Help with internet router config to allow pptp

What needs to happen here in this config to allow pptp traffic to a Microsoft Windows Server for VPN??

I'm still trying to get an understanding of access-lists so I assume that's what's wrong.

Can anybody provide me with some more info?

The VPN server is 10.1.10.13

config below:

Building configuration...

Current configuration : 1967 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname internet
!
enable secret 5 $1$GLMh$KrHl9uwEToppQmOqIbspp.
enable password 7 0822455D0A16
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
no ip source-route
!
no ip bootp server
!
!
!
interface Serial0
 description Dedicated link to the Internet
 bandwidth 1536
 ip address xxx.xxx.xxx.xxx 255.255.255.252
 ip access-group 101 in
 ip access-group 102 out
 ip nat outside
 encapsulation ppp
 no fair-queue
 service-module t1 timeslots 1-24
!
interface FastEthernet0
 bandwidth 100000
 ip address 10.1.10.254 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
!
router rip
 network 10.0.0.0
 neighbor 10.2.10.0
 neighbor 10.7.10.0
!
ip nat pool nat-pool xxx.xxx.xxx.21 xxx.xxx.xxx.22 netmask 255.255.255.248
ip nat inside source list 1 pool nat-pool overload
ip nat inside source static 10.1.10.10 xxx.xxx.xxx.18
ip nat inside source static 10.1.10.11 xxx.xxx.xxx.17
ip nat inside source static 10.1.10.101 xxx.xxx.xxx.19
ip nat inside source static 10.1.10.13 xxx.xxx.xxx.20
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.193
ip route 10.1.10.0 255.255.255.0 10.1.10.249
ip route 10.2.10.0 255.255.255.0 10.1.10.253
ip route 10.5.10.0 255.255.255.0 10.1.10.253
ip route 10.6.10.0 255.255.255.0 10.1.10.253
ip route 10.7.10.0 255.255.255.0 10.1.10.253
ip route 10.8.10.0 255.255.255.0 10.1.10.253
ip route 10.9.10.0 255.255.255.0 10.1.10.253
ip route 192.39.0.0 255.255.0.0 10.1.10.5
ip route 192.168.1.0 255.255.255.0 10.1.10.249
ip route 192.168.2.0 255.255.255.0 10.1.10.249
ip route 192.168.3.0 255.255.255.0 10.1.10.249
ip route 192.168.4.0 255.255.255.0 10.1.10.249
ip route 192.168.7.0 255.255.255.0 10.1.10.249
no ip http server
!
access-list 1 permit 10.0.0.0 0.255.255.255
!
line con 0
line aux 0
line vty 0 4
 password 7 03144C19031E
 login
!
no scheduler allocate
end

Reply to
Todd

Hi,

I see a couple of problems right away. Firstly, the subnet mask on your Serial interface is incorrect: you have it set to 255.255.255.252, which means you have only 2 public IP addresses, but looking at your IP NAT entries you must have at least 6 public addresses assigned to you.

The serial interface has two access-lists assigned to it: "ip access-group 101 in" and "ip access-group 102 out". The matching access-lists are not shown in your config - did you remove them from the post for security reasons or are they missing from your config?

Have you permitted 'gre' in your access-list - I can't remember if this is needed or not.

PPTP will not work through a lot of NAT devices unless the device performing NAT supports PPTP NAT Traversal. For example a PC on a dial-up account may work fine, but if that same PC is then used behind a firewall the PPTP tunnel will fail unless the firewall has been configured to support it. Your IOS version 12.1 may be okay as long as it is version 12.1(5)T or higher. If not, you may need an IOS upgrade.

"Debug access-list 101 pptp" may be a useful command to try if access-list 101 is in place.

Let us know what you find.

Regards,

Martin

Reply to
Martin Kayes
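
An added example, not from the thread or its posters: a Python check for the two things the reply above raises, an `ip access-group` that references an undefined access-list and an inbound list that does not admit PPTP, which needs TCP port 1723 for control and GRE (IP protocol 47) for data. The function name `audit_pptp` and the two `access-list 101` lines in the sample are assumptions, since the thread never shows ACL 101 or 102.

```python
import re

# Constructed sample: lines from the config posted in this thread, plus two
# hypothetical access-list 101 entries (the thread never shows ACL 101 or 102).
SAMPLE = """\
interface Serial0
 ip access-group 101 in
 ip access-group 102 out
 ip nat outside
!
ip nat inside source static 10.1.10.13 xxx.xxx.xxx.20
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 101 permit tcp any host xxx.xxx.xxx.20 eq 1723
access-list 101 deny ip any any
"""

def audit_pptp(config, vpn_inside):
    """List config problems that would block inbound PPTP to vpn_inside."""
    text = "\n".join(line.strip() for line in config.splitlines())
    # Inbound ACLs on the NAT outside interface are checked before translation,
    # so rules must name the public (static NAT) address, not the 10.x one.
    nat = re.search(rf"^ip nat inside source static {re.escape(vpn_inside)} (\S+)$", text, re.M)
    if not nat:
        return [f"no static NAT entry for {vpn_inside}"]
    public = nat.group(1)
    wanted = ((f"permit tcp any host {public} eq 1723", "TCP 1723 (PPTP control)"),
              (f"permit gre any host {public}", "GRE (PPTP data)"))
    acls = {}  # ACL number -> rules in configured order
    for num, rule in re.findall(r"^access-list (\d+) (.+)$", text, re.M):
        acls.setdefault(num, []).append(rule)
    findings = []
    for num, direction in re.findall(r"^ip access-group (\d+) (in|out)$", text, re.M):
        if num not in acls:
            findings.append(f"access-group {num} {direction} applied but access-list {num} is not defined")
            continue
        if direction != "in":
            continue
        rules = acls[num]
        if "deny ip any any" in rules:  # nothing after a blanket deny can match
            rules = rules[:rules.index("deny ip any any")]
        if "permit ip any any" in rules:
            continue
        # Simplification: only the exact "any host <public>" rule form is recognised.
        for rule, label in wanted:
            if rule not in rules:
                findings.append(f"access-list {num} does not permit {label} to {public}")
    return findings

if __name__ == "__main__":
    for finding in audit_pptp(SAMPLE, "10.1.10.13"):
        print(finding)
```

On the constructed sample it reports the missing GRE permit in list 101 and the undefined list 102.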

Hi, thanks for your reply. Actually, I've got the Serial interface address, and a bank of public addresses. Which is why the subnet looks wrong. But they are just different addresses. Do these addresses need to be bound to serial0 as well?

I'm reading and trying to understand and learn as much as I can but sometimes things aren't totally clear.

Reply to
Todd

Hi,

Looking at your config, the serial connection is direct to the Internet. In which case the mask is wrong - it must be the correct mask for the range of addresses that you have, e.g.

8 addresses = 255.255.255.248
16 addresses = 255.255.255.240
32 addresses = 255.255.255.224
etc.

Without this the router will think that your NAT addresses are elsewhere - i.e. behind another router or firewall.

If you have some other device between your router and the Internet then let me know how it is setup.

Regards,

Martin

Reply to
Martin Kayes

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.