Solved

PPTP VPN through Cisco router

Posted on 2014-09-04
936 Views
Last Modified: 2014-09-05
Hi

I have to set up a temporary vpn solution at two offices, each has a Cisco router

I used the following NAT rule to send traffic to the RAS

ip nat inside source static tcp [local RAS IP] 1723 interface Dialer2 1723

On the C850 it works like a dream; on the C837 I can telnet to the port but the VPN fails, and the error is related to GRE. I have scoured the web but I cannot see how to enable GRE through the Cisco, as it doesn't exist as a NAT option.

Help!
Question by:DLeaver
25 Comments
 
LVL 4

Expert Comment

by:MarcusSjogren
ID: 40302925
Hi,

There is a reason why PPTP isn't the most popular VPN protocol any more. GRE is a real hassle sometimes.

Make sure that your service provider supports GRE. I know some mobile providers in Sweden don't; some of them require a special setting in their modem and some allow it freely.

Are you having a public IP on your dialer interface or is it a NAT-solution?
Can you pass on your access-lists for the dialer interface?
You have to allow GRE to pass through with the "permit gre any any" command (or specify the IP addresses instead of any any).

Marcus
 
LVL 12

Author Comment

by:DLeaver
ID: 40302947
The only access-list that looks to be associated with the Dialer interface is the crypto map one used for the VPN

Bit wary of adding an access-list to the interface, as I tried to do this last night and it kicked me out, and I had to get the client to restart the device this morning before I could get back in

Assuming you were doing this from scratch what syntax would you use which would also ensure all other traffic would work properly through the external interface?

The dialer interface has an external IP
 
LVL 4

Expert Comment

by:MarcusSjogren
ID: 40302964
Internet is working well from the RAS server?

This should be the only thing you should need if there is no access-list available:

Remove your current nat-rule for port 1723.

ip nat inside source list 101 interface <Outside Interface> overload

ip access-list extended 101
10 permit gre any any
20 permit tcp host <internal IP of RAS> any eq 1723
 
LVL 12

Author Comment

by:DLeaver
ID: 40303040
ip nat inside source list 1 interface Dialer0 overload
!
!
access-list 1 permit 192.168.0.0 0.0.0.255


I already have the above in my config, will adding your suggestion cause any issues here?
 
LVL 4

Expert Comment

by:MarcusSjogren
ID: 40303060
Hi,

No - it should not cause any issues - but this is theoretical of course, I do not take any legal responsibility :-)
What I usually do when I'm unsure and I don't have physical access / console access is that I do it at night when not so many users are online, and I schedule a reboot within a suitable time. For this I would schedule it to reboot in 10 min.

If my config does not make me lose the connection I just cancel the reboot.

http://cciepursuit.wordpress.com/2007/04/28/how-to-schedule-a-reload/

Sorry - I missed one thing in my previous comment: the internal IP of the RAS on the first line of the ACL.
ip access-list extended 101
10 permit gre host <internal IP of RAS> any
20 permit tcp host <internal IP of RAS> any eq 1723
 
LVL 12

Author Comment

by:DLeaver
ID: 40303121
That's great info.

Just to confirm, for my own knowledge's sake:

I can have multiple ip nat inside source lists?

So applying this along with the ACLs will just apply another set of allowed services into the router, it wouldn't block anything else?
 
LVL 4

Expert Comment

by:MarcusSjogren
ID: 40303127
Yes - that is correct. I have it on my routers.
It should not block anything else because you specify that this rule should only apply to the RAS server.

However - it's of course always good manners to call someone on-site and tell them that you made a change and want them to confirm that everything is working well :-)

By the way - in your first post you say "ip nat inside source static tcp [local RAS IP] 1723 interface Dialer2 1723" but in your third post you say Dialer0.

Are you sure you're not mixing up the interfaces in your configuration as well? Or do you have two dial interfaces (or three)?
 
LVL 12

Author Comment

by:DLeaver
ID: 40303182
Sorry, that's just lack of consistency in my config cleansing.
 
LVL 12

Author Comment

by:DLeaver
ID: 40303221
I have applied the above but still no luck, I can't even telnet to the port any more?
 
LVL 12

Author Comment

by:DLeaver
ID: 40303224
This is probably a daft observation, isn't the above letting the traffic out not in?
 
LVL 4

Accepted Solution

by:MarcusSjogren earned 2000 total points
ID: 40303259
This should definitely not affect the ability to telnet to the router (even though it did). Did you schedule the reboot as recommended?

Cisco has an alternative configuration to the one I'm using.

ip nat inside source static tcp <IP RAS Server> 1723 interface <Public Interface> 1723

ip nat inside source list 101 interface <Public Interface> overload

ip access-list extended 101
10 permit gre host <internal IP of RAS> any
no 20 permit tcp host <internal IP of RAS> any eq 1723
 
LVL 12

Author Comment

by:DLeaver
ID: 40303285
Sorry, added some confusion there. No loss of SSH to the router.

When I say I cannot telnet, I mean on port 1723, which I could previously with the original config.

So for the above I am just adding back in the NAT rule I took out originally?
 
LVL 4

Expert Comment

by:MarcusSjogren
ID: 40303319
Aha - then I misunderstood.

Yes - you add the one you had, remove the last line in the access-list, so you will have this configured:

ip nat inside source list 101 interface <Public Interface> overload

ip access-list extended 101
10 permit gre host <internal IP of RAS> any

Marcus
 
LVL 4

Expert Comment

by:MarcusSjogren
ID: 40303320
By the way - just to double-check.

Have you configured "ip nat inside" on the inside interface and "ip nat outside" on the Dialer interface?
 
LVL 12

Author Comment

by:DLeaver
ID: 40303337
Yes, that is all in place, but I am still getting VPN client failure error 806 related to GRE.

ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list 105 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.10 1723 interface Dialer1 1723
!
access-list 105 permit gre host 192.168.0.10 any
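To check a cleaned-up config for the pieces debated in this thread (ip nat inside/outside on both sides, the static TCP/1723 forward, a list/overload NAT rule whose ACL matches GRE from the RAS, and an inbound ACL on the outside interface that lets GRE through), here is an added Python example that is not part of the thread or of any Cisco tooling. The sample config is constructed from the fragments posted above (Dialer1, ACL 105/106 and the RAS at 192.168.0.10 come from those fragments; Vlan1 as the inside interface is an assumption).

```python
# Constructed sample assembled from the fragments posted in the thread; not a complete router config.
SAMPLE_CONFIG = """\
interface Vlan1
 ip nat inside
interface Dialer1
 ip nat outside
 ip access-group 106 in
ip nat inside source list 105 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.10 1723 interface Dialer1 1723
access-list 105 permit gre host 192.168.0.10 any
ip access-list extended 106
 10 permit gre any any
 20 permit ip any any
"""

def parse(config):  # -> (interface sub-lines, ACL entries, 'ip nat inside source' rules)
    interfaces, acls, nat, block = {}, {}, [], None
    for line in config.splitlines():
        words = line.split()
        if line.startswith(" ") and block is not None and words:  # sub-line of an interface or ACL block
            block.append(" ".join(words[1:] if words[0].isdigit() else words))  # drop ACL sequence numbers
        elif line.startswith(("interface ", "ip access-list extended ")):
            block = (interfaces if words[0] == "interface" else acls).setdefault(words[-1], [])
        else:
            block = None
            if line.startswith("access-list "):  # numbered ACL: one entry per line
                acls.setdefault(words[1], []).append(" ".join(words[2:]))
            elif line.startswith("ip nat inside source "):
                nat.append(line)
    return interfaces, acls, nat

def audit_pptp_passthrough(config, ras_ip):  # -> list of missing pieces, [] if every check passes
    interfaces, acls, nat = parse(config)
    findings = []
    outside = [n for n, sub in interfaces.items() if "ip nat outside" in sub]
    if not outside or not any("ip nat inside" in sub for sub in interfaces.values()):
        findings.append("'ip nat inside' and 'ip nat outside' are not both set")
    if not any(n.startswith(f"ip nat inside source static tcp {ras_ip} 1723 interface ") and n.endswith(" 1723") for n in nat):
        findings.append("TCP/1723 is not statically forwarded to the RAS")
    # GRE (IP protocol 47) has no ports, so the static forward above cannot translate it; a list/overload rule must.
    def permits_gre(acl, src=None):  # src=None asks only whether GRE is permitted at all
        return any(e.startswith("permit gre") and (src is None or e.split()[2] == "any" or src in e) for e in acls.get(acl, []))
    overload_acls = [n.split()[5] for n in nat if n.startswith("ip nat inside source list ") and n.endswith(" overload")]
    if not any(permits_gre(acl, ras_ip) for acl in overload_acls):
        findings.append("no NAT overload rule whose ACL permits GRE from the RAS")
    for name in outside:  # an inbound filter on the outside interface must also let GRE in
        for acl in (s.split()[2] for s in interfaces[name] if s.startswith("ip access-group ") and s.endswith(" in")):
            if not permits_gre(acl):
                findings.append(f"inbound ACL {acl} on {name} does not permit GRE")
    return findings
```

Run `audit_pptp_passthrough(open("router.cfg").read(), "192.168.0.10")` against a saved `show running-config`; an empty list means the router side has everything the thread identified, so the next place to look is the provider or the RAS host itself.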
 
LVL 4

Expert Comment

by:MarcusSjogren
ID: 40303370
You are allowing any traffic to enter the router, right?

Because I just saw that Cisco generally needs an IP access-list to specifically allow GRE.
Just for testing - you can do this:

ip access-list extended 106
10 permit gre any any
20 permit ip any any

interface <outside interface>
ip access-group 106 in
 
LVL 12

Author Comment

by:DLeaver
ID: 40303391
Still have the same issue with this applied - thanks for sticking with it, any other suggestions?
 
LVL 4

Expert Comment

by:MarcusSjogren
ID: 40303412
Are you sure the RAS firewall isn't blocking gre?
 
LVL 12

Author Comment

by:DLeaver
ID: 40303415
It's a Windows 2003 server, so the Windows firewall has to be disabled before RAS can be installed; I only have the VPN role installed on the RAS.
 
LVL 12

Author Comment

by:DLeaver
ID: 40303741
Any other ideas?
 
LVL 4

Expert Comment

by:MarcusSjogren
ID: 40305308
Can you please paste your whole config? Cleaned of course.
 
LVL 4

Expert Comment

by:MarcusSjogren
ID: 40305313
And by the way - you might want to look at setting up SSTP VPN instead of PPTP.
 
LVL 12

Author Comment

by:DLeaver
ID: 40305680
As this is just a temporary solution I have enabled a Hamachi connection to the server, over which the PPTP now runs, and this is working well.

Thanks for persisting, I believe the suggestions above are completely valid and should work, so full points to you.
 
LVL 12

Author Closing Comment

by:DLeaver
ID: 40305682
Excellent, very helpful expert!
 
LVL 4

Expert Comment

by:MarcusSjogren
ID: 40305685
You're welcome, thank you for your kind words!
