Hi All,
Is there anything special I need to do to connect to a PPTP VPN server inside my network? I have set up port forwarding for TCP 1723, GRE, and UDP ports 500, 5500 and 1701.
Is the 3120 capable of supporting PPTP connections?
I have included my configuration below if that is useful.
Thanks!
!
!
! ADTRAN OS version 18.03.01.00.E
! Boot ROM version 17.01.01.00
! Platform: NetVanta 3120, part number 1700601G2
! Serial number LBADTN0951AE196
!
!
hostname "NetVanta3120"
enable password xxxxxx
!
clock timezone -5-Eastern-Time
!
ip subnet-zero
ip classless
ip routing
domain-name "wp.comcast.net"
domain-proxy
!
!
no auto-config
!
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
!
no service password-encryption
!
username "admin" password "xxxxxx"
!
!
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
no ip firewall alg sip
!
aaa on
ftp authentication LoginUseLocalUsers
!
!
aaa authentication login LoginUseTacacs group tacacs+
aaa authentication login LoginUseRadius group radius
aaa authentication login LoginUseLocalUsers local
aaa authentication login LoginUseLinePass line
!
aaa authentication enable default enable
!
aaa authentication port-auth default local
!
!
!
no dot11ap access-point-control
!
!
!
ip dhcp pool "Private"
network 192.168.0.0 255.255.255.0
dns-server 192.168.0.1
netbios-node-type h-node
default-router 192.168.0.1
!
ip dhcp pool "Fenix"
network 192.168.1.0 255.255.255.0
dns-server 192.168.1.208
default-router 192.168.1.208
!
!
!
!
vlan 1
name "Default"
!
vlan 2
name "VLAN2"
!
ip flow top-talkers
!
interface eth 0/1
ip address dhcp
ip access-policy Public
media-gateway ip primary
no shutdown
no lldp send-and-receive
!
!
interface switchport 0/1
spanning-tree edgeport
no shutdown
!
interface switchport 0/2
spanning-tree edgeport
no shutdown
switchport access vlan 2
switchport voice vlan 2
!
interface switchport 0/3
no shutdown
!
interface switchport 0/4
no shutdown
!
!
!
interface vlan 1
ip address 192.168.0.1 255.255.255.0
ip access-policy Private
ip flow ingress
ip flow egress
no shutdown
!
interface vlan 2
mac-address 00:A0:C8:50:16:4F
ip address 192.168.1.208 255.255.255.0
ip mtu 1500
ip access-policy Private
ip flow ingress
ip flow egress
no shutdown
!
!
!
!
ip access-list standard wizard-ics
remark Internet Connection Sharing
permit any
!
!
ip access-list extended self
remark Traffic to NetVanta
permit ip any any log
!
ip access-list extended web-acl-15
permit tcp any any eq https log
permit tcp any any eq ssh log
!
ip access-list extended web-acl-3
permit ip any any
!
ip access-list extended wizard-pfwd-2
permit tcp any host 10.1.10.10 eq 1723 log
remark PPTP
permit gre any host 10.1.10.10 log
permit udp any host 10.1.10.10 eq isakmp log
permit udp any host 10.1.10.10 eq 5500 log
permit udp any host 10.1.10.10 eq 1701 log
permit tcp any host 10.1.10.10 eq https log
!
ip access-list extended wizard-pfwd-3
remark VNC
permit tcp any host 10.1.10.10 eq 5900 log
!
!
!
ip policy-class Private
allow list self self
nat source list wizard-ics interface eth 0/1 overload
!
ip policy-class Public
allow list web-acl-15 self
nat destination list wizard-pfwd-2 address 192.168.0.20
nat destination list wizard-pfwd-3 address 192.168.1.196
!
!
no tftp server
no tftp server overwrite
http authentication LoginUseLocalUsers
http server
http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
ip sip
ip sip udp 5060
ip sip tcp 5060
!
!
line con 0
login authentication LoginUseLinePass
!
line telnet 0 4
login authentication LoginUseLocalUsers
password password
no shutdown
line ssh 0 4
login authentication LoginUseLocalUsers
no shutdown
!
sntp server nist.netservicesgroup.com
!
end
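As an added illustration of what the posted ACL and policy-class lines actually map to (this is not ADTRAN code or anything from the thread's participants), the script below parses a constructed excerpt of the config above, joins each `wizard-pfwd` ACL to its `nat destination` entry, checks that TCP 1723 and GRE both land on the same inside host, and lists any other forwards exposed on the WAN address; the service-name to port mapping is an assumption.

```python
import re
# Constructed excerpt of the thread's NetVanta config (same ACL names, ports and hosts).
CONFIG = """\
ip access-list extended wizard-pfwd-2
permit tcp any host 10.1.10.10 eq 1723 log
permit gre any host 10.1.10.10 log
permit udp any host 10.1.10.10 eq isakmp log
ip access-list extended wizard-pfwd-3
permit tcp any host 10.1.10.10 eq 5900 log
ip policy-class Public
nat destination list wizard-pfwd-2 address 192.168.0.20
nat destination list wizard-pfwd-3 address 192.168.1.196
"""
NAMED_PORTS = {"isakmp": 500, "https": 443, "ssh": 22}  # assumed service-name mapping

def parse_acls(text):
    """Map each extended ACL name to its (proto, wan_host, port) permit entries."""
    acls, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        head = re.match(r"ip access-list extended (\S+)", line)
        if head:
            current = head.group(1)
            continue
        m = re.match(r"permit (\w+) any host (\S+)(?: eq (\S+))?", line)
        if m and current:
            proto, host, port = m.groups()
            if port is not None:
                port = NAMED_PORTS[port] if port in NAMED_PORTS else int(port)
            acls.setdefault(current, []).append((proto, host, port))
    return acls

def parse_forwards(text):
    """Join ACL entries with 'nat destination list' lines: (proto, wan_host, port) -> inside host."""
    acls, forwards = parse_acls(text), {}
    for m in re.finditer(r"nat destination list (\S+) address (\S+)", text):
        for entry in acls.get(m.group(1), []):
            forwards[entry] = m.group(2)
    return forwards

def pptp_forward_ok(forwards, wan_host):
    """PPTP needs TCP 1723 (control) and GRE (data) both landing on the same inside host."""
    ctl, gre = forwards.get(("tcp", wan_host, 1723)), forwards.get(("gre", wan_host, None))
    return ctl is not None and ctl == gre

def extra_forwards(forwards, wan_host):
    """Forwards on wan_host beyond what PPTP needs; each one is exposed surface to review."""
    needed = {("tcp", wan_host, 1723), ("gre", wan_host, None)}
    return [k for k in forwards if k[1] == wan_host and k not in needed]
```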
10.1.10.10, is there another router in front of the 3120? Your ACLs look correct, with the concern being the host; typically, when the 3120 is terminating the Internet connection, you would see this:
permit tcp any host Public IP eq 1723
If there is in fact another router in front of the 3120, then your WAN interface eth 0/1 on the 3120 should be getting this 10.1.10.10. I would static this interface with 10.1.10.10/sm instead of DHCP, since it is possible that your eth 0/1 interface is getting a different IP than what you are specifying in the pfwd ACLs, and then try. Also make sure the internet-facing router is allowing VPN passthrough to 10.1.10.10.
Other than that, you have what it takes to forward PPTP traffic to your server at 192.168.0.20.
Hi 3l3mn8r,
Yes, there's a cable modem that assigns a LAN IP through DHCP to each device connected.
In this case, on the cable modem I set up a 1-to-1 NAT from the public IP address to the private IP address 10.1.10.10.
When I check out the dynamic policy-class association table during an outside PPTP connection attempt (it will connect from inside), it looks like everything is forwarding correctly, but it never connects successfully:
Protocol | Source Address/Port | Destination Address/Port | Nat Address/Port |
TCP(6) | 69.14.xx.xxx / 51085 | 10.1.10.10 / 443 | ... |
TCP(6) | 69.14.xx.xxx / 51086 | 10.1.10.10 / 443 | ... |
TCP(6) | 69.14.xx.xxx / 51046 | 10.1.10.10 / 1723 | 192.168.0.20 / 1723 |
UDP(17) | 69.14.xx.xxx / 500 | 10.1.10.10 / 500 | 192.168.0.20 / 500 |
GRE(47) | 69.14.xx.xxx | 10.1.10.10 | 192.168.0.20 |
TCP(6) | 69.14.xx.xxx / 1285 | 10.1.10.10 / 5900 | 192.168.1.196 / 5900 |
I note that I am able to connect to port 5900 without issue, and I am using the same process. The last row in the table above is an active connection.
I can try to static the interface, although the modem shows that it currently has assigned 10.1.10.10 to the NetVanta.
Is there anything else I can try? I can't believe how much trouble this is.
Thanks!
-mp
Your 3120 is correctly configured; the issue is more than likely the routing of your modem. I would contact your ISP, as many ISPs will block ports up to 2000. My suggestion is to put your modem in bridge mode, assign a static IP address to the eth 0/1 interface, and add a default route to the route table such as
0.0.0.0 0.0.0.0 Public default gateway.
This design will pass all traffic to your 3120 and take the routing of the modem out of the picture; you want your 3120 doing all routing. You will also then turn off LAN DHCP on the modem and disable any firewall the unit has. This is how I set up all my commercial customers. You can contact your ISP to have them walk you through setting the modem in bridge mode; a Google search for your particular modem model will also yield the required information. The only things you will have to change on the 3120 are the ACLs from 10.1.10.10 to your public IP, your eth 0/1 IP/SM, and adding a default gateway to your route table. Are you using a static IP from your ISP, or are you using DDNS to find your connection?
Hi 3l3mn8r,
I configured the 3120 to use the public static IP with the modem's DHCP disabled and firewall off, but it still won't work for PPTP. I called Comcast and they said it's wide open and does not block anything.
I was able to set up OpenVPN and forward in the port for it, so it looks like I'll have to go that way for the moment, although I am restricted on how many users can connect.
Also, I was able to set up VPN on the 3120 and connect from a ShrewSoft client, but it seems to only allow one connection at a time, which is very strange.
Anyway, thanks for your help.
-mp
Forwarding PPTP traffic through the NetVanta is an application that should work and has worked. I realize you have a couple of workarounds working at the moment, but if you are still up for troubleshooting, we can continue to help you out. I'm not sure if you have turned the modem's firewall and DHCP functionalities back on, but my response below is based on the assumption that you have.
I agree that your basic configuration looks correct concerning the port forwards. One question I did have is that it looks like the ports you have forwarded include PPTP ports and L2TP/IPsec ports as well. The only port that appears to be missing is UDP 4500, which is used by IPsec for NAT traversal. I was not sure if you were attempting to build an L2TP/IPsec tunnel as well, but this port will need to be forwarded if you are.
Below are a couple of suggestions that would be helpful to troubleshoot this issue further:
1.) It would be helpful to get a packet capture from the PPTP server to see if the traffic being forwarded by the NetVanta is being received by the server at all.
2.) It would also be helpful to get a packet capture from the PC attempting to connect to the PPTP server so we can see which ports the PC is using to attempt to open the connection. The other way to check this would be to also set up a 1:1 NAT on the NetVanta; however, you have other port forwards in the picture, so this is not an option.
Let us know if you get a chance to try the suggestions and the results. Also, please do not hesitate to let us know if you have any questions.
Thanks,
Noor
Hi Noor,
The appliance with the PPTP service only recommended that TCP port 1723 needed to be forwarded. I added a few more in an attempt to get it to connect.
I have also added UDP 4500 per your suggestion, but it did not seem to help.
Do you have any suggestions for how I would get a packet capture? Can this all be done through the Adtran or do I need to set up external software to accomplish this?
Thanks!
-mp
If your modem is not in bridge mode, then even if you enter a static IP on the WAN interface of the 3120, PPTP packets will stop at the modem. I notice you indicated that you disabled the DHCP and firewall on the modem, but you did not indicate that you had the modem in bridge mode, which is separate from these steps. Here are the steps.
Put the modem in bridge mode, and disable LAN DHCP and any firewall on the modem. Configure a static IP and subnet mask on the WAN eth 0/1 interface of the 3120. Add a route to the route table (gateway for your ISP). Replace 10.1.10.10 with the static IP in your ACLs. Make sure you can get to the internet from the LAN. At this point check to see if PPTP works; if not, then run a port scan to see if 1723 is open. mxtoolbox.com is the scan page I use. If it is open, you may want to start looking at your PPTP server.
You should only need to forward UDP port 1723 and GRE traffic to the PPTP server for PPTP tunnels.
As far as a program to use for a packet capture, I would suggest a program called Wireshark. You can install it on your server and/or your PC (if supported). I'm not sure if your PPTP server will allow you to download Wireshark onto it. However, if not, then you can set up a port mirror on the switch the PPTP server is plugged into, install Wireshark on a PC, and then capture the mirrored packets off the PPTP server.
Let us know if you have any questions.
Thanks,
Noor
Thanks for your help. I am going to table this issue for now. Looks like I will eventually need a more robust VPN solution, and I don't think it will involve PPTP.
I know this is an old post, but 3l3mn8r is right: you are double NATting from the internet to your VPN server. Plug the PPTP server directly into the cable modem and do the port forward (less secure, if the CM even supports GRE), or put the modem into bridge mode (if you have static IPs, or are terminating your VPN onto a DynDNS hostname).