topic Re: SR520 PPTP Pass Through Configuration in Network Security

SR520 PPTP Pass Through Configuration

txlombardi_2 — Mon, 11 Mar 2019 19:07:52 GMT

I just installed a new SR520-FE-K9 at a customer's business. I can't see anyway in CCA 2.1 to configure a pass through PPTP VPN to their Windows 2003 server, which acts as the VPN server. You can easily configure port forwarding for port 1723 to the server, but there is no provision to forward protocol 47 (GRE) to the server. I looked at the CLI script and the CCA configuration created a whole lot of script with which I am not familiar. I tried adding what I thought would do the trick but it it is lacking something in the firewall access list configuration, so I removed the entry. Can anyone lend a hand on this?

Also, there doesn't seem to be any way to enable remote access to the firewall through CCA. At least I can't find it. And when I created a IPsec VPN server on the firewall to be used with the Cisco client, the connection is made easily enough. However the CCA did not create the necessary firewall access list to permit traffic into the remote network. I am hesitant to start adding my own access lists for fear I will screw up the CCA configuration .

I'm not a Cisco router/firewall guru, but I've configured my share of routers and ASA 5500's in my time. I even held a CCNA for a while until it expired. It would seem that the SR520 is unnecessarily complicated to configure and the CCA configuration interface is incomplete. I looked around for sample configurations to learn more about what was in the script, but could find nothing (if anyone knows where to find samples, please, let me know). The point is I could have had a WatchGuard Firebox up in 30 minutes, while the basic SR520 configuration took much longer-hours when the research and test configurations are counted. It shouldn't be that hard.

Any help will be much appreciated.

Tony

Re: SR520 PPTP Pass Through Configuration

praprama — Thu, 11 Nov 2010 15:30:47 GMT

Hi,

PPTP connections will not work thorugh the zone-based firewall with a PAT. The reason i am saying it will not work is because we can port forward GRE traffic as you mentioned. Only option we have is to have a 1:1 NAT for the PPTP server and not port-forward TCP/1723. Hope that clears things about PPTP. if you have a free public IP address, try performing a 1:1 NAT to that and see if it helps.

Coming to the VPN config, it looks alright to me. Enable the debugs "debug cry isa" and "debug cry ips" and then try connecting from a VPN client and forward those debugs.

Also, i see you have "ip inspect log drop-pkt" enabled. When trying to connect to the VPN, do you see any syslogs for dropped packets by the zone based firewall there?

Regards,

Prapanch

Re: SR520 PPTP Pass Through Configuration

txlombardi_2 — Thu, 11 Nov 2010 21:09:28 GMT

Thank you for your reply, Prapanch, and insight into the problem. However, this can't be right - the SR520 is not capable of forwarding the GRE protocol into an internal server? The simplest and cheapest routers can do that function. A Netopia the SR520 replaced did it easily. If that is truly the case, it is a serious shortcoming of this device and I will have to return it to the distributor and go buy a competing product to install at the customer site, which is something I don't want to do.

Anyone else have some ideas about this. Please, note that this is not an attempt to "port forward" GRE. GRE is a protocol. The SR520 just needs to forward all traffic for GRE into a single internal IP address.

Tony

Re: SR520 PPTP Pass Through Configuration

praprama — Fri, 12 Nov 2010 04:02:10 GMT

Hi Tony,

The router will be able to forward GRE packets to the inside host. The problem comes with PPTP which works with TCP 1723 and GRE.

In your configuration, the PPTP server is behind the firewall and hence you have configured the below:

ip nat inside source static tcp 192.168.133.15 1723 interface FastEthernet4 1723

Now with this configuration, if the router receives a GRE packet on the outside interface, it will not know how to NAT that packet. This because of the fact that GRE has no port numbers like TCP. This is not a shortcoming of this router but is an issue in general.

Regards,

Prapanch

Re: SR520 PPTP Pass Through Configuration

txlombardi_2 — Fri, 12 Nov 2010 13:22:35 GMT

Prapanch

Thank you for your followup reply. I understand the technical aspects of getting GRE passed through the firewall. GRE actually hits the interface but is blocked there. You can see it happening when you do a "show ip nat translations pptp." Below is the actual nat translation from the firewall.

Pro Inside global                            Inside local                  Outside local                  Outside global
gre 96.254.126.75:20611   192.168.133.15:20611 72.91.252.39:20611    72.91.252.39:20611
gre 96.254.126.75:65506   192.168.133.15:65506 72.91.252.39:65506    72.91.252.39:65506

At this point, an access list is needed. That is the problem I am having because of my unfamiliarity with the "zone" configuration. As you can see below, it is possible to get GRE through a firewall. The snipit is from an ASA5505, which I configured at another customer's office. This works and they use the PPTP passthrough VPN all the time.

static (inside,outside) tcp interface pop3 192.168.2.10 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.2.10 www netmask 255.255.255.255
static (inside,outside) tcp interface 4125 192.168.2.10 4125 netmask 255.255.255.255
static (inside,outside) tcp interface 444 192.168.2.10 444 netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.2.10 pptp netmask 255.255.255.255
static (inside,outside) tcp interface 4343 192.168.2.10 4343 netmask 255.255.255.255
static (inside,outside) tcp interface 8059 192.168.2.10 8059 netmask 255.255.255.255
static (inside,outside) tcp Mail smtp 192.168.2.10 smtp netmask 255.255.255.255
static (inside,outside) tcp RDP 3389 192.168.2.10 3389 netmask 255.255.255.255
static (inside,outside) tcp Mail https 192.168.2.10 https netmask 255.255.255.255

access-list outside_in extended permit tcp any interface outside eq pptp
access-list outside_in extended permit udp any interface outside eq 1723
access-list outside_in extended permit gre any any

Again, I appreciate your help. I guess I just don't fully understand the issue. This type of configuration has never been a problem on the lowly Linksys router, Netopias, WatchGuard, and many of the other Cisco firewalls and routers. I've contacted my distributor about returning the device.

Tony

Re: SR520 PPTP Pass Through Configuration

praprama — Fri, 12 Nov 2010 15:23:42 GMT

Hey Tony,

On ASAs i have seen this work with inspection for pptp but on routers i have seen this not work more often than it working.

But in any case, for the GRE traffic do you see drops in the logs? Try adding the below config lines and see if it helps!!

access-list 111 permit gre any any

class-map type inspect PPTP_GRE

match access-group 111

policy-map type inspect sdm-inspect-voip-in

class type inspect PPTP_GRE

inspect

After adding this config as well, please check the logs to see if you see any drops. Let me know how it goes!!

Regards,

Prapanch

Re: SR520 PPTP Pass Through Configuration

txlombardi_2 — Tue, 23 Nov 2010 21:08:02 GMT

Prapanch,

Sorry for the delayed response to your last post. I have not had a chance to go back to the client site to try your suggestion to create a hole for GRE to pass through to an internal server, but I intend to do so next week. In the mean time, I would like to point out a link to the technical specifications on the SR 520. If you read through the specs, you will see that the Cisco literature clearly states that the SR 520 supports PPTP pass-through. It is my belief, once you configure it to pass-through PPTP, GRE should be automatic when using the CCA for configuration. It appears to me there is an issue with the CCA tool or the SR 520 IOS and it would be appropriate at this point to escalate the matter to the next level of support. Can you do that and if not, what is the procedure for me to do it without a Smartnet contract?

Please, let me know your thoughts on this as soon as possible. I have a sale for another of these appliances, which I am holding until this is resolved favorably. If it is not, I am going to have to go to WatchGuard, which I don't want to do.

http://www.cisco.com/en/US/partner/prod/collateral/routers/ps9305/data_sheet_c78-484356.html

Tony