
VPN over NAT/PAT on 1720

Status
Not open for further replies.

FishinSGT

IS-IT--Management
Dec 20, 2002
US
Is it possible?

I am still searching for an answer. I am trying to VPN to one of my clients' Microsoft 2000 servers running VPN across a private address.

What the error is:
Error 721. From Microsoft, I found that error 721 links back to GRE and that PPTP needs to ride on the GRE protocol.


What I have done so far:
Enabled NAT with port forwarding of port 1723 TCP, and I did UDP as well just to see if it would be happy, to no avail.

What I am looking for the answer on, or to know if I can even do it:
I have found ways to enable protocol 47 (GRE) on the 600 series and the PIX firewalls, but can find no mention of it on the 1720s; however, I did find mention that the 1720s support IPsec, GRE and L2TP.

Here is a copy of my configuration.

Any ideas, short of getting an ISP that will give you two IP addresses so you can just do a one-to-one NAT to the server, will be greatly appreciated.

Side note: I only have one valid IP address and CANNOT, for NO amount of money, get another one... I have no idea why.
And it is Frame Relay, not DSL, which is what I originally thought when I heard this:

version 12.0
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname name
!
logging monitor emergencies
enable secret 0
enable password 7
!
memory-size iomem 25
ip subnet-zero
no ip source-route
ip domain-name newsouth.net
ip name-server 1.1.1.1
ip name-server 1.1.1.2
!
interface Serial0
bandwidth 256
no ip address
no ip directed-broadcast
encapsulation frame-relay IETF
no fair-queue
service-module t1 timeslots 21-24
frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
ip address 172.16.12.154 255.255.255.252
no ip directed-broadcast
ip nat outside
no cdp enable
frame-relay interface-dlci 5
!
interface Serial1
ip address 10.0.0.1 255.255.255.252
no ip directed-broadcast
ip nat inside
encapsulation ppp
no fair-queue
!
interface FastEthernet0
ip address 192.168.1.254 255.255.255.0
no ip directed-broadcast
ip nat inside
half-duplex
!
ip nat inside source list 1 interface Serial0.1 overload
ip nat inside source static udp 192.168.1.1 88 172.16.12.154 88 extendable
ip nat inside source static udp 192.168.1.1 1723 172.16.12.154 1723 extendable
ip nat inside source static tcp 192.168.1.1 1723 172.16.12.154 1723 extendable
ip nat inside source static tcp 192.168.1.1 1433 172.16.12.154 1433 extendable
ip nat inside source static tcp 192.168.1.1 21 172.16.12.154 21 extendable
ip nat inside source static tcp 192.168.1.1 25 172.16.12.154 25 extendable
ip nat inside source static tcp 192.168.1.1 80 172.16.12.154 80 extendable
ip nat inside source static tcp 192.168.1.1 3389 172.16.12.154 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.12.153
ip route 192.168.2.0 255.255.255.0 10.0.0.2
no ip http server
!
access-list 1 permit any
banner motd ^C
**** This is a secure host! ****
**** Unauthorized access is prohibited! ****
^C
!
line con 0
password 7
login
transport input none
line aux 0
line vty 0 4
password 7
login
!
end

The addresses and names, blah, blah, blah, have been changed to private ones, but the 172.16.x.x is the one that replaced the one public address.

ANY input into this is greatly appreciated.
Duane



 
I found this:

Q. What ports should I open on a firewall in order to accommodate PPTP tunnels?
A. The ports you should open are:
TCP/1723
TCP/139
UDP/Netbios-NS
UDP/Netbios-DGM
IP/47 GRE

source:

What bothers me is the NetBIOS ports being opened. I'm trying to find out why those ports need to be open: if it's for after the tunnel is made, which would make sense, or if it's part of PPTP.

I also noticed there are specific versions of the IOS that will support PPTP correctly. Which version of IOS do you have on this router?

MikeS Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
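An added example, not from the thread and not Cisco's code: a small Python checker that reads static NAT lines written the way the config posted above writes them and reports which of the PPTP requirements listed in this reply are not covered for the VPN server. The point it shows is the one behind error 721: a port-based static entry only forwards the TCP/UDP port it names, and GRE has no port numbers, so no such entry can carry it; only a one-to-one static mapping, which forwards every IP protocol, covers GRE, and that needs a public address other than the router's own interface address, which is exactly what the original poster says he cannot get. The sample config is constructed from the posted one, and the function and constant names are this example's own.

```python
"""Check a Cisco IOS NAT configuration for what a PPTP server behind it needs.

Added example, not code from the thread or from Cisco. It parses the
`ip nat inside source static ...` lines the way the posted config writes them
and reports, for a given inside host, whether TCP/1723 (PPTP control) and IP
protocol 47 (GRE, the PPTP data channel) are both forwarded. Port-based static
entries (tcp/udp) cannot carry GRE, because GRE has no port numbers; only a
one-to-one static mapping, which forwards every IP protocol, covers it.
Function and constant names are this example's own.
"""
import re

# Constructed sample: the NAT lines from the config posted above, with the
# public address replaced as the poster did (172.16.12.154).
SAMPLE_CONFIG = """\
ip nat inside source list 1 interface Serial0.1 overload
ip nat inside source static udp 192.168.1.1 1723 172.16.12.154 1723 extendable
ip nat inside source static tcp 192.168.1.1 1723 172.16.12.154 1723 extendable
ip nat inside source static tcp 192.168.1.1 3389 172.16.12.154 3389 extendable
"""

# What a PPTP client must reach on the server (from the port list above):
# the control connection on TCP/1723 and the data channel on IP protocol 47.
PPTP_REQUIREMENTS = (("tcp", 1723), ("gre", None))

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Port forward: static <tcp|udp> <inside> <iport> <outside> <oport> [extendable]
STATIC_PORT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) " + IPV4 + r" (\d+) " + IPV4 + r" (\d+)")
# One-to-one: static <inside> <outside> [extendable]  (forwards all IP protocols)
STATIC_HOST_RE = re.compile(
    r"^ip nat inside source static " + IPV4 + " " + IPV4 + r"(?:\s+extendable)?$")


def parse_static_nat(config_text):
    """Return (proto, inside_host, inside_port) for every static NAT line.

    proto is 'tcp' or 'udp' for a port forward and 'any' for a one-to-one
    mapping; inside_port is None for one-to-one mappings. Dynamic/overload
    lines are not static mappings and are skipped.
    """
    entries = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = STATIC_PORT_RE.match(line)
        if m:
            proto, inside, inside_port, _outside, _outside_port = m.groups()
            entries.append((proto, inside, int(inside_port)))
            continue
        m = STATIC_HOST_RE.match(line)
        if m:
            entries.append(("any", m.group(1), None))
    return entries


def pptp_gaps(config_text, server):
    """Return the PPTP requirements the config does not satisfy for server.

    Each gap is a (proto, port) pair taken from PPTP_REQUIREMENTS.
    """
    entries = parse_static_nat(config_text)
    if any(p == "any" and h == server for p, h, _ in entries):
        return []  # a one-to-one mapping carries TCP/1723 and GRE alike
    gaps = []
    for proto, port in PPTP_REQUIREMENTS:
        if proto == "gre":
            gaps.append((proto, port))  # no tcp/udp entry can ever carry GRE
        elif not any((p, h, pt) == (proto, server, port) for p, h, pt in entries):
            gaps.append((proto, port))
    return gaps


def describe(gaps):
    """Render the gap list as one line suitable for a ticket or report."""
    if not gaps:
        return "PPTP requirements satisfied"
    parts = []
    for proto, port in gaps:
        if proto == "gre":
            parts.append("IP protocol 47 (GRE) not forwarded")
        else:
            parts.append(f"{proto.upper()}/{port} not forwarded")
    return "; ".join(parts)


if __name__ == "__main__":
    # For the posted config this reports only the GRE gap: TCP/1723 is there,
    # the UDP/1723 entry is irrelevant, and nothing forwards protocol 47.
    print(describe(pptp_gaps(SAMPLE_CONFIG, "192.168.1.1")))
```

Run against the sample, the checker says TCP/1723 is covered and GRE is not, which is the state the original poster describes. Feeding it a single `ip nat inside source static <inside> <outside>` line instead reports no gaps, since a one-to-one mapping translates every IP protocol; the checker does not know whether that outside address is free on the router, which is the poster's actual constraint.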
 
Mike,

Thanks for your answer. This is what is frustrating me, though, and I was hoping you could shed some light on it:

IP/47 GRE: what is the command to enable this?

I have tried, for example:
ip nat inside source static gre 192.168.1.1 172.16.12.154, to no avail. Also ip nat inside source static ip 192.168.1.1 0 172.16.12.154 0 47. I found this type of configuration for the 600 and received multiple 'you can't do that' " ^ " markers from the IOS.

The IOS version is 12.0(8) IP Plus for a 1720.

I have since read something about creating a "gre" tunnel using the IOS tunneling protocol; unfortunately, other than "interface tunnel 0", I don't even know where to begin to make this go.

Thank you for your help,
Duane

 
According to Cisco's IOS Feature Navigator, you need 12.2(8) at least to get solid PPTP support.

'The Point to Point Tunneling Protocol (PPTP) with Microsoft Point-to-Point Encryption (MPPE) feature enables Cisco Virtual Private Networks (VPNs) to use PPTP as the tunneling protocol.'

IOS levels:
12.2(11)T3
12.2(11)T2
12.2(11)T1
12.2(11)T
12.2(8)T5
12.2(8)T4
12.2(8)T1

MikeS Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 