Solved

PPTP inbound thru Cisco router to Win2003 Server does not work!

Posted on 2007-11-16
6
561 Views
Last Modified: 2009-11-18
Inbound PPTP conection won't connect..
private IP of Win2003 server is: 10.100.1.5
Public IP (via static NAT on outside of router) is: 208.51.103.73

Have the pertinent IP NAT statements in the router:
ip nat inside source static 10.100.1.5 208.51.103.73 route-map VPN-NAT_fixup
!!! Access below applied to outside interface !!!
access-list 122 permit gre any host 208.51.103.73
access-list 122 permit tcp any host 208.51.103.73 eq 1723

access-list 2000 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 2000 deny   ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
route-map VPN-NAT_fixup permit 1
 match ip address 2000

Get the following PPTP failure on Win server event log:
Event Type:        Warning
Event Source:    Rasman
Event Category:                None
Event ID:              20209
Date:                     11/16/2007
Time:                     8:18:19 AM
User:                     N/A
Computer:          ATLUTILITY
Description:
A connection between the VPN server and the VPN client 76.20.198.1 has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.

Other NOTES:
All other static mappings (ie smtp port 25 and web) to internal servers work perfectly!
NAT translation table show GRE and TCP/1723 translations on the Cisco 2851

ANY IDEAS ANYONE?....been scratching my head for hours!
0
Comment
Question by:dfhampson
  • 3
  • 2
6 Comments
 
LVL 10

Expert Comment

by:cstosgale
ID: 20303968
Have you allowed GRE outbound from your windows server to the internet? i.e. what's in your internal interfaces ACL?

Why do you have a route map on the static nat? This should not be necessary. Because the router isn't terminating the VPNs, there's no need to filter nat traffic.

Incidentally, if you have a cisco router, why not use ipsec on the router as opposed to setting up pptp vpns? This tends to be a lot more secure. You can still do authentication back to AD using radius via IAS. At worst I would use L2TP over IPSEC on windows as opposed to PPTP. This can still be set up with a pre shared key.
0
 

Author Comment

by:dfhampson
ID: 20304464
We have no outbound ACL on this Cisco router (2851).  Yes, we are terminating VPN's on this router,
so we have to have the route-maps....should have mentioned that in the problem description.

This customer (we are a Cisco VAR) is no will in to replace all PPTP clients with IPSec.....believe me,
we have tried!

I will investigate the route-map issue...maybe that is causing the problem sine the PPTP clients are getting a 10.x.x.x address.  I just figured it wouldn't be a problem since the 10.x.x.x traffic to/from the client was in a tunnel....but I was wrong once before :-)....thanx for your input!  
0
 
LVL 10

Accepted Solution

by:
cstosgale earned 500 total points
ID: 20304508
If you are terminating VPNs on the router, then your config is right, you will need the route map.

With regards to the issue, here is an article that describes allowing PPTP through a PIX/ASA. The principal is the same on a router: http://www.cisco.com/warp/public/110/pix_pptp.html

In this case the problem appears to be that the access list you have specified in the route map does not allow any traffic. i.e. as access-lists have an implicit deny, access-list 2000 is equivalent to having an access-list that says deny ip any any.

In order to configure this correctly, I would add a permit ip any any line after the deny lines in access list 2000.
0
 

Author Comment

by:dfhampson
ID: 20304514
Removing the routemap from that particular static fixed the problem!  I just need to figure out how to
add it back with the correct entries in the ACL to avoid VPN/NAT conflicts....

Thanx for the advice.
0
 
LVL 10

Expert Comment

by:cstosgale
ID: 20305261
No problem, you should be able to use this access list with the route map, this will stop router (but not server) vpn traffic from being natted but allow other traffic to be natted:-

access-list 2000 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 2000 deny   ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
access-list 2000 permit ip any any
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Join & Write a Comment

I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now