DLeaver (asker, United Kingdom) asked:
PPTP VPN through Cisco router

Hi

I have to set up a temporary VPN solution at two offices; each has a Cisco router.

I used the following NAT rule to send traffic to the RAS:

ip nat inside source static tcp [local RAS IP] 1723 interface Dialer2 1723

On the C850 it works like a dream. On the C837 I can telnet to the port but the VPN fails, and the error is related to GRE. I have scoured the web but I cannot see how to enable GRE through the Cisco, as it doesn't exist as a NAT option.

Help!
MarcusSjogren:

Hi,

There is a reason why PPTP isn't the most popular VPN protocol any more. GRE is a real hassle sometimes.

Make sure that your service provider supports GRE. I know some mobile providers in Sweden don't; some of them require a special setting in their modem and some allow it freely.

Do you have a public IP on your dialer interface, or is it a NAT solution?
Can you pass on your access-lists for the dialer interface?
You have to allow GRE to pass through with the "permit gre any any" command (or specify the IP addresses instead of any any).

Marcus
DLeaver (asker):

The only access-list that looks to be associated with the Dialer interface is the crypto map one used for the VPN.

I'm a bit wary of adding an access-list to the interface, as I tried to do this last night and it kicked me out, and I had to get the client to restart the device this morning before I could get back in.

Assuming you were doing this from scratch what syntax would you use which would also ensure all other traffic would work properly through the external interface?

The dialer interface has an external IP.
Is the Internet working well from the RAS server?

This should be the only thing you should need if there is no access-list available:

Remove your current nat-rule for port 1723.

ip nat inside source list 101 interface <Outside Interface> overload

ip access-list extended 101
10 permit gre any any
20 permit tcp host <internal IP of RAS> any eq 1723
DLeaver (asker):

ip nat inside source list 1 interface Dialer0 overload
!
!
access-list 1 permit 192.168.0.0 0.0.0.255


I already have the above in my config, will adding your suggestion cause any issues here?
Hi,

No, it should not cause any issue, but this is theoretical of course; I do not take any legal responsibility :-)
What I usually do when I'm unsure and I don't have physical access / console access is that I do it at night when not so many users are online, and I schedule a reboot within a suitable time. For this I would schedule it to reboot in 10 min.

If my config does not make me lose the connection I just cancel the reboot.

http://cciepursuit.wordpress.com/2007/04/28/how-to-schedule-a-reload/

Sorry, I missed one thing in my previous comment: the internal IP of the RAS in the first line of the ACL.
ip access-list extended 101
10 permit gre host <internal IP of RAS> any
20 permit tcp host <internal IP of RAS> any eq 1723
DLeaver (asker):

That's great info.

Just to confirm, for my own knowledge's sake:

I can have multiple ip nat inside source lists?

So applying this along with the ACLs will just apply another set of allowed services into the router; it wouldn't block anything else?
Yes, that is correct. I have it on my routers.
It should not block anything else, because you specify that this rule should only apply to the RAS server.

However, it's of course always good manners to call someone on-site and tell them that you made a change, and ask them to confirm that everything is working well :-)

By the way, in your first post you say "ip nat inside source static tcp [local RAS IP] 1723 interface Dialer2 1723", but in your third post you say Dialer0.

Are you sure you're not mixing up the interfaces in your configuration as well? Or do you have two dial interfaces (or three)?
DLeaver (asker):

Sorry, that's just lack of consistency in my config cleansing.
DLeaver (asker):

I have applied the above but still no luck; I can't even telnet to the port anymore?
DLeaver (asker):

This is probably a daft observation, but isn't the above letting the traffic out, not in?
ASKER CERTIFIED SOLUTION
MarcusSjogren:
DLeaver (asker):

Sorry, I added some confusion there. No loss of SSH to the router.

When I say I cannot telnet, I mean on port 1723, which I could previously with the original config.

So for the above, am I just adding back in the NAT rule I took out originally?
Aha, then I misunderstood.

Yes, you add the one you had and remove the last line in the access-list, so you will have this configured:

ip nat inside source list 101 interface <Outside Interface> overload

ip access-list extended 101
10 permit gre host <internal IP of RAS> any

Marcus
By the way, just to double-check.

Have you configured "ip nat inside" on the inside interface and "ip nat outside" on the Dialer interface?
DLeaver (asker):

Yes, that is all in place, but I am still getting VPN client failure error 806, related to GRE.

ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list 105 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.10 1723 interface Dialer1 1723
!
access-list 105 permit gre host 192.168.0.10 any
You are allowing any traffic to enter the router, right?

Because I just saw that Cisco generally needs an IP access-list to specifically allow GRE.
Just for testing, you can do this:

ip access-list extended 106
10 permit gre any any
20 permit ip any any

interface <outside interface>
 ip access-group 106 in
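Pulling the thread's pieces into one consolidated IOS fragment, as an added example that is not from either participant: it assumes the LAN interface is Vlan1, the outside interface is Dialer1, and the RAS host is 192.168.0.10 (the address the asker posted); adjust names to the real device.

```text
! Added example (not from the thread): PPTP server behind IOS NAT overload.
! Assumed interface names: Vlan1 = LAN, Dialer1 = outside. RAS = 192.168.0.10.
interface Vlan1
 ip nat inside
!
interface Dialer1
 ip nat outside
 ip access-group 106 in
!
! General LAN overload plus a separate list so GRE sourced by the RAS host
! is translated on the same outside address.
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list 105 interface Dialer1 overload
! Static port mapping so inbound PPTP control sessions (TCP/1723) reach the RAS.
ip nat inside source static tcp 192.168.0.10 1723 interface Dialer1 1723
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 105 permit gre host 192.168.0.10 any
!
! Input filter on the outside interface. IOS evaluates an inbound ACL before
! outside-to-inside NAT, so matches are against the router's public address,
! not the RAS host's private address; "any" as destination avoids hard-coding
! a dynamically assigned dialer address. Line 30 keeps everything else open
! while testing, as suggested above; tighten it to the site's policy afterwards.
ip access-list extended 106
 10 permit gre any any
 20 permit tcp any any eq 1723
 30 permit ip any any
```

After applying it, `show access-lists 106` hit counters show whether GRE is arriving on Dialer1 at all, and `show ip nat translations | include gre` shows whether the router is actually building a GRE translation for the RAS host; no hits on line 10 points at the provider or upstream filtering, hits without a translation points at the NAT configuration.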
DLeaver (asker):

I still have the same issue with this applied. Thanks for sticking with it; any other suggestions?
Are you sure the RAS firewall isn't blocking gre?
DLeaver (asker):

It's a Windows 2003 server, so the Windows firewall has to be disabled before RAS can be installed. I only have the VPN role installed on the RAS.
DLeaver (asker):

Any other ideas?
Can you please paste your whole config? Cleaned, of course.
And by the way, you might want to look at setting up SSTP VPN instead of PPTP.
DLeaver (asker):

As this is just a temporary solution, I have enabled a Hamachi connection to the server which the PPTP now runs over, and this is working well.

Thanks for persisting. I believe the suggestions above are completely valid and should work, so full points to you.
DLeaver (asker):

Excellent, very helpful expert!
You're welcome, thank you for your kind words!