Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1355
Views
0
Helpful
1
Replies

1:1 NAT setup

ZharkoAtkovski
Community Member

‎09-16-2010 09:37 AM - edited ‎03-11-2019 11:41 AM

Hello,

Being a newbie I need a step by step guidance on how to setup an 1:1 NAT on cisco 876 router.

The reason I need this is because i'm trying to connect to a internal windows vpn server from the internet, so one of your guys advised to do that.

I'm pasting both of mine and his posts just to give you a clearer picture on what I actually need:

"Hello Guys,

Here is the layout that I currently have:

VPN Server (Windows 2008) --> Cisco 876  --> Internet (dynamic ip address) --> Client (My home PC)

So I'm having trouble connecting to the vpn server from my home pc, it actually hangs on "Verifying username and password" and then it just drops because of the timeout.

I googled for the solution and all I could find was that I need to open port 1723 and allow GRE (protocol 47) through the Cisco router.

So I managed to forward port 1723 to the required server, but I can't seem to do that for the GRE.

So can somebody please give me step by step instructions on how to do this, and for that matter how to make the whole thing work.

Note that I'm very new to cisco routers and firewalls, so I'm still not familiar with most of the commands for the router."

--------------------------------------------

Hi,

Unfortunately PPTP does not work with PAT for the server on port TCP/1723. This is because GRE is used in this connection and since GRE itself does not have any port numbers, we will need a NAT (1:1) for the server and not a PAT on TCP port 1723. I suppose that's the reason why it's not working in your case.


The payload when GRE comes into play is going to be something like below:

_______ ________

|            |             |

|   IP      |    GRE  |

|_______|_______|

So as can be seen, the port forwarding that you have configured for the PPTP server on TCP 1723 will not help due to the fact that the router can not find the port number field in the GRE header (though it can find the IP address field in the IP header). Hence, we will need a 1:1 NAT for this server.

-------------------------------------

Thanks

Labels:
0 Helpful
1 Reply 1

Jon Marshall
Hall of Fame
Hall of Fame

‎09-16-2010 09:47 AM

To setup a static NAT on a router

ip nat inside source static

also if you have any access-lists on the interfaces ie. inside and outside interfaces you will need to allow GRE through eg.

access-list 101 permit gre

If you don't have an acl applied to the interface then dont worry about it.

Edit - obviously you also need "ip nat inside" and "ip nat outside" on the relevant interfaces but it sounds like you already have that.

Jon

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card