PPTP VPN Through Cisco IOS Router

goulin
Level 1

Hi All,

Just wondering whether there was any trick to getting PPTP to work through a Cisco router.  It was actually working at one point, but I can't remember what's been changed over time... regardless, it no longer works.

Current configuration has:

* CBAC applied outbound and inbound on the Internet interface (I needed to add it inbound to fix an issue with passive FTP not working to an FTP server hosted behind this router)

* CBAC is inspecting, amongst other things, PPTP

* ACL applied inbound on Internet interface, GRE and TCP 1723 allowed from any IP

* No other ACLs on the router

* IOS 15.0(1)

* Inbound NAT setup for TCP 1723 (currently using the WAN IP)

One thing I saw when troubleshooting was "IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!" - but I think this is an erroneous log (router also has Cisco VPN configuration as well).

The server is definitely ok - we're able to connect via PPTP VPN from the local LAN to the server.  So I am thinking it is a NAT issue of some sort, since I can't see anything being dropped by the firewall.

Anyone able to point me in the right direction?

Thanks



Anu M Chacko
Cisco Employee

Hi,

Could you confirm if you have one-to-one NAT configured for the PPTP traffic? Also, could you post the output of "sh run" here?

It would be a good idea to collect the output of "sh log" after enabling "ip inspect log drop". 

Let me know.

Regards,

Anu

Hi,

Below is my show run (sanitized).  I have tried a one-to-one NAT, and that didn't work... at the moment, I have it configured to port forward TCP 1723 to the PPTP server, as well as overloading all outbound traffic to the same IP, and have other services (eg SMTP etc) inbound to other servers.

I tried connecting with 'ip inspect log drop-pkt' enabled and it didn't work and there were no drops on the router.

Thanks

Hi,

Thanks for attaching the "sh run". Could you change the following:

ip nat inside source static tcp 10.77.99.11 1723 ccc.ccc.ccc.ccc 1723 route-map nonat extendable

to this:

ip nat inside source static tcp 10.77.99.11 1723 ccc.ccc.ccc.ccc 1723 extendable

It would be safe to make this change of removing the route map if no one connects to the PPTP server through VPN.

Let me know.

Regards,

Anu

P.S. Please mark this question as answered if it has been resolved. Do rate helpful posts. Thanks!

Hi Anu,

Thanks for your help so far.  You're right about the route-map - can be removed since there is no need to connect via the VPN to that server for PPTP.  Anyhow, removed this, and now I am getting a different error:

039932: Aug 21 2:53:17.799: %FW-6-DROP_PKT: Dropping Other session ccc.ccc.ccc.ccc:20770 10.77.99.11:1723  due to  Stray Segment with ip ident 2101 tcpflags 0x5010 seq.no 2248634701 ack 614063446

So there is something being dropped by the CBAC firewall... I notice I get the same error whether I enter correct or incorrect credentials for the PPTP VPN - will check with the server guys to make sure they haven't disabled/changed my account, but I believe I am getting an erroneous error message (using Windows 7 PPTP client to connect, and get "Error 629: The connection was closed by the remote computer").

I tried disabling CBAC and any ACLs, and I am still not able to connect.

The other thing I was thinking was that there might be a firewall on the server itself which is causing me an issue.  I will check with the server guys to see if there is a firewall enabled.

Thanks
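Added here as an illustration, not code from this thread or from Cisco: a small Python script that flags static port forwards carrying a route-map (the clause Anu had removed from the PPTP forward above) and parses the %FW-6-DROP_PKT message quoted in the previous post so a drop can be matched to the forward it hit. The second config line (the SMTP forward to 10.77.99.12) and the embedded log sample are constructed for the example.

```python
import re
# "ip nat inside source static <proto> <in-ip> <in-port> <out-ip> <out-port> [route-map X] [extendable]"
STATIC_NAT_RE = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp) (?P<inside>\S+) (?P<in_port>\d+) "
    r"(?P<outside>\S+) (?P<out_port>\d+)(?P<rest>.*)$")

# Shape of the CBAC drop message quoted in the thread.
FW_DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session (?P<src>\S+):(?P<sport>\d+) "
    r"(?P<dst>\S+):(?P<dport>\d+)\s+due to\s+(?P<reason>.+?)\s+with ip ident (?P<ident>\d+)")

def audit_static_nat(config_text):
    """One dict per static port forward, recording any route-map it carries."""
    entries = []
    for line in config_text.splitlines():
        m = STATIC_NAT_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest").split()
        route_map = rest[rest.index("route-map") + 1] if "route-map" in rest else None
        entries.append({"proto": m.group("proto"),
                        "inside": f"{m.group('inside')}:{m.group('in_port')}",
                        "outside": f"{m.group('outside')}:{m.group('out_port')}",
                        "route_map": route_map, "extendable": "extendable" in rest})
    return entries

def forwards_with_route_map(config_text):
    """Forwards whose translation is conditional on a route-map, like the PPTP one above."""
    return [e for e in audit_static_nat(config_text) if e["route_map"]]

def parse_fw_drops(log_text):
    """Fields of each %FW-6-DROP_PKT line, so a drop can be matched to the forward it hit."""
    drops = []
    for line in log_text.splitlines():
        m = FW_DROP_RE.search(line)
        if m:
            d = m.groupdict()
            d.update({k: int(d[k]) for k in ("sport", "dport", "ident")})
            drops.append(d)
    return drops

# Constructed sample input: the PPTP forward and the log line are from the thread; the
# SMTP forward to 10.77.99.12 is made up to show an entry without a route-map.
SAMPLE_CONFIG = """\
ip nat inside source static tcp 10.77.99.11 1723 ccc.ccc.ccc.ccc 1723 route-map nonat extendable
ip nat inside source static tcp 10.77.99.12 25 ccc.ccc.ccc.ccc 25 extendable
"""
SAMPLE_LOG = ("039932: Aug 21 2:53:17.799: %FW-6-DROP_PKT: Dropping Other session "
              "ccc.ccc.ccc.ccc:20770 10.77.99.11:1723  due to  Stray Segment with ip ident 2101 "
              "tcpflags 0x5010 seq.no 2248634701 ack 614063446")
```

Run `forwards_with_route_map()` over the sanitized "sh run" to list every port forward whose translation depends on a route-map, then compare the destination of each parsed drop against those entries.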

Hi,

Sure. Keep me posted!

Regards,

Anu

Hi Anu,

Thanks for your help.  As an update, since changing the NAT statement, we are having some success in connecting via PPTP, in that one user can connect from their laptop.  However, I cannot connect from my Windows 7 laptop with my username/password.  So, either way, it is no longer a router issue and more a user issue (either my user account, or my laptop).

Once again, thanks for your help!

Hi,

That's great! I'm glad I could help.

Have a good day.

Regards,

Anu