NAT gre protocol to PPTP Server on Cisco router

TheGuy

Hi Guys

I want to allow PPTP VPN connections to an internal PPTP server, but I'm not getting the NATing quite right.

Below is my config:


ROUTER1#show run
Building configuration...

Current configuration : 924 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ROUTER1
!
!
!
!
!
!
ip subnet-zero
!
!
!
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface Serial0
ip address 196.1.1.1 255.255.255.252
ip nat outside
!
ip nat inside source list 1 interface Serial0 overload
ip nat inside source static udp 192.1.1.2 1723 196.1.1.1 1723 extendable
ip nat inside source static tcp 192.1.1.2 1723 196.1.1.1 1723 extendable
ip nat inside source static tcp 192.1.1.2 1721 196.1.1.1 1721 extendable
ip nat inside source static tcp 192.1.1.2 3389 196.1.1.1 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
!
access-list 1 permit 192.1.1.2
access-list 1 permit 192.1.1.1
!

end

RDP is working so I know it's just protocol GRE 47 that I need to allow.

It has something to do with using Access-list 101 but I'm not sure how it fits together.
 
Looks like you're mixing up your addressing.

Addresses in nat statements & acl not matching what's configured on Eth0
 
Thanks, I changed all the IPs, so it might just be a typo. RDP is working; I'm just trying to figure out how to forward GRE.
 
GRE doesn't match against either UDP or TCP, but I also see that the IOS I have, at least, doesn't let you specify GRE. So you might have to just do all IP protocols for it, like:
Code:
ip nat inside source static 192.1.1.2 196.1.1.1
 
Not sure you actually need to port forward GRE. The following Cisco config example also doesn't include it (router House), implying the GRE session is initiated from the server outward (enabled by NAT overload) once it receives a connection request via the command session (port forwarded on TCP 1723).

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800949c0.shtml
 
Ok then try something like this instead:

Code:
ip nat inside source list 101 interface Serial0 overload

access-list 101 permit gre any any
access-list 101 permit tcp host 192.1.1.2 eq 1723 host 196.1.1.1 eq 1723
(ps. code above not checked, just hand written from memory)

Fact is, however, you need GRE to work for PPTP.
 
Again not necessary, the original overload ACL will NAT anything outbound from 192.1.1.2 (the PPTP server).

True, but if you look at the NAT translation tables in Cisco's example, the GRE sessions are being established through router House without any explicit reference to GRE in its ACLs.
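To make the three positions in this thread concrete, here is an added Python model of Cisco-style inside-source NAT matching. It is not code from the thread or from Cisco's example; it just models the rule lookup. It assumes a corrected inside address of 192.168.1.2 for the PPTP server (on the Eth0 subnet, since the 192.1.1.x addresses above are the typo the earlier replies flagged), the router's outside address 196.1.1.1, and a constructed remote client 203.0.113.10. It shows that a `static tcp/udp ... 1723` entry never matches GRE (IP protocol 47, which carries no ports), that a plain `static 192.168.1.2 196.1.1.1` entry does, and that with only the overload ACL, inbound GRE is dropped until the server has sent GRE outward first, which creates the dynamic entry the client's GRE then matches (the reading of Cisco's router House example).

```python
"""Toy model of 'ip nat inside source' matching: static tcp/udp port entries,
whole-address static entries, and dynamic overload entries. Added example,
not Cisco code; addressing below is assumed/constructed for the illustration."""
from dataclasses import dataclass
from typing import Optional, Tuple

TCP, UDP, GRE = 6, 17, 47          # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None    # None for protocols without ports (GRE)
    dport: Optional[int] = None


@dataclass(frozen=True)
class StaticRule:
    """'ip nat inside source static [tcp|udp L P G P | L G]'."""
    inside_local: str
    inside_global: str
    proto: Optional[int] = None    # None => whole address, every IP protocol
    port: Optional[int] = None

    def matches_inbound(self, pkt: Packet) -> bool:
        if pkt.dst != self.inside_global:
            return False
        if self.proto is None:
            return True                # plain static: any protocol, any port
        return pkt.proto == self.proto and pkt.dport == self.port


class Nat:
    def __init__(self, outside_ip, statics, overload_hosts):
        self.outside_ip = outside_ip
        self.statics = list(statics)
        self.overload_hosts = set(overload_hosts)  # hosts the overload ACL permits
        self.dynamic = {}   # (proto, outside peer, inside port) -> inside local

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside->outside: static entry first, else overload if the ACL permits."""
        for r in self.statics:
            if r.inside_local == pkt.src and (
                r.proto is None or (r.proto == pkt.proto and r.port == pkt.sport)
            ):
                return Packet(self.outside_ip, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        if pkt.src in self.overload_hosts:
            # Simplification: GRE has no port to multiplex on, so the entry is
            # keyed on protocol + peer only (one inside host per GRE peer).
            self.dynamic[(pkt.proto, pkt.dst, pkt.sport)] = pkt.src
            return Packet(self.outside_ip, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        return None

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside->inside: existing dynamic entry, then static rules, else drop."""
        key = (pkt.proto, pkt.src, pkt.dport)
        if pkt.dst == self.outside_ip and key in self.dynamic:
            return Packet(pkt.src, self.dynamic[key], pkt.proto, pkt.sport, pkt.dport)
        for r in self.statics:
            if r.matches_inbound(pkt):
                return Packet(pkt.src, r.inside_local, pkt.proto, pkt.sport, pkt.dport)
        return None


# Assumed/constructed addressing for the scenarios below.
SERVER, OUTSIDE, CLIENT = "192.168.1.2", "196.1.1.1", "203.0.113.10"
CTRL_IN = Packet(CLIENT, OUTSIDE, TCP, sport=40000, dport=1723)   # PPTP control
GRE_IN = Packet(CLIENT, OUTSIDE, GRE)                              # client's GRE


def port_forward_only() -> Tuple[Optional[Packet], Optional[Packet]]:
    """Original post's style: tcp/udp 1723 statics. Control maps, GRE is dropped."""
    nat = Nat(OUTSIDE, [StaticRule(SERVER, OUTSIDE, TCP, 1723),
                        StaticRule(SERVER, OUTSIDE, UDP, 1723)], [SERVER])
    return nat.inbound(CTRL_IN), nat.inbound(GRE_IN)


def full_static() -> Tuple[Optional[Packet], Optional[Packet]]:
    """'ip nat inside source static 192.168.1.2 196.1.1.1': GRE now maps too."""
    nat = Nat(OUTSIDE, [StaticRule(SERVER, OUTSIDE)], [SERVER])
    return nat.inbound(CTRL_IN), nat.inbound(GRE_IN)


def server_initiated_gre():
    """Cisco-example reading: tcp/1723 static plus overload. Inbound GRE fails
    until the server sends GRE outward, which creates the dynamic entry."""
    nat = Nat(OUTSIDE, [StaticRule(SERVER, OUTSIDE, TCP, 1723)], [SERVER])
    ctrl = nat.inbound(CTRL_IN)
    before = nat.inbound(GRE_IN)            # no entry yet -> dropped
    nat.outbound(Packet(SERVER, CLIENT, GRE))   # server opens the GRE tunnel
    after = nat.inbound(GRE_IN)             # now matches the dynamic entry
    return ctrl, before, after


if __name__ == "__main__":
    print("port-forward only:", port_forward_only())
    print("full static:      ", full_static())
    print("server-initiated: ", server_initiated_gre())
```

The model deliberately keys a GRE entry on protocol and peer only, so it shows the limitation of overloading GRE: without port numbers a PAT router cannot multiplex several inside hosts to the same peer, which is why a single PPTP server behind a plain static entry is the simplest configuration and why real IOS PPTP-through-NAT support has to track the PPTP call ID instead. Which scenario applies depends on whether the client or the server sends the first GRE packet, so when troubleshooting, check the translation table for a 47 entry before and after the control channel is established.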
 