11-21-2001 01:28 AM - edited 02-21-2020 11:30 AM
Hi,
Can someone tell me how to set up our 1720 router to tunnel VPN using PPTP (port 1723 and protocol GRE, 47)? We are using NAT, and this is what we want:
<external ip> port 1723 (pptp control) forwarded to 192.168.2.2
<external ip> protocol 47 (GRE) forwarded to 192.168.2.2
Everything else going to this ip should be rejected.
Our setup is:
internet <-> 1720 <-> vpn pc
I'm a newbie to Cisco routers and have been unable to find a proper document on Cisco's site that describes how to do this. So if you have the exact commands, that would be a big help.
Thank you
Mads
11-21-2001 02:08 PM
We are trying to get this same information for our phone company (X.O.). We want to do the exact same thing. So thank you for posting the question.
If I find the information elsewhere I will let you know.
Thanks
Walt
11-26-2001 01:58 PM
Guys,
Trying to do the same thing and I think I've got it. I originally thought I had the config right, but it just wouldn't work. Then I found out that Cisco IOS NAT only supports PPTP when you do 1-to-1 NAT, with an individual IP and no overloading (PAT). This means that you will need more than one static IP on the outside from your ISP. I don't have that at this customer yet (hopefully next week), so I have no way of testing the config yet, but this is how it should look (the whole thing is not included, but you should get the idea):
interface FastEthernet0
ip address
ip broadcast-address
ip nat inside
speed auto
!
interface Serial0
ip address
ip nat outside
no fair-queue
service-module t1 timeslots 1-24
!
ip nat pool test
ip nat inside source list 1 pool test overload
ip nat inside source static tcp
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
!
access-list 1 permit
access-list 100 deny tcp any any
access-list 100 permit tcp any eq 1723 host
I'll email this to both of you as well, and if I try it next week and it doesn't work, I'll figure out why and let you know.
garrett
01-18-2002 01:08 PM
This is the config that actually works (I am currently using it with no problems). The # signs are where I have removed IPs or other info I really don't want to post. I left the last octet so you could figure out how the interfaces are set up:
Current configuration : 1861 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname #
!
logging rate-limit console 10 except errors
enable password 7 #
!
username # password 7 #
memory-size iomem 25
ip subnet-zero
no ip finger
ip name-server 198.6.1.3
ip name-server 198.6.1.4
!
!
!
!
interface FastEthernet0
ip address # 255.255.0.0
ip broadcast-address #
ip nat inside
speed auto
!
interface Serial0
ip address #.33 255.255.255.224 secondary
ip address #.2 255.255.255.252
ip nat outside
no fair-queue
service-module t1 timeslots 1-24
!
ip nat pool publicusers #.2 #.2 prefix-length 24
ip nat pool pptpusers #.33 #.33 prefix-length 24
ip nat inside source list 1 pool publicusers overload
ip nat inside source list 100 pool pptpusers overload
ip nat inside source static tcp #.22 1723 #.33 1723 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route #.32 255.255.255.224 Serial0
no ip http server
!
access-list 1 permit #.0 0.0.255.255
access-list 1 permit #.0 0.0.0.255
access-list 100 deny tcp any any
access-list 100 permit tcp any eq 1723 host #.22 eq 1723
access-list 111 permit esp any host #.15 log-input
access-list 111 permit ahp any host #.15 log-input
access-list 111 permit udp any host #.15 eq isakmp
access-list 111 permit tcp any host #.15 eq 389
access-list 111 permit tcp any host #.15 eq 709
access-list 111 permit tcp any host #.15 eq 5080
!
line con 0
exec-timeout 25 0
login local
transport input none
line aux 0
login local
line vty 0 4
exec-timeout 25 0
login local
!
end
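The forwarding policy the original question asks for (TCP/1723 and IP protocol 47 arriving at one public address are forwarded to 192.168.2.2, everything else is rejected), together with Garrett's point that overloaded NAT (PAT) cannot carry PPTP, modelled as an added example in Python. This is not code from the thread or from Cisco. The public address 203.0.113.10, the client address 198.51.100.7 and every sample packet are constructed placeholders; the header layouts are those of IPv4, TCP and the RFC 2637 "enhanced GRE" that PPTP data packets use. The example parses each packet, shows what key a PAT translation table could use for it (TCP/UDP have ports, GRE has only the PPTP Call ID), and applies the requested policy.

```python
"""Model of PPTP pass-through: why GRE needs a 1:1 translation, and the
forward/reject policy from the question. Added example, not from the thread.
Addresses are assumed placeholders; sample packets are constructed inline."""
import ipaddress
import struct

PPTP_CONTROL_PORT = 1723
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_GRE = 47
GRE_PROTO_PPP = 0x880B      # protocol type carried by PPTP data packets
GRE_FLAG_KEY = 0x2000       # K bit: Key field (payload length + Call ID) present
GRE_FLAG_SEQ = 0x1000       # S bit: sequence number present
GRE_VERSION_PPTP = 1        # low 3 bits of the flags word, RFC 2637 enhanced GRE

PUBLIC_IP = "203.0.113.10"  # assumed public address (documentation range)
PPTP_SERVER = "192.168.2.2" # inside PPTP server from the original question


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header: no options, checksum left zero (offline use only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_tcp_syn(sport, dport):
    """20-byte TCP header with only SYN set, checksum zero (offline use only)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def build_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_pptp_gre(call_id, ppp_payload, seq=0):
    """RFC 2637 data packet: GRE v1, K and S set, Key = payload length | Call ID."""
    flags = GRE_FLAG_KEY | GRE_FLAG_SEQ | GRE_VERSION_PPTP
    return struct.pack("!HHHHI", flags, GRE_PROTO_PPP, len(ppp_payload), call_id, seq) + ppp_payload


def parse_ipv4(packet):
    """Return (src, dst, proto, l4_payload) for one raw IPv4 packet."""
    f = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (f[0] & 0x0F) * 4
    return (str(ipaddress.IPv4Address(f[8])), str(ipaddress.IPv4Address(f[9])),
            f[6], packet[ihl:f[2]])


def pat_key(packet):
    """The tuple an overloaded NAT would need to track this flow.
    TCP/UDP carry ports. Plain GRE carries nothing to key on, so PAT cannot
    multiplex it; a PPTP-aware translator has to read the GRE Call ID instead."""
    src, _dst, proto, l4 = parse_ipv4(packet)
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack("!HH", l4[:4])
        return (src, proto, sport, dport)
    if proto == IPPROTO_GRE:
        flags, ptype = struct.unpack("!HH", l4[:4])
        if ptype == GRE_PROTO_PPP and flags & GRE_FLAG_KEY and len(l4) >= 8:
            _plen, call_id = struct.unpack("!HH", l4[4:8])
            return (src, proto, "call-id", call_id)
        return None  # untrackable by port: needs its own public IP (1:1 static NAT)
    return None


def forward_decision(packet, public_ip=PUBLIC_IP, server=PPTP_SERVER):
    """Apply the requested policy to one inbound packet.
    Returns ('forward', server, reason) or ('reject', None, reason)."""
    _src, dst, proto, l4 = parse_ipv4(packet)
    if dst != public_ip:
        return ("reject", None, "not addressed to the PPTP public IP")
    if proto == IPPROTO_TCP:
        _sport, dport = struct.unpack("!HH", l4[:4])
        if dport == PPTP_CONTROL_PORT:
            return ("forward", server, "pptp control (tcp/1723)")
        return ("reject", None, f"tcp/{dport} not permitted")
    if proto == IPPROTO_GRE:
        flags, _ptype = struct.unpack("!HH", l4[:4])
        call_id = struct.unpack("!HH", l4[4:8])[1] if flags & GRE_FLAG_KEY and len(l4) >= 8 else None
        return ("forward", server, f"gre (protocol 47), call id {call_id}")
    return ("reject", None, f"ip protocol {proto} not permitted")


# Constructed sample traffic, not captured from any real network.
CLIENT = "198.51.100.7"
SAMPLE_PACKETS = {
    "control": build_ipv4(CLIENT, PUBLIC_IP, IPPROTO_TCP, build_tcp_syn(40000, 1723)),
    "data": build_ipv4(CLIENT, PUBLIC_IP, IPPROTO_GRE, build_pptp_gre(0x1234, b"\xff\x03\xc0\x21")),
    "plain_gre": build_ipv4(CLIENT, PUBLIC_IP, IPPROTO_GRE, b"\x00\x00\x08\x00"),
    "ssh": build_ipv4(CLIENT, PUBLIC_IP, IPPROTO_TCP, build_tcp_syn(40001, 22)),
    "dns": build_ipv4(CLIENT, PUBLIC_IP, IPPROTO_UDP, build_udp(5353, 53, b"")),
    "other_host": build_ipv4(CLIENT, "203.0.113.11", IPPROTO_TCP, build_tcp_syn(40002, 1723)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:11s} pat_key={pat_key(pkt)} -> {forward_decision(pkt)}")
```

Run it directly to print the translation key and the policy decision for each constructed packet. The `None` that `pat_key` returns for GRE without a recognised Call ID is the case Garrett describes: the translator has no port to overload on, so the inside PPTP server needs a dedicated public address and a 1:1 static translation, which is what the second public IP in his working config provides. On the router itself, the "everything else rejected" half of the question is an inbound access list on the outside interface permitting only `tcp ... eq 1723` and `gre` to that address; in the config as posted, access-list 111 is defined but is not applied to any interface with `ip access-group`, so it does not filter anything as shown.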