VPN using pptp through 1720 router

mflensted
Level 1

Hi,

Can someone tell me how to set up our 1720 router to tunnel VPN using PPTP (port 1723 and protocol GRE, 47)? We are using NAT, and this is what we want:

<external ip> port 1723 (pptp control) forwarded to 192.168.2.2

<external ip> protocol 47 (GRE) forwarded to 192.168.2.2

Everything else going to this ip should be rejected.

Our setup is:

internet <-> 1720 <-> vpn pc

I'm a newbie to Cisco routers and have been unable to find a proper document on Cisco's site that describes how to do this. So if you have the exact commands, that would be a big help.

Thank you

Mads

3 Replies

cmswcc1
Level 1

We are trying to get this same information for our phone company (X.O.). We want to do the exact same thing. So thank you for posting the question.

If I find the information elsewhere I will let you know.

Thanks

Walt..

Guys,

Trying to do the same thing and think I've got it. I originally thought I had the config right, but it just wouldn't work. Then I found out that Cisco IOS NAT only supports PPTP when you do 1-to-1 NAT, with an individual IP and no overloading (PAT). This means that you will need more than one static IP on the outside from your ISP. I don't have that at this customer yet (hopefully next week), so I have no way of testing the config yet, but this is how it should look (whole thing not included, but you should get the idea):

interface FastEthernet0
 ip address
 ip broadcast-address
 ip nat inside
 speed auto
!
interface Serial0
 ip address
 ip nat outside
 no fair-queue
 service-module t1 timeslots 1-24
!
ip nat pool test prefix-length 24
ip nat inside source list 1 pool test overload
ip nat inside source static tcp
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
!
access-list 1 permit
access-list 100 deny tcp any any
access-list 100 permit tcp any eq 1723 host eq 1723

I'll email this to both of you as well, and if I try it next week and it doesn't work, I'll figure out why and let you know.

garrett

This is the config that actually works (I am currently using it with no problems). The # signs are where I have removed IPs or other info I really don't want to post... I left the last octet so you could figure out how the interfaces are set up:

Current configuration : 1861 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname #
!
logging rate-limit console 10 except errors
enable password 7 #
!
username # password 7 #
memory-size iomem 25
ip subnet-zero
no ip finger
ip name-server 198.6.1.3
ip name-server 198.6.1.4
!
!
!
!
interface FastEthernet0
 ip address # 255.255.0.0
 ip broadcast-address #
 ip nat inside
 speed auto
!
interface Serial0
 ip address #.33 255.255.255.224 secondary
 ip address #.2 255.255.255.252
 ip nat outside
 no fair-queue
 service-module t1 timeslots 1-24
!
ip nat pool publicusers #.2 #.2 prefix-length 24
ip nat pool pptpusers #.33 #.33 prefix-length 24
ip nat inside source list 1 pool publicusers overload
ip nat inside source list 100 pool pptpusers overload
ip nat inside source static tcp #.22 1723 #.33 1723 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route #.32 255.255.255.224 Serial0
no ip http server
!
access-list 1 permit #.0 0.0.255.255
access-list 1 permit #.0 0.0.0.255
access-list 100 deny tcp any any
access-list 100 permit tcp any eq 1723 host #.22 eq 1723
access-list 111 permit esp any host #.15 log-input
access-list 111 permit ahp any host #.15 log-input
access-list 111 permit udp any host #.15 eq isakmp
access-list 111 permit tcp any host #.15 eq 389
access-list 111 permit tcp any host #.15 eq 709
access-list 111 permit tcp any host #.15 eq 5080
!
line con 0
 exec-timeout 25 0
 login local
 transport input none
line aux 0
 login local
line vty 0 4
 exec-timeout 25 0
 login local
!
end
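One thing worth auditing in the access-list 100 posted above: IOS evaluates an access-list top-down and stops at the first match, so the `deny tcp any any` line leaves the following `permit tcp any eq 1723 host #.22 eq 1723` line unreachable. The checker below is an added example, not code from any poster in this thread; it parses extended ACL lines in the syntax used here and reports entries shadowed by an earlier line, and its sample config (with constructed 10.0.0.x addresses standing in for the redacted `#` values) is modelled on that ACL.

```python
"""Flag shadowed (unreachable) lines in Cisco IOS extended access-lists. IOS stops at
the first matching line, so `deny tcp any any` before `permit tcp ...` shadows it."""
import re
from collections import namedtuple
from ipaddress import IPv4Address
ANY = (0, 0xFFFFFFFF)  # (address, wildcard) form of the keyword `any`
Ace = namedtuple("Ace", "acl action proto src sport dst dport text")
# Constructed sample modelled on the thread's access-list 100 (addresses are made up).
SAMPLE_CONFIG = """
access-list 100 deny tcp any any
access-list 100 permit tcp any eq 1723 host 10.0.0.22 eq 1723
"""

def _parse_addr(tokens, i):
    # Consume `any` | `host A` | `A WILDCARD`, then an optional `eq PORT`.
    if tokens[i] == "any":
        net, i = ANY, i + 1
    elif tokens[i] == "host":
        net, i = (int(IPv4Address(tokens[i + 1])), 0), i + 2
    else:
        net, i = (int(IPv4Address(tokens[i])), int(IPv4Address(tokens[i + 1]))), i + 2
    port = tokens[i + 1] if tokens[i:i + 1] == ["eq"] else None
    return net, port, i + (2 if port else 0)

def parse_ace(line):
    m = re.match(r"access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(.*)", line.strip())
    if not m or int(m.group(1)) < 100:  # standard ACLs (1-99) carry no ports; skip
        return None
    tokens = m.group(4).split()
    src, sport, i = _parse_addr(tokens, 0)
    dst, dport, _ = _parse_addr(tokens, i)
    return Ace(m.group(1), m.group(2), m.group(3), src, sport, dst, dport, line.strip())

def _covers_net(a, b):
    # a covers b when a's wildcard bits include b's and the fixed bits agree.
    return (a[1] | b[1]) == a[1] and (a[0] & ~a[1]) == (b[0] & ~a[1])

def covers(a, b):  # every packet matching entry b also matches the earlier entry a
    return (a.proto in ("ip", b.proto) and a.sport in (None, b.sport)
            and a.dport in (None, b.dport)
            and _covers_net(a.src, b.src) and _covers_net(a.dst, b.dst))

def shadowed_entries(config):
    """Return (unreachable line, earlier line that shadows it) pairs, per ACL number."""
    seen, findings = {}, []
    for ace in filter(None, map(parse_ace, config.splitlines())):
        earlier = seen.setdefault(ace.acl, [])
        findings += [(ace.text, p.text) for p in earlier if covers(p, ace)][:1]
        earlier.append(ace)
    return findings
```

`shadowed_entries(SAMPLE_CONFIG)` returns the permit line paired with the deny line that shadows it; with the two lines swapped it returns an empty list, because the permit does not cover the broader deny.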