mpopkin
New Contributor

Port forwarding for PPTP on a 3120 not working

Hi All,

Is there anything special I need to do to connect to a PPTP VPN server inside my network?  I have set up port forwarding for TCP 1723, GRE, and UDP ports 500, 5500 and 1701.

Is the 3120 capable of supporting PPTP connections?

I have included my configuration below if that is useful.

Thanks!

!
!
! ADTRAN OS version 18.03.01.00.E
! Boot ROM version 17.01.01.00
! Platform: NetVanta 3120, part number 1700601G2
! Serial number LBADTN0951AE196
!
!
hostname "NetVanta3120"
enable password xxxxxx
!
clock timezone -5-Eastern-Time
!
ip subnet-zero
ip classless
ip routing
domain-name "wp.comcast.net"
domain-proxy
!
!
no auto-config
!
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
!
no service password-encryption
!
username "admin" password "xxxxxx"
!
!
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
no ip firewall alg sip
!
aaa on
ftp authentication LoginUseLocalUsers
!
!
aaa authentication login LoginUseTacacs group tacacs+
aaa authentication login LoginUseRadius group radius
aaa authentication login LoginUseLocalUsers local
aaa authentication login LoginUseLinePass line
!
aaa authentication enable default enable
!
aaa authentication port-auth default local
!
!
!
no dot11ap access-point-control
!
!
!
ip dhcp pool "Private"
  network 192.168.0.0 255.255.255.0
  dns-server 192.168.0.1
  netbios-node-type h-node
  default-router 192.168.0.1
!
ip dhcp pool "Fenix"
  network 192.168.1.0 255.255.255.0
  dns-server 192.168.1.208
  default-router 192.168.1.208
!
!
!
!
vlan 1
  name "Default"
!
vlan 2
  name "VLAN2"
!
ip flow top-talkers
!
! WAN interface: address comes from the cable modem via DHCP; Public policy applied inbound
interface eth 0/1
  ip address dhcp
  ip access-policy Public
  media-gateway ip primary
  no shutdown
  no lldp send-and-receive
!
!
interface switchport 0/1
  spanning-tree edgeport
  no shutdown
!
interface switchport 0/2
  spanning-tree edgeport
  no shutdown
  switchport access vlan 2
  switchport voice vlan 2
!
interface switchport 0/3
  no shutdown
!
interface switchport 0/4
  no shutdown
!
!
!
interface vlan 1
  ip address 192.168.0.1 255.255.255.0
  ip access-policy Private
  ip flow ingress
  ip flow egress
  no shutdown
!
interface vlan 2
  mac-address 00:A0:C8:50:16:4F
  ip address 192.168.1.208 255.255.255.0
  ip mtu 1500
  ip access-policy Private
  ip flow ingress
  ip flow egress
  no shutdown
!
!
!
!
ip access-list standard wizard-ics
  remark Internet Connection Sharing
  permit any
!
!
ip access-list extended self
  remark Traffic to NetVanta
  permit ip any any log
!
ip access-list extended web-acl-15
  permit tcp any any eq https log
  permit tcp any any eq ssh log
!
ip access-list extended web-acl-3
  permit ip any any
!
! Inbound match list for the PPTP (and L2TP/IPsec) forwards; 10.1.10.10 is the WAN address handed out by the modem
ip access-list extended wizard-pfwd-2
  permit tcp any host 10.1.10.10 eq 1723 log
  remark PPTP
  permit gre any host 10.1.10.10 log
  permit udp any host 10.1.10.10 eq isakmp log
  permit udp any host 10.1.10.10 eq 5500 log
  permit udp any host 10.1.10.10 eq 1701 log
  permit tcp any host 10.1.10.10 eq https log
!
ip access-list extended wizard-pfwd-3
  remark VNC
  permit tcp any host 10.1.10.10 eq 5900 log
!
!
!
! Private policy (vlan 1 and vlan 2): LAN hosts are PATed out eth 0/1
ip policy-class Private
  allow list self self
  nat source list wizard-ics interface eth 0/1 overload
!
! Public policy (eth 0/1): HTTPS/SSH to the router itself, then destination NAT for the forwards
ip policy-class Public
  allow list web-acl-15 self
  nat destination list wizard-pfwd-2 address 192.168.0.20
  nat destination list wizard-pfwd-3 address 192.168.1.196
!
!
no tftp server
no tftp server overwrite
http authentication LoginUseLocalUsers
http server
http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
ip sip
ip sip udp 5060
ip sip tcp 5060
!
!
line con 0
  login authentication LoginUseLinePass
!
line telnet 0 4
  login authentication LoginUseLocalUsers
  password password
  no shutdown
line ssh 0 4
  login authentication LoginUseLocalUsers
  no shutdown
!
sntp server nist.netservicesgroup.com
!
end

10 Replies
Anonymous
Not applicable

Re: Port forwarding for PPTP on a 3120 not working

10.1.10.10, is there another router in front of the 3120?  Your ACLs look correct, the concern being the host; typically, when the 3120 is terminating the Internet connection, you would see this:

permit tcp any  host Public IP eq 1723

If there is in fact another router in front of the 3120, then your WAN interface eth0/1 on the 3120 should be getting this 10.1.10.10.  I would static this interface with 10.1.10.10/sm instead of DHCP; it is possible that your eth0/1 interface is getting a different IP than what you are specifying in the pfwd ACLs.  Then try again, and also make sure the internet-facing router is allowing VPN passthrough to the 10.1.10.10.

Other than that you have what it takes to forward pptp traffic to your server at 192.168.0.20.


mpopkin
New Contributor

Re: Port forwarding for PPTP on a 3120 not working

Hi 3l3mn8r,

Yes, there's a cable modem that assigns a LAN IP through DHCP to each device connected.

In this case, on the cable modem I set up a 1-to-1 NAT from the public IP Address to the private IP Address of 10.1.10.10

When I check out the dynamic policy-class association table during an outside PPTP connection attempt (it will connect from inside), it looks like everything is forwarding correctly, but it never connects successfully:

Protocol   Source Address/Port     Destination Address/Port   Nat Address/Port
TCP(6)     69.14.xx.xxx / 51085    10.1.10.10 / 443           ...
TCP(6)     69.14.xx.xxx / 51086    10.1.10.10 / 443           ...
TCP(6)     69.14.xx.xxx / 51046    10.1.10.10 / 1723          192.168.0.20 / 1723
UDP(17)    69.14.xx.xxx / 500      10.1.10.10 / 500           192.168.0.20 / 500
GRE(47)    69.14.xx.xxx            10.1.10.10                 192.168.0.20
TCP(6)     69.14.xx.xxx / 1285     10.1.10.10 / 5900          192.168.1.196 / 5900

I note that I am able to connect to port 5900 without issue, and I am using the same process.  The last row in the table above is an active connection.

I can try to static the interface, although the modem shows that it currently has assigned 10.1.10.10 to the NetVanta.

Is there anything else I can try?  I can't believe how much trouble this is.

Thanks!

-mp

Anonymous
Not applicable

Re: Port forwarding for PPTP on a 3120 not working

Your 3120 is correctly configured; the issue is more than likely the routing of your modem. I would contact your ISP, as many ISPs will block ports up to 2000.  My suggestion is to put your modem in bridge mode, assign a static IP address to the eth0/1 interface, and add a default route to the route table such as

0.0.0.0 0.0.0.0 Public default gateway.

This design will pass all traffic to your 3120 and take the routing of the modem out of the picture; you want your 3120 doing all routing.  You will also then turn off LAN DHCP on the modem and disable any firewall the unit has.  This is how I set up all my commercial customers.  You can contact your ISP to have them walk you through setting the modem in Bridge mode; any Google search for your particular modem model will also yield the required information.  The only things you will have to change on the 3120 are the ACLs (from 10.1.10.10 to your Public IP), your eth0/1 IP/SM, and adding a default gateway to your route table.  Are you using a Static IP from your ISP, or are you using DDNS to find your connection?

mpopkin
New Contributor

Re: Port forwarding for PPTP on a 3120 not working

hi 3l3mn8r,

I configured the 3120 to use the public static ip with modem's DHCP disabled and firewall off, but it still won't work for PPTP.  Called Comcast and they said it's wide open and does not block anything.

I was able to set up OpenVPN and forward in the port for it, so it looks like I'll have to go that way for the moment, although I am restricted on how many users can connect.

Also, I was able to setup VPN on the 3120 and connect from a ShrewSoft client, but it seems to only allow one connection at a time, very strange.

Anyway, thanks for your help.

-mp

Anonymous
Not applicable

Re: Port forwarding for PPTP on a 3120 not working

Forwarding PPTP traffic through the NetVanta is an application that should work and has worked. I realize you have a couple of workarounds working at the moment, but if you are still up for troubleshooting, we can continue to help you out. I'm not sure if you have turned the modem's firewall and DHCP functionalities back on, but my response below is based on the assumption that you have.

I agree that your basic configuration looks correct concerning the port forwards. One question I did have is that it looks like the ports you have forwarded include PPTP ports and L2TP/IPSec ports as well. The only port that appears to be missing is UDP 4500, which is used by IPSec for NAT-Traversal. I was not sure if you were attempting to build an L2TP/IPSec tunnel as well, but this port will need to be forwarded if you are.

Below are a couple of suggestions that would be helpful to troubleshoot this issue further:

1.) It would be helpful to get a packet capture from the PPTP server to see if the traffic being forwarded by the NetVanta is being received by the server at all.

2.) It would also be helpful to get a packet capture from the PC attempting to connect to the PPTP server so we can see which ports the PC is using to attempt to open the connection. The other way to check this would be to also setup a 1:1 NAT on the NetVanta, however, you have other port forwards in the picture so this is not an option.

Let us know if you get a chance to try the suggestions and the results. Also, please do not hesitate to let us know if you have any questions.

Thanks,

Noor

mpopkin
New Contributor

Re: Port forwarding for PPTP on a 3120 not working

Hi Noor,

The appliance with the PPTP service only had recommended TCP port 1723 needed to be forwarded.  I added a few more in an attempt to get it connect.

I have also added UDP 4500 per your suggestion, but it did not seem to help.

Do you have any suggestions for how I would get a packet capture?  Can this all be done through the Adtran or do I need to set up external software to accomplish this?

Thanks!

-mp

Anonymous
Not applicable

Re: Port forwarding for PPTP on a 3120 not working

If your modem is not in Bridge mode, then even if you enter a static IP on the WAN interface of the 3120, PPTP packets will stop at the modem.  I notice you indicated that you disabled the DHCP and firewall on the modem, but you did not indicate that you had the modem in Bridge mode, which is separate from these steps.  Here are the steps.

Put the modem in Bridge Mode, disable LAN DHCP and any Firewall on the modem.  Configure a Static IP and Subnet mask on the WAN Eth 0/1 interface of the 3120.  Add a route to the route table (gateway for your ISP).  Replace 10.1.10.10 with the Static IP in your ACLs.  Make sure you can get to the internet from the LAN.  At this point check to see if PPTP works; if not, then run a port scan to see if 1723 is open.  mxtoolbox.com is the scan page I use.  If it is open you may want to start looking at your PPTP server.

Anonymous
Not applicable

Re: Port forwarding for PPTP on a 3120 not working

You should only need to forward UDP port 1723 and GRE traffic to the PPTP server for PPTP tunnels.

As far as a program to use for a packet capture, I would suggest a program called Wireshark. You can install it on your server and/or your PC (if supported). I'm not sure if your PPTP server will allow you to download Wireshark onto it. However, if not, then you can set up a port mirror on the switch the PPTP server is plugged into, install Wireshark on a PC, and then capture the mirrored packets off the PPTP server.

Let us know if you have any questions.

Thanks,

Noor
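The two replies above both come down to the same first check: confirm that TCP 1723 actually reaches the PPTP server before blaming GRE. A port scan only proves the TCP handshake; the script below goes one step further and speaks the PPTP control protocol (RFC 2637), sending a Start-Control-Connection-Request and parsing the reply. This is an added example for this page, not code from the thread, from ADTRAN, or from the PPTP appliance; the hostnames and the sample reply are constructed. Run it as `python pptp_probe.py <public-ip>` from outside the network; with no argument it parses a built-in sample reply so it can be exercised offline. If the SCCRP comes back with result code 1, the 1723 forward is working end to end and the next suspect is GRE (IP protocol 47), which a NAT device must forward separately from TCP.

```python
"""Probe a PPTP server's control channel (TCP 1723) with a single SCCRQ.

Added example for this page (not from the thread, ADTRAN or the appliance).
A successful SCCRP proves the TCP 1723 forward works end to end; only then
is a tunnel that still fails likely to be a GRE (IP protocol 47) problem.
"""
import socket
import struct

PPTP_MAGIC = 0x1A2B3C4D
MSG_CONTROL = 1          # PPTP Message Type: control message
CTRL_SCCRQ = 1           # Start-Control-Connection-Request
CTRL_SCCRP = 2           # Start-Control-Connection-Reply
PROTO_VERSION = 0x0100   # PPTP version 1.0

# Common control-message header (RFC 2637 section 2.1):
# Length, PPTP Message Type, Magic Cookie, Control Message Type, Reserved0
HEADER = struct.Struct("!HHIHH")
# SCCRQ body: Protocol Version, Reserved1, Framing Capabilities,
# Bearer Capabilities, Maximum Channels, Firmware Revision, Host Name, Vendor String
SCCRQ_BODY = struct.Struct("!HHIIHH64s64s")
# SCCRP body: Protocol Version, Result Code, Error Code, Framing Capabilities,
# Bearer Capabilities, Maximum Channels, Firmware Revision, Host Name, Vendor String
SCCRP_BODY = struct.Struct("!HBBIIHH64s64s")

RESULT_CODES = {
    1: "Successful channel establishment",
    2: "General error",
    3: "Command channel already exists",
    4: "Requester is not authorized",
    5: "Unsupported protocol version",
}


def build_sccrq(hostname=b"pptp-probe", vendor=b"example"):
    """Return a 156-byte SCCRQ; hostname and vendor are arbitrary probe values."""
    # Framing/bearer capability bits 0x3 = async+sync / analog+digital.
    body = SCCRQ_BODY.pack(PROTO_VERSION, 0, 0x3, 0x3, 1, 0, hostname, vendor)
    length = HEADER.size + SCCRQ_BODY.size
    return HEADER.pack(length, MSG_CONTROL, PPTP_MAGIC, CTRL_SCCRQ, 0) + body


def _cstr(raw):
    """Decode a NUL-padded fixed-width string field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_sccrp(data):
    """Parse an SCCRP; raise ValueError if the bytes are not one."""
    if len(data) < HEADER.size + SCCRP_BODY.size:
        raise ValueError("short PPTP reply: %d bytes" % len(data))
    _length, msg_type, magic, ctrl_type, _reserved = HEADER.unpack_from(data)
    if magic != PPTP_MAGIC or msg_type != MSG_CONTROL:
        raise ValueError("not a PPTP control message")
    if ctrl_type != CTRL_SCCRP:
        raise ValueError("unexpected control message type %d" % ctrl_type)
    (version, result, error, _framing, _bearer,
     max_channels, firmware, host, vendor) = SCCRP_BODY.unpack_from(data, HEADER.size)
    return {
        "version": version,
        "result_code": result,
        "result": RESULT_CODES.get(result, "unknown result %d" % result),
        "error_code": error,
        "max_channels": max_channels,
        "firmware": firmware,
        "hostname": _cstr(host),
        "vendor": _cstr(vendor),
    }


def probe_pptp(host, port=1723, timeout=5.0):
    """Connect, send an SCCRQ, and return the parsed SCCRP (network access required)."""
    want = HEADER.size + SCCRP_BODY.size
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sccrq())
        buf = b""
        while len(buf) < want:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_sccrp(buf)


def sample_sccrp(result_code=1, hostname=b"vpn-appliance", vendor=b"Example Vendor"):
    """Constructed SCCRP, as a real server would answer; used for the offline demo."""
    body = SCCRP_BODY.pack(PROTO_VERSION, result_code, 0, 0x3, 0x3, 32, 0, hostname, vendor)
    length = HEADER.size + SCCRP_BODY.size
    return HEADER.pack(length, MSG_CONTROL, PPTP_MAGIC, CTRL_SCCRP, 0) + body


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe_pptp(sys.argv[1]))
    else:
        print(parse_sccrp(sample_sccrp()))
```

The probe deliberately stops after the SCCRP: no PPP authentication is attempted, so it is safe to run against your own server and tells you only whether the control channel is reachable through the NAT chain. A connection timeout means TCP 1723 is not being forwarded (or is filtered upstream); an immediate reset means something answered but is not a PPTP server; a result code other than 1 means the server itself refused the session.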

mpopkin
New Contributor

Re: Port forwarding for PPTP on a 3120 not working

Thanks for your help.  I am going to table this issue for now.  Looks like I will eventually need a more robust VPN solution, and I don't think it will involve PPTP.

jgoldberg
New Contributor II

Re: Port forwarding for PPTP on a 3120 not working

I know this is an old post, but 3l3mn8r is right: you are double-NATting from the internet to your VPN server. Plug the PPTP server directly into the cable modem and do the port forward there (less secure, if the CM even supports GRE), or put the modem into bridge mode (if you have static IPs, or are terminating your VPN onto a DynDNS hostname).