VPN GRE Tunel through Cisco Router to windows 2008 RRAS

Unanswered Question
Apr 3rd, 2011

i need to provide remote access to external users over VPN connection. i have an server 2008 with 1 NIC ( and condifured VPN on RRAS, i enabled GRE and 1723 port on my Cisco firewall as well (

I can VPN to RRAS internally fine and can telnet to 1723 port but cannot get through externally.
i get Error 800 when establish connection on windown 7 PC.

i cannot telnet to 1723 port externally (from internet), please review my Cisco confug and advice if i missed anythings:

Current configuration : 6058 bytes
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname wrmelgw
logging buffered 51200
logging console critical
enable secret 5 ***********
no aaa new-model
clock timezone PCTime 10
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
crypto pki trustpoint TP-self-signed-860329787
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-860329787
revocation-check none
rsakeypair TP-self-signed-860329787
crypto pki certificate chain TP-self-signed-860329787
certificate self-signed 01
  3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 38363033 32393738 37301E17 0D313031 31313130 32313934
  345A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3836 30333239
  37383730 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  B48727D9 C6678610 CF7A69F6 BFFE48F2 63EE0A8D BFD7B83A 50659F84 FF358CA5
  5AD0ED97 B7D8212F E99AB991 36D0B172 538D1639 D68B8746 51650BAC 17256811
  80AB4344 B40FCDD1 B64B7011 49F90515 E2AD7346 4B1F1E5D 20F7D5F5 6B0AC5A8
  255FC444 1C29392E 634F9611 CF5761ED B873C63F 95B04B0D 38760A1B F6A5667B
  02030100 01A37630 74300F06 03551D13 0101FF04 05300301 01FF3021 0603551D
  11041A30 18821677 726D656C 67772E79 6F757264 6F6D6169 6E2E636F 6D301F06
  03551D23 04183016 80145FE0 D5554371 95D2A995 956BBCB2 0686C313 A06B301D
  0603551D 0E041604 145FE0D5 55437195 D2A99595 6BBCB206 86C313A0 6B300D06
  092A8648 86F70D01 01040500 03818100 245311C1 A9BBA0F4 66D3A9BA 6D8AF2FD
  B5513CDE 45785D42 3496AF0B 3B3CBFB3 D258E2F9 E9B071E5 3D581442 A73E063F
  21E5CF80 FA0D717F 8A6F5202 BB88C26C A6D3A559 BA520562 9CA08447 0DB28B33
  5BBDC1D4 86EA654F 3AFEA64D 8BA13738 14952C7A 0FB76D7A 2B47883A 27DCB43B
  7DA80B53 8D98010E 451A2949 CBCE63A7
dot11 syslog
no ip source-route
ip cef
ip dhcp excluded-address
no ip bootp server
ip domain name yourdomain.com
ip name-server
ip name-server
username ******** privilege 15 secret 5 ********
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key QnrpzdFI address 59.*.*.*
crypto isakmp keepalive 30 5
crypto ipsec transform-set vpn-ts esp-3des esp-md5-hmac
crypto map rtp 1 ipsec-isakmp
set peer 59.*.*.*
set transform-set vpn-ts
match address sydLAN
log config
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
interface ATM0.1 point-to-point
description $FW_OUTSIDE$$ES_WAN$
pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
interface FastEthernet0
interface FastEthernet1
description Inside
switchport access vlan 100
interface FastEthernet2
interface FastEthernet3
interface Vlan1
description Data VLAN
ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
interface Vlan100
description Voice VLAN
no ip address
interface Dialer0
ip address
ip access-group extIN in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname *@*.com
ppp chap password 7 ************
crypto map rtp
ip forward-protocol nd
ip route
ip route
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 80 interface Dialer0 8001
ip nat inside source static tcp 80 interface Dialer0 8008
ip nat inside source route-map VPN-nonat interface Dialer0 overload
ip nat inside source static tcp 1723 1723 extendable
ip nat inside source static tcp 8000 8000 extendable
ip access-list extended NONAT
deny   ip
permit ip any
permit ip any
ip access-list extended extIN
permit tcp any any eq 1723
permit ip any
permit icmp any any
permit tcp any any established
permit icmp any any echo-reply
permit icmp any any echo
permit icmp any any time-exceeded
permit icmp any any ttl-exceeded
permit icmp any any unreachable
permit tcp any any eq 22
permit esp any any
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit gre any any
permit ahp any any
permit tcp any host eq 8000
permit tcp any host eq 8001
permit tcp any host eq 8008
deny   ip any any log
ip access-list extended sydLAN
permit ip
permit ip
logging trap debugging
dialer-list 1 protocol ip permit
no cdp run
route-map VPN-nonat permit 1
match ip address NONAT
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jennifer Halim Sun, 04/03/2011 - 22:10

As you are using Dialer0 ip address instead of a spare interface, can you please change the following:


ip nat inside source static tcp 1723 1723 extendable


ip nat inside source static tcp 1723 interface Dialer0 1723 extendable

Then clear the translation after the changes.

I tried to telnet on port 1723 however it does not open.

Can you also check if the server is enabled to allow inbound connection from any other subnets but its own. Typically it will allow access from the same host but not necessarily from other subnets.

reza.rafatifard Sun, 04/03/2011 - 22:41

Hi Jennifer,

The router not accept "ip nat inside source static tcp 1723 interface Dialer0 1723 extendable" i have to remove "extendable" to apply it.

the issue is still in place after change on NAT per your advice.

i can VPN from other branch (internally) on different subbnet with no problem

also just update you that the GRE tunnel was working two weeks ago but after an outage period for the router the VPN stopped working.

Jennifer Halim Sun, 04/03/2011 - 22:47

If it works previously, then I don't think it's a configuration issue. Might need to open a TAC case to investigate the issue further.

I am still not able to telnet on port 1723 to the ip address. Is the traffic even hitting the router dialer0 interface from the internet?

can you please monitor the ACL applied to your dialer interface, try to access the PPTP VPN from the internet, and see if the hitcount increases. If not, then the traffic doesn't even come towards the router yet.

Jennifer Halim Sun, 04/03/2011 - 23:59

It's static translation, so it will always be used once you have cleared the translation for the existing connections.


This Discussion