Solved

PPTP inbound thru Cisco router to Win2003 Server does not work!

Posted on 2007-11-16
6
565 Views
Last Modified: 2009-11-18
Inbound PPTP conection won't connect..
private IP of Win2003 server is: 10.100.1.5
Public IP (via static NAT on outside of router) is: 208.51.103.73

Have the pertinent IP NAT statements in the router:
ip nat inside source static 10.100.1.5 208.51.103.73 route-map VPN-NAT_fixup
!!! Access below applied to outside interface !!!
access-list 122 permit gre any host 208.51.103.73
access-list 122 permit tcp any host 208.51.103.73 eq 1723

access-list 2000 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 2000 deny   ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
route-map VPN-NAT_fixup permit 1
 match ip address 2000

Get the following PPTP failure on Win server event log:
Event Type:        Warning
Event Source:    Rasman
Event Category:                None
Event ID:              20209
Date:                     11/16/2007
Time:                     8:18:19 AM
User:                     N/A
Computer:          ATLUTILITY
Description:
A connection between the VPN server and the VPN client 76.20.198.1 has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.

Other NOTES:
All other static mappings (ie smtp port 25 and web) to internal servers work perfectly!
NAT translation table show GRE and TCP/1723 translations on the Cisco 2851

ANY IDEAS ANYONE?....been scratching my head for hours!
0
Comment
Question by:dfhampson
  • 3
  • 2
6 Comments
 
LVL 10

Expert Comment

by:cstosgale
ID: 20303968
Have you allowed GRE outbound from your windows server to the internet? i.e. what's in your internal interfaces ACL?

Why do you have a route map on the static nat? This should not be necessary. Because the router isn't terminating the VPNs, there's no need to filter nat traffic.

Incidentally, if you have a cisco router, why not use ipsec on the router as opposed to setting up pptp vpns? This tends to be a lot more secure. You can still do authentication back to AD using radius via IAS. At worst I would use L2TP over IPSEC on windows as opposed to PPTP. This can still be set up with a pre shared key.
0
 

Author Comment

by:dfhampson
ID: 20304464
We have no outbound ACL on this Cisco router (2851).  Yes, we are terminating VPN's on this router,
so we have to have the route-maps....should have mentioned that in the problem description.

This customer (we are a Cisco VAR) is no will in to replace all PPTP clients with IPSec.....believe me,
we have tried!

I will investigate the route-map issue...maybe that is causing the problem sine the PPTP clients are getting a 10.x.x.x address.  I just figured it wouldn't be a problem since the 10.x.x.x traffic to/from the client was in a tunnel....but I was wrong once before :-)....thanx for your input!  
0
 
LVL 10

Accepted Solution

by:
cstosgale earned 500 total points
ID: 20304508
If you are terminating VPNs on the router, then your config is right, you will need the route map.

With regards to the issue, here is an article that describes allowing PPTP through a PIX/ASA. The principal is the same on a router: http://www.cisco.com/warp/public/110/pix_pptp.html

In this case the problem appears to be that the access list you have specified in the route map does not allow any traffic. i.e. as access-lists have an implicit deny, access-list 2000 is equivalent to having an access-list that says deny ip any any.

In order to configure this correctly, I would add a permit ip any any line after the deny lines in access list 2000.
0
 

Author Comment

by:dfhampson
ID: 20304514
Removing the routemap from that particular static fixed the problem!  I just need to figure out how to
add it back with the correct entries in the ACL to avoid VPN/NAT conflicts....

Thanx for the advice.
0
 
LVL 10

Expert Comment

by:cstosgale
ID: 20305261
No problem, you should be able to use this access list with the route map, this will stop router (but not server) vpn traffic from being natted but allow other traffic to be natted:-

access-list 2000 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 2000 deny   ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
access-list 2000 permit ip any any
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Load Balancing 3 29
parental control on huwei HG658b 1 21
Running a 2nd company from the same location 3 44
Ping configured interface on Sonicwall 16 48
Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question