Two tests.
Upgrade to an IOS 12.2T or 12.3 if possible, although I know 12.1T
(12.2) should be good enough for PPTP passthrough, but just in case.
And remove all access lists temporarily from your interfaces. Let us
know if that changes anything. If it doesn't, then it'll be quicker
to look through the rest of the config.
I assume your PPTP server's default gateway has been redirected to the
Cisco instead of the DSL?
On 27 Jan 2005 21:27:17 -0800, wrote:
>Hey Guys,
>
>I have a Cisco 2611 using IOS 12.1-15(T). Behind it, I have a
>Microsoft server(192.168.1.3) that has RRAS configured and working with
>PPTP just fine. We have been bringing PPTP in VPN through a
>Watchguard firewall router for the last 3 years flawlessly across a
>DSL (they have 2 Internet connections). My client wants to bring VPN
>in via the Cisco using PPTP through the T1 instead of the DSL. Most
>employees, the client, and unfortunately myself, all have Comcast cable
>as our ISP since it is the only broadband available in our area. We
>also cannot bring IPSEC out from our homes through Comcast. Therefore
>we are stuck with PPTP.
>
>I need to configure PPTP to come from the Internet through the Cisco
>router to my Microsoft server (192.168.1.3). I was wondering if
>someone can take a look at my sanitized config below to see where I am
>goofing where I can make it work! I will post the solution once it
>works to help humanity!
>
>
>Current configuration : 2984 bytes
>!
>version 12.1
>service single-slot-reload-enable
>service tcp-keepalives-in
>service timestamps debug uptime
>no service timestamps log uptime
>service password-encryption
>!
>hostname XXXXX
>!
>no logging rate-limit
>enable secret
>!
>username XXX privilege 15 password
>clock summer-time EDT recurring
>no ip subnet-zero
>no ip source-route
>!
>no ip finger
>ip ftp source-interface Ethernet0/1
>ip ftp username
>ip ftp password
>ip name-server 2XX.XXX.X.XX
>!
>no ip bootp server
>call rsvp-sync
>cns event-service server
>!
>interface Loopback0
>ip address 192.168.22.65 255.255.255.224
>!
>interface Ethernet0/0
>ip address 192.168.2.2 255.255.255.0
>ip access-group e00 in
>ip access-group NJ out
>no ip proxy-arp
>ip nat inside
>half-duplex
>no cdp enable
>!
>interface Serial0/0
>ip address 85.225.84.214 255.255.255.252
>ip access-group ok-in in
>ip access-group ok-out1 out
>no ip redirects
>no ip proxy-arp
>ip nat outside
>no ip mroute-cache
>service-module t1 timeslots 1-24
>no cdp enable
>!
>interface Ethernet0/1
>ip address 192.168.1.2 255.255.255.0
>ip access-group 3 in
>ip access-group int-in out
>no ip proxy-arp
>ip nat inside
>half-duplex
>no cdp enable
>!
>router rip
>version 2
>passive-interface Serial0/0
>network 192.168.1.0
>no auto-summary
>!
>ip kerberos source-interface any
>ip nat inside source list 3 interface Serial0/0 overload
>ip nat inside source static tcp 192.168.1.3 1723 interface Ethernet0/1 1723
>ip nat outside source list 2 interface Ethernet0/1
>ip classless
>ip route 0.0.0.0 0.0.0.0 85.215.84.213
>no ip http server
>!
>ip access-list extended int-in
>permit tcp any host 192.168.1.3 eq 1723
>permit gre any host 192.168.1.3
>permit ip any any
>ip access-list extended ok-in
>permit udp host 225.141.9.25 192.168.1.0 0.0.0.255
>permit gre any host 85.225.84.214
>permit tcp any host 85.225.84.214 eq 1723
>evaluate outgo
>ip access-list extended ok-out1
>permit udp any host 225.141.9.25 eq domain
>permit tcp any any established
>permit tcp any any reflect outgo
>permit udp any any reflect outgo
>permit icmp any any reflect outgo
>access-list 2 permit 85.225.84.212 0.0.0.3
>access-list 3 permit 192.168.1.0 0.0.0.255
>access-list 4 permit 192.168.2.0 0.0.0.255
>access-list 98 permit 192.168.0.0 0.0.255.255
>access-list 101 permit ip 192.168.0.0 0.0.255.255 0.0.0.0 255.255.255.0
>no cdp run
>!
>dial-peer cor custom
>!
>banner motd ^C
>This is a private system and only authorized individuals are allowed.
>.^C
>!
>line con 0
>exec-timeout 5 0
>password
>login local
>transport input none
>line aux 0
>no exec
>password
>login local
>line vty 0 4
>access-class 98 in
>exec-timeout 45 0
>password
>login
>transport input telnet
>transport output none
>!
>end
>
>Thanks
> Tarek Hamdy, CNE, MCSE, eventual CCNA
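The reply's troubleshooting steps amount to checking two things in the posted config: that the static translation for TCP/1723 is bound to the `ip nat outside` interface (a static port translation borrows its global address from whichever interface it names), and that the inbound ACL on that outside interface admits both the PPTP control channel and the GRE tunnel. The following is an added example, not code from either poster, that runs those checks over a constructed excerpt of the config above; the function names `parse` and `pptp_passthrough_findings` are mine, and the excerpt restores the one-space IOS sub-command indentation that the mail quoting stripped.

```python
import re

# Constructed excerpt of the config posted in the thread (sanitized addresses kept
# as posted); IOS indents sub-commands by one space, which the quoting stripped.
CONFIG = """\
interface Serial0/0
 ip access-group ok-in in
 ip nat outside
interface Ethernet0/1
 ip access-group int-in out
 ip nat inside
ip nat inside source static tcp 192.168.1.3 1723 interface Ethernet0/1 1723
ip access-list extended ok-in
 permit gre any host 85.225.84.214
 permit tcp any host 85.225.84.214 eq 1723
"""

def parse(config):
    """Map each top-level command to the list of its (stripped) indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(" "):
            blocks.setdefault(current, []).append(line.strip())
        elif line.strip() and not line.startswith("!"):
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks

def pptp_passthrough_findings(config):
    """Return reasons inbound PPTP (TCP/1723 plus GRE) cannot reach the inside server."""
    blocks, findings = parse(config), []
    outside = [h.split()[1] for h, body in blocks.items()
               if h.startswith("interface ") and "ip nat outside" in body]
    # The static port translation takes its global address from the named interface,
    # so clients on the Internet can only reach it via an 'ip nat outside' interface.
    for h in blocks:
        m = re.match(r"ip nat inside source static tcp (\S+) 1723 interface (\S+) 1723", h)
        if m and m.group(2) not in outside:
            findings.append(f"static NAT for {m.group(1)}:1723 is bound to {m.group(2)}, "
                            f"not an outside interface {outside}")
    # The inbound ACL on each outside interface must admit the control channel
    # (TCP/1723) and the GRE tunnel that carries the PPP frames.
    for name in outside:
        body = blocks[f"interface {name}"]
        acl = next((l.split()[2] for l in body
                    if l.startswith("ip access-group ") and l.endswith(" in")), None)
        entries = blocks.get(f"ip access-list extended {acl}", [])
        if not any(e.startswith("permit gre ") for e in entries):
            findings.append(f"inbound ACL {acl} on {name} has no 'permit gre' entry")
        if not any(e.startswith("permit tcp ") and e.endswith(" eq 1723") for e in entries):
            findings.append(f"inbound ACL {acl} on {name} has no 'permit tcp ... eq 1723' entry")
    return findings
```

Running it against the excerpt reports the translation bound to Ethernet0/1 rather than Serial0/0; rebinding it to the outside interface clears the finding, and dropping the `permit gre` entry from `ok-in` produces one instead.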