cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7690
Views
0
Helpful
10
Replies

RVS4000 Blocking PPTP passthrough/GRE 47 IP packets

jdanie01
Level 1
Level 1

We have a PPTP VPN on a MSFT 2003 server, which was working fine with a Linksys BEFSR41 in place. Replaced with a RVS4000, enabled PPTP passthrough, and forwarded port TCP 1723 traffic to server, and now when we attempt the above mentioned VPN, we get error 806, which is related to not being able to pass the GRE packets. Has anyone else seen/corrected this issue yet? Have the newest version of firmware loaded in the router. Any assistance would be greatly appreciated. Thanks!

Joe

10 Replies 10

David Hornstein
Level 7
Level 7

Hi Joe,

PPTP pass through from the LAN to Internet is supported.  That what is meant by passthru, not Internet to a server on private LAN side.

You will note, if you go to the firwall tab and then look under single port forwarding,  there are only two options for protocols, TCP and UDP and not user defined protocol number.  In your case there has to be an option for protocol 47 (GRE).

I had thought that you could not have a PPTP server behind a small business router, maybe a traditional Cisco or SR520 or ASA,  but the following community forum question and answer made me think twice.

I have not tried this on my RVS4000, because I don't have a PPTP server. But it sure would be interesting to see if the following link may work with the RVS4000.  If it does work,  it's a most interesting work around.  If you have the patience maybe you can give it a go. I would be interested to hear the results.

regards Dave

https://www.myciscocommunity.com/message/16037#16037

Thanks for the response Dave. When he is saying to edit the config file, would I use notepad for that? I will give that a shot, and let you know the results.

Thanks!

Joe

Hmmmm, well, I did as recommended, but when I go to edit the file, there is no mention of 6 or 7 as stated, just 47. When I search for GRE, I get the name of the port forward (GREudp and GREtcp), and they have the IP address:1:47:47. Have not actually tried the VPN yet, since I added the port forward portion suggested in the thread. Hopefully will get a chance later today.

Joe

No go, still same error. Got anything else to try?

daviddun
Level 3
Level 3

Good Afternoon,

I worked with a similar type case and the end result turned into being the server, This router will allow all this traffic to pass thru by factory default.  Be sure that you have the latest firmware on the router.

After you get the firmware upgrade and you reset the router to factory default, then contact Microsoft support to get help configuring the server.

Have a great day :)

Hi Dave. Pretty sure it's not the server, because if I replace the rvs4000 with the old BEFSR41, the VPN works properly. This is the newest version of firmware for the router, it's the one with the new Cisco interface, very nice overall!

Thanks!

Joe

Hi Joe,

Just finished upgrading my RVS4000 to the new publicly available code and enabled the DMZ function.

I managed to get to my server behind my RVS4000 from the internet.  Must admit, it's slick software.

Try setting your PPTP server at a fixed private IP address on the LAN, and the  set the DMZ address in the RVS4000 to that of the server. see figure below

(obiously set gateway and dns information on the server :-) )

rvs4000.JPG

regards Dave

Dave,

That works, however, I can't really leave my SBS server exposed to the internet. That's basically what that does, right?

Thanks!

Joe

Hi Joe,

I guess, if you have a SBS server you may also have at least, a managed Layer 2 switch on the LAN.

It might then be an easy task, I hope,  to add some access list functionality to the switch to allow only certain traffic from the Internet  to the SBS server.

But you need to at least have the following allowed items from the Internet in your Access List.

1.  tcp port 1723

2.  Protocol 47 or GRE

Or maybe even use the access list functionality built within the SBS server.

Give it a try

regards Dave

Thanks for the suggestions Dave, I'll take a look at those possibilities.

Thanks!

Joe