Version 12.4(25d) on a 2821 router and a 2811 router.
I can make the VPN connection from inside the network, but from outside the network it fails to authenticate.
Config on the non-working 2821:
! Default PPTP VPDN group
description pptp vpn
ip address 10.55.1.1 255.255.255.0
ip flow ingress
ip nat inside
ip tcp adjust-mss 1420
peer default ip address pool pptp-vpn
ppp encrypt mppe 128
ppp authentication ms-chap ms-chap-v2
ip local pool pptp-vpn 10.55.1.2 10.55.1.3
description outside interface
encapsulation dot1Q 888
ip address 100.100.100.102 255.255.255.192 secondary
ip address 100.100.100.101 255.255.255.192
ip access-group firewall in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect SDM_LOW out
no cdp enable
ip access-list extended firewall
permit gre any host 100.100.100.102
permit tcp any host 100.100.100.102 eq 1723
deny ip any any log
This exact same configuration on the 2811 (the differences being that the 2811 is only using one IP address on the outside interface, and it does not have the ip inspect command) works fine from inside and outside of the network.
If I try to use the primary IP on the 2821, I don't even see any GRE matches on the firewall access list.
Is there something about the ip inspect command that doesn't work? I have tried adding pptp to the inspect list, and that just makes it worse.
Does it work if you connect to 100.100.100.101 (update the inbound ACL accordingly), i.e. the primary address, as opposed to .102, which is the secondary address?
There might be an issue with termination on a secondary IP.
Let us know the results.
No, I have the same results whether I use the primary or the secondary IP, yet from inside the network it works fine. There is one more difference, and that is that the 2821 has its outside IPs on a subinterface and not on a physical interface. Can a PPTP connection not terminate on a subinterface?
When you say inside, are you still connecting to the IP configured on the same router, but on the internal interface?
No. A subinterface shouldn't make a difference.
Can you make an attempt and get the debugs below?
debug ppp authentication
debug ppp negotiation
debug vpdn event
debug vpdn error
If I attempt those debugs I still see nothing on the console. Not a hint of any connection, except an increment on the ACL for port 1723.
You should see something in the debugs. At this time I would recommend opening a TAC case so we can work with you on a WebEx session.
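A PPTP session has two halves: the TCP 1723 control channel, and the GRE (IP protocol 47) data path that carries PPP and therefore the MS-CHAP authentication. The counters reported in the thread (port 1723 matching, GRE never matching) are what a working control channel with a missing data path looks like, and separating the two from outside the network narrows the problem before a debug session. The script below is an added example, not code from the thread or from Cisco: it sends an RFC 2637 Start-Control-Connection-Request to the router and decodes the Start-Control-Connection-Reply. The host name and vendor strings, and the reply builder used to simulate the router offline, are constructed for illustration; the address 100.100.100.102 in the usage line is the one from the thread.

```python
"""PPTP control-channel probe (RFC 2637 SCCRQ/SCCRP over TCP 1723).

Added example, not from the original thread. It tests only the control
channel; the GRE data path that carries the PPP session is not exercised.
"""
import socket
import struct
import sys

MAGIC_COOKIE = 0x1A2B3C4D
MSG_CONTROL = 1          # PPTP Message Type: control message
CTRL_SCCRQ = 1           # Start-Control-Connection-Request
CTRL_SCCRP = 2           # Start-Control-Connection-Reply
SCCR_LEN = 156           # SCCRQ and SCCRP are both fixed at 156 bytes
PROTOCOL_VERSION = 0x0100

# Result codes carried in the SCCRP (RFC 2637 section 2.2).
RESULT_CODES = {
    1: "successful channel establishment",
    2: "general error",
    3: "command channel already exists",
    4: "requester is not authorized",
    5: "unsupported protocol version",
}

# Length, MsgType, Cookie, CtrlType, Res0, Ver, Res1, Framing, Bearer, MaxChan, FwRev, Host, Vendor
SCCRQ_FMT = "!HHIHHHHIIHH64s64s"
# Same layout, but the Res1 field becomes ResultCode (1 byte) + ErrorCode (1 byte)
SCCRP_FMT = "!HHIHHHBBIIHH64s64s"


def build_sccrq(hostname=b"probe", vendor=b"example") -> bytes:
    """Encode a Start-Control-Connection-Request (constructed host/vendor names)."""
    return struct.pack(
        SCCRQ_FMT,
        SCCR_LEN, MSG_CONTROL, MAGIC_COOKIE, CTRL_SCCRQ, 0,
        PROTOCOL_VERSION, 0,
        1,  # Framing Capabilities: asynchronous framing supported
        1,  # Bearer Capabilities: analog access supported
        1,  # Maximum Channels
        0,  # Firmware Revision
        hostname.ljust(64, b"\x00"), vendor.ljust(64, b"\x00"),
    )


def build_sccrp(result=1, error=0, hostname=b"router", vendor=b"example-vendor") -> bytes:
    """Encode a Start-Control-Connection-Reply the way a server would.
    Used only to simulate the router offline; the values are constructed, not captured."""
    return struct.pack(
        SCCRP_FMT,
        SCCR_LEN, MSG_CONTROL, MAGIC_COOKIE, CTRL_SCCRP, 0,
        PROTOCOL_VERSION, result, error, 1, 1, 1, 0,
        hostname.ljust(64, b"\x00"), vendor.ljust(64, b"\x00"),
    )


def parse_sccrp(data: bytes) -> dict:
    """Decode an SCCRP; raise ValueError for anything that is not one."""
    if len(data) < SCCR_LEN:
        raise ValueError("short reply: %d bytes" % len(data))
    (_length, msg_type, cookie, ctrl_type, _res0, version, result, error,
     _framing, _bearer, _max_chan, _fw_rev, host, vendor) = struct.unpack(SCCRP_FMT, data[:SCCR_LEN])
    if cookie != MAGIC_COOKIE:
        raise ValueError("bad magic cookie 0x%08x" % cookie)
    if msg_type != MSG_CONTROL or ctrl_type != CTRL_SCCRP:
        raise ValueError("unexpected message type %d/%d" % (msg_type, ctrl_type))
    return {
        "result": result,
        "result_text": RESULT_CODES.get(result, "unknown result %d" % result),
        "error": error,
        "version": version,
        "hostname": host.rstrip(b"\x00").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\x00").decode("ascii", "replace"),
        "control_ok": result == 1,
    }


def probe(server: str, port: int = 1723, timeout: float = 5.0) -> dict:
    """Open TCP 1723 to the server, send an SCCRQ and decode the SCCRP."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(build_sccrq())
        buf = b""
        while len(buf) < SCCR_LEN:
            chunk = sock.recv(SCCR_LEN - len(buf))
            if not chunk:
                raise ValueError("connection closed after %d bytes" % len(buf))
            buf += chunk
    return parse_sccrp(buf)


if __name__ == "__main__":
    # Usage (from a host outside the network): python pptp_probe.py 100.100.100.102
    info = probe(sys.argv[1])
    print(info)
    if info["control_ok"]:
        print("control channel OK; next look at GRE (IP protocol 47) and the PPP authentication debugs")
```

Run it from a host outside the network. A result code of 1 means TCP 1723 and the SCCRQ/SCCRP exchange are getting through the inbound ACL and ip inspect on the outside subinterface, so the remaining suspects are GRE reaching the router and the PPP/MS-CHAP exchange carried over it; a timeout, reset or non-1 result code puts the problem in the control channel itself. The probe does not test GRE, which needs raw sockets or a capture on the router side.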