
Setting up Microsoft VPN passthrough on Cisco 1841 router in SDM

Tosti asked
Hello Experts,

I have a problem configuring a Cisco 1841 router to pass through VPN traffic.
The situation is as follows:

* Cisco router is being used as Easy VPN Server. Clients now use Cisco or Shrewsoft clients to connect.
* I am in the process of installing a SBS 2011 server behind this Cisco.
* Now I can and want to use Microsoft VPN connection to the server.
* I have made a NAT entry for port 1723 to the internal IP address of the new server.
* In the Firewall configuration I allowed protocol pptp and SDM_GRE for the internal IP.

When I try to connect with a Windows 7 machine to the external IP of the Cisco nothing happens. The connection hangs on "connecting to <IP-address> through WAN-miniport PPTP".

I'm configuring the Cisco through SDM, as I am a Newbie on configuring Cisco routers. So console configuration is not a good idea :)

Is it possible to use the integrated Easy VPN Server alongside the VPN passthrough?
Can someone help me out here?


Istvan Kalmar, Head of IT Security Division
Top Expert 2010


It needs to work... what does the log of the dropped packets show?


Hi ikalmar, Thanx for your reply.
I checked the log and when I try to connect I can see the following:
Under Active sessions I can see pptp with the IP address of my external PC.
Dropped packets keep adding up and there is no entry under allowed packets.

Something is not configured right I'm afraid... Can you tell me how to check the config?

Gary Coltharp, Sr. Systems Engineer
Did you disable EasyVPN?

Fixup IKE?


Hi gcoltharp,

No I have not disabled EasyVPN, could that be the problem?
Is it easy to do this, and then later turn it on again?

What do you mean with fixup IKE?

Thanx for responding!
Gary Coltharp, Sr. Systems Engineer

Absolutely... the Cisco can only do one or the other, not both.

Some Ciscos will have a "Fixups" under configuration in the PDM or SDM. You need to enable fixup IKE for it to pass it.

As far as enable/disable... you should be able to just uncheck the box and disable EasyVPN. If you check it again, your configs should still be there. I would back up your config before doing so, just in case. :)


OK Thanx, I will try this out.
Will get back with the results.


OK, it's solved!
The things I did are:
* Disable EasyVPN (I ended up deleting the connection, there was no checkbox).
-- It did not resolve the problem
* I forgot to properly run the VPN wizard on the new SBS 2011 machine.
-- After running this wizard, the VPN connection stopped at "verifying username and password".
* Then I added in the Firewall & ACL section of the Cisco router the same values (GRE, PPTP) in the inzone -to- outzone instead of only from out to in. This did the trick.

Apparently the router was not configured to send out this kind of traffic. Does that make sense?

Anyway, the problem is fixed.
I'll reward the points to gcoltharp for guiding me in the right direction, thanx!
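
For readers who work from the CLI, this is roughly what the fix in the thread looks like as a zone-based firewall policy. It is an added sketch, not configuration posted by anyone in the thread, and it uses `pass` for GRE, which keeps no state, so each direction needs its own rule. The zone names `in-zone`/`out-zone`, all class, policy and ACL names, and the server address 192.168.1.10 are assumptions.

```cisco
! Added example. Names, zones and 192.168.1.10 (the PPTP server's
! internal IP) are assumptions, not values from the thread.
!
! Control channel: TCP 1723 towards the PPTP server.
ip access-list extended PPTP-CTRL-TO-SERVER
 permit tcp any host 192.168.1.10 eq 1723
! Data channel: GRE (IP protocol 47), one ACL per direction.
ip access-list extended GRE-TO-SERVER
 permit gre any host 192.168.1.10
ip access-list extended GRE-FROM-SERVER
 permit gre host 192.168.1.10 any
!
class-map type inspect match-all PPTP-CTRL-IN
 match access-group name PPTP-CTRL-TO-SERVER
 match protocol pptp
class-map type inspect match-all GRE-IN
 match access-group name GRE-TO-SERVER
class-map type inspect match-all GRE-OUT
 match access-group name GRE-FROM-SERVER
!
policy-map type inspect OUT-TO-IN-POLICY
 ! TCP 1723 is inspected, so replies on that session are allowed back.
 class type inspect PPTP-CTRL-IN
  inspect
 ! GRE is only passed: no session is created for the return path.
 class type inspect GRE-IN
  pass
 class class-default
  drop log
!
policy-map type inspect IN-TO-OUT-POLICY
 ! Without this class the server's GRE replies hit class-default and
 ! are dropped, and the client stalls during connection setup.
 class type inspect GRE-OUT
  pass
 ! (classes for ordinary outbound traffic omitted from this sketch)
!
zone-pair security OUT-IN source out-zone destination in-zone
 service-policy type inspect OUT-TO-IN-POLICY
zone-pair security IN-OUT source in-zone destination out-zone
 service-policy type inspect IN-TO-OUT-POLICY
```

On a router already configured through SDM the zone pairs and policy maps exist under SDM-generated names, so the GRE classes are added to those policies rather than created alongside them. `show policy-map type inspect zone-pair` shows per-class counters for checking which direction is dropping.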