1:1 NAT setup

Unanswered Question
Sep 16th, 2010

Hello,

Being a newbie I need a step by step guidance on how to setup an 1:1 NAT on cisco 876 router.

The reason I need this is because i'm trying to connect to a internal windows vpn server from the internet, so one of your guys advised to do that.

I'm pasting both of mine and his posts just to give you a clearer picture on what I actually need:

"Hello Guys,

Here is the layout that I currently have:

VPN Server (Windows 2008) --> Cisco 876  --> Internet (dynamic ip address) --> Client (My home PC)

So I'm having trouble connecting to the vpn server from my home pc, it actually hangs on "Verifying username and password" and then it just drops because of the timeout.

I googled for the solution and all I could find was that I need to open port 1723 and allow GRE (protocol 47) through the Cisco router.

So I managed to forward port 1723 to the required server, but I can't seem to do that for the GRE.

So can somebody please give me step by step instructions on how to do this, and for that matter how to make the whole thing work.

Note that I'm very new to cisco routers and firewalls, so I'm still not familiar with most of the commands for the router."

--------------------------------------------

Hi,

Unfortunately PPTP does not work with PAT for the server on port TCP/1723. This is because GRE is used in this connection and since GRE itself does not have any port numbers, we will need a NAT (1:1) for the server and not a PAT on TCP port 1723. I suppose that's the reason why it's not working in your case.


The payload when GRE comes into play is going to be something like below:

_______ ________

|            |             |

|   IP      |    GRE  |

|_______|_______|

So as can be seen, the port forwarding that you have configured for the PPTP server on TCP 1723 will not help due to the fact that the router can not find the port number field in the GRE header (though it can find the IP address field in the IP header). Hence, we will need a 1:1 NAT for this server.

-------------------------------------

Thanks

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jon Marshall Thu, 09/16/2010 - 09:47

To setup a static NAT on a router

ip nat inside source static

also if you have any access-lists on the interfaces ie. inside and outside interfaces you will need to allow GRE through eg.

access-list 101 permit gre

If you don't have an acl applied to the interface then dont worry about it.

Edit - obviously you also need "ip nat inside" and "ip nat outside" on the relevant interfaces but it sounds like you already have that.

Jon

Actions

This Discussion