Solved

PPTP inbound thru Cisco router to Win2003 Server does not work!

Posted on 2007-11-16
Last Modified: 2009-11-18
Inbound PPTP connection won't connect..
private IP of Win2003 server is: 10.100.1.5
Public IP (via static NAT on outside of router) is: 208.51.103.73

Have the pertinent IP NAT statements in the router:
ip nat inside source static 10.100.1.5 208.51.103.73 route-map VPN-NAT_fixup
!!! Access below applied to outside interface !!!
access-list 122 permit gre any host 208.51.103.73
access-list 122 permit tcp any host 208.51.103.73 eq 1723

access-list 2000 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 2000 deny   ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
route-map VPN-NAT_fixup permit 1
 match ip address 2000

Get the following PPTP failure on Win server event log:
Event Type: Warning
Event Source: Rasman
Event Category: None
Event ID: 20209
Date: 11/16/2007
Time: 8:18:19 AM
User: N/A
Computer: ATLUTILITY
Description:
A connection between the VPN server and the VPN client 76.20.198.1 has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.

Other NOTES:
All other static mappings (ie smtp port 25 and web) to internal servers work perfectly!
NAT translation table show GRE and TCP/1723 translations on the Cisco 2851

ANY IDEAS ANYONE?....been scratching my head for hours!
Question by:dfhampson
6 Comments
 
LVL 10

Expert Comment

by:cstosgale
ID: 20303968
Have you allowed GRE outbound from your windows server to the internet? i.e. what's in your internal interfaces ACL?

Why do you have a route map on the static nat? This should not be necessary. Because the router isn't terminating the VPNs, there's no need to filter nat traffic.

Incidentally, if you have a cisco router, why not use ipsec on the router as opposed to setting up pptp vpns? This tends to be a lot more secure. You can still do authentication back to AD using radius via IAS. At worst I would use L2TP over IPSEC on windows as opposed to PPTP. This can still be set up with a pre shared key.

Author Comment

by:dfhampson
ID: 20304464
We have no outbound ACL on this Cisco router (2851).  Yes, we are terminating VPNs on this router,
so we have to have the route-maps....should have mentioned that in the problem description.

This customer (we are a Cisco VAR) is not willing to replace all PPTP clients with IPSec.....believe me,
we have tried!

I will investigate the route-map issue...maybe that is causing the problem since the PPTP clients are getting a 10.x.x.x address.  I just figured it wouldn't be a problem since the 10.x.x.x traffic to/from the client was in a tunnel....but I was wrong once before :-)....thanx for your input!
LVL 10

Accepted Solution

by:
cstosgale earned 2000 total points
ID: 20304508
If you are terminating VPNs on the router, then your config is right, you will need the route map.

With regards to the issue, here is an article that describes allowing PPTP through a PIX/ASA. The principle is the same on a router: http://www.cisco.com/warp/public/110/pix_pptp.html

In this case the problem appears to be that the access list you have specified in the route map does not allow any traffic. i.e. as access-lists have an implicit deny, access-list 2000 is equivalent to having an access-list that says deny ip any any.

In order to configure this correctly, I would add a permit ip any any line after the deny lines in access list 2000.

Author Comment

by:dfhampson
ID: 20304514
Removing the routemap from that particular static fixed the problem!  I just need to figure out how to
add it back with the correct entries in the ACL to avoid VPN/NAT conflicts....

Thanx for the advice.
LVL 10

Expert Comment

by:cstosgale
ID: 20305261
No problem, you should be able to use this access list with the route map, this will stop router (but not server) vpn traffic from being natted but allow other traffic to be natted:-

access-list 2000 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 2000 deny   ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
access-list 2000 permit ip any any
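To make the implicit-deny point from the accepted answer concrete, here is an added Python model (not from the thread or from Cisco) of how the route-map's match ACL gates the static translation: first-match evaluation with Cisco wildcard masks and an implicit deny at the end. It assumes the simplified rule that the static NAT applies only when the ACL permits the inside-local source to the destination, and reuses the addresses quoted in the question.

```python
import ipaddress

# A Cisco-style extended ACL entry: (action, src, src_wildcard, dst, dst_wildcard).
# Wildcard masks are the inverse of subnet masks: a 1 bit means "don't care".
def _match(addr, base, wildcard):
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_permits(acl, src, dst):
    """First-match ACL evaluation; falling off the end is the implicit deny."""
    for action, s, sw, d, dw in acl:
        if _match(src, s, sw) and _match(dst, d, dw):
            return action == "permit"
    return False  # implicit 'deny ip any any'

ANY = ("0.0.0.0", "255.255.255.255")

# access-list 2000 exactly as posted in the question: deny lines only.
ACL_2000_ORIGINAL = [
    ("deny", "10.0.0.0", "0.255.255.255", "10.0.0.0", "0.255.255.255"),
    ("deny", "10.0.0.0", "0.255.255.255", "192.168.0.0", "0.0.255.255"),
]
# access-list 2000 as corrected in the last comment: explicit permit at the end.
ACL_2000_FIXED = ACL_2000_ORIGINAL + [("permit", *ANY, *ANY)]

def static_nat_applies(acl, inside_local, dst):
    """Simplified model (assumption): 'ip nat inside source static ... route-map'
    translates the inside host only when the route-map's ACL permits the flow
    inside_local -> dst. Router-terminated VPN traffic to 10/8 and 192.168/16
    is meant to stay untranslated; everything else should be NATted."""
    return acl_permits(acl, inside_local, dst)

def demo():
    server, pptp_client, remote_site = "10.100.1.5", "76.20.198.1", "10.200.0.7"
    return {
        "original_to_pptp_client": static_nat_applies(ACL_2000_ORIGINAL, server, pptp_client),
        "fixed_to_pptp_client": static_nat_applies(ACL_2000_FIXED, server, pptp_client),
        "fixed_to_vpn_site": static_nat_applies(ACL_2000_FIXED, server, remote_site),
    }

if __name__ == "__main__":
    for name, translated in demo().items():
        print(f"{name}: {'NAT applied' if translated else 'no translation'}")
```

With the original list the server-to-client flow is never translated, which is why the router showed translations only after the route-map was removed; the fixed list translates the PPTP client flow but still exempts the router's own 10.x VPN destinations.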
