Configuring a 1605/FW with NAT/CBAC to pass a PPTP Tunnel

johnrandall
Level 1

Please can you help.

I would like to configure our 1605 with Firewall feature set (using NAT & CBAC) to pass a PPTP VPN tunnel THROUGH it so that software developers working from home using Win2k can log into a Win2k PC on the office LAN.

I can establish a VPN link on the LAN but have not worked out how to do it through the 1605. I suspect NAT may be the problem, but configuring static translations does not seem to help.

I think that I need to enable GRE and port 1723 but I am unable to find an example of how to do it on the web site.

I would prefer not to terminate the tunnel within the 1605 and suspect that the 1605 is not able to cope with Win2k IPSEC/L2TP tunnels.

Can anyone confirm that this is possible and provide a set of IOS commands?

Thanks.

6 Replies

I too have been trying to solve this problem and it is a NAT problem, not CBAC or IOSFW. Three static NAT statements must be added to the router and I can only find the syntax for two. The two are statics for UDP and TCP on port 1723. The third one is the problem. I can not find syntax for IP protocol GRE (47). The "ip nat inside source" command only supports TCP and UDP. This is under IOS...

If you go to CBOS or CCOS in the 6xx product, TCP, UDP and IP Protocol Number are supported.

Does anyone know the correct syntax or an alternative way of doing this??

I believe the syntax you are looking for is referenced in the following

Point-to-Point Tunneling Protocol ( PPTP) uses TCP Port 1723 and IP Protocol 47 GRE.

Issue the set nat entry add command using the following syntax:

set nat entry add {internal device address} 0 {outside NAT address} 0 47

set nat entry add {internal device address} 1723 {outside NAT address} 1723 tcp

This was found on the following page http://www.cisco.com/warp/public/794/600pat.html

Yes, that would be the syntax for a CBOS 6xx router but I can not find the corresponding IOS syntax. From what I can tell, "ip nat inside static" command only supports TCP and UDP -- no other protocol including IP protocol GRE. If I'm just not finding it, that's my problem -- if it's not supported I think it's time for a "new feature request". The title could be "Please make IOS as powerful as CBOS" ;-)

You are absolutely right. VPN implementation on Cisco ADSL devices is a real real pain, especially with PAT (overloading). There is simply no good solution.

I would appreciate implementing something like:

ip nat inside source static [prot number] .....

ADSL is great and ADSL with VPN is even greater, as long as you are not using PAT.

I thought I'd seen the end of the CBOS based routers, but if they can do it, IOS based routers should also be able to do this !!!

Come on guys, implement this now. This should only take a few hours max.

I have finally worked out how to do it!

The basic solution is very straightforward (and it is frustrating that it took so long to get to the answer):

The three key IOS commands that I needed were:

ip nat inside source static 192.168.x.x y.y.y.y

access-list 101 permit tcp any host y.y.y.y eq 1723

access-list 101 permit gre any host y.y.y.y

In addition, as I was using Windows 2000 Professional as the RAS, it was necessary to ensure that the "Routing and Remote Access" Service was started and running.
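The three commands above only make sense in the context of the interfaces they apply to, so here is the surrounding configuration assembled as an added illustration; it is not the poster's own configuration. The inside host 192.168.1.10, the public address 203.0.113.5 that the static maps it to, the router's own addresses and the interface names Ethernet0 and Serial0 are all assumptions standing in for the 192.168.x.x / y.y.y.y placeholders in the thread.

```cisco
! Added example, not from the original thread. Addresses and
! interface names are assumptions.
!
! One-to-one static translation for the PPTP server. A plain static
! (no tcp/udp keyword) maps every IP protocol between the two
! addresses, which is what lets GRE (IP protocol 47) through; a
! per-port static or interface overload (PAT) would not carry GRE.
ip nat inside source static 192.168.1.10 203.0.113.5
!
! Inbound filter on the outside interface: only the PPTP control
! channel (TCP 1723) and the GRE data channel are admitted, and only
! to the translated address. Return traffic for sessions opened from
! the LAN is admitted dynamically by CBAC ahead of this list; anything
! else is dropped and logged so unexpected probes show up in the log.
access-list 101 permit tcp any host 203.0.113.5 eq 1723
access-list 101 permit gre any host 203.0.113.5
access-list 101 deny ip any any log
!
interface Ethernet0
 description Office LAN (inside)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0
 description Internet (outside)
 ip address 203.0.113.1 255.255.255.248
 ip nat outside
 ip access-group 101 in
```

The access list is applied inbound on the outside interface, so it is evaluated after the static translation has mapped 203.0.113.5 to the inside host; that is why the permit lines name the public address rather than the 192.168.1.10 address. Keeping the list to exactly those two permits means nothing else on the Win2k PC is exposed to the Internet through the static mapping.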