Can't get GRE passthrough to work

Status
Not open for further replies.

Rouslan

Technical User
Sep 7, 2002
27
CA
I am working with a Cisco 831 router and I just can't seem to get GRE passthrough to work. The intent is to allow a Windows PPTP VPN connection to 192.168.1.200 from outside the network. I set the configuration to resemble the one described at searched for a solution on Google, and tried several variations of options (such as adding "permit ip any any" to the "for_nat" access-list), without success.

When I run pptpsrv.exe and pptpclnt.exe, pptpclnt.exe manages to connect via TCP 1723 but pptpsrv.exe never receives the GRE packets, unless I bypass the router and hook a computer directly to the internet line.

Here is the configuration. The ipsec thing is for a router-to-router VPN (that works), and is unrelated to what I'm trying now.

Code:
!
version 12.3
service config
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname internet-router
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
enable secret 5 X
enable password 7 X
!
username rouslan password 7 X
username pathway password 7 X
no aaa new-model
ip subnet-zero
no ip source-route
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.20
ip dhcp excluded-address 192.168.1.101 192.168.1.255
!
ip dhcp pool mypool
   network 192.168.1.0 255.255.255.0
   dns-server 192.168.1.200 64.201.167.193 
   default-router 192.168.1.1 
!
!
ip domain name daroan-mississauga.ca
ip ftp username me
ip ips po max-events 100
no ftp-server write-enable
!
!
!
! 
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key X address 209.250.148.149 no-xauth
!
!
crypto ipsec transform-set vpn_net esp-3des esp-sha-hmac 
!
crypto map vpn_to_remote 10 ipsec-isakmp 
 set peer 209.250.148.149
 set security-association lifetime seconds 28800
 set transform-set vpn_net 
 match address vpn_pathway
!
!
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface Ethernet1
 ip address 64.201.165.210 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip pim dense-mode
 ip nat outside
 ip virtual-reassembly
 duplex auto
 no cdp enable
 crypto map vpn_to_remote
!
interface Ethernet2
 no ip address
 shutdown
 no cdp enable
!
interface FastEthernet1
 no ip address
 duplex half
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 100
 auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 64.201.165.214
ip route 0.0.0.0 0.0.0.0 Null0 255
!
no ip http server
no ip http secure-server
!
ip nat inside source list for_nat interface Ethernet1 overload
ip nat inside source static tcp 192.168.1.200 21 64.201.165.210 21 extendable
ip nat inside source static tcp 192.168.1.200 1723 64.201.165.210 1723 extendable
ip nat inside source static tcp 192.168.1.200 3389 64.201.165.210 3389 extendable
ip nat inside source static tcp 192.168.1.169 4388 64.201.165.210 4388 extendable
ip nat inside source static tcp 192.168.1.59 4390 64.201.165.210 4390 extendable
ip nat inside source static tcp 192.168.1.200 20000 64.201.165.210 20000 extendable
ip nat inside source static tcp 192.168.1.200 20001 64.201.165.210 20001 extendable
ip nat inside source static tcp 192.168.1.200 20002 64.201.165.210 20002 extendable
ip nat inside source static tcp 192.168.1.200 20003 64.201.165.210 20003 extendable
ip nat inside source static tcp 192.168.1.200 20004 64.201.165.210 20004 extendable
ip nat inside source static tcp 192.168.1.200 20005 64.201.165.210 20005 extendable
ip nat inside source static tcp 192.168.1.9 20396 64.201.165.210 20396 extendable
!
!
ip access-list extended for_nat
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 permit gre any any
ip access-list extended vpn_pathway
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 2 permit any
access-list 10 permit 192.168.1.0 0.0.0.31
no cdp run
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 password 7 X
 login local
 transport preferred all
 transport input ssh
 transport output all
!
scheduler max-task-time 5000
end

What am I missing?
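
The symptom reported in the post above (the TCP 1723 control channel connects, but GRE never reaches the server) can be confirmed from packets captured on the PPTP server. This is an added example, not part of the original post: it assumes raw IPv4 packets that start at the IP header, and the sample packets and the 203.0.113.x / 192.0.2.x addresses are constructed placeholders.

```python
import struct

PPTP_CONTROL_PORT = 1723          # PPTP control channel (TCP)
IPPROTO_TCP, IPPROTO_GRE = 6, 47  # IP protocol numbers
PPTP_GRE_PROTO = 0x880B           # enhanced GRE carrying PPP (RFC 2637)

def classify(packet: bytes) -> str:
    """Label one raw IPv4 packet: 'pptp-control', 'pptp-gre' or 'other'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "other"
    proto, payload = packet[9], packet[ihl:]
    if proto == IPPROTO_TCP and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
        if PPTP_CONTROL_PORT in (sport, dport):
            return "pptp-control"
    elif proto == IPPROTO_GRE and len(payload) >= 8:
        flags, ptype = struct.unpack("!HH", payload[:4])
        # Enhanced GRE: version (low 3 bits) is 1 and the Key bit is set.
        if ptype == PPTP_GRE_PROTO and flags & 0x0007 == 1 and flags & 0x2000:
            return "pptp-gre"
    return "other"

def summarize(packets):
    counts = {"pptp-control": 0, "pptp-gre": 0, "other": 0}
    for pkt in packets:
        counts[classify(pkt)] += 1
    return counts

def diagnose(counts):
    if counts["pptp-control"] and not counts["pptp-gre"]:
        return "control channel only: GRE is not arriving"
    return "GRE arriving" if counts["pptp-gre"] else "no PPTP traffic seen"

def _ipv4(proto, payload, src=(203, 0, 113, 5), dst=(192, 0, 2, 10)):
    # Constructed 20-byte IPv4 header (checksum left at zero).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, bytes(src), bytes(dst)) + payload

# Constructed samples: a TCP SYN to port 1723, a PPTP GRE data packet,
# and a plain (non-PPTP) GRE packet carrying IPv4.
SYN_1723 = _ipv4(6, struct.pack("!HHIIBBHHH", 40000, 1723, 0, 0, 0x50, 0x02, 8192, 0, 0))
PPTP_GRE = _ipv4(47, struct.pack("!HHHHI", 0x3001, PPTP_GRE_PROTO, 0, 1, 0))
PLAIN_GRE = _ipv4(47, struct.pack("!HH", 0x0000, 0x0800) + b"\x00" * 4)

BEHIND_ROUTER = [SYN_1723, SYN_1723]   # what the post describes
DIRECT = [SYN_1723, PPTP_GRE]          # what a working path looks like
```
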