cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
282
Views
0
Helpful
4
Replies

GRE defaulting to a different IP address with a /30

stevem
Level 1
Level 1

When entering the commands to open the proper ports for PPTP VPN (1723 & 47/GRE) through the PDM on my pix 506E the gre defaults to a different IP address with a /30 attached to it. Could this be the reason why I cannot tunnel in from remote sites? If so how do I make the pix accept the proper IP address?

access-list internet permit tcp any host 2x.xxx.84.2 eq smtp

access-list internet permit tcp any host 2x.xxx.84.2 eq 1494

access-list internet permit tcp any host 2x.xxx.84.2 eq 1604

access-list internet permit udp any host 2x.xxx.84.2 eq 1604

access-list internet permit tcp any host 2x.xxx.84.2 eq 1723

access-list internet permit gre any 2x.xxx.84.0 255.255.255.252 <--defaults to

4 Replies 4

gfullage
Cisco Employee
Cisco Employee

What do you mean "the gre defaults to a different IP address with a /30 attached to it"? Exactly what command are you entering? Can you cut/paste your command entry and the resulting configuration of the PIX (just a "sho access-list" will suffice) so we can see what's going on? What version of PIX code is this?

Are you sure you're not missing the "host" keyword in front of the IP address in the ACL (although I still don't see why it would do this)?

Ahhh, my bad. Was just an issue with using the PDM that it would default to a .0 after selecting GRE in the drop down box.

None of this may make sense but I think I've figured that out.

Still unable to log in via PPTP. Getting error 721 at remote desk.

Anyone familiar with this issue? I posted my config in a earlier discussion and was told it was OK so not sure where to go from here.

721 is I think, that the PPTP server cannot be found or you got no response. I haven't seen your earlier config but with this access-list you have defined you will need a corresponding static command, so make sure you have something like:

> static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255

where x.x.x.x is the outside IP address that the PPTP clients are connecting to (this is also the address defined in your access-list), and y.y.y.y is the actual inside address of the PPTP server.

Other than that, add an access-list allowing ICMP through and can you then ping the server from the client, just to verify connectivity.

Will do re the Ping

here are my static routes, do I need to add one for GRE (port 47) or just for port 1723 (pptp)?

static (inside,outside) tcp 2x.xxx.84.2 smtp 10.1.0.1 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp 2x.xxx.84.2 1494 10.1.0.2 1494 netmask 255.255.255.255 0 0

static (inside,outside) tcp 2x.xxx.84.2 1604 10.1.0.2 1604 netmask 255.255.255.255 0 0

static (inside,outside) udp 2x.xxx.84.2 1604 10.1.0.2 1604 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 1723 10.1.0.1 1723 netmask 255.255.255