cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1883
Views
9
Helpful
16
Replies

PPTP based VPNs from our internal network

Ejaz Ahmed
Level 1
Level 1

Hi Experts,

We are not able to access any PPTP based VPNs from our internal network. It looks like PPTP requests are getting blocked at the router end. I tried the same VPN settings using my system at home and able to access it. We have a Csico router 1905 inside our network.

Plese help on this.

Regars,

Ejaz

16 Replies 16

Peter Long
Level 1
Level 1

Ignore

nkarthikeyan
Level 7
Level 7

Hi Ejaz,

Have you allowed the port 1723 and GRE protocol in your router.... do you any rules that is blocking those ports for the pptp server?

you may need to add inspect policy as well....

Regards

Karthik

 

Hi Karthik,

 

Scenario:

 

PPTP server in client location (middle east)

We are trying to connect to pptp server from office network. In office (in india) , the router(Cisco 1905) is configured with basic configurations and some port forwardings. We have not configrued anything for the port 1723. Also we have configured domain less NAT in the router.

When we tried to connect the ISP cable directly to a machine (without the router),  it worked. So the router is blocking something.

 

Can you please provide me the configuration thats need to be done in Cisco router.

 

Regards,

Ejaz

Hi,

 

You need to allow tcp port 1723 and protocol GRE in access-list if you have anything assigned to the router..... better make it as a bi-directional

ip inspect name <name> pptp

 

int gig xxxx/yyyy (internal interface)

ip inspect <name> in & out

 

Regards

Karthik

Hi Karthik,

I really appreciate for replies.

 

I will check the same and let you know.

We have configred only one access list in the router, whic is to block the ping request from outside.

Can you please advise me in which interface that i need to create the ACL?

 

Regards,

Ejaz

 

 

Hi Ejaz,

 

By looking at your statement, you are not having any ACL for outbound.... you have an ACL for inbound traffic... in which you need to allow the pptp and gre..... source as pptp server and destination as your local lan subnet...... also inpsect statement needs to be applied accordingly...

 

Regards

Karthik

Hi Kathik,

I have configured the access-list as you said. But the inspection command is not taking by the router. I have cisco 1905 router with IOS 15.0.

I have tried to issue the command in global configuration mode. But the router was not recoganizing the command.

 

Regards,

Ejaz

 

Hi Ejaz,

Can you post your router configuration?

 

Regards

Karthik

Hi Karthik,

 

Please see below router configuration

 

 

Router#sh run
Building configuration...

Current configuration : 4384 bytes
!
! Last configuration change at 08:42:10 UTC Tue Aug 19 2014 by admin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable password 7 11080D111E1C0A08247B7977
!
no aaa new-model
!
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1905/K9 sn FGL1803203B
!
!
username admin password 7 050A121B28424F0D39544541
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address x.x.x.x 255.255.255.0
 ip access-group 101 in
 no ip redirects
 ip nat enable
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.2.1 255.255.254.0
 no ip redirects
 ip nat enable
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 clock rate 2000000
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat source list 1 interface GigabitEthernet0/0 overload
ip nat source static tcp 192.168.2.223 8080 interface GigabitEthernet0/0 8080
ip nat source static tcp 192.168.2.103 8172 interface GigabitEthernet0/0 8172
ip nat source static tcp 192.168.2.103 8701 interface GigabitEthernet0/0 8701
ip nat source static tcp 192.168.2.103 8009 interface GigabitEthernet0/0 8009
ip nat source static tcp 192.168.2.103 27017 interface GigabitEthernet0/0 27017
ip nat source static tcp 192.168.2.103 3001 interface GigabitEthernet0/0 3001
ip nat source static tcp 192.168.2.103 1433 interface GigabitEthernet0/0 1433
ip nat source static tcp 192.168.2.103 6500 interface GigabitEthernet0/0 6500
ip nat source static tcp 192.168.2.103 9043 interface GigabitEthernet0/0 9043
ip nat source static tcp 192.168.2.103 9080 interface GigabitEthernet0/0 9080
ip nat source static tcp 192.168.2.103 81 interface GigabitEthernet0/0 81
ip nat source static tcp 192.168.2.103 444 interface GigabitEthernet0/0 444
ip nat source static tcp 192.168.2.103 8886 interface GigabitEthernet0/0 8886
ip nat source static tcp 192.168.2.103 8888 interface GigabitEthernet0/0 8888
ip nat source static tcp 192.168.2.103 8083 interface GigabitEthernet0/0 8083
ip nat source static tcp 192.168.2.103 443 interface GigabitEthernet0/0 443
ip nat source static tcp 192.168.2.13 22 interface GigabitEthernet0/0 22
ip nat source static tcp 192.168.2.103 8897 interface GigabitEthernet0/0 8897
ip nat source static tcp 192.168.2.223 8081 interface GigabitEthernet0/0 8081
ip nat source static tcp 192.168.2.223 8082 interface GigabitEthernet0/0 8082
ip nat source static tcp 192.168.2.223 8999 interface GigabitEthernet0/0 8999
ip nat source static tcp 192.168.2.223 3283 interface GigabitEthernet0/0 3283
ip nat source static tcp 192.168.2.223 5900 interface GigabitEthernet0/0 5900
ip nat source static tcp 192.168.2.103 3389 interface GigabitEthernet0/0 3389
ip nat source static tcp 192.168.2.13 21 interface GigabitEthernet0/0 21
ip nat source static tcp 192.168.2.225 8111 interface GigabitEthernet0/0 8111
ip nat source static tcp 192.168.2.210 3389 interface GigabitEthernet0/0 2000
ip nat source static tcp 192.168.2.220 5500 interface GigabitEthernet0/0 5500
ip nat source static tcp 192.168.2.220 8283 interface GigabitEthernet0/0 8283
ip nat source static tcp 192.168.2.220 5001 interface GigabitEthernet0/0 5001
ip nat source static tcp 192.168.2.220 3390 interface GigabitEthernet0/0 3390
ip nat source static tcp 192.168.2.220 2222 interface GigabitEthernet0/0 2222
ip nat source static tcp 192.168.2.103 442 interface GigabitEthernet0/0 442
ip route 0.0.0.0 0.0.0.0 y.y.y.y
!
ip access-list extended BLOCK_ROUTERACESS
 permit tcp 192.168.2.0 0.0.0.255 any eq telnet
 deny   ip any any
 permit tcp host 121.242.90.50 any eq telnet
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.1.255
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit ip any any
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class BLOCK_ROUTERACESS in
 exec-timeout 15 0
 login local
 transport input all
!
scheduler allocate 20000 1000
!
end

Hi,

Since you have applied on the inbound interface, you should have the acl like this.....

access-list 101 permit tcp any eq 1723 any

 

butt anyways you have ip any any rule.... that should be okay.....

 

also can you run a debug for pptp.

 

debug ppp negotiation and debug ppp authentication on your routers.......

 

Regards

Karthik

 

 

Regards

Karthik

If you are going  'outbound' from an internal client running a PPTP VPN client, to an External (public) PPTP Server why apply an ACL inbound on the outside interface?

Remove This

interface GigabitEthernet0/0
no  ip access-group 101 in

Add This

interface GigabitEthernet0/1
ip access-group 101 in

You dont need to worry about inspection as you're not running CBAC or Zone Based Firewall

And this is Router, Experts please DO NOT post fixup firewall commands.

 

Pete

Yeah... That makes sense....

 

Regards

Karthik

Hi Pete,

Thank you for the information.

I have removed the acl binding from outside interface and added it to the internal interface but no luck :(

 

Regards,

Ejaz

can you run a debug and check where exactly it fails to establish the connection?

 

Regards

Karthik

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: