PPTP VPN through Cisco router

Hi

I have to set up a temporary VPN solution at two offices, each of which has a Cisco router.

I used the following NAT rule to send traffic to the RAS

ip nat inside source static tcp [local RAS IP] 1723 interface Dialer2 1723

On the C850 it works like a dream; on the C837 I can telnet to the port but the VPN fails, and the error is related to GRE. I have scoured the web but I cannot see how to enable GRE through the Cisco, as it doesn't exist as a NAT option.

Help!
DLeaver asked:

MarcusSjogren commented:
Hi,

There is a reason why PPTP isn't the most popular VPN protocol any more. GRE is a real hassle sometimes.

Make sure that your service provider supports GRE. I know some mobile providers in Sweden don't; some of them require a special setting in their modem and some allow it freely.

Do you have a public IP on your dialer interface, or is it a NAT solution?
Can you pass on your access-lists for the dialer interface?
You have to allow GRE to pass through with the "permit gre any any" command (or specify the IP addresses instead of any any).

Marcus
0
DLeaver (author) commented:
The only access-list that looks to be associated with the Dialer interface is the crypto map one used for the VPN

I'm a bit wary of adding an access-list to the interface, as I tried to do this last night and it kicked me out, and I had to get the client to restart the device this morning before I could get back in.

Assuming you were doing this from scratch what syntax would you use which would also ensure all other traffic would work properly through the external interface?

The dialer interface has an external IP
0
MarcusSjogren commented:
Is the internet working well from the RAS server?

This should be the only thing you should need if there is no access-list available:

Remove your current nat-rule for port 1723.

ip nat inside source list 101 interface <Outside Interface> overload

ip access-list extended 101
 10 permit gre any any
 20 permit tcp host <internal IP of RAS> any eq 1723
0

DLeaver (author) commented:
ip nat inside source list 1 interface Dialer0 overload
!
!
access-list 1 permit 192.168.0.0 0.0.0.255
I already have the above in my config, will adding your suggestion cause any issues here?
0
MarcusSjogren commented:
Hi,

No - it should not cause any issue - but this is theoretical of course, I do not take any legal responsibility :-)
What I usually do when I'm unsure and I don't have physical access / console access is that I do it at night when not so many users are online, and I schedule a reboot within a suitable time. For this I would schedule it to reboot in 10 min.

If my config does not make me lose the connection I just cancel the reboot.

http://cciepursuit.wordpress.com/2007/04/28/how-to-schedule-a-reload/

Sorry - I missed one thing in my previous comment, the internal IP of the RAS on the first line of the ACL.
ip access-list extended 101
 10 permit gre host <internal IP of RAS> any
 20 permit tcp host <internal IP of RAS> any eq 1723
0
DLeaver (author) commented:
That's great info.

Just to confirm, for my own knowledge's sake:

I can have multiple ip nat inside source lists?

So applying this along with the ACL's will just apply another set of allowed services into the router, it wouldn't block anything else?
0
MarcusSjogren commented:
Yes - that is correct. I have it on my routers.
It should not block anything else because you specify that this rule should only apply to the RAS-server.

However - it's of course always good manners to call someone on-site and tell them that you made a change and want them to confirm that everything is working well :-)

By the way - in your first post you say "ip nat inside source static tcp [local RAS IP] 1723 interface Dialer2 1723" but in your third post you say Dialer0.

Are you sure you're not mixing up the interfaces in your configuration as well? Or do you have two dial interfaces (or three)?
0
DLeaver (author) commented:
Sorry, that's just lack of consistency in my config cleansing.
0
DLeaver (author) commented:
I have applied the above but still no luck, I can't even telnet the port anymore??
0
DLeaver (author) commented:
This is probably a daft observation, isn't the above letting the traffic out not in?
0
MarcusSjogren commented:
This should definitely not affect the ability to telnet to the router (even though it did). Did you schedule the reboot as recommended?

Cisco have another alternative configuration from the one I'm using.

ip nat inside source static tcp <IP RAS Server> 1723 interface <Public Interface> 1723

ip nat inside source list 101 interface <public IP> overload

ip access-list extended 101
 10 permit gre host <internal IP of RAS> any
 ! remove the TCP 1723 entry; the static NAT rule above handles it
 no 20
0

DLeaver (author) commented:
Sorry, I added some confusion there. No loss of SSH to the router.

When I say I cannot telnet, I mean on port 1723, which I could previously with the original config

So with the above I am just adding back in the NAT rule I took out originally?
0
MarcusSjogren commented:
Aha - then I misunderstood.

Yes - you add the one you had, remove the last line in the access-list, so you will have this configured:

ip nat inside source list 101 interface <public IP> overload

ip access-list extended 101
 10 permit gre host <internal IP of RAS> any

Marcus
0
MarcusSjogren commented:
By the way - just to double-check.

Have you configured "ip nat inside" on the inside interface and "ip nat outside" on the Dialer interface?
0
DLeaver (author) commented:
Yes, that is all in place, but I am still getting VPN client failure error 806, related to GRE.

ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list 105 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.10 1723 interface Dialer1 1723
!
access-list 105 permit gre host 192.168.0.10 any
0
MarcusSjogren commented:
You are allowing any traffic to enter the router, right?

Because I just saw that Cisco generally needs an IP access-list to specifically allow GRE.
Just for testing - you can do this:

ip access-list extended 106
 10 permit gre any any
 20 permit ip any any

interface <outside interface>
 ip access-group 106 in
0
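As an added example (not from either participant in this thread), here are the fragments discussed above consolidated into one IOS configuration, with the "permit ip any any" test ACL replaced by a restrictive inbound filter plus stateful inspection so that LAN return traffic still passes. It assumes the RAS at 192.168.0.10, the 192.168.0.0/24 LAN and Dialer1 from the thread; the inside interface name Vlan1 and the management address 203.0.113.5 are assumed placeholders.

```cisco
! Inside/outside roles for NAT (inside interface name assumed; the
! thread only names the Dialer side)
interface Vlan1
 ip nat inside
!
interface Dialer1
 ip nat outside
 ip access-group 106 in
 ip inspect PPTP-FW out
!
! Forward the PPTP control channel (TCP 1723) to the RAS server
ip nat inside source static tcp 192.168.0.10 1723 interface Dialer1 1723
!
! Ordinary PAT for the LAN
ip nat inside source list 1 interface Dialer1 overload
access-list 1 permit 192.168.0.0 0.0.0.255
!
! GRE (IP protocol 47) has no ports, so it cannot be port-forwarded like
! TCP 1723. Translating GRE from the RAS host only gives the router a
! translation entry so inbound GRE can be mapped back to 192.168.0.10.
ip nat inside source list 105 interface Dialer1 overload
access-list 105 permit gre host 192.168.0.10 any
!
! Stateful inspection of outbound sessions so their replies get through
! ACL 106 (a plain "deny ip any any" inbound would otherwise cut off
! internet access for the whole LAN)
ip inspect name PPTP-FW tcp
ip inspect name PPTP-FW udp
ip inspect name PPTP-FW icmp
!
! Inbound filter on the outside interface: only what PPTP needs plus
! remote management, instead of the "permit ip any any" test ACL.
! Inbound ACLs on the NAT outside interface are evaluated before
! translation, so the destination seen here is the Dialer address.
! 203.0.113.5 is a constructed placeholder for the admin's public IP;
! keeping SSH restricted to it avoids the lock-out described above.
ip access-list extended 106
 permit gre any any
 permit tcp any any eq 1723
 permit tcp host 203.0.113.5 any eq 22
 deny ip any any log
!
! If the crypto map for the site-to-site tunnel is also on Dialer1,
! add "permit udp any any eq isakmp", "permit udp any any eq non500-isakmp"
! and "permit esp any any" above the deny line.
```

Apply it with "reload in 10" scheduled first and "reload cancel" once SSH and the VPN are confirmed working, as suggested earlier in the thread.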
DLeaver (author) commented:
Still have the same issue with this applied - thanks for sticking with it, any other suggestions?
0
MarcusSjogren commented:
Are you sure the RAS firewall isn't blocking gre?
0
DLeaver (author) commented:
It's a Windows 2003 server, so the Windows firewall has to be disabled before RAS can be installed; I only have the VPN role installed on the RAS.
0
DLeaver (author) commented:
Any other ideas?
0
MarcusSjogren commented:
Can you please paste your whole config? Cleaned of course.
0
MarcusSjogren commented:
And by the way - you might want to look at setting up SSTP VPN instead of PPTP.
0
DLeaver (author) commented:
As this is just a temporary solution I have enabled a Hamachi connection to the server, which the PPTP now runs over, and this is working well.

Thanks for persisting. I believe the suggestions above are completely valid and should work, so full points to you.
0
DLeaver (author) commented:
Excellent, very helpful expert!
0
MarcusSjogren commented:
You're welcome, thank you for your kind words!
0