Passing MS PPTP traffic through a NAT router

Unanswered Question
Jan 13th, 2008
User Badges:

I have a 2611 running IOS 12.3 configured as a NAT router. I need to allow external PPTP VPN clients to connect to a MS Win 2003 server running RRAS on my inside network. I have configured static nat to forward TCP port 1723 traffic from the router's outside interface to the 2003 server, but there doesn't appear to be a way to use static NAT to forward GRE traffic. I've tried building an access-list with no success. External clients are able to reach the server, but authentication fails. I tested the connection with internal clients successfully, so I know that the RRAS server is set up correctly. When external clients attempt to connect, the connection appears to be successful, but the process hangs on authentication. I've followed the steps listed in Document ID 12483 explicitly, but still no success. Any help will be greatly appreciated.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
htarra Fri, 01/18/2008 - 13:14
User Badges:
  • Bronze, 100 points or more

The platform and the IOS image do support GRE going outbound (after all it is just an IP packet passing through the router). Where your problem is however, is that PPTP and more specificall GRE does not work well with PAT or "overloading" of the interface. For PPTP (GRE) to work through this you will need to have a static translation for the client machine accessing the PPTP server, or be using a non-overloaded interface.

doncrawley Fri, 01/18/2008 - 13:30
User Badges:

Thanks for your reply. Actually, I solved the problem by upgrading to a slightly newer version of the IOS. The problem apparently was a software bug. PPTP and GRE both work fine with PAT and overloading on the outside interface. It is now working fine, as described in Document ID: 12483.


This Discussion