RE: cisco IOS firewall terminating pptp

["Andrew Shore" <andrew.shore () holistecs com>]

Mark,

Thanks for the help.

The resolution was in fact not the NATTING (bit of a red herring) but
the PIX at the customer site (which they had not told me about)

Regards

Andy

-----Original Message-----
From: Mark Lewis [mailto:mark () mjlnet com] 
Sent: 24 November 2004 22:44
To: Andrew Shore
Cc: sec-basic list; Sec.Focus FW
Subject: FW: cisco IOS firewall terminating pptp

Andrew,

*From your brief description*, it seems likely that you are running into
an
issue with the PPTP data tunnel (PPTP, as you may know consists of a
control
channel which uses TCP port  1723, and a data tunnel that uses Enhanced
GRE).

The issue is as follows: the remote access client (say an XP box) and
your
IOS box negotiate  PPTP tunnel setup on the control channel (using PPTP
SCCRQ, SCCTP, OCRQ, and OCRP messages).

Because the control channel runs over TCP, NAT/PAT boxes typically don't
have a problem with it. But because the data tunnel (which transports
end
user traffic over PPP) runs over GRE (IP  port 47), NAT/*PAT* boxes may
have
problems translating data tunnel packets.

The upshot is that the control channel sets up the PPTP tunnel, but then
data tunnel transport fails, and the whole PPTP tunnel goes down.

You can verify if this is happening in your case by using the 'debug
vpdn
l2x-packets'/'debug  vpdn l2x-events' and 'debug ppp negotiation' on
your
ios box [but check cpu load 1st using 'show proc cpu'!]. If you see the
SCCRQ/SCCRP/OCRQ/OCRP control channel messages, but PPP negotiation
fails
then the issue described here is likely the one you are running into.
PPP
messages are the first traffic frames sent over the data tunnel, so if
you
don't see them (or just one or two), then it's *likely* that there is
indeed
a problem translating data tunnel messages (though it could also
*possibly*
be a simple PPP  negotiation/ios virtual template issue).

If you are really curious, you can also watch PPP negotiation from the
Microsoft client side by enabling PPP logging (see Microsoft KB article
234014 at www.microsoft.com).


Anyway, Cisco IOS supports 'regular' 1-1 NAT, but support for PAT with
PPTP
was only added in IOS 12.1(4)T. So, double check that you have a version
of
IOS that supports PPTP & PAT (no explicit command is necessary to enable
support).

See the following website for a Cisco explanation:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_e
xamp
le09186a00800949c0.shtml

Phew! Hope that helps...

Mark

Author: http://www.amazon.com/exec/obidos/tg/detail/-/1587051044/




> -- Original Message --
> Subject: cisco IOS firewall terminating pptp
> Date: Mon, 22 Nov 2004 16:44:08 -0000
> From: "Andrew Shore" <andrew.shore () holistecs com>
> To: <firewalls () securityfocus com>
>
>
> Guys,
>
> I have a cisco ISO firewall router terminating pptp vpn for remote
access.
> This works fine for dial-up users and users using adsl modems as the
source
> address is not natted. However, if the source address is natted the VPN
fails
> to connect.
>
> I know that on the PIX there is an IP NAT TRANSLATE command with gets
over
> this problem but I can not find an equivalent command for IOS.
>
> Any help greatfully received.
>
> Andy


___________________________________________________________

FREE weekend phone calls! NO monthly fee, NO contract!

http://www.tiscali.co.uk/services/smarttalk/?StartupCode=OL063&srccode=C
OD_5
63