
PPTP Passthrough Issues

nix-patheon
Level 1

Hi all,

I'm having issues establishing PPTP sessions through my wireless network out to a remote PPTP server. Traffic leaves the network ok, I can verify this showing the traffic being translated on the router from my internal subnet to the public address of the outside interface tcp port 1723. But I cannot see traffic returning. Remote admin team have verified that they can see the requests coming in but their error logs show:

"A connection between the VPN server and the VPN client x.x.x.x has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47)."

This is the exact same message received client side, and it is not very helpful.

The topology of the network is as follows:

WAN Router |----| ASA |----| Layer 3 Switch |----| Controller

ASA has no NAT configured, it is just sat inline at the moment (awaiting swapout). Two inbound access rules have been created though:

access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit ip any any

I think that the issue is at the remote end, as I haven't been able to see any traffic hit my ACL for permitting GRE traffic, but would appreciate any feedback ref my config (10.201.24-28.x range is wlan subnet):

interface GigabitEthernet0/0/0
 description WAN Link - Circuit Ref
 ip address x.x.x.231 255.255.255.254
 ip access-group INGRESS_FILTER in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 negotiation auto
!
interface GigabitEthernet0/0/1
 description Link to wlan-fw-01
 ip address 192.168.1.1 255.255.255.252
 ip nat inside
 negotiation auto
!
ip nat inside source list WLAN_NAT_EXT interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
!
ip route 0.0.0.0 0.0.0.0 x.x.x.230
ip route 10.201.24.0 255.255.248.0 192.168.1.2
!
ip access-list extended INGRESS_FILTER
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 192.0.2.0 0.0.0.255 any log
 deny   ip 255.0.0.0 0.255.255.255 any log
 deny   ip 224.0.0.0 7.255.255.255 any log
 deny   ip host 0.0.0.0 any log
 deny   ip host 255.255.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 10.201.24.0 0.0.3.255 any log
 deny   ip 10.201.28.0 0.0.0.255 any log
 deny   ip 10.201.30.128 0.0.0.127 any log
 deny   tcp any any eq telnet 22 log
 permit tcp any 10.201.24.0 0.0.3.255 established log
 permit tcp any 10.201.28.0 0.0.0.255 established log
 permit udp any eq domain 10.201.24.0 0.0.3.255 log
 permit udp any eq domain 10.201.28.0 0.0.0.255 log
 permit gre any any
 permit ip any any
ip access-list extended WLAN_NAT_EXT
 permit gre any any
 permit ip any any

Thank you.
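One way to check which INGRESS_FILTER entry a returning packet would hit first, as an added example that is not part of the original post: a small first-match evaluator for the ACL exactly as posted, handling wildcard masks, `host`/`any`, `eq` port lists and `established`. It assumes the inbound ACL on the outside interface sees the packet before NAT untranslation (destination is still the router's public address); the function and parameter names are hypothetical.

```python
import ipaddress
import re
# INGRESS_FILTER exactly as posted; evaluated top-down, first match wins.
ACL = """
deny   ip 10.0.0.0 0.255.255.255 any log
deny   ip 172.16.0.0 0.15.255.255 any log
deny   ip 192.168.0.0 0.0.255.255 any log
deny   ip 127.0.0.0 0.255.255.255 any log
deny   ip 192.0.2.0 0.0.0.255 any log
deny   ip 255.0.0.0 0.255.255.255 any log
deny   ip 224.0.0.0 7.255.255.255 any log
deny   ip host 0.0.0.0 any log
deny   ip host 255.255.255.255 any log
deny   ip 169.254.0.0 0.0.255.255 any log
deny   ip 10.201.24.0 0.0.3.255 any log
deny   ip 10.201.28.0 0.0.0.255 any log
deny   ip 10.201.30.128 0.0.0.127 any log
deny   tcp any any eq telnet 22 log
permit tcp any 10.201.24.0 0.0.3.255 established log
permit tcp any 10.201.28.0 0.0.0.255 established log
permit udp any eq domain 10.201.24.0 0.0.3.255 log
permit udp any eq domain 10.201.28.0 0.0.0.255 log
permit gre any any
permit ip any any
"""
PORTS = {"telnet": 23, "domain": 53}  # IOS port keywords used in this ACL
ip = lambda s: int(ipaddress.IPv4Address(s))

def ports(t):  # optional "eq p1 p2 ..." -> set of ports; None means any port
    out = set()
    if t and t[0] == "eq":
        t.pop(0)
        while t and (t[0] in PORTS or t[0].isdigit()):
            p = t.pop(0)
            out.add(PORTS.get(p) or int(p))
    return out or None

def first_match(proto, src, dst, sport=None, dport=None, ack=False):
    """Return (entry number, action, ACE text) for the first ACE the packet hits."""
    for n, line in enumerate(ACL.strip().splitlines(), 1):
        # Rewrite "any" and "host A" into the plain "address wildcard" form.
        norm = re.sub(r"host (\S+)", r"\1 0.0.0.0", line.replace("any", "0.0.0.0 255.255.255.255"))
        action, p, *t = norm.split()
        sb, sw, sp = ip(t.pop(0)), ip(t.pop(0)), ports(t)
        db, dw, dp = ip(t.pop(0)), ip(t.pop(0)), ports(t)
        ok = p in ("ip", proto) and not (ip(src) ^ sb) & ~sw and not (ip(dst) ^ db) & ~dw
        ok = ok and (sp is None or sport in sp) and (dp is None or dport in dp)
        if ok and ("established" not in t or ack):
            return n, action, " ".join(line.split())
    return None, "deny", "implicit deny"
```

Called with constructed documentation-range addresses, for example `first_match("gre", "198.51.100.10", "203.0.113.231")`, return GRE from a public source lands on entry 19 and the TCP 1723 reply on entry 20. Neither of those permits carries `log`, so their hits appear in the `show ip access-lists` match counters rather than in syslog.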
