FW: cisco IOS firewall terminating pptp

["Mark Lewis" <mark () mjlnet com>]

Andrew,

*From your brief description*, it seems likely that you are running into an
issue with the PPTP data tunnel (PPTP, as you may know consists of a control
channel which uses TCP port  1723, and a data tunnel that uses Enhanced
GRE).

The issue is as follows: the remote access client (say an XP box) and your
IOS box negotiate  PPTP tunnel setup on the control channel (using PPTP
SCCRQ, SCCTP, OCRQ, and OCRP messages).

Because the control channel runs over TCP, NAT/PAT boxes typically don't
have a problem with it. But because the data tunnel (which transports end
user traffic over PPP) runs over GRE (IP  port 47), NAT/*PAT* boxes may have
problems translating data tunnel packets.

The upshot is that the control channel sets up the PPTP tunnel, but then
data tunnel transport fails, and the whole PPTP tunnel goes down.

You can verify if this is happening in your case by using the 'debug vpdn
l2x-packets'/'debug  vpdn l2x-events' and 'debug ppp negotiation' on your
ios box [but check cpu load 1st using 'show proc cpu'!]. If you see the
SCCRQ/SCCRP/OCRQ/OCRP control channel messages, but PPP negotiation fails
then the issue described here is likely the one you are running into. PPP
messages are the first traffic frames sent over the data tunnel, so if you
don't see them (or just one or two), then it's *likely* that there is indeed
a problem translating data tunnel messages (though it could also *possibly*
be a simple PPP  negotiation/ios virtual template issue).

If you are really curious, you can also watch PPP negotiation from the
Microsoft client side by enabling PPP logging (see Microsoft KB article
234014 at www.microsoft.com).


Anyway, Cisco IOS supports 'regular' 1-1 NAT, but support for PAT with PPTP
was only added in IOS 12.1(4)T. So, double check that you have a version of
IOS that supports PPTP & PAT (no explicit command is necessary to enable
support).

See the following website for a Cisco explanation:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_examp
le09186a00800949c0.shtml

Phew! Hope that helps...

Mark

Author: http://www.amazon.com/exec/obidos/tg/detail/-/1587051044/




> -- Original Message --
> Subject: cisco IOS firewall terminating pptp
> Date: Mon, 22 Nov 2004 16:44:08 -0000
> From: "Andrew Shore" <andrew.shore () holistecs com>
> To: <firewalls () securityfocus com>
>
>
> Guys,
>
> I have a cisco ISO firewall router terminating pptp vpn for remote access.
>
> This works fine for dial-up users and users using adsl modems as the source
> address is not natted. However, if the source address is natted the VPN
fails
> to connect.
>
> I know that on the PIX there is an IP NAT TRANSLATE command with gets over
> this problem but I can not find an equivalent command for IOS.
>
> Any help greatfully received.
>
> Andy


___________________________________________________________

FREE weekend phone calls! NO monthly fee, NO contract!

http://www.tiscali.co.uk/services/smarttalk/?StartupCode=OL063&srccode=COD_5
63