging
access-list 10 deny   10.1.1.1
access-list 10 deny   xxx.xxx.xxx.137
access-list 10 permit 10.1.0.0 0.0.3.255
access-list 101 remark SDM_ACL Category=17
access-list 101 permit tcp 10.1.0.0 0.0.3.255 any
access-list 101 permit udp 10.1.0.0 0.0.3.255 any
access-list 101 permit icmp 10.1.0.0 0.0.3.255 any
access-list 101 deny   ip any any
access-list 110 remark SDM_ACL Category=17
access-list 110 deny   ip 10.1.0.0 0.0.3.255 any
access-list 110 permit tcp any host xxx.xxx.xxx.35
access-list 110 permit tcp any host xxx.xxx.xxx.34 eq smtp
access-list 110 permit tcp any host xxx.xxx.xxx.34 eq 3389
access-list 110 permit tcp any host xxx.xxx.xxx.34 eq www
access-list 110 permit tcp any host xxx.xxx.xxx.34 eq ftp
access-list 110 permit tcp any host xxx.xxx.xxx.34 eq ftp-data
access-list 110 permit udp any host xxx.xxx.xxx.34 eq 20
access-list 110 permit tcp any host xxx.xxx.xxx.35 eq 1723
access-list 110 permit gre any any
access-list 110 permit tcp any host xxx.xxx.xxx.34 range 1024 3000
access-list 110 permit icmp any host xxx.xxx.xxx.137
access-list 110 deny   ip any any
priority-list 4 protocol ip high udp 5004
snmp-server community public RO
no cdp run
!
!
control-plane
!
!
banner login ^CCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 session-timeout 60
 exec-timeout 60 0
 absolute-timeout 120
 script startup config-aa
 script reset config-aa
 login local
 modem InOut
 terminal-type vt100
 history size 100
 transport input all
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end


Question by:rdaszynski

15 Comments
LVL 32

Expert Comment

by:rsivanandan
ID: 17868665
Add this;

ip nat inside source static tcp <PPTP_Server> 1723 interface Loopback0 1723

Cheers,
Rajesh

LVL 79

Expert Comment

by:lrmoore
ID: 17868969
You'll need a 1-1 static nat for the GRE
 >no ip nat inside source static network 10.1.1.249 xxx.xxx.xxx.35 /32
ip nat inside source static 10.1.1.249 xxx.xxx.xxx.35

Your access-list covers everything
 access-list 110 permit tcp any host xxx.xxx.xxx.35  <== quite dangerous, though
 access-list 110 permit tcp any host xxx.xxx.xxx.35 eq 1723 <== never hits this because of the line above
 access-list 110 permit gre any any  <== OK



Author Comment

by:rdaszynski
ID: 17869003
I made the changes that Rajesh and you suggested and it still won't let GRE through.  Would rebooting the router help at this moment?

Author Comment

by:rdaszynski
ID: 17869021
Do I need to remove the
access-list 110 permit tcp any host xxx.xxx.xxx.35?
LVL 79

Expert Comment

by:lrmoore
ID: 17869075
>ip nat inside source static tcp <PPTP_Server> 1723 interface Loopback0 1723

>interface Loopback0
> ip address xxx.xxx.xxx.34 255.255.255.240

Raj, you're mapping tcp 1723 to the wrong IP address if you use the Loopback address.
   assuming, of course, that 10.1.1.249 is your PPTP server . . .

no ip nat inside source static tcp <PPTP_Server> 1723 interface Loopback0 1723
no ip nat inside source static network 10.1.1.249 xxx.xxx.xxx.35 /32
ip nat inside source static 10.1.1.249 xxx.xxx.xxx.35 <== this maps both GRE and TCP/1723 to the one IP

Author Comment

by:rdaszynski
ID: 17869169
10.1.1.249 is my PPTP server.  I am also using xxx.xxx.xxx.35 as my public address for the VPN.  I don't know if this is one of the problems.  I made all the changes lrmoore said and tested with no success.  I have tested my VPN server inside the network and have no problems, so it is definitely something with the router.  Also, is everything good with my access-list?
LVL 79

Expert Comment

by:lrmoore
ID: 17869289
How about posting a fresh output of running config after making all the changes?
Can you verify the subnet mask and default gateway on the PPTP server? Is the DG this router's LAN IP?
Author Comment

by:rdaszynski
ID: 17869391
Here it is.  I would show my ip address but don't know how much of a security risk that would be.

!This is the show startup-config output of the router: show startup-config
!----------------------------------------------------------------------------

Using 6704 out of 245752 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname gw-bolton
!
boot-start-marker
boot-end-marker
!
card type t1 0 0
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$D8a0$hvvNmmZOFhSJvgTMQCEh40
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate wic 0
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http java-list 51 timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw pptp timeout 3600
ip inspect name myfw icmp timeout 3600

!
!
no ip bootp server
ip domain name yourdomain.com
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
chat-script config-aa "" "ATS0=1" "OK" ""
!
crypto pki trustpoint TP-self-signed-2874316955
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2874316955
 revocation-check none
 rsakeypair TP-self-signed-2874316955
!
!
crypto pki certificate chain TP-self-signed-2874316955
 certificate self-signed 01 nvram:IOS-Self-Sig#3501.cer
username admin privilege 15 secret 5 $1$xByH$MJqBLEs7MyrkVsoUKIRDw1
!
!
controller T1 0/0/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
controller T1 0/0/1
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
!
!
!
interface Loopback0
 ip address xxx.xxx.xxx.34 255.255.255.240
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address 10.1.1.1 255.255.252.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect myfw in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0:0
 description Outside Interface (Internet)
 no ip address
 encapsulation frame-relay IETF
 frame-relay lmi-type ansi
!
interface Serial0/0/0:0.1 point-to-point
 ip address xxx.xxx.xxx.xxx 255.255.255.0
 ip access-group 110 in
 ip nat outside
 ip virtual-reassembly
 no cdp enable
 frame-relay interface-dlci 16  
!
interface Serial0/0/1:0
 description WAN Interface (Private/MCI#MGBJB6T1001)
 ip unnumbered FastEthernet0/0
 encapsulation ppp
 priority-group 4
!
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1
ip route 10.1.7.0 255.255.255.0 Serial0/0/1:0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat translation tcp-timeout 300
ip nat translation udp-timeout 30
ip nat translation syn-timeout 10
ip nat translation dns-timeout 25
ip nat translation icmp-timeout 10
ip nat pool company xxx.xxx.xxx.33 xxx.xxx.xxx.33 netmask 255.255.255.240
ip nat inside source list 10 pool company overload
ip nat inside source static tcp 10.1.1.252 25 interface Loopback0 25
ip nat inside source static tcp 10.1.1.252 80 interface Loopback0 80
ip nat inside source static tcp 10.1.1.253 3389 interface Loopback0 3389
ip nat inside source static tcp 10.1.1.250 21 interface Loopback0 21
ip nat inside source static tcp 10.1.1.250 20 interface Loopback0 20
ip nat inside source static 10.1.1.249 xxx.xxx.xxx.35
!
logging trap debugging
access-list 10 deny   10.1.1.1
access-list 10 deny   xxx.xxx.xxx.xxx
access-list 10 permit 10.1.0.0 0.0.3.255
access-list 101 remark SDM_ACL Category=17
access-list 101 permit tcp 10.1.0.0 0.0.3.255 any
access-list 101 permit udp 10.1.0.0 0.0.3.255 any
access-list 101 permit icmp 10.1.0.0 0.0.3.255 any
access-list 101 deny   ip any any
access-list 110 remark SDM_ACL Category=17
access-list 110 deny   ip 10.1.0.0 0.0.3.255 any
access-list 110 permit tcp any host xxx.xxx.xxx.34 eq smtp
access-list 110 permit tcp any host xxx.xxx.xxx.34 eq 3389
access-list 110 permit tcp any host xxx.xxx.xxx.34 eq www
access-list 110 permit tcp any host xxx.xxx.xxx.34 eq ftp
access-list 110 permit tcp any host xxx.xxx.xxx.34 eq ftp-data
access-list 110 permit udp any host xxx.xxx.xxx.34 eq 20
access-list 110 permit tcp any host xxx.xxx.xxx.35 eq 1723
access-list 110 permit gre any any
access-list 110 permit tcp any host xxx.xxx.xxx.34 range 1024 3000
access-list 110 permit icmp any host xxx.xxx.xxx.137
access-list 110 deny   ip any any
priority-list 4 protocol ip high udp 5004
snmp-server community public RO
no cdp run
!
!
control-plane
!
!
banner login ^CCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 session-timeout 60
 exec-timeout 60 0
 absolute-timeout 120
 script startup config-aa
 script reset config-aa
 login local
 modem InOut
 terminal-type vt100
 history size 100
 transport input all
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end


LVL 79

Expert Comment

by:lrmoore
ID: 17869483
Try adding this. You're not allowing GRE into your LAN interface, even though you are allowing it in the WAN interface.

  access-list 101 permit gre host 10.1.1.249 any
  access-list 101 permit tcp host 10.1.1.249 any eq 1723

Author Comment

by:rdaszynski
ID: 17869629
Did it and still the same problem as before...
LVL 79

Expert Comment

by:lrmoore
ID: 17869673
Save the router config and reboot it when you have an opportunity.
Did you enter these acls on top of the deny any?

Does it now look like this:

access-list 101 deny   ip any any
access-list 101 permit gre host 10.1.1.249 any
access-list 101 permit tcp host 10.1.1.249 any eq 1723

Or this:
access-list 101 permit gre host 10.1.1.249 any
access-list 101 permit tcp host 10.1.1.249 any eq 1723
access-list 101 deny   ip any any

Check results of "show ip access-list" and see if you are getting hitcounters increasing on these acl entries..
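The two ACL problems raised in lrmoore's comments above (ID 17868969: the broad `permit tcp any host xxx.xxx.xxx.35` line shadows the `eq 1723` line under it; ID 17869673: entries typed in after `deny ip any any` are never reached) can be shown mechanically. The block below is an added example and is not code from the thread or from any of the posters: a first-match simulation of IOS numbered extended ACLs, fed with the thread's own access-list lines. The masked public octets are replaced by the constructed documentation range 203.0.113.0/24 (.34 standing in for Loopback0, .35 for the PPTP server's public address) and the remote VPN client 198.51.100.7 is likewise constructed. The shadow test is a sufficient check (one earlier entry covering the later one completely), not a full reachability analysis, and it is a model of IOS behaviour rather than output from the router.

```python
"""Added example, not from the thread: first-match simulation of Cisco IOS
numbered extended ACLs, showing which posted entries can never be hit.
The xxx-masked public octets are replaced by the constructed range 203.0.113.0/24."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"smtp": 25, "www": 80, "ftp": 21, "ftp-data": 20}  # IOS keywords the posted ACLs use


@dataclass
class Entry:
    action: str   # permit | deny
    proto: str    # ip | tcp | udp | gre | icmp
    src: ipaddress.IPv4Network
    sport: tuple  # (low, high) or None for any port
    dst: ipaddress.IPv4Network
    dport: tuple
    text: str


def _take_addr(tok):
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    # A mask whose first octet is 0 is read by ipaddress as a wildcard (hostmask);
    # only contiguous wildcards such as 0.0.3.255 are handled here.
    return ipaddress.ip_network(f"{first}/{tok.pop(0)}", strict=False)


def _take_ports(tok):
    """Consume an optional 'eq X' or 'range A B' following an address."""
    if tok and tok[0] == "eq":
        port = int(PORT_NAMES.get(tok[1], tok[1]))
        del tok[:2]
        return (port, port)
    if tok and tok[0] == "range":
        low, high = int(tok[1]), int(tok[2])
        del tok[:3]
        return (low, high)
    return None


def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[2] == "remark":
            continue
        rest = tok[4:]
        src = _take_addr(rest)
        sport = _take_ports(rest)
        dst = _take_addr(rest)
        dport = _take_ports(rest)
        entries.append(Entry(tok[2], tok[3], src, sport, dst, dport, line.strip()))
    return entries


def _in_ports(spec, port):
    return spec is None or (port is not None and spec[0] <= port <= spec[1])


def _covers(outer, inner):
    return outer is None or (inner is not None and outer[0] <= inner[0] <= inner[1] <= outer[1])


def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """Return (action, index of the deciding entry); index None is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, e in enumerate(acl):
        if (e.proto in ("ip", proto) and s in e.src and d in e.dst
                and _in_ports(e.sport, sport) and _in_ports(e.dport, dport)):
            return e.action, i
    return "deny", None


def shadowed(acl):
    """Indexes of entries a single earlier entry fully covers, so they never match."""
    dead = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if (earlier.proto in ("ip", later.proto)
                    and later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)
                    and _covers(earlier.sport, later.sport) and _covers(earlier.dport, later.dport)):
                dead.append(i)
                break
    return dead


# ACL 110 as first posted, trimmed to the lines the thread discusses (.34 = Loopback0, .35 = PPTP server).
ACL_110 = parse_acl("""
access-list 110 deny   ip 10.1.0.0 0.0.3.255 any
access-list 110 permit tcp any host 203.0.113.35
access-list 110 permit tcp any host 203.0.113.34 eq smtp
access-list 110 permit tcp any host 203.0.113.35 eq 1723
access-list 110 permit gre any any
access-list 110 deny   ip any any
""")
LAN_101 = """
access-list 101 permit tcp 10.1.0.0 0.0.3.255 any
access-list 101 permit udp 10.1.0.0 0.0.3.255 any
access-list 101 permit icmp 10.1.0.0 0.0.3.255 any
"""
NEW_101 = """
access-list 101 permit gre host 10.1.1.249 any
access-list 101 permit tcp host 10.1.1.249 any eq 1723
"""
DENY = "access-list 101 deny   ip any any\n"
ACL_101_BELOW_DENY = parse_acl(LAN_101 + DENY + NEW_101)  # new lines appended after the deny
ACL_101_ABOVE_DENY = parse_acl(LAN_101 + NEW_101 + DENY)  # new lines entered before the deny

if __name__ == "__main__":
    print("110 never hit:", [ACL_110[i].text for i in shadowed(ACL_110)])
    print("110 TCP/445 from Internet to .35:", evaluate(ACL_110, "tcp", "198.51.100.7", "203.0.113.35", dport=445))
    for name, acl in (("below deny", ACL_101_BELOW_DENY), ("above deny", ACL_101_ABOVE_DENY)):
        print(f"101 {name}: never hit ->", [acl[i].text for i in shadowed(acl)])
        print(f"101 {name}: GRE from 10.1.1.249 ->", evaluate(acl, "gre", "10.1.1.249", "198.51.100.7"))
```

Running it reports the `eq 1723` entry of ACL 110 as unreachable and shows that any TCP port (445 in the example, not just 1723) to the .35 address is admitted by the broad line above it, which is the "quite dangerous" point in the comment. For ACL 101 it shows the GRE entry deciding nothing when it sits below `deny ip any any` and permitting the server's GRE when moved above it; the `permit tcp host 10.1.1.249 any eq 1723` line is flagged in both orderings because the existing `permit tcp 10.1.0.0 0.0.3.255 any` already covers it, so it is harmless but unnecessary. On the router itself, `show ip access-list` is the authoritative check, since its per-entry match counters show the same thing for real traffic.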

Author Comment

by:rdaszynski
ID: 17869910
I have added them above the deny ip any any.  I will be able to reboot my router after 5 today and then test the VPN.  I did the show ip access-list and everything seems to be in order.  Don't see a hit counter anywhere.
LVL 79

Accepted Solution

by:lrmoore (earned 125 total points)
ID: 17869938
And you have verified the default gateway of the PPTP server?
You can browse the Internet from the PPTP server itself?

Author Comment

by:rdaszynski
ID: 17870239
I have tested everything: internet, browse network, etc.  Anything else you want me to test?  As I said before, if I make a VPN connection inside the network it works.

Author Comment

by:rdaszynski
ID: 17870613
Rebooted the router and tried my VPN with the same results.