cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2471
Views
0
Helpful
6
Replies

871 VPN passthrough.

Nathan Farrar
Level 1
Level 1

I am having some trouble with an 871w. Currently I have no firewall configured, I am using NAT. The router is connected to a residential cable modem. The issue I am having is that a client of mine is unable to connect to his work VPN from a PC behind the 871. I try to connect to my work VPN (windows as the client software) and I am able to create a connection but the dialog box will not pass the "Verifying Username and Password" portion. If I connect directly to the modem bypassing the router I have no trouble loging into the VPN. The router is blocking something. I assume it must have somthing to do with NAT. Any ideas?

Thanks

6 Replies 6

Jennifer Halim
Cisco Employee
Cisco Employee

PPTP consists of 2 protocols:

1) TCP/1723 - the authentication portion

2) GRE - PPTP data

Base on your explaination, it seems that it passes through the authentication portion, however, no PPTP data (GRE) connection after that.


Here is a sample configuration on configuring PPTP pass through PAT router:

http://www.cisco.com/en/US/partner/tech/tk827/tk369/technologies_configuration_example09186a00800949c0.shtml

You might want to double check the output of "sh ip nat trans" to see if it creates NAT entry for GRE. What version of IOS are you running on the 871?

I think you are correct about GRE being the issue. The router is running advipservicesk9 12.4. I do not have access to the router currently so I cannot check the translation tables. I set up my lab 2621xm which doesn't have the same issue as the 871 and added an ACL that blocks GRE inbound and experienced the same behavior as when I try to connect through the 871. So, since there isn't an ACL on the 871 that is blocking GRE, how would I go about telling it to pass? I am not going to be back onsite until wednesday. I do have remote access to the router but I don't know how I could test this without calling the client up and asking them to connect... they aren't at the location anyway.

Hi Nathan,

If the router has no ACLs, there's no reason it will be blocking the traffic.
But, if its doing PAT, please look at the link that halijenn posted.


If you want to see if the traffic is passing through the router, one way to do it is:

access-list 199 permit tcp host x.x.x.x host x.x.x.x eq 1723
access-list 199 permit gre host x.x.x.x host x.x.x.x
access-list 199 permit ip any any

You can enable the above ACL inbound on the inside interface of the router.
You can modify the list to check if the traffic is passing through the router and exiting the outside interface, and to see if its coming back as well.
Just change x.x.x.x with the IPs in question.

Federico.

The link provided shows that the only configuration on the remote router ("Router Light", equivalent to my 871) in regards to ACLs is NAT. The document goes on to show that I would need to do static mapping on the router connected to the VPN server, not the client router. I may not be understanding the doeument correctly but it seems to me that there really is nothing configured on the client side router other than NAT/PAT which is exacly what I have going on now.

I know it isn't anything wrong with the server side router, as it can be connected to by simply bypassing the 871 and going directly into the modem. So it has to be NAT that is somehow preventing PPTP from functioning. I will try the debugging methods mentioned. I wish I had an 871 here at home with me to test with!

I am still having trouble connecting to the VPN server. I have tried the ACL and noticed that while I am connecting to the VPN GRE packets are passing, I am not seeing any thing on port 1723. I am still not able to connect thorugh the router to the VPN server. Below is my config, please if anyone can see why I wouldn't be able to connect to the server let me know. Could it have something to do with CHAP? It isn't the ISP or the remote side as they work when the router is bypassed.

no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.100
ip dhcp excluded-address 192.168.1.254
ip dhcp excluded-address 192.168.20.1 192.168.20.200
ip dhcp excluded-address 192.168.10.1 192.168.10.200
!
ip dhcp pool VLAN20_DHCP
   network 192.168.20.0 255.255.255.0
   default-router 192.168.20.1
   dns-server 192.168.20.1
   domain-name warburton
!
ip dhcp pool VLAN10_DHCP
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.1
   dns-server 192.168.10.1
   domain-name domain
!
!
ip cef
ip domain name domain
ip name-server 4.2.2.2
no ipv6 cef
!
multilink bundle-name authenticated

!
!
!
archive
log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
switchport mode trunk
!
interface FastEthernet1
shutdown
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface FastEthernet4
ip address dhcp
ip access-group 100 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip http server
ip http secure-server
!
!
ip dns server
ip nat inside source static tcp 192.168.20.23 41795 interface FastEthernet4 41809
ip nat inside source list NAT_ADDRESSES interface FastEthernet4 overload
ip nat inside source static tcp 192.168.20.2 41795 interface FastEthernet4 41795
ip nat inside source static tcp 192.168.20.50 41795 interface FastEthernet4 41800
ip nat inside source static tcp 192.168.20.10 41795 interface FastEthernet4 41802
ip nat inside source static tcp 192.168.20.11 41795 interface FastEthernet4 41803
ip nat inside source static tcp 192.168.20.12 41795 interface FastEthernet4 41804
ip nat inside source static tcp 192.168.20.13 41795 interface FastEthernet4 41805
ip nat inside source static tcp 192.168.20.20 41795 interface FastEthernet4 41806
ip nat inside source static tcp 192.168.20.21 41795 interface FastEthernet4 41807
ip nat inside source static tcp 192.168.20.22 41795 interface FastEthernet4 41808
ip nat inside source static tcp 192.168.20.30 41795 interface FastEthernet4 41810
ip nat inside source static tcp 192.168.20.31 41795 interface FastEthernet4 41811
ip nat inside source static tcp 192.168.20.32 41795 interface FastEthernet4 41812
ip nat inside source static tcp 192.168.20.33 41795 interface FastEthernet4 41813
ip nat inside source static tcp 192.168.20.34 41795 interface FastEthernet4 41814
!
ip access-list standard NAT_ADDRESSES
permit 192.168.1.0 0.0.0.255
permit 192.168.10.0 0.0.0.255
!
access-list 100 permit ip any any
!
!
!
!

When he is trying to connect through PPTP, grab the output of "show ip nat trans" from your router.

Also try disabling "ip cef" and see if that resolves the issue.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: