PPTP inbound thru Cisco router to Win2003 Server does not work!

Posted on 2007-11-16
Last Modified: 2009-11-18
Inbound PPTP conection won't connect..
private IP of Win2003 server is:
Public IP (via static NAT on outside of router) is:

Have the pertinent IP NAT statements in the router:
ip nat inside source static route-map VPN-NAT_fixup
!!! Access below applied to outside interface !!!
access-list 122 permit gre any host
access-list 122 permit tcp any host eq 1723

access-list 2000 deny   ip
access-list 2000 deny   ip
route-map VPN-NAT_fixup permit 1
 match ip address 2000

Get the following PPTP failure on Win server event log:
Event Type:        Warning
Event Source:    Rasman
Event Category:                None
Event ID:              20209
Date:                     11/16/2007
Time:                     8:18:19 AM
User:                     N/A
Computer:          ATLUTILITY
A connection between the VPN server and the VPN client has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.

Other NOTES:
All other static mappings (ie smtp port 25 and web) to internal servers work perfectly!
NAT translation table show GRE and TCP/1723 translations on the Cisco 2851

ANY IDEAS ANYONE?....been scratching my head for hours!
Question by:dfhampson
  • 3
  • 2
LVL 10

Expert Comment

ID: 20303968
Have you allowed GRE outbound from your windows server to the internet? i.e. what's in your internal interfaces ACL?

Why do you have a route map on the static nat? This should not be necessary. Because the router isn't terminating the VPNs, there's no need to filter nat traffic.

Incidentally, if you have a cisco router, why not use ipsec on the router as opposed to setting up pptp vpns? This tends to be a lot more secure. You can still do authentication back to AD using radius via IAS. At worst I would use L2TP over IPSEC on windows as opposed to PPTP. This can still be set up with a pre shared key.

Author Comment

ID: 20304464
We have no outbound ACL on this Cisco router (2851).  Yes, we are terminating VPN's on this router,
so we have to have the route-maps....should have mentioned that in the problem description.

This customer (we are a Cisco VAR) is no will in to replace all PPTP clients with IPSec.....believe me,
we have tried!

I will investigate the route-map issue...maybe that is causing the problem sine the PPTP clients are getting a 10.x.x.x address.  I just figured it wouldn't be a problem since the 10.x.x.x traffic to/from the client was in a tunnel....but I was wrong once before :-)....thanx for your input!  
LVL 10

Accepted Solution

cstosgale earned 500 total points
ID: 20304508
If you are terminating VPNs on the router, then your config is right, you will need the route map.

With regards to the issue, here is an article that describes allowing PPTP through a PIX/ASA. The principal is the same on a router:

In this case the problem appears to be that the access list you have specified in the route map does not allow any traffic. i.e. as access-lists have an implicit deny, access-list 2000 is equivalent to having an access-list that says deny ip any any.

In order to configure this correctly, I would add a permit ip any any line after the deny lines in access list 2000.

Author Comment

ID: 20304514
Removing the routemap from that particular static fixed the problem!  I just need to figure out how to
add it back with the correct entries in the ACL to avoid VPN/NAT conflicts....

Thanx for the advice.
LVL 10

Expert Comment

ID: 20305261
No problem, you should be able to use this access list with the route map, this will stop router (but not server) vpn traffic from being natted but allow other traffic to be natted:-

access-list 2000 deny   ip
access-list 2000 deny   ip
access-list 2000 permit ip any any

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Failover VPN Question Sonicwall 5 48
trouble on installing syslog-ng on CentOS 7 7 52
Syslog-ng works. Now what? How to filter and manage? 8 57
Cisco RV042G 4 6
Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question