Solved

PPTP pass thru on a cisco 2811 Router

Posted on 2006-11-03
Last Modified: 2012-08-13
I have a Cisco 2811 Router that I need to be able to have PPTP Pass Through.  I have gotten it to connect with the IP address, but when it goes to verify user name and password it errors out.  I believe it has to do with the GRE protocol not getting through the router.  I have tried several different scenarios and no luck.  Here is a copy of my configuration.  Any help will be great.

Thx.

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname gw-bolton
!
boot-start-marker
boot-end-marker
!
card type t1 0 0
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$D8a0$hvvNmmZOFhSJvgTMQCEh40
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate wic 0
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http java-list 51 timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw pptp timeout 3600
ip inspect name myfw icmp timeout 3600

!
!
no ip bootp server
ip domain name yourdomain.com
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
chat-script config-aa "" "ATS0=1" "OK" ""
!
crypto pki trustpoint TP-self-signed-2874316955
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2874316955
 revocation-check none
 rsakeypair TP-self-signed-2874316955
!
!
crypto pki certificate chain TP-self-signed-2874316955
 certificate self-signed 01 nvram:IOS-Self-Sig#3501.cer
username admin privilege 15 secret 5 $1$xByH$MJqBLEs7MyrkVsoUKIRDw1
!
!
controller T1 0/0/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
controller T1 0/0/1
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
!
!
!
interface Loopback0
 ip address xxx.xxx.xxx.34 255.255.255.240
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address 10.1.1.1 255.255.252.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect myfw in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0:0
 description (Point to Point)
 no ip address
 encapsulation frame-relay IETF
 frame-relay lmi-type ansi
!
interface Serial0/0/0:0.1 (Internet)
 ip address xxx.xxx.xxx.137 255.255.255.0
 ip access-group 110 in
 ip nat outside
 ip virtual-reassembly
 no cdp enable
 frame-relay interface-dlci 16  
!
interface Serial0/0/1:0
 description WAN Interface (Private/MCI#MGBJB6T1001)
 ip unnumbered FastEthernet0/0
 encapsulation ppp
 priority-group 4
!
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1
ip route 10.1.7.0 255.255.255.0 Serial0/0/1:0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat translation tcp-timeout 300
ip nat translation udp-timeout 30
ip nat translation syn-timeout 10
ip nat translation dns-timeout 25
ip nat translation icmp-timeout 10
ip nat pool xxxxxxx xxx.xxx.xxx.33 xxx.xxx.xxx.33 netmask 255.255.255.240
ip nat inside source list 10 pool xxxxxxx overload
ip nat inside source static tcp 10.1.1.252 25 interface Loopback0 25
ip nat inside source static tcp 10.1.1.252 80 interface Loopback0 80
ip nat inside source static tcp 10.1.1.253 3389 interface Loopback0 3389
ip nat inside source static tcp 10.1.1.250 21 interface Loopback0 21
ip nat inside source static tcp 10.1.1.250 20 interface Loopback0 20
ip nat inside source static network 10.1.1.249 xxx.xxx.xxx.35 /32
!
logging trap debugging
access-list 10 deny   10.1.1.1
access-list 10 deny   xxx.xxx.xxx.137
access-list 10 permit 10.1.0.0 0.0.3.255
access-list 101 remark SDM_ACL Category=17
access-list 101 permit tcp 10.1.0.0 0.0.3.255 any
access-list 101 permit udp 10.1.0.0 0.0.3.255 any
access-list 101 permit icmp 10.1.0.0 0.0.3.255 any
access-list 101 deny   ip any any
access-list 110 remark SDM_ACL Category=17
access-list 110 deny   ip 10.1.0.0 0.0.3.255 any
access-list 110 permit tcp any host xxx.xxx.xxx.35
access-list 110 permit tcp any host xxx.xxx.xxx.34 eq smtp
access-list 110 permit tcp any host xxx.xxx.xxx.34 eq 3389
access-list 110 permit tcp any host xxx.xxx.xxx.34 eq www
access-list 110 permit tcp any host xxx.xxx.xxx.34 eq ftp
access-list 110 permit tcp any host xxx.xxx.xxx.34 eq ftp-data
access-list 110 permit udp any host xxx.xxx.xxx.34 eq 20
access-list 110 permit tcp any host xxx.xxx.xxx.35 eq 1723
access-list 110 permit gre any any
access-list 110 permit tcp any host xxx.xxx.xxx.34 range 1024 3000
access-list 110 permit icmp any host xxx.xxx.xxx.137
access-list 110 deny   ip any any
priority-list 4 protocol ip high udp 5004
snmp-server community public RO
no cdp run
!
!
control-plane
!
!
banner login ^CCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 session-timeout 60
 exec-timeout 60 0
 absolute-timeout 120
 script startup config-aa
 script reset config-aa
 login local
 modem InOut
 terminal-type vt100
 history size 100
 transport input all
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end


Question by:rdaszynski

LVL 32

Expert Comment

by:rsivanandan
ID: 17868665
Add this;

ip nat inside source static tcp <PPTP_Server> 1723 interface Loopback0 1723

Cheers,
Rajesh

LVL 79

Expert Comment

by:lrmoore
ID: 17868969
You'll need a 1-1 static nat for the GRE
 >no ip nat inside source static network 10.1.1.249 xxx.xxx.xxx.35 /32
ip nat inside source static 10.1.1.249 xxx.xxx.xxx.35

Your access-list covers everything
 access-list 110 permit tcp any host xxx.xxx.xxx.35  <== quite dangerous, though
 access-list 110 permit tcp any host xxx.xxx.xxx.35 eq 1723 <== never hits this because of the line above
 access-list 110 permit gre any any  <== OK


Author Comment

by:rdaszynski
ID: 17869003
I made the changes that Rajesh and you made, and it still won't let GRE through.  Would rebooting the router help at this moment?
Author Comment

by:rdaszynski
ID: 17869021
Do I need to remove the
access-list 110 permit tcp any host xxx.xxx.xxx.35?
LVL 79

Expert Comment

by:lrmoore
ID: 17869075
>ip nat inside source static tcp <PPTP_Server> 1723 interface Loopback0 1723

>interface Loopback0
> ip address xxx.xxx.xxx.34 255.255.255.240

Raj, you're mapping tcp 1720 to the wrong IP address if you use the Loopback address.
   assuming, of course, that 10.1.1.249 is your PPTP server . . .

no ip nat inside source static tcp <PPTP_Server> 1723 interface Loopback0 1723
no ip nat inside source static network 10.1.1.249 xxx.xxx.xxx.35 /32
ip nat inside source static 10.1.1.249 xxx.xxx.xxx.35 <== this maps both GRE and TCP/1723 to the one IP
Author Comment

by:rdaszynski
ID: 17869169
10.1.1.249 is my PPTP server.  I am also using xxx.xxx.xxx.35 as my public address for the VPN.  I don't know if this is one of the problems.  I made all the changes lrmoore said and tested with no success.  I have tested my VPN server inside the network and have no problems, so it is definitely something with the router.  Also, is everything good with my access-list?
LVL 79

Expert Comment

by:lrmoore
ID: 17869289
How about posting a fresh output of running config after making all the changes?
Can you verify the subnet mask and default gateway on the PPTP server? Is the DG this router's LAN IP?
Author Comment

by:rdaszynski
ID: 17869391
Here it is.  I would show my ip address but don't know how much of a security risk that would be.

!This is the show startup-config output of the router: show startup-config
!----------------------------------------------------------------------------

Using 6704 out of 245752 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname gw-bolton
!
boot-start-marker
boot-end-marker
!
card type t1 0 0
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$D8a0$hvvNmmZOFhSJvgTMQCEh40
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate wic 0
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http java-list 51 timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw pptp timeout 3600
ip inspect name myfw icmp timeout 3600

!
!
no ip bootp server
ip domain name yourdomain.com
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
chat-script config-aa "" "ATS0=1" "OK" ""
!
crypto pki trustpoint TP-self-signed-2874316955
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2874316955
 revocation-check none
 rsakeypair TP-self-signed-2874316955
!
!
crypto pki certificate chain TP-self-signed-2874316955
 certificate self-signed 01 nvram:IOS-Self-Sig#3501.cer
username admin privilege 15 secret 5 $1$xByH$MJqBLEs7MyrkVsoUKIRDw1
!
!
controller T1 0/0/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
controller T1 0/0/1
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
!
!
!
interface Loopback0
 ip address xxx.xxx.xxx.34 255.255.255.240
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address 10.1.1.1 255.255.252.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect myfw in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0:0
 description Outside Interface (Internet)
 no ip address
 encapsulation frame-relay IETF
 frame-relay lmi-type ansi
!
interface Serial0/0/0:0.1 point-to-point
 ip address xxx.xxx.xxx.xxx 255.255.255.0
 ip access-group 110 in
 ip nat outside
 ip virtual-reassembly
 no cdp enable
 frame-relay interface-dlci 16  
!
interface Serial0/0/1:0
 description WAN Interface (Private/MCI#MGBJB6T1001)
 ip unnumbered FastEthernet0/0
 encapsulation ppp
 priority-group 4
!
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1
ip route 10.1.7.0 255.255.255.0 Serial0/0/1:0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat translation tcp-timeout 300
ip nat translation udp-timeout 30
ip nat translation syn-timeout 10
ip nat translation dns-timeout 25
ip nat translation icmp-timeout 10
ip nat pool company xxx.xxx.xxx.33 xxx.xxx.xxx.33 netmask 255.255.255.240
ip nat inside source list 10 pool company overload
ip nat inside source static tcp 10.1.1.252 25 interface Loopback0 25
ip nat inside source static tcp 10.1.1.252 80 interface Loopback0 80
ip nat inside source static tcp 10.1.1.253 3389 interface Loopback0 3389
ip nat inside source static tcp 10.1.1.250 21 interface Loopback0 21
ip nat inside source static tcp 10.1.1.250 20 interface Loopback0 20
ip nat inside source static 10.1.1.249 xxx.xxx.xxx.35
!
logging trap debugging
access-list 10 deny   10.1.1.1
access-list 10 deny   xxx.xxx.xxx.xxx
access-list 10 permit 10.1.0.0 0.0.3.255
access-list 101 remark SDM_ACL Category=17
access-list 101 permit tcp 10.1.0.0 0.0.3.255 any
access-list 101 permit udp 10.1.0.0 0.0.3.255 any
access-list 101 permit icmp 10.1.0.0 0.0.3.255 any
access-list 101 deny   ip any any
access-list 110 remark SDM_ACL Category=17
access-list 110 deny   ip 10.1.0.0 0.0.3.255 any
access-list 110 permit tcp any host xxx.xxx.xxx.34 eq smtp
access-list 110 permit tcp any host xxx.xxx.xxx.34 eq 3389
access-list 110 permit tcp any host xxx.xxx.xxx.34 eq www
access-list 110 permit tcp any host xxx.xxx.xxx.34 eq ftp
access-list 110 permit tcp any host xxx.xxx.xxx.34 eq ftp-data
access-list 110 permit udp any host xxx.xxx.xxx.34 eq 20
access-list 110 permit tcp any host xxx.xxx.xxx.35 eq 1723
access-list 110 permit gre any any
access-list 110 permit tcp any host xxx.xxx.xxx.34 range 1024 3000
access-list 110 permit icmp any host xxx.xxx.xxx.137
access-list 110 deny   ip any any
priority-list 4 protocol ip high udp 5004
snmp-server community public RO
no cdp run
!
!
control-plane
!
!
banner login ^CCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 session-timeout 60
 exec-timeout 60 0
 absolute-timeout 120
 script startup config-aa
 script reset config-aa
 login local
 modem InOut
 terminal-type vt100
 history size 100
 transport input all
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end


LVL 79

Expert Comment

by:lrmoore
ID: 17869483
Try adding this. You're not allowing GRE into your LAN interface, even though you are allowing it in the WAN interface.

  access-list 101 permit gre host 10.1.1.249 any
  access-list 101 permit tcp host 10.1.1.249 any eq 1723
Author Comment

by:rdaszynski
ID: 17869629
Did it and still same problem as before...

Expert Comment

by:lrmoore
ID: 17869673
Save the router config and reboot it - when you have an opportunity..
Did you enter these acls on top of the deny any?

Does it now look like this:

access-list 101 deny   ip any any
access-list 101 permit gre host 10.1.1.249 any
access-list 101 permit tcp host 10.1.1.249 any eq 1723

Or this:
access-list 101 permit gre host 10.1.1.249 any
access-list 101 permit tcp host 10.1.1.249 any eq 1723
access-list 101 deny   ip any any

Check results of "show ip access-list" and see if you are getting hitcounters increasing on these acl entries..


Author Comment

by:rdaszynski
ID: 17869910
I have added them above the deny ip any any.  I will be able to reboot my Router after 5 today and then test VPN.  I did the show ip access-list and everything seems to be in order.  Don't see a hit counter anywhere..
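The two diagnostics lrmoore applies above can be checked mechanically: an ACE placed below `deny ip any any`, or below a broader ACE such as `permit tcp any host xxx.xxx.xxx.35`, is never hit, and the hit counters of `show ip access-list` show which entries the router has actually applied. The following Python is an added example, not code from the thread or from Cisco. It parses the extended-ACL syntax used in the posted config, reports shadowed entries, checks that both PPTP flows (TCP/1723 and GRE, IP protocol 47) are permitted between a given source and destination, and lists the entries in `show ip access-list` output that carry no `(N matches)` counter. The sample ACLs are constructed from the thread's ACL 110 and 101, with 203.0.113.35 and 198.51.100.7 standing in for the redacted public addresses; `unhit_entries` assumes the IOS 12.x `show ip access-list` layout of one numbered ACE per line with an optional trailing `(N matches)`.

```python
"""Cisco IOS extended-ACL sanity checks (added example, not from the thread): shadowed
entries, PPTP reachability (TCP/1723 plus GRE) and zero-hit entries in `show ip
access-list` output. 203.0.113.x / 198.51.100.x stand in for the redacted public IPs."""
import ipaddress
import re
from dataclasses import dataclass

NAMED_PORTS = {"smtp": "25", "www": "80", "ftp": "21", "ftp-data": "20"}
_ip = lambda s: int(ipaddress.IPv4Address(s))
_port = lambda s: int(NAMED_PORTS.get(s, s))

@dataclass(frozen=True)
class Side:                            # one address/port selector of an ACE
    addr: int                          # address with the don't-care bits cleared
    care: int                          # inverse of the IOS wildcard mask (0 means any)
    ports: tuple                       # (low, high); (0, 65535) when no port qualifier
    def covers(self, o):               # True if everything o matches, self matches too
        return ((self.care & ~o.care) == 0 and self.addr == (o.addr & self.care)
                and self.ports[0] <= o.ports[0] and o.ports[1] <= self.ports[1])
    def hits(self, ip, port):
        return (_ip(ip) & self.care) == self.addr and self.ports[0] <= port <= self.ports[1]

@dataclass(frozen=True)
class Ace:
    text: str
    action: str
    proto: str
    src: Side
    dst: Side
    def covers(self, o):
        return self.proto in ("ip", o.proto) and self.src.covers(o.src) and self.dst.covers(o.dst)

def _side(t, i):
    """Parse `any` | `host A` | `A WILDCARD`, then an optional `eq P` | `range P Q`."""
    if t[i] == "any":
        addr, care, i = 0, 0, i + 1
    elif t[i] == "host":
        addr, care, i = _ip(t[i + 1]), 0xFFFFFFFF, i + 2
    else:                                  # wildcard 1-bits are don't-care bits
        care = 0xFFFFFFFF & ~_ip(t[i + 1])
        addr, i = _ip(t[i]) & care, i + 2
    ports = (0, 65535)
    if i < len(t) and t[i] == "eq":
        ports, i = (_port(t[i + 1]), _port(t[i + 1])), i + 2
    elif i < len(t) and t[i] == "range":
        ports, i = (_port(t[i + 1]), _port(t[i + 2])), i + 3
    return Side(addr, care, ports), i

def parse_acl(text):
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] not in {"ip", "tcp", "udp", "gre", "icmp"}:
            continue                       # skips remarks and standard (address-only) ACLs
        src, i = _side(t, 4)
        dst, _ = _side(t, i)
        aces.append(Ace(line.strip(), t[2], t[3], src, dst))
    return aces

def shadowed(aces):
    """(index, index of the earlier ACE hiding it) for every ACE that no packet can reach."""
    first = [(j, next((i for i in range(j) if aces[i].covers(a)), None)) for j, a in enumerate(aces)]
    return [(j, i) for j, i in first if i is not None]

def first_match(aces, proto, src_ip, dst_ip, sport=0, dport=0):
    for a in aces:
        if a.proto in ("ip", proto) and a.src.hits(src_ip, sport) and a.dst.hits(dst_ip, dport):
            return a
    return None                            # the implicit deny at the end of every ACL

def pptp_allowed(aces, src_ip, dst_ip):
    """PPTP is two flows: the TCP/1723 control channel and GRE carrying the PPP frames."""
    ctl = first_match(aces, "tcp", src_ip, dst_ip, sport=40000, dport=1723)
    gre = first_match(aces, "gre", src_ip, dst_ip)
    return {"tcp1723": bool(ctl and ctl.action == "permit"),
            "gre": bool(gre and gre.action == "permit")}

_ACE_LINE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?$")
def unhit_entries(show_output):
    """ACEs in `show ip access-list` output that carry no `(N matches)` counter yet."""
    return [f"{m[1]} {m[2]} {m[3]}" for m in map(_ACE_LINE.match, show_output.splitlines())
            if m and not m[4]]

# Constructed samples: ACL 110 as first posted, and ACL 101 with the new permit below the deny.
WAN_ACL = """
access-list 110 permit tcp any host 203.0.113.35
access-list 110 permit tcp any host 203.0.113.35 eq 1723
access-list 110 permit gre any any
access-list 110 deny   ip any any
"""
LAN_ACL = """
access-list 101 permit tcp 10.1.0.0 0.0.3.255 any
access-list 101 deny   ip any any
access-list 101 permit gre host 10.1.1.249 any
"""
SHOW_OUTPUT = """Extended IP access list 101
    10 permit tcp 10.1.0.0 0.0.3.255 any (8812 matches)
    20 deny ip any any (41 matches)
    30 permit gre host 10.1.1.249 any
"""
```

`shadowed(parse_acl(WAN_ACL))` returns `[(1, 0)]`: the `eq 1723` line is hidden by the port-less permit above it, exactly the "never hits this" remark earlier in the thread. `pptp_allowed(parse_acl(LAN_ACL), "10.1.1.249", "198.51.100.7")` reports the control channel permitted but GRE denied, because the GRE permit sits below `deny ip any any`; moving it above the deny makes both flows pass. In the constructed `show ip access-list` output, only entry 30 lacks a `(N matches)` suffix, which is what a zero hit counter looks like in that command.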
LVL 79

Accepted Solution

by:lrmoore (earned 125 total points)
ID: 17869938
And you have verified the default gateway of the PPTP server?
You can browse the Internet from the PPTP server itself?
Author Comment

by:rdaszynski
ID: 17870239
I have tested everything internet, browse network, etc.  Anything else you want me to test?  As I said before, if I make a vpn connection inside the network it works.
Author Comment

by:rdaszynski
ID: 17870613
Rebooted the Router and tried my VPN with the same results.