PPTP inbound thru Cisco router to Win2003 Server does not work!

Posted on 2007-11-16
Last Modified: 2009-11-18
Inbound PPTP conection won't connect..
private IP of Win2003 server is:
Public IP (via static NAT on outside of router) is:

Have the pertinent IP NAT statements in the router:
ip nat inside source static route-map VPN-NAT_fixup
!!! Access below applied to outside interface !!!
access-list 122 permit gre any host
access-list 122 permit tcp any host eq 1723

access-list 2000 deny   ip
access-list 2000 deny   ip
route-map VPN-NAT_fixup permit 1
 match ip address 2000

Get the following PPTP failure on Win server event log:
Event Type:        Warning
Event Source:    Rasman
Event Category:                None
Event ID:              20209
Date:                     11/16/2007
Time:                     8:18:19 AM
User:                     N/A
Computer:          ATLUTILITY
A connection between the VPN server and the VPN client has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.

Other NOTES:
All other static mappings (ie smtp port 25 and web) to internal servers work perfectly!
NAT translation table show GRE and TCP/1723 translations on the Cisco 2851

ANY IDEAS ANYONE?....been scratching my head for hours!
Question by:dfhampson
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
LVL 10

Expert Comment

ID: 20303968
Have you allowed GRE outbound from your windows server to the internet? i.e. what's in your internal interfaces ACL?

Why do you have a route map on the static nat? This should not be necessary. Because the router isn't terminating the VPNs, there's no need to filter nat traffic.

Incidentally, if you have a cisco router, why not use ipsec on the router as opposed to setting up pptp vpns? This tends to be a lot more secure. You can still do authentication back to AD using radius via IAS. At worst I would use L2TP over IPSEC on windows as opposed to PPTP. This can still be set up with a pre shared key.

Author Comment

ID: 20304464
We have no outbound ACL on this Cisco router (2851).  Yes, we are terminating VPN's on this router,
so we have to have the route-maps....should have mentioned that in the problem description.

This customer (we are a Cisco VAR) is no will in to replace all PPTP clients with IPSec.....believe me,
we have tried!

I will investigate the route-map issue...maybe that is causing the problem sine the PPTP clients are getting a 10.x.x.x address.  I just figured it wouldn't be a problem since the 10.x.x.x traffic to/from the client was in a tunnel....but I was wrong once before :-)....thanx for your input!  
LVL 10

Accepted Solution

cstosgale earned 500 total points
ID: 20304508
If you are terminating VPNs on the router, then your config is right, you will need the route map.

With regards to the issue, here is an article that describes allowing PPTP through a PIX/ASA. The principal is the same on a router:

In this case the problem appears to be that the access list you have specified in the route map does not allow any traffic. i.e. as access-lists have an implicit deny, access-list 2000 is equivalent to having an access-list that says deny ip any any.

In order to configure this correctly, I would add a permit ip any any line after the deny lines in access list 2000.

Author Comment

ID: 20304514
Removing the routemap from that particular static fixed the problem!  I just need to figure out how to
add it back with the correct entries in the ACL to avoid VPN/NAT conflicts....

Thanx for the advice.
LVL 10

Expert Comment

ID: 20305261
No problem, you should be able to use this access list with the route map, this will stop router (but not server) vpn traffic from being natted but allow other traffic to be natted:-

access-list 2000 deny   ip
access-list 2000 deny   ip
access-list 2000 permit ip any any

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question