Re: pptp into a natted network?

From: Ilker Temir (itemir@cisco.com)
Date: Tue Feb 12 2002 - 09:42:36 EST


Then you can put an access-group on the interface to block the rest of the
traffic.

Ilker

On Tue, 12 Feb 2002, Jim Jones, Jr. wrote:

> yup, you're right... but that allows all traffic to that ip... i only want
> to allow tcp1723 and gre...
>
> thanks,
>
>
> Jim Jones, Jr.
> Partner
> OcuSafe, LLC
> www.ocusafe.com
> Attractive, Reliable, Affordable Protection.
>
> ----- Original Message -----
> From: "Ilker Temir" <itemir@cisco.com>
> To: "Jim Jones, Jr." <jimjones@oct.net>
> Cc: <cisco-nsp@puck.nether.net>
> Sent: Tuesday, February 12, 2002 8:22 AM
> Subject: Re: pptp into a natted network?
>
>
> : Although I am not a specialist on pptp it should work. The following
> : successfully translates GRE.
> :
> : 192.168.2.1 should be the public IP and 172.16.1.5 should be the private IP of
> : your server.
> :
> : Thanks,
> :
> : Ilker
> :
> : interface FastEthernet0/0
> :  ip address 172.16.1.1 255.255.255.0
> :  ip nat inside
> : interface Serial0/0
> :  ip address 192.168.1.2 255.255.255.252
> :  ip nat outside
> : ip nat inside source list 12 interface Serial0/0 overload
> : ip nat inside source static 172.16.1.5 192.168.2.1
> :
> : ....
> : *Mar 5 01:19:50.607: NAT*: s=172.16.1.5->192.168.2.1, d=192.168.1.1 [2]
> : *Mar 5 01:19:50.643: NAT*: o: gre (192.168.1.1, 0) -> (192.168.2.1, 0) [23]
> : *Mar 5 01:19:50.643: NAT*: s=192.168.1.1, d=192.168.2.1->172.16.1.5 [23]
> : *Mar 5 01:19:50.647: NAT*: i: gre (172.16.1.5, 0) -> (192.168.1.1, 0) [3]
> : *Mar 5 01:19:50.647: NAT*: s=172.16.1.5->192.168.2.1, d=192.168.1.1 [3]
> : *Mar 5 01:19:50.687: NAT*: o: gre (192.168.1.1, 0) -> (192.168.2.1, 0) [24]
> : *Mar 5 01:19:50.687: NAT*: s=192.168.1.1, d=192.168.2.1->172.16.1.5 [24]
> : *Mar 5 01:19:50.691: NAT*: i: gre (172.16.1.5, 0) -> (192.168.1.1, 0) [4]
> : *Mar 5 01:19:50.691: NAT*: s=172.16.1.5->192.168.2.1, d=192.168.1.1 [4]
> : ....
> :
> :
> : On Tue, 12 Feb 2002, Jim Jones, Jr. wrote:
> :
> : > Yup, tried that, but i can't figure out the static mapping of GRE !
> : >
> : > thanks,
> : >
> : >
> : > Jim Jones, Jr.
> : > Partner
> : > OcuSafe, LLC
> : > www.ocusafe.com
> : > Attractive, Reliable, Affordable Protection.
> : >
> : > ----- Original Message -----
> : > From: "Ilker Temir" <itemir@cisco.com>
> : > To: "Jim Jones, Jr." <jimjones@oct.net>
> : > Cc: <cisco-nsp@puck.nether.net>
> : > Sent: Tuesday, February 12, 2002 6:51 AM
> : > Subject: Re: pptp into a natted network?
> : >
> : >
> : > : Do you have available public IP address ? If so, try static mapping.
> : > :
> : > : Ilker
> : > :
> : > : On Tue, 12 Feb 2002, Jim Jones, Jr. wrote:
> : > :
> : > : > Exactly... but how do you forward the GRE... the 1723 is easy...
> : > : >
> : > : > Thanks,
> : > : >
> : > : >
> : > : > Jim Jones, Jr.
> : > : > Partner
> : > : > OcuSafe, LLC
> : > : > www.ocusafe.com
> : > : > Attractive, Reliable, Affordable Protection.
> : > : >
> : > : > ----- Original Message -----
> : > : > From: "Roisman, Dani" <droisman@soe.sony.com>
> : > : > To: "'Jim Jones, Jr.'" <jimjones@oct.net>
> : > : > Sent: Tuesday, February 12, 2002 6:31 AM
> : > : > Subject: RE: pptp into a natted network?
> : > : >
> : > : >
> : > : > > don't know if you got an answer yet,
> : > : > >
> : > : > > but by my experience, pptp uses TCP port 1723 and GRE (IP Protocol 47).
> : > : > >
> : > : > > so I would assume if you forward tcp port 1723 and gre to your pptp server,
> : > : > > you will probably be golden.
> : > : > >
> : > : > > ----
> : > : > > Dani
> : > : > >
> : > : > >
> : > : > > > -----Original Message-----
> : > : > > > From: Jim Jones, Jr. [mailto:jimjones@oct.net]
> : > : > > > Sent: Tuesday, February 12, 2002 3:48 AM
> : > : > > > To: cisco-nsp@puck.nether.net
> : > : > > > Subject: Re: pptp into a natted network?
> : > : > > >
> : > : > > >
> : > : > > > I think that I am trying to do the exact opposite. This example shows the
> : > : > > > pptp server outside the natted network... and the clients inside. I would
> : > : > > > like to do this with the pptp server inside the private network and the
> : > : > > > clients out on the 'net.
> : > : > > >
> : > : > > > Thanks,
> : > : > > >
> : > : > > >
> : > : > > >
> : > : > > > Jim Jones, Jr.
> : > : > > > Partner
> : > : > > > OcuSafe, LLC
> : > : > > > www.ocusafe.com
> : > : > > > Attractive, Reliable, Affordable Protection.
> : > : > > >
> : > : > > > ----- Original Message -----
> : > : > > > From: "Roman Volkov" <rv@kht.ru>
> : > : > > > To: "Jim Jones, Jr." <jimjones@oct.net>
> : > : > > > Cc: <cisco-nsp@puck.nether.net>
> : > : > > > Sent: Monday, February 11, 2002 11:55 PM
> : > : > > > Subject: Re: pptp into a natted network?
> : > : > > >
> : > : > > >
> : > : > > > > > I have a customer with a cisco 2621 running nat and they need to allow
> : > : > > > > > certain addresses into their pptp server... any clues? I haven't been able
> : > : > > > > > to find anything on cisco's website...
> : > : > > > >
> : > : > > > > see through
> : > : > > > > http://www.cisco.com/warp/public/471/pptp_pat.html
> : > : > > > > you must have IOS 12.1(4)T or newer for it
> : > : > > > >
> : > : > > > > > Jim Jones, Jr.
> : > : > > > > > Partner
> : > : > > > > > OcuSafe, LLC
> : > : > > > > > www.ocusafe.com
> : > : > > > > > Attractive, Reliable, Affordable Protection.
> : > : > > > >
> : > : > > > > --
> : > : > > > > Roman Volkov, CCNA, <rv@kht.ru> - http://home.kht.ru/~rv
> : > : > > > > Khabarovsk TTS, http://net.kht.ru
> : > : > > > > Russia
> : > : > > > >
> : > : > > >
> : > : > >
> : > : >
> : > :
> : > :
> : >
> :
> :
> :
>
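
The access-group suggested at the top of this message, written out as an added example that is not part of the original thread: an inbound extended ACL on the outside interface that lets only TCP 1723 and GRE reach the statically mapped server. It reuses the thread's addresses (192.168.2.1 public, Serial0/0 outside); the ACL name PPTP-IN and the client range 203.0.113.0/24 are assumptions.

```cisco
! Added example, not from the thread. PPTP-IN is a hypothetical ACL name and
! 203.0.113.0/24 is a constructed stand-in for the "certain addresses" that
! are allowed to reach the PPTP server.
!
! An inbound ACL on the outside interface is evaluated before the
! outside-to-inside NAT translation, so it must match the public address
! 192.168.2.1, not the private address 172.16.1.5.
ip access-list extended PPTP-IN
 ! PPTP control channel
 permit tcp 203.0.113.0 0.0.0.255 host 192.168.2.1 eq 1723
 ! PPTP data channel (GRE, IP protocol 47)
 permit gre 203.0.113.0 0.0.0.255 host 192.168.2.1
 ! Everything else aimed at the static mapping is dropped and logged
 deny   ip any host 192.168.2.1 log
 ! Keep return traffic for the hosts using the overload (PAT) rule;
 ! replace this line with the site's existing inbound policy if there is one
 permit ip any any
!
interface Serial0/0
 ip access-group PPTP-IN in
```

The log keyword on the deny line makes it possible to see which sources are probing the mapped address for anything other than PPTP.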



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:33 EDT