Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
762
Views
0
Helpful
7
Replies

PPTP VPN connection IOS FW (2620)

srganote1
Level 1
Level 1

‎07-26-2004 01:50 PM - edited ‎02-21-2020 01:16 PM

I have a 2620 router using the IOS Firewall (12.3). I have a particular PC that connects to a customer's VPN. They are using PPTP and say all I need to allow is PPTP traffic (TCP port 1723). However, when I open 1723 for incoming traffic it does not work (all outgoing is allowed) - my attempt to connect times out as if either their server is not there or it cannot talk back to my PC. Any help would be appreciated - I know this is a vague description but I didn't want to be too lengthy.

Labels:
0 Helpful
7 Replies 7

nkhawaja
Cisco Employee
Cisco Employee

‎07-26-2004 08:00 PM

Hi,

May be there is some other port needed as well. You need to collect the syslog messages out from this router. They will shed more light on whats is happening. btw if say you open up all ports for incoming traffic, does it work?

Thanks

Nadeem

0 Helpful

srganote1
Level 1
Level 1
In response to nkhawaja

‎07-27-2004 06:15 AM

How do I get the syslog messages (sorry untrained user)? I can't open all ports for incoming traffic (not an option) - all ports are open on outgoing traffic.

Thanks,

Suzanne

0 Helpful

srganote1
Level 1
Level 1
In response to nkhawaja

‎07-28-2004 04:25 PM

I kept my TCP ports restricted but added an

access-list 101 permit ip any host nn.nn.nn.nn(ip addr of the pc that needs the vpn) - that works

Thanks

0 Helpful

jeff.bankston
Level 1
Level 1

‎07-27-2004 02:57 AM

make sure you explicitly permit GRE outbound to the customer site. On my 2621 firewall, I have the inspection rules set for out on the inside interface, and in for the outside interface. I found that any other config broke PPTP thru the IOS firewall.

-Jeff

0 Helpful

scoclayton
Level 7
Level 7
In response to jeff.bankston

‎07-27-2004 07:37 AM

I think Jeff is on the right path here but I will add a slightly different angle on this. You need to make sure you allow GRE back into your network via the ACL applied inbound on your outside interface (I am making some assumptions here). CBAC does not inspect GRE traffic so it does not poke the dynamic hole in the ACL to allow the return traffic in. The TCP traffic should be handled by your inspect. Can you post a sanitized version of your config?

Scott

0 Helpful

shawn
Level 1
Level 1
In response to scoclayton

‎10-22-2004 02:48 PM

Add this to your ACL.

access-list 101 permit gre any any

Shawn

0 Helpful

aungureanu
Level 1
Level 1
In response to shawn

‎10-22-2004 07:15 PM

Allow 47 and 1723 for pptp

0 Helpful
Customers Also Viewed These Support Documents