
Cisco 7201: PPTP Passthrough support

Hi everyone,

I have an issue with PPTP tunnels behind a 7201 router which does NAT Overloading for inside LAN hosts.

Users in LAN are unable to establish outgoing PPTP connections to some outside Internet servers.

I had this network up and running with an older Cisco3745 with c3745-adventerprisek9-mz.124-12.bin, and I didn't have such issues. No specific NAT configuration existed, just an ACL with a NAT overload statement for the outside interface.

Now I have Cisco 7201 router with c7200p-advipservicesk9-mz.124-24.T3.bin IOS image.

I've been wondering if PPTP Passthrough feature is supported in this IOS version\platform.

If yes, I would like to know how to enable it, because on the 3745 I didn't make any specific tuning to NAT overloading to have PPTP work.

Thanks in advance for any suggestions.

7 Replies

Phillip Remaker
Cisco Employee

PPTP has to forward both TCP protocol 1723 and GRE (IP protocol 43) - watch out if you have NAT at both sides of the link.

See http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800949c0.shtml

Hi Phillip,

Thanks for your feedback, but in my case I have NAT only on my side of the link.

I think the issue is related to NAT inside VRF.

More on that here: https://supportforums.cisco.com/message/3296167#3296167

Please, someone close\delete this discussion in the WAN R&S section, because I've opened another one in Security\Firewalling, which is a more correct place for it. Thanks.

Does anyone have an idea how to fix this issue? Thanks.

Is the 7201 doing anything like MPLS-VPN?  If so, perhaps CSCtj61284 or CSCsg70334 might apply?  Need more details about your situation to comment usefully.

Hi Phillip,

Yes, I use VRF-Lite to isolate this network segment from global routing table.

My config looks like this:

interface GigabitEthernet0/0.13
 encapsulation dot1Q 13
 ip vrf forwarding Internet
 ip address y.y.y.1 255.255.255.224 secondary
 ip address y.y.y.2 255.255.255.224 secondary
 ip address x.x.x.x 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/0.17
 encapsulation dot1Q 17
 ip vrf forwarding Internet
 ip address z.z.z.z 255.255.255.0
 ip nat inside
!
ip nat pool POOL_1 y.y.y.1 y.y.y.1 netmask 255.255.255.224
ip nat pool POOL_2 y.y.y.2 y.y.y.2 netmask 255.255.255.224
ip nat inside source list NAT_1 pool POOL_1 vrf Internet overload
ip nat inside source list NAT_2 pool POOL_2 vrf Internet overload

With the NAT overload config I have an issue with PPTP tunnels: users are unable to create tunnels to a VPN server located somewhere on the Internet.

If I change the NAT config to a static 1:1 configuration for some selected LAN hosts, the problem disappears.

Any suggestions are welcome. Thanks.
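
Background for the overload versus static 1:1 observation in the post above, as an added example that is not part of the thread and not Cisco code: PPTP's GRE data packets carry no ports, so a many-to-one NAT can only steer return traffic by the Call ID in the enhanced GRE header (RFC 2637), while a static 1:1 mapping needs no such lookup. The addresses, Call IDs, sample packet and the `demux_inbound` helper are constructed for illustration.

```python
import struct

PPTP_GRE_PROTO = 0x880B  # PPP payload type used by PPTP's enhanced GRE (RFC 2637)

def parse_pptp_gre(data: bytes) -> dict:
    """Parse the enhanced GRE (version 1) header that carries PPTP tunnel data."""
    if len(data) < 8:
        raise ValueError("truncated GRE header")
    flags, flags_ver, proto, payload_len, call_id = struct.unpack("!BBHHH", data[:8])
    # Version must be 1, protocol type 0x880B, and the Key (K) bit set.
    if flags_ver & 0x07 != 1 or proto != PPTP_GRE_PROTO or not flags & 0x20:
        raise ValueError("not a PPTP enhanced GRE packet")
    fields = {"call_id": call_id, "payload_len": payload_len, "seq": None, "ack": None}
    offset = 8
    # S bit (0x10 in byte 0) and A bit (0x80 in byte 1) announce optional 32-bit fields.
    for name, present in (("seq", flags & 0x10), ("ack", flags_ver & 0x80)):
        if present:
            if len(data) < offset + 4:
                raise ValueError("truncated optional field")
            (fields[name],) = struct.unpack_from("!I", data, offset)
            offset += 4
    fields["header_len"] = offset
    return fields

def demux_inbound(sessions: dict, server_ip: str, gre: bytes, track_call_id: bool):
    """Return the inside host for a GRE packet arriving at the shared pool address.

    sessions maps (server_ip, call_id) -> inside host, as a PPTP-aware NAT would
    learn it from the TCP 1723 control channel. Without Call ID tracking the only
    usable key is the server address, which is ambiguous once two hosts share it.
    """
    if track_call_id:
        return sessions.get((server_ip, parse_pptp_gre(gre)["call_id"]))
    hosts = {host for (srv, _), host in sessions.items() if srv == server_ip}
    return hosts.pop() if len(hosts) == 1 else None

# Constructed sample data: documentation/private addresses and made-up Call IDs.
SESSIONS = {("203.0.113.10", 0x0011): "10.0.17.21",
            ("203.0.113.10", 0x0012): "10.0.17.22"}
# Byte 0 = 0x30 (K+S), version 1, proto 0x880B, payload length 4, Call ID 0x0012, seq 7.
SAMPLE_GRE = bytes.fromhex("3001880b0004001200000007") + b"\xff\x03\xc0\x21"

if __name__ == "__main__":
    print(parse_pptp_gre(SAMPLE_GRE))
    print(demux_inbound(SESSIONS, "203.0.113.10", SAMPLE_GRE, track_call_id=True))
    print(demux_inbound(SESSIONS, "203.0.113.10", SAMPLE_GRE, track_call_id=False))
```

Run against the first bytes of a captured GRE payload, `parse_pptp_gre` shows which Call ID a return packet carries, which can then be compared with the Call IDs negotiated on the control connection.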

Hi Phillip,

Any suggestions? Thanks in advance.

Personally, I am out of ideas.  Your best course of action at this point is to open a TAC case.
