PPTP and GRE

cschmidt11 (Level 1)

Hello,

I am having difficulties getting a PPTP VPN connection established.

I have one IP address on my WAN interface, using PAT for all my inside private hosts.

Everything works great, even other VPNs that use IPSEC and SSL, they get automatically translated.

Devices are interconnected like so:

We can assume the Firewall/router is properly configured on the server side.

PC (initiates the PPTP connection) ---> Cisco 2620---> (Internet) --> PPTP Server

When the client attempts to initiate the connection, I can see it in the TCP NAT translation table, on port 1723, and the connection appears to work, but fails, indicating issues with GRE. (So I am told by the tech I am working with on the other side.)

During my research I have gotten many different opinions on how this should work, and I feel I have overcomplicated things in my mind.

I read that if you are using PAT you are out of luck, or you need to dedicate a separate WAN IP for the PPTP tunnel to use. This is not ideal for me.

I also read that I could just use a static NAT 1-to-1 mapping.

And additionally I read that all I need to do is something along these lines:

access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any

2 Replies

cschmidt11 (Level 1)

So, if others have seen this and have a similar issue on similar hardware, using PAT, you can maybe try this... I think this is a static NAT translation.

ip nat inside source static gre <Internal LAN IP> interface <Outside Facing Interface name> gre

We upgraded to a different connection that no longer required use of my Cisco router, so I have not tested this. It works for other "port forwarding" needs, like connecting to web servers, SSH, etc., so if you specify the GRE protocol, why wouldn't it work? Remember that GRE is portless: no port is specified, only the IP protocol type.

For more experienced engineers, please forgive any inaccuracies, I am rusty.

Greetings cschmidt11,

Thanks for the input. I've gone through so much documentation (that all pretty much says the same thing), but with the difference that my issue is on an ASA 5515-X, running software version 8.6(1)2.

The problem with all of the documentation for me is that the command structure shown in all of the solutions can't be entered as such in version 8.6(1)2.

I've read that running "fixup protocol pptp 1723" forces inspection of the PPTP traffic and also takes care of the GRE portion. However, considering that mine doesn't work, I can't say the preceding is true. I can say, though, that this DID work on a separate ASA 5515-X, running the same version of software, with a Cisco VPN Concentrator behind it. The server in the other environment, where it isn't working, is a Windows-based RRAS server.

To me, it seems my biggest issue is with my NAT statement. I can't confirm: 1) that I'm entering the right statement and, as a result, 2) whether the PPTP traffic is therefore being forwarded to the RRAS server. My error message simply states that the server didn't respond.

In regard to this, below is the scenario and commands I've entered on the ASA thus far:

Scenario

ASA outside interface has public IP that I'll define below as "PUBLIC-IP", but the actual IP was inserted in the config.

PPTP server sits behind the inside interface that I'll define below as "PRIVATE-IP", but the actual IP was inserted in the config.

Both hosts above have been created as network objects, and all internal hosts use the outside interface's IP as their public IP to NAT out.

The various commands/actions were:

1. Created network objects for the outside interface, PPTP server and Internet-based traffic (the third object is written here with the valid ASA keyword order, "object network"):

object network Outside-Interface
 host PUBLIC-IP
object network PPTP-Server
 host PRIVATE-IP
object network EXTERNAL
 subnet 0.0.0.0 0.0.0.0

A global NAT statement that has all internal hosts using the outside interface's IP. This works:

nat (inside,outside) source dynamic EXTERNAL interface

For the PPTP VPN section, the following commands have been used:

fixup protocol pptp 1723
access-list R-VPN extended permit tcp any host PUBLIC-IP eq pptp
access-list R-VPN extended permit gre any host PUBLIC-IP
access-group R-VPN in interface outside

(These last three are based on practically all documentation I've found on the topic.)

Finally, I've tried a few variations of this NAT command, which is one of the places I think my issue lies:

nat (inside,outside) source static Outside-Interface Outside-Interface destination static PPTP-Server PPTP-Server

For the above, I've also tried:

nat (inside,outside) source static Outside-Interface PPTP-Server

I kinda get why the first of the two statements might not work. The latter makes a bit more sense, but still doesn't work.

So, any help based on the above would be greatly appreciated.
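To make the thread's core point concrete (the original question's "works on 1723, then fails on GRE", cschmidt11's note that GRE is portless, and the second reply's "fixup protocol pptp" / PPTP inspection), here is an added Python model that is not from the thread, from Cisco, or from any vendor's code: a single-public-IP PAT with and without a PPTP ALG. All addresses, Call IDs and packets are constructed. The ALG behaviour modelled (learning Call IDs from the TCP/1723 control channel and rewriting them so two inside hosts cannot collide) is the mechanism RFC 2637 style inspection relies on, simplified; treat the class as an illustration, not as how any particular box is implemented.

```python
import struct
from dataclasses import dataclass, replace

IPPROTO_TCP, IPPROTO_GRE = 6, 47
PPTP_PORT = 1723
GRE_PPTP_PROTOTYPE = 0x880B       # RFC 2637 "enhanced GRE" protocol type
PPTP_MAGIC = 0x1A2B3C4D
OUTGOING_CALL_REQUEST = 7         # PPTP control message type


@dataclass(frozen=True)
class Packet:
    """Only the fields a NAT device keys on. GRE has no ports, so sport/dport stay 0."""
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    payload: bytes = b""


def build_outgoing_call_request(call_id):
    """Constructed PPTP Outgoing-Call-Request: 12-byte control header, then the Call ID."""
    hdr = struct.pack("!HHIHH", 168, 1, PPTP_MAGIC, OUTGOING_CALL_REQUEST, 0)
    return hdr + struct.pack("!HH", call_id, 1).ljust(168 - len(hdr), b"\x00")


def build_pptp_gre(call_id, data):
    """Enhanced GRE header: K and S bits set, version 1; Key = payload length + Call ID."""
    return struct.pack("!HHHHI", 0x3001, GRE_PPTP_PROTOTYPE, len(data), call_id, 0) + data


def parse_gre(payload):
    flags, ptype = struct.unpack_from("!HH", payload)
    info = {"version": flags & 0x7, "key": bool(flags & 0x2000), "proto": ptype}
    if info["key"]:
        info["payload_len"], info["call_id"] = struct.unpack_from("!HH", payload, 4)
    return info


def pptp_call_id(msg):
    """Client's Call ID from an Outgoing-Call-Request, or None for anything else."""
    if len(msg) < 16:
        return None
    _, mtype, magic, ctype, _ = struct.unpack_from("!HHIHH", msg)
    if mtype != 1 or magic != PPTP_MAGIC or ctype != OUTGOING_CALL_REQUEST:
        return None
    return struct.unpack_from("!H", msg, 12)[0]


class Pat:
    """Single-public-IP PAT (a model, not a vendor implementation). With pptp_alg=True
    it also reads Call IDs from the TCP/1723 control channel and keys GRE on them."""

    def __init__(self, public_ip, pptp_alg=False):
        self.public_ip, self.alg = public_ip, pptp_alg
        self.tcp = {}     # public port -> (inside ip, inside port)
        self.calls = {}   # public-side Call ID -> (inside ip, inside Call ID)
        self.next_port, self.next_call = 40000, 1

    def outbound(self, pkt):
        if pkt.proto != IPPROTO_TCP:
            return replace(pkt, src=self.public_ip)   # GRE: only the address can be rewritten
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.tcp[pub_port] = (pkt.src, pkt.sport)
        payload = pkt.payload
        cid = pptp_call_id(payload) if self.alg and pkt.dport == PPTP_PORT else None
        if cid is not None:
            # Two inside hosts may legitimately pick the same Call ID, so the ALG hands out
            # a unique public-side Call ID and rewrites it in the control message.
            pub_cid, self.next_call = self.next_call, self.next_call + 1
            self.calls[pub_cid] = (pkt.src, cid)
            payload = payload[:12] + struct.pack("!H", pub_cid) + payload[14:]
        return replace(pkt, src=self.public_ip, sport=pub_port, payload=payload)

    def inbound(self, pkt):
        if pkt.proto == IPPROTO_TCP:
            inside = self.tcp.get(pkt.dport)
            return replace(pkt, dst=inside[0], dport=inside[1]) if inside else None
        if pkt.proto == IPPROTO_GRE:
            gre = parse_gre(pkt.payload)
            inside = self.calls.get(gre["call_id"]) if gre["key"] else None
            if inside is None:
                return None   # plain PAT: no port and no Call ID state, so the packet is dropped
            payload = pkt.payload[:6] + struct.pack("!H", inside[1]) + pkt.payload[8:]
            return replace(pkt, dst=inside[0], payload=payload)
        return None


def run_scenario(pptp_alg):
    """Two inside clients behind one public IP call the same PPTP server and both choose
    Call ID 0x0010. Returns, per client, where the server's GRE reply was delivered and
    with which Call ID; None means the PAT dropped it."""
    pat, server = Pat("198.51.100.1", pptp_alg), "203.0.113.5"   # constructed addresses
    results = []
    for client in ("192.168.1.10", "192.168.1.11"):
        req = Packet(client, server, IPPROTO_TCP, 50000, PPTP_PORT, build_outgoing_call_request(0x0010))
        out = pat.outbound(req)
        # The server answers in GRE using whatever Call ID it saw in the request.
        reply = build_pptp_gre(pptp_call_id(out.payload), b"PPP")
        got = pat.inbound(Packet(server, pat.public_ip, IPPROTO_GRE, payload=reply))
        results.append(None if got is None else (got.dst, parse_gre(got.payload)["call_id"]))
    return results


if __name__ == "__main__":
    print("plain PAT:", run_scenario(False))      # [None, None]
    print("PAT + PPTP ALG:", run_scenario(True))  # [('192.168.1.10', 16), ('192.168.1.11', 16)]
```

The plain PAT run reproduces the symptom in the original question: the TCP/1723 leg gets an entry in the translation table and the control channel completes, but the server's first GRE packet has no port for the PAT to look up and is dropped, so the client sees "server did not respond". The ALG run shows what PPTP inspection adds: state keyed on the Call ID, plus rewriting of that Call ID so two inside hosts sharing one public address cannot collide. It also shows why the thread's other option, a dedicated 1-to-1 static NAT with no port sharing, sidesteps the problem: with one inside host per public address there is nothing left to disambiguate.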