Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

NAT and PPTP problems

Status
Not open for further replies.
sgprice78

sgprice78

IS-IT--Management
Joined
Jun 20, 2001
Messages
15
Location
CA
I have set up a VPN server and can connect just fine from within our internal LAN, but when connecting from the internet it times out when verifying the username and password. There is a static NAT mapping to the vpn server and I can connect to other services on the VPN server just fine. I opened TCP port 1723 and allowed GRE to pass through to the vpn server. That didn't work so I tried allowing ALL IP packets through the router to the vpn server but it STILL didn't work.
Do I have to set up something special on the router in order to make NAT work with PPTP tunnels?
We are using a Cisco 2600 with IOS version 12.1
 
Sort by date Sort by votes
Can you post a config? Blank out the confidential parts appropriately, unless you wanna throw the hackers a bone! Regards,

Don
 
Upvote 0 Downvote
Here is the config file on our perimeter router. 100.1.1.13 is the IP of our internal router and 10.1.1.9 is the VPN server. Right now our internal router is forwarding all packets with no firewall or NAT of any sort set up (just until I get this VPN working ;)


!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname 2600
!
logging rate-limit console 10 except errors
!
ip subnet-zero
!
!
no ip finger
ip name-server 10.1.1.9
!
!
!
!
interface FastEthernet0/0
ip address 100.1.1.244 255.255.255.0
ip nat inside
no ip mroute-cache
speed auto
half-duplex
no cdp enable
!
interface Serial0/0
ip address xxx.xxx.xxx.xxx 255.255.255.252
ip access-group 107 in
ip nat outside
!
ip nat pool net-100 xxx.xxx.xxx.94 xxx.xxx.xxx.94 netmask 255.255.255.240
ip nat inside source list 7 pool net-100
ip nat inside source static 100.1.1.244 xxx.xxx.xxx.93
ip nat inside source static 100.1.1.2 xxx.xxx.xxx.81
ip nat inside source static 100.1.1.3 xxx.xxx.xxx.82
ip nat inside source static 100.1.1.4 xxx.xxx.xxx.83
ip nat inside source static 100.1.1.5 xxx.xxx.xxx.84
ip nat inside source static 100.1.1.6 xxx.xxx.xxx.85
ip nat inside source static 100.1.1.7 xxx.xxx.xxx.86
ip nat inside source static 100.1.1.8 xxx.xxx.xxx.87
ip nat inside source static 100.1.1.9 xxx.xxx.xxx.88
ip nat inside source static 100.1.1.10 xxx.xxx.xxx.89
ip nat inside source static 100.1.1.11 xxx.xxx.xxx.90
ip nat inside source static 10.1.1.9 xxx.xxx.xxx.91
ip nat inside source static 100.1.1.13 63.169.63.92
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 10.1.1.0 255.255.255.0 100.1.1.13
ip route xxx.xxx.xxx.80 255.255.255.240 FastEthernet0/0
no ip http server
!
logging 100.1.1.5
access-list 7 permit xxx.xxx.xxx.0 0.0.0.255
access-list 7 permit 100.1.1.0 0.0.0.255
access-list 7 permit 10.1.1.0 0.0.0.255
access-list 23 permit 100.1.1.0 0.0.0.255
access-list 23 permit 10.1.1.0 0.0.0.255
access-list 107 permit gre any any
access-list 107 permit tcp any host xxx.xxx.xxx.91 eq 1723
! access-list 107 permit ip any host xxx.xxx.xxx.91
access-list 107 permit udp any host xxx.xxx.xxx.87 eq ntp
access-list 107 permit udp host xxx.xxx.xxx.10 eq domain any
access-list 107 permit tcp host xxx.xxx.xxx.10 eq domain any
access-list 107 deny ip any host xxx.xxx.xxx.87 log
access-list 107 deny ip any host xxx.xxx.xxx.84 log
access-list 107 deny ip any host xxx.xxx.xxx.85 log
access-list 107 permit tcp any host xxx.xxx.xxx.83 eq www
access-list 107 permit tcp any host xxx.xxx.xxx.82 eq www
access-list 107 permit tcp any host xxx.xxx.xxx.81 eq www
access-list 107 permit tcp any host xxx.xxx.xxx.83 eq smtp
access-list 107 permit tcp any host xxx.xxx.xxx.83 eq pop3
access-list 107 permit udp any eq domain any
access-list 107 permit tcp any eq domain any
access-list 107 permit udp any any eq domain log
access-list 107 permit tcp any any eq domain log
access-list 107 permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.93 eq 23 log
access-list 107 permit udp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.82 eq 27960
access-list 107 permit udp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.82 eq 27960
access-list 107 deny udp any any eq 27960
access-list 107 permit tcp any any gt 1023 established log
access-list 107 permit udp any any eq ntp
access-list 107 permit icmp any any
access-list 107 deny ip any any log
banner login Warning: Unauthorized access or use will result in prosecution to the fullest extent of the law.
!
line con 0
exec-timeout 0 0
transport input none
line aux 0
line vty 0 4
access-class 23 in
login
!
no scheduler allocate
end
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

CPM86
  • Locked
  • Question Question
Cisco isr 4331 with IOS and sip busy fail over to 2nd sip number on pbx?
Replies
0
Views
540
CPM86
CPM86
Lccarter
  • Locked
  • Question Question
Cisco CUCM Provisioning and Order Management System
Replies
1
Views
462
Lccarter
Lccarter
acabezas2014
  • Locked
  • Question Question
Need to create QoS for SNMP and Radius traffic on Cisco 4948 Switches
Replies
0
Views
296
acabezas2014
acabezas2014
mrdom
  • Locked
  • Question Question
RV325: Accessing LAN and WAN resources using the same hostname ...
Replies
0
Views
320
mrdom
mrdom
dmourghen
  • Locked
  • Question Question
PBR issue and Access-list
Replies
0
Views
336
dmourghen
dmourghen

Part and Inventory Search

Sponsor

Back
Top