10 Replies Latest reply on Aug 29, 2013 6:22 PM by jgoldberg

    Port forwarding for PPTP on a 3120 not working

    mpopkin New Member

      Hi All,

      Is there anything special I need to do to connect to a PPTP VPN server inside my network?  I have set up port forwarding for TCP 1723, GRE, and UDP ports 500, 5500 and 1701.

      Is the 3120 capable of supporting PPTP connections?

      I have included my configuration below if that is useful.

      Thanks!

      !
      !
      ! ADTRAN OS version 18.03.01.00.E
      ! Boot ROM version 17.01.01.00
      ! Platform: NetVanta 3120, part number 1700601G2
      ! Serial number LBADTN0951AE196
      !
      !
      hostname "NetVanta3120"
      enable password xxxxxx
      !
      clock timezone -5-Eastern-Time
      !
      ip subnet-zero
      ip classless
      ip routing
      domain-name "wp.comcast.net"
      domain-proxy
      !
      !
      no auto-config
      !
      event-history on
      no logging forwarding
      logging forwarding priority-level info
      no logging email
      !
      no service password-encryption
      !
      username "admin" password "xxxxxx"
      !
      !
      ip firewall
      no ip firewall alg msn
      no ip firewall alg mszone
      no ip firewall alg h323
      no ip firewall alg sip
      !
      aaa on
      ftp authentication LoginUseLocalUsers
      !
      !
      aaa authentication login LoginUseTacacs group tacacs+
      aaa authentication login LoginUseRadius group radius
      aaa authentication login LoginUseLocalUsers local
      aaa authentication login LoginUseLinePass line
      !
      aaa authentication enable default enable
      !
      aaa authentication port-auth default local
      !
      !
      !
      no dot11ap access-point-control
      !
      !
      !
      ip dhcp pool "Private"
        network 192.168.0.0 255.255.255.0
        dns-server 192.168.0.1
        netbios-node-type h-node
        default-router 192.168.0.1
      !
      ip dhcp pool "Fenix"
        network 192.168.1.0 255.255.255.0
        dns-server 192.168.1.208
        default-router 192.168.1.208
      !
      !
      !
      !
      vlan 1
        name "Default"
      !
      vlan 2
        name "VLAN2"
      !
      ip flow top-talkers
      !
      interface eth 0/1
        ip address dhcp
        ip access-policy Public
        media-gateway ip primary
        no shutdown
        no lldp send-and-receive
      !
      !
      interface switchport 0/1
        spanning-tree edgeport
        no shutdown
      !
      interface switchport 0/2
        spanning-tree edgeport
        no shutdown
        switchport access vlan 2
        switchport voice vlan 2
      !
      interface switchport 0/3
        no shutdown
      !
      interface switchport 0/4
        no shutdown
      !
      !
      !
      interface vlan 1
        ip address  192.168.0.1  255.255.255.0
        ip access-policy Private
        ip flow ingress
        ip flow egress
        no shutdown
      !
      interface vlan 2
        mac-address 00:A0:C8:50:16:4F
        ip address  192.168.1.208  255.255.255.0
        ip mtu 1500
        ip access-policy Private
        ip flow ingress
        ip flow egress
        no shutdown
      !
      !
      !
      !
      ip access-list standard wizard-ics
        remark Internet Connection Sharing
        permit any
      !
      !
      ip access-list extended self
        remark Traffic to NetVanta
        permit ip any  any     log
      !
      ip access-list extended web-acl-15
        permit tcp any  any eq https   log
        permit tcp any  any eq ssh   log
      !
      ip access-list extended web-acl-3
        permit ip any  any
      !
      ip access-list extended wizard-pfwd-2
        permit tcp any  host 10.1.10.10 eq 1723   log
        remark PPTP
        permit gre any  host 10.1.10.10     log
        permit udp any  host 10.1.10.10 eq isakmp    log
        permit udp any  host 10.1.10.10 eq 5500    log
        permit udp any  host 10.1.10.10 eq 1701    log
        permit tcp any  host 10.1.10.10 eq https   log
      !
      ip access-list extended wizard-pfwd-3
        remark VNC
        permit tcp any  host 10.1.10.10 eq 5900   log
      !
      !
      !
      ip policy-class Private
        allow list self self
        nat source list wizard-ics interface eth 0/1 overload
      !
      ip policy-class Public
        allow list web-acl-15 self
        nat destination list wizard-pfwd-2 address 192.168.0.20
        nat destination list wizard-pfwd-3 address 192.168.1.196
      !
      !
      no tftp server
      no tftp server overwrite
      http authentication LoginUseLocalUsers
      http server
      http secure-server
      no snmp agent
      no ip ftp server
      ip ftp server default-filesystem flash
      no ip scp server
      no ip sntp server
      !
      !
      !
      ip sip
      ip sip udp 5060
      ip sip tcp 5060
      !
      !
      line con 0
        login authentication LoginUseLinePass
      !
      line telnet 0 4
        login authentication LoginUseLocalUsers
        password password
        no shutdown
      line ssh 0 4
        login authentication LoginUseLocalUsers
        no shutdown
      !
      sntp server nist.netservicesgroup.com
      !
      end

        • Re: Port forwarding for PPTP on a 3120 not working
          3l3mn8r New Member

          10.1.10.10: is there another router in front of the 3120?  Your ACLs look correct, the concern being the host. Typically, when the 3120 is terminating the Internet connection, you would see this:

          permit tcp any  host Public IP eq 1723

          If there is in fact another router in front of the 3120, then your WAN interface eth0/1 on the 3120 should be getting this 10.1.10.10.  I would static this interface with 10.1.10.10/sm instead of DHCP; it is possible that your eth0/1 interface is getting a different IP than what you are specifying in the pfwd ACLs. Then try again, and also make sure the Internet-facing router is allowing VPN passthrough to the 10.1.10.10.

          Other than that, you have what it takes to forward PPTP traffic to your server at 192.168.0.20.


            • Re: Port forwarding for PPTP on a 3120 not working
              mpopkin New Member

              Hi 3l3mn8r,

              Yes, there's a cable modem that assigns a LAN IP through DHCP to each device connected.

              In this case, on the cable modem I set up a 1-to-1 NAT from the public IP address to the private IP address of 10.1.10.10.

              When I check the dynamic policy-class association table during an outside PPTP connection attempt (it will connect from inside), it looks like everything is forwarding correctly, but it never connects successfully:

              Protocol   Source Address/Port     Destination Address/Port   Nat Address/Port
              TCP(6)     69.14.xx.xxx / 51085    10.1.10.10 / 443           ...
              TCP(6)     69.14.xx.xxx / 51086    10.1.10.10 / 443           ...
              TCP(6)     69.14.xx.xxx / 51046    10.1.10.10 / 1723          192.168.0.20 / 1723
              UDP(17)    69.14.xx.xxx / 500      10.1.10.10 / 500           192.168.0.20 / 500
              GRE(47)    69.14.xx.xxx            10.1.10.10                 192.168.0.20
              TCP(6)     69.14.xx.xxx / 1285     10.1.10.10 / 5900          192.168.1.196 / 5900

              I note that I am able to connect to port 5900 without issue, and I am using the same process.  The last row in the table above is an active connection.

              I can try to static the interface, although the modem shows that it currently has assigned 10.1.10.10 to the NetVanta.

              Is there anything else I can try?  I can't believe how much trouble this is.

              Thanks!

              -mp
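The association table above is the evidence the poster is reading, so here is a small checker for it, added here and not code from the thread or from ADTRAN. It parses rows in the Protocol / Source / Destination / NAT layout shown above and asks the question that matters for PPTP: did both the TCP/1723 control session and the GRE (IP protocol 47) data flow from the same peer get translated to the same inside host? The sample rows are constructed after the posted table (same addresses, same columns); the parsing assumptions (cells separated by two or more spaces, `addr / port` within a cell, `...` for an untranslated flow) are mine. When the check passes, as it does for this data, the router has done its part and the fault lies upstream or on the server, which is where the rest of the thread goes.

```python
"""Check a NetVanta dynamic policy-class association table for a complete
PPTP forward (TCP/1723 control + GRE data translated to the same host).

Added example, not from the thread or from ADTRAN.  Row layout and the
'...' convention are assumptions based on the table quoted in the post.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the association table in the post.
SAMPLE_TABLE = """\
Protocol  Source Address/Port     Destination Address/Port  Nat Address/Port
TCP(6)    69.14.xx.xxx / 51085    10.1.10.10 / 443          ...
TCP(6)    69.14.xx.xxx / 51086    10.1.10.10 / 443          ...
TCP(6)    69.14.xx.xxx / 51046    10.1.10.10 / 1723         192.168.0.20 / 1723
UDP(17)   69.14.xx.xxx / 500      10.1.10.10 / 500          192.168.0.20 / 500
GRE(47)   69.14.xx.xxx            10.1.10.10                192.168.0.20
TCP(6)    69.14.xx.xxx / 1285     10.1.10.10 / 5900         192.168.1.196 / 5900
"""

@dataclass
class Association:
    proto: str                # "TCP", "UDP", "GRE"
    proto_num: int            # IP protocol number, e.g. 6, 17, 47
    src: str
    src_port: Optional[int]   # None for port-less protocols such as GRE
    dst: str
    dst_port: Optional[int]
    nat: Optional[str]        # None when the router shows '...' (not translated)
    nat_port: Optional[int]

ROW = re.compile(r"^(\w+)\((\d+)\)\s+(.*)$")

def _cell(text: str) -> Tuple[Optional[str], Optional[int]]:
    """Split 'addr / port' into (addr, port); '...' means no translation."""
    text = text.strip()
    if text in ("...", ""):
        return None, None
    if " / " in text:
        addr, port = text.split(" / ", 1)
        return addr.strip(), int(port)
    return text, None

def parse_table(text: str) -> List[Association]:
    """Parse the association table; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        proto, num, rest = m.groups()
        cells = re.split(r"\s{2,}", rest.strip())   # columns are 2+ spaces apart
        if len(cells) != 3:
            raise ValueError(f"unexpected row layout: {line!r}")
        (src, sp), (dst, dp), (nat, natp) = (_cell(c) for c in cells)
        rows.append(Association(proto, int(num), src, sp, dst, dp, nat, natp))
    return rows

def pptp_forward_status(rows: List[Association], client: str) -> Tuple[bool, str]:
    """Return (ok, detail) for a PPTP attempt from `client`.

    PPTP needs two flows from the same peer to land on the same inside host:
    the TCP/1723 control connection and the GRE (protocol 47) data session.
    If either is missing, or they are translated to different hosts, the
    tunnel authenticates and then hangs, or never comes up at all.
    """
    control = [r for r in rows if r.src == client and r.proto_num == 6 and r.dst_port == 1723]
    gre = [r for r in rows if r.src == client and r.proto_num == 47]
    if not control:
        return False, "no TCP/1723 control session seen from client"
    if not gre:
        return False, "TCP/1723 forwarded but no GRE flow; check GRE passthrough upstream"
    ctl_nat = {r.nat for r in control}
    gre_nat = {r.nat for r in gre}
    if None in ctl_nat or None in gre_nat:
        return False, "a PPTP flow reached the router but was not translated ('...')"
    if ctl_nat != gre_nat:
        return False, f"control translated to {ctl_nat}, GRE to {gre_nat}"
    return True, f"control and GRE both translated to {ctl_nat.pop()}"

if __name__ == "__main__":
    ok, detail = pptp_forward_status(parse_table(SAMPLE_TABLE), "69.14.xx.xxx")
    print("OK" if ok else "PROBLEM", "-", detail)
```

Run it against a table pasted from the router with the real client address in place of `69.14.xx.xxx`; the `...` rows for port 443 are expected here, because the `allow list web-acl-15 self` entry in policy-class Public hands HTTPS to the router itself rather than to a NAT destination.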

                • Re: Port forwarding for PPTP on a 3120 not working
                  3l3mn8r New Member

                  Your 3120 is correctly configured; the issue is more than likely the routing of your modem. I would contact your ISP, as many ISPs will block ports up to 2000.  My suggestion is to put your modem in bridge mode, assign a static IP address to the eth0/1 interface, and add a default route to the route table such as

                  0.0.0.0 0.0.0.0 Public default gateway.

                  This design will pass all traffic to your 3120 and take the routing of the modem out of the picture; you want your 3120 doing all routing.  You will also then turn off LAN DHCP on the modem and disable any firewall the unit has.  This is how I set up all my commercial customers.  You can contact your ISP to have them walk you through setting the modem in bridge mode; any Google search for your particular modem model will also yield the required information.  The only things you will have to change on the 3120 are the ACLs from 10.1.10.10 to your public IP, your eth0/1 IP/SM, and adding a default gateway to your route table.  Are you using a static IP from the ISP, or are you using DDNS to find your connection?

                    • Re: Port forwarding for PPTP on a 3120 not working
                      mpopkin New Member

                      Hi 3l3mn8r,

                      I configured the 3120 to use the public static IP with the modem's DHCP disabled and firewall off, but it still won't work for PPTP.  Called Comcast and they said it's wide open and does not block anything.

                      I was able to set up OpenVPN and forward in the port for it, so it looks like I'll have to go that way for the moment, although I am restricted on how many users can connect.

                      Also, I was able to set up VPN on the 3120 and connect from a ShrewSoft client, but it seems to only allow one connection at a time, very strange.

                      Anyway, thanks for your help.

                      -mp

                        • Re: Port forwarding for PPTP on a 3120 not working
                          Employee

                          mpopkin - Forwarding PPTP traffic through the NetVanta is an application that should work and has worked. I realize you have a couple of workarounds working at the moment, but if you are still up for troubleshooting, we can continue to help you out. I'm not sure if you have turned the modem's firewall and DHCP functionalities back on, but my response below is based on the assumption that you have.

                          I agree with 3l3mn8r that your basic configuration looks correct concerning the port forwards. One question I did have is that it looks like the ports you have forwarded include PPTP ports and L2TP/IPSec ports as well. The only port that appears to be missing is UDP 4500, which is used by IPSec for NAT-Traversal. I was not sure if you were attempting to build an L2TP/IPSec tunnel as well, but this port will need to be forwarded if you are.

                          Below are a couple of suggestions that would be helpful to troubleshoot this issue further:

                          1.) It would be helpful to get a packet capture from the PPTP server to see if the traffic being forwarded by the NetVanta is being received by the server at all.

                          2.) It would also be helpful to get a packet capture from the PC attempting to connect to the PPTP server so we can see which ports the PC is using to attempt to open the connection. The other way to check this would be to also set up a 1:1 NAT on the NetVanta; however, you have other port forwards in the picture, so this is not an option.

                          Let us know if you get a chance to try the suggestions and the results. Also, please do not hesitate to let us know if you have any questions.

                          Thanks,

                          Noor

                            • Re: Port forwarding for PPTP on a 3120 not working
                              mpopkin New Member

                              Hi Noor,

                              The appliance with the PPTP service only recommended that TCP port 1723 needed to be forwarded.  I added a few more in an attempt to get it to connect.

                              I have also added UDP 4500 per your suggestion, but it did not seem to help.

                              Do you have any suggestions for how I would get a packet capture?  Can this all be done through the Adtran, or do I need to set up external software to accomplish this?

                              Thanks!

                              -mp

                                • Re: Port forwarding for PPTP on a 3120 not working
                                  Employee

                                  mpopkin - You should only need to forward UDP port 1723 and GRE traffic to the PPTP server for PPTP tunnels.

                                  As far as a program to use for a packet capture, I would suggest a program called Wireshark. You can install it on your server and/or your PC (if supported). I'm not sure if your PPTP server will allow you to download Wireshark onto it. However, if not, then you can set up a port mirror on the switch the PPTP server is plugged into, install Wireshark on a PC, and then capture the mirrored packets off the PPTP server.

                                  Let us know if you have any questions.

                                  Thanks,

                                  Noor

                              • Re: Port forwarding for PPTP on a 3120 not working
                                3l3mn8r New Member

                                If your modem is not in bridge mode, then even if you enter a static IP on the WAN interface of the 3120, PPTP packets will stop at the modem.  I notice you indicated that you disabled the DHCP and firewall on the modem, but you did not indicate that you had the modem in bridge mode, which is separate from these steps.  Here are the steps.

                                Put the modem in bridge mode, and disable LAN DHCP and any firewall on the modem.  Configure a static IP and subnet mask on the WAN eth 0/1 interface of the 3120.  Add a route to the route table (gateway for your ISP).  Replace 10.1.10.10 with the static IP in your ACLs.  Make sure you can get to the Internet from the LAN.  At this point check to see if PPTP works; if not, then run a port scan to see if 1723 is open.  mxtoolbox.com is the scan page I use.  If it is open, you may want to start looking at your PPTP server.
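The step "Replace 10.1.10.10 with the static IP in your ACLs" is the one that silently breaks the forward if it is skipped, so here is a model of why, added here and not code from the thread or from ADTRAN. It replays the `nat destination list` entries of the posted `ip policy-class Public` over the poster's own `wizard-pfwd-2` and `wizard-pfwd-3` ACL lines, first match wins, and shows that once the modem is bridged, inbound packets arrive addressed to the public IP, match no `host 10.1.10.10` entry, and are never translated. The model is deliberately narrow: it evaluates only protocol, destination host and destination port (all the posted entries use), ignores the preceding `allow list web-acl-15 self` entry, and uses the documentation address 203.0.113.10 as a placeholder for the poster's real static IP.

```python
"""Model of the NetVanta Public policy-class NAT-destination decision.

Added example, not from the thread or from ADTRAN.  Simplified AOS model:
only protocol, destination host and destination port are evaluated, and
'allow' entries are not modelled.  203.0.113.10 is a placeholder public IP.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO = {"tcp": 6, "udp": 17, "gre": 47, "ip": None}   # IANA numbers; "ip" = any
NAMED_PORTS = {"isakmp": 500, "https": 443, "ssh": 22}  # names used in the ACLs
PUBLIC_IP = "203.0.113.10"                              # placeholder static IP

@dataclass(frozen=True)
class Ace:
    proto: str                 # tcp / udp / gre / ip
    dst_host: Optional[str]    # None means 'any'
    dst_port: Optional[int]    # None means the entry has no 'eq <port>'

    def matches(self, proto_num: int, dst: str, dst_port: Optional[int]) -> bool:
        want = PROTO[self.proto]
        if want is not None and want != proto_num:
            return False
        if self.dst_host is not None and self.dst_host != dst:
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        return True

def parse_ace(line: str) -> Ace:
    """Parse an entry such as 'permit tcp any host 10.1.10.10 eq 1723 log'."""
    tok = line.split()
    if tok[0] != "permit" or tok[2] != "any":
        raise ValueError("only 'permit <proto> any ...' entries are modelled")
    proto, i, host, port = tok[1], 3, None, None
    if tok[i] == "host":
        host, i = tok[i + 1], i + 2
    elif tok[i] == "any":
        i += 1
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        port = NAMED_PORTS[p] if p in NAMED_PORTS else int(p)
    return Ace(proto, host, port)

# The wizard-pfwd ACLs exactly as they appear in the posted config.
PFWD_2_LINES = [
    "permit tcp any host 10.1.10.10 eq 1723 log",
    "permit gre any host 10.1.10.10 log",
    "permit udp any host 10.1.10.10 eq isakmp log",
    "permit udp any host 10.1.10.10 eq 5500 log",
    "permit udp any host 10.1.10.10 eq 1701 log",
    "permit tcp any host 10.1.10.10 eq https log",
]
PFWD_3_LINES = ["permit tcp any host 10.1.10.10 eq 5900 log"]

Policy = List[Tuple[List[Ace], str]]   # (ACL, inside address) in config order

def build_policy(forward_host: str) -> Policy:
    """Policy-class Public with every 'host 10.1.10.10' rewritten to forward_host."""
    acl2 = [parse_ace(l.replace("10.1.10.10", forward_host)) for l in PFWD_2_LINES]
    acl3 = [parse_ace(l.replace("10.1.10.10", forward_host)) for l in PFWD_3_LINES]
    return [(acl2, "192.168.0.20"), (acl3, "192.168.1.196")]

def nat_destination(policy: Policy, proto_num: int, dst: str,
                    dst_port: Optional[int] = None) -> Optional[str]:
    """Inside address the packet is translated to, or None if no entry matches."""
    for acl, inside in policy:
        if any(ace.matches(proto_num, dst, dst_port) for ace in acl):
            return inside
    return None

def pptp_translations(policy: Policy, dst: str) -> Tuple[Optional[str], Optional[str]]:
    """Where the TCP/1723 control flow and the GRE flow to `dst` end up."""
    return (nat_destination(policy, 6, dst, 1723), nat_destination(policy, 47, dst))

if __name__ == "__main__":
    as_posted = build_policy("10.1.10.10")
    print("modem NATs to 10.1.10.10:", pptp_translations(as_posted, "10.1.10.10"))
    print("modem bridged, ACL unchanged:", pptp_translations(as_posted, PUBLIC_IP))
    print("modem bridged, ACL updated:", pptp_translations(build_policy(PUBLIC_IP), PUBLIC_IP))
```

The middle case is the trap: the control session and GRE both return `None`, so the router drops them without any NAT entry, which is exactly the symptom of a forward that "looks right" but was written for the address behind the old modem.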