pptp & gre & cisco & 2600 & VPN & not working

Discussion in 'Cisco' started by thamdy@quixnet.net, Jan 28, 2005.

  1. Guest

    Hey Guys,

    I have a Cisco 2611 using IOS 12.1-15(T). Behind it, I have a
    Microsoft server (192.168.1.3) that has RRAS configured and working with
    PPTP just fine. We have been bringing PPTP in VPN through a
    WatchGuard firewall router for the last 3 years flawlessly across a
    DSL (they have 2 Internet connections). My client wants to bring VPN
    in via the Cisco using PPTP through the T1 instead of the DSL. Most
    employees, the client, and unfortunately myself, all have Comcast cable
    as our ISP since it is the only broadband available in our area. We
    also cannot bring IPSEC out from our homes through Comcast. Therefore
    we are stuck with PPTP.

    I need to configure PPTP to come from the Internet through the Cisco
    router to my Microsoft server (192.168.1.3). I was wondering if
    someone can take a look at my sanitized config below to see where I am
    goofing and how I can make it work! I will post the solution once it
    works to help humanity!


    Current configuration : 2984 bytes
    !
    version 12.1
    service single-slot-reload-enable
    service tcp-keepalives-in
    service timestamps debug uptime
    no service timestamps log uptime
    service password-encryption
    !
    hostname XXXXX
    !
    no logging rate-limit
    enable secret
    !
    username XXX privilege 15 password
    clock summer-time EDT recurring
    no ip subnet-zero
    no ip source-route
    !
    no ip finger
    ip ftp source-interface Ethernet0/1
    ip ftp username
    ip ftp password
    ip name-server 2XX.XXX.X.XX
    !
    no ip bootp server
    call rsvp-sync
    cns event-service server
    !
    interface Loopback0
    ip address 192.168.22.65 255.255.255.224
    !
    interface Ethernet0/0
    ip address 192.168.2.2 255.255.255.0
    ip access-group e00 in
    ip access-group NJ out
    no ip proxy-arp
    ip nat inside
    half-duplex
    no cdp enable
    !
    interface Serial0/0
    ip address 85.225.84.214 255.255.255.252
    ip access-group ok-in in
    ip access-group ok-out1 out
    no ip redirects
    no ip proxy-arp
    ip nat outside
    no ip mroute-cache
    service-module t1 timeslots 1-24
    no cdp enable
    !
    interface Ethernet0/1
    ip address 192.168.1.2 255.255.255.0
    ip access-group 3 in
    ip access-group int-in out
    no ip proxy-arp
    ip nat inside
    half-duplex
    no cdp enable
    !
    router rip
    version 2
    passive-interface Serial0/0
    network 192.168.1.0
    no auto-summary
    !
    ip kerberos source-interface any
    ip nat inside source list 3 interface Serial0/0 overload
    ip nat inside source static tcp 192.168.1.3 1723 interface Ethernet0/1 1723
    ip nat outside source list 2 interface Ethernet0/1
    ip classless
    ip route 0.0.0.0 0.0.0.0 85.215.84.213
    no ip http server
    !
    ip access-list extended int-in
    permit tcp any host 192.168.1.3 eq 1723
    permit gre any host 192.168.1.3
    permit ip any any
    ip access-list extended ok-in
    permit udp host 225.141.9.25 192.168.1.0 0.0.0.255
    permit gre any host 85.225.84.214
    permit tcp any host 85.225.84.214 eq 1723
    evaluate outgo
    ip access-list extended ok-out1
    permit udp any host 225.141.9.25 eq domain
    permit tcp any any established
    permit tcp any any reflect outgo
    permit udp any any reflect outgo
    permit icmp any any reflect outgo
    access-list 2 permit 85.225.84.212 0.0.0.3
    access-list 3 permit 192.168.1.0 0.0.0.255
    access-list 4 permit 192.168.2.0 0.0.0.255
    access-list 98 permit 192.168.0.0 0.0.255.255
    access-list 101 permit ip 192.168.0.0 0.0.255.255 0.0.0.0 255.255.255.0
    no cdp run
    !
    dial-peer cor custom
    !
    banner motd ^C
    This is a private system and only authorized individuals are allowed.
    ..^C
    !
    line con 0
    exec-timeout 5 0
    password
    login local
    transport input none
    line aux 0
    no exec
    password
    login local
    line vty 0 4
    access-class 98 in
    exec-timeout 45 0
    password
    login
    transport input telnet
    transport output none
    !
    end

    Thanks
    Tarek Hamdy, CNE, MCSE, eventual CCNA
    , Jan 28, 2005
    #1
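An added example, not part of the thread or of the poster's config: a short Python model of what a PPTP pass-through asks of the NAT. Two things stand out in the config as posted. The only inbound mapping is `ip nat inside source static tcp 192.168.1.3 1723 interface Ethernet0/1 1723`, which is bound to an inside interface rather than to Serial0/0, and there is no mapping at all for the data tunnel, which cannot be port-forwarded at all: PPTP (RFC 2637) carries its data in "enhanced GRE", IP protocol 47, a protocol with no ports. The demultiplexer a PPTP-aware NAT has to use instead is the 16-bit Call ID in the GRE header, which it learns from the tcp/1723 control channel. The code parses both the control message and the GRE header and shows a minimal ALG doing exactly that, including the check that keeps a third party from injecting GRE with a guessed Call ID. (As posted, the default route's next hop 85.215.84.213 is also not on the Serial0/0 subnet 85.225.84.212/30, which is worth checking separately.) The server and public addresses are the ones from the post; the class name `PptpAlg`, the remote client addresses 198.51.100.7 and 203.0.113.9, the Call IDs and every packet are constructed for the demo.

```python
"""Why a tcp/1723 port map does not carry a PPTP VPN, and what a PPTP-aware
NAT must track instead.  Added example; not code from the thread.  Server and
public addresses are the ones from the post; the remote client addresses, Call
IDs and every packet below are constructed for the demo."""
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_TCP, IPPROTO_GRE = 6, 47
PPTP_PORT, PPTP_MAGIC, GRE_PPP = 1723, 0x1A2B3C4D, 0x880B
OCRP = 8  # PPTP Outgoing-Call-Reply control message type (RFC 2637 2.8)


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None    # TCP only: GRE carries no ports at all
    dport: Optional[int] = None
    call_id: Optional[int] = None  # GRE only: the *receiver's* Call ID
    payload: bytes = b""


def parse_ipv4(raw: bytes) -> Packet:
    """Minimal IPv4 + TCP / PPTP enhanced-GRE parser (no IP options, no checksums)."""
    ihl, proto = (raw[0] & 0x0F) * 4, raw[9]
    src, dst = ".".join(map(str, raw[12:16])), ".".join(map(str, raw[16:20]))
    l4 = raw[ihl:]
    if proto == IPPROTO_TCP:
        sport, dport, _seq, _ack, off = struct.unpack("!HHIIB", l4[:13])
        return Packet(proto, src, dst, sport, dport, payload=l4[(off >> 4) * 4:])
    if proto == IPPROTO_GRE:
        flags_ver, ptype, _plen, call_id = struct.unpack("!HHHH", l4[:8])
        # RFC 2637: version 1, protocol type 0x880B (PPP), K bit (0x2000) set
        if flags_ver & 0x0007 != 1 or ptype != GRE_PPP or not flags_ver & 0x2000:
            raise ValueError("GRE packet is not a PPTP enhanced-GRE frame")
        return Packet(proto, src, dst, call_id=call_id)
    raise ValueError(f"unsupported IP protocol {proto}")


class PptpAlg:
    """Learns (remote client, server Call ID) from Outgoing-Call-Reply messages so
    inbound GRE, which carries the *server's* Call ID, can reach the inside host.
    Keying on the client address as well stops a third party spoofing a Call ID."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.calls: dict = {}  # (remote client IP, server Call ID) -> inside host

    def observe_tcp(self, p: Packet) -> None:
        """Feed every tcp/1723 segment seen on the inside, in either direction."""
        if p.proto != IPPROTO_TCP or len(p.payload) < 16:
            return
        _len, msg_type, magic, ctrl_type, _rsvd = struct.unpack("!HHIHH", p.payload[:12])
        if msg_type != 1 or magic != PPTP_MAGIC:
            return  # not a PPTP control message
        if ctrl_type == OCRP and p.sport == PPTP_PORT:
            server_call_id, _peer_call_id = struct.unpack("!HH", p.payload[12:16])
            self.calls[(p.dst, server_call_id)] = p.src

    def inbound_gre_target(self, p: Packet) -> Optional[str]:
        """Inside host for GRE arriving at the public address, or None (drop it)."""
        if p.proto != IPPROTO_GRE or p.dst != self.public_ip:
            return None
        return self.calls.get((p.src, p.call_id))


# --- constructed packets for the demo (not captured traffic) -----------------
def ipv4(proto: int, src: str, dst: str, l4: bytes) -> bytes:
    addr = lambda ip: bytes(map(int, ip.split(".")))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                       addr(src), addr(dst)) + l4

def tcp(sport: int, dport: int, data: bytes) -> bytes:
    # 20-byte header (data offset 5), PSH|ACK; checksum left zero, not checked here
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + data

def pptp_ocrp(call_id: int, peer_call_id: int) -> bytes:
    # Outgoing-Call-Reply: 12-byte common header + 20-byte body, result code 1 (connected)
    body = struct.pack("!HHBBHIHHI", call_id, peer_call_id, 1, 0, 0, 0, 64, 0, 0)
    return struct.pack("!HHIHH", 12 + len(body), 1, PPTP_MAGIC, OCRP, 0) + body

def pptp_gre(call_id: int, ppp: bytes, seq: int = 0) -> bytes:
    # flags 0x3001: K and S bits, version 1; then payload length, Call ID, sequence
    return struct.pack("!HHHHI", 0x3001, GRE_PPP, len(ppp), call_id, seq) + ppp


def demo() -> dict:
    public, server, client = "85.225.84.214", "192.168.1.3", "198.51.100.7"
    alg = PptpAlg(public)
    # Server accepts the client's call (seen inside, before NAT): server Call ID 0x1234
    alg.observe_tcp(parse_ipv4(ipv4(IPPROTO_TCP, server, client,
                                    tcp(PPTP_PORT, 49152, pptp_ocrp(0x1234, 0x0001)))))
    # Client's first tunnel packet: GRE to the public address, tagged with 0x1234
    data = parse_ipv4(ipv4(IPPROTO_GRE, client, public, pptp_gre(0x1234, b"\xff\x03\xc0\x21")))
    # Someone else replaying the same Call ID from a different address
    stray = parse_ipv4(ipv4(IPPROTO_GRE, "203.0.113.9", public, pptp_gre(0x1234, b"\xff\x03")))
    return {
        "gre_has_no_ports": data.sport is None and data.dport is None,
        "data_target": alg.inbound_gre_target(data),    # '192.168.1.3'
        "stray_target": alg.inbound_gre_target(stray),  # None: right Call ID, wrong client
    }
```

`demo()` returns the three results: the GRE packet has no port for a static port map to match, the ALG delivers it to 192.168.1.3 because it saw the server's Outgoing-Call-Reply on the control channel, and the replayed packet from another address is dropped even though its Call ID is valid. The same logic is what a router's PPTP ALG has to do for a PAT setup with a single public address; the inbound ACL still has to permit both `tcp eq 1723` and `gre` to the outside address, as the posted `ok-in` list already does.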

  2. Bob Guest

    Two tests.
    Upgrade to an IOS 12.2T or 12.3 if possible, although I know 12.1T
    (12.2) should be good enough for PPTP passthrough, but just in case.

    And remove all access lists temporarily from your interfaces. Let us
    know if that changes anything. If it doesn't, then it'll be quicker
    to look through the rest of the config.

    I assume your PPTP server's default gateway has been redirected to the
    Cisco instead of the DSL?

    Bob, Jan 28, 2005
    #2

  3. Guest

    Bob,

    Thanks for answering. I'll do as you recommend. When I try to use the
    Cisco to receive the VPN, I do make it the default gateway for the
    Microsoft server. Right now, we are using the DSL. I will switch it
    this weekend when I try again.

    Tarek
    Bob wrote:
    > Two tests.
    > Upgrade to an IOS 12.2T or 12.3 if possible, although I know 12.1T
    > (12.2) should be good enough for PPTP passthrough, but just in case.
    >
    > And remove all access lists temporarily from your interfaces. Let us
    > know if that changes anything. If it doesn't, then it'll be quicker
    > to look through the rest of the config.
    >
    > I assume your PPTP server's default gateway has been redirected to
    > the Cisco instead of the DSL?
    , Jan 28, 2005
    #3
  4. Guest

    I upgraded the IOS. This has firewall features, but I have not
    implemented the new features. I eliminated unneeded access-list
    statements. If anyone has any ideas on what I can change to bring
    PPTP into my Microsoft server, please let me know.

    Current configuration : 2801 bytes
    !
    version 12.3
    service single-slot-reload-enable
    service tcp-keepalives-in
    service timestamps debug uptime
    no service timestamps log uptime
    service password-encryption
    !
    hostname XXXXX
    !
    no logging rate-limit
    enable secret
    !
    username XXX privilege 15 password
    clock summer-time EDT recurring
    no ip subnet-zero
    no ip source-route
    !
    no ip finger
    ip ftp source-interface Ethernet0/1
    ip ftp username
    ip ftp password
    ip name-server 2XX.XXX.X.XX
    !
    no ip bootp server
    call rsvp-sync
    cns event-service server
    !
    interface Loopback0
    ip address 192.168.22.65 255.255.255.224
    !
    interface Ethernet0/0
    ip address 192.168.0.2 255.255.255.0
    no ip proxy-arp
    ip nat inside
    shutdown
    half-duplex
    no cdp enable
    !
    interface Serial0/0
    ip address 85.225.84.214 255.255.255.252
    ip access-group ok-in in
    ip access-group ok-out1 out
    no ip redirects
    no ip proxy-arp
    ip nat outside
    no ip mroute-cache
    service-module t1 timeslots 1-24
    no cdp enable
    !
    interface Ethernet0/1
    ip address 192.168.1.2 255.255.255.0
    ip access-group 3 in
    ip access-group int-in out
    no ip proxy-arp
    ip nat inside
    half-duplex
    no cdp enable
    !
    router rip
    version 2
    passive-interface Serial0/0
    network 192.168.1.0
    no auto-summary
    !
    ip kerberos source-interface any
    ip nat inside source list 3 interface Serial0/0 overload
    ip nat inside source static tcp 192.168.1.3 1723 interface Ethernet0/1 1723
    ip nat outside source list 2 interface Ethernet0/1
    ip classless
    ip route 0.0.0.0 0.0.0.0 85.215.84.213
    no ip http server
    !
    ip access-list extended int-in
    permit tcp any host 192.168.1.3 eq 1723
    permit gre any host 192.168.1.3
    permit ip any any
    ip access-list extended ok-in
    permit udp host 225.141.9.25 192.168.1.0 0.0.0.255
    permit gre any host 85.225.84.214
    permit tcp any host 85.225.84.214 eq 1723
    evaluate outgo
    ip access-list extended ok-out1
    permit udp any host 225.141.9.25 eq domain
    permit tcp any any established
    permit tcp any any reflect outgo
    permit udp any any reflect outgo
    permit icmp any any reflect outgo
    access-list 2 permit 85.225.84.212 0.0.0.3
    access-list 3 permit 192.168.1.0 0.0.0.255
    access-list 98 permit 192.168.0.0 0.0.255.255
    no cdp run
    !
    dial-peer cor custom
    !
    banner motd ^C
    This is a private system and only authorized individuals are allowed.
    ..^C
    !
    line con 0
    exec-timeout 5 0
    password
    login local
    transport input none
    line aux 0
    no exec
    password
    login local
    line vty 0 4
    access-class 98 in
    exec-timeout 45 0
    password
    login
    transport input telnet
    transport output none
    !
    end

    Thanks

    Tarek Hamdy
    , Feb 7, 2005
    #4
