PBR with PPTP: is this possible?

lowfell Member Posts: 7
I have an 1841 with one ADSL interface pointing to the internet via isp1.

I have Fa0/1 pointing to isp2.

I have one LAN interface, fa0/0, with IP address 10.1.1.254.

Presently I only have one static NAT for an inside address of 10.1.1.1, which NATs to a public address & proxies for mail & PPTP (the 10.1.1.1 is an ISA server). I want to configure PBR so that mail and PPTP go through isp1 & all other traffic through isp2.
I have used the following route-maps in an attempt to do this.
! new NAT for VPN (PPTP) traffic
ip nat inside source static 10.1.1.1 194.72.X.X route-map outside_nat1

! new NAT for all other traffic
ip nat inside source static 10.1.1.1 217.36.X.X route-map outside_nat2

route-map outside_nat1 permit 10
 match ip address 101
 set default interface FastEthernet0/1

access-list 101 permit tcp host 10.1.1.1 eq 1723 any
access-list 101 permit gre host 10.1.1.1 any

route-map outside_nat2 permit 10
 match ip address 102
 set default interface Dialer0

access-list 102 deny tcp host 10.1.1.1 eq 1723 any
access-list 102 deny gre host 10.1.1.1 any

! policy routing applied on the LAN interface
interface FastEthernet0/0
 ip policy route-map vpn_only

route-map vpn_only permit 10
 match ip address 110
 set default interface FastEthernet0/1

access-list 110 permit tcp host 10.1.1.1 eq 1723 any
access-list 110 permit gre host 10.1.1.1 any

Using this configuration I can still collect mail from ISP1, but when I try to make the connection for the remote access PPTP VPN via isp2 I can see a NAT translation for the address but no GRE connection info & the VPN won't work.

For example, before employing PBR I see the following translations when connected to the VPN:
#show ip nat translations
tcp 217.36.X.X:1723 10.1.1.1:1723 195.200.x.x:1485 195.200.x.x:1485
gre 217.36.x.x:7576 10.1.1.1:7576 195.200.x.x:7576 195.200.X.x:7576
gre 217.36.X.X:32768 10.1.1.1:32768 195.200.X.X:32768 195.200.X.X:32768

This includes 1723 for PPTP & an entry for GRE; however, when I use the PBR I only see a TCP connection including 1723 for the PPTP, but NO GRE translation. How do I get this to work?
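To make the symptom in the question concrete, the following checker (an added example, not code from the original post or from anyone in the thread) parses `show ip nat translations` output and reports, for every PPTP control session (TCP 1723), whether matching GRE translations exist on the same inside global address. The three sample tables are constructed, modelled on the post's output with the masked octets replaced by 0; the "gre-other-nat" verdict covers the case the two policy-NAT statements could produce, where GRE is translated to a different public address than the control session.

```python
"""Check 'show ip nat translations' output for PPTP sessions without GRE translations."""
from collections import namedtuple

Translation = namedtuple(
    "Translation", "proto inside_global inside_local outside_local outside_global"
)

# Constructed sample modelled on the thread's working state: TCP 1723 control
# session plus GRE entries on the same inside global address.
SAMPLE_WORKING = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 217.36.0.1:1723    10.1.1.1:1723      195.200.0.1:1485   195.200.0.1:1485
gre 217.36.0.1:7576    10.1.1.1:7576      195.200.0.1:7576   195.200.0.1:7576
gre 217.36.0.1:32768   10.1.1.1:32768     195.200.0.1:32768  195.200.0.1:32768
"""

# Constructed sample for the failing state in the question: the control
# session is translated, but no GRE entry ever appears.
SAMPLE_BROKEN = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 194.72.0.1:1723    10.1.1.1:1723      195.200.0.1:1485   195.200.0.1:1485
"""

# Constructed sample for a policy-NAT mismatch: GRE is translated, but via a
# different inside global address than the control session.
SAMPLE_SPLIT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 194.72.0.1:1723    10.1.1.1:1723      195.200.0.1:1485   195.200.0.1:1485
gre 217.36.0.1:7576    10.1.1.1:7576      195.200.0.1:7576   195.200.0.1:7576
"""


def split_endpoint(field):
    """Split 'host:port' into (host, port); for GRE rows the 'port' is the call ID."""
    host, _, port = field.rpartition(":")
    return host, port


def parse_translations(text):
    """Parse the five-column table into Translation tuples, skipping the header."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0].lower() == "pro":
            continue
        rows.append(Translation(*parts))
    return rows


def check_pptp_sessions(rows):
    """Map (inside local host, peer host) of each PPTP control session to a verdict.

    'ok'            - GRE entries exist on the same inside global address
    'missing-gre'   - control session translated, no GRE translation at all
    'gre-other-nat' - GRE translated, but via a different inside global address
    """
    control = {}  # (inside host, peer host) -> inside global host of the TCP 1723 row
    gre = {}      # (inside host, peer host) -> set of inside global hosts seen for GRE
    for row in rows:
        in_host, in_port = split_endpoint(row.inside_local)
        peer_host, _ = split_endpoint(row.outside_global)
        global_host, _ = split_endpoint(row.inside_global)
        key = (in_host, peer_host)
        if row.proto == "tcp" and in_port == "1723":
            control[key] = global_host
        elif row.proto == "gre":
            gre.setdefault(key, set()).add(global_host)
    verdicts = {}
    for key, global_host in control.items():
        if key not in gre:
            verdicts[key] = "missing-gre"
        elif global_host in gre[key]:
            verdicts[key] = "ok"
        else:
            verdicts[key] = "gre-other-nat"
    return verdicts


if __name__ == "__main__":
    samples = (("working", SAMPLE_WORKING), ("broken", SAMPLE_BROKEN), ("split", SAMPLE_SPLIT))
    for name, sample in samples:
        for (inside, peer), verdict in check_pptp_sessions(parse_translations(sample)).items():
            print(f"{name}: {inside} <-> {peer}: {verdict}")
```

Paste the real output of `show ip nat translations` into a file and feed it to `parse_translations`; a "missing-gre" verdict while the client is trying to connect is exactly the state described above, and "gre-other-nat" points at the two policy-NAT statements selecting different public addresses for the control session and the GRE flow.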

Comments

    rossonieri#1 Member Posts: 799
    hello lowfell

    so - you have tried what I've told you before
    still have problems??

    cheers...
    The more I know, the more and more I don't know.
    lowfell Member Posts: 7
    hello lowfell

    so - you have tried what I've told you before
    still have problems??

    cheers...

    Hello Rossonieri. I believe I have tried all ways!

    I think I'm close because I can see an IP NAT translation for TCP port 1723 for the PPTP tunnel, but NO GRE traffic, so is it possible to use PPTP in conjunction with PBR?
    I believe I have used your way, but there is also the added element that I need to use policy-based NAT as my ONLY inside address is 10.1.1.1.

    10.1.1.1 needs to NAT to 194.72.X.X for PPTP traffic.

    10.1.1.1 needs to NAT to 217.36.X.X for ALL other traffic.
    rossonieri#1 Member Posts: 799
    hello lowfell,

    GRE (not PPTP) traffic can't be NATed in any way. Why? Because the initial connection is true by using TCP 1723 for the remote port - but the receiving party (in your case your network) has to accept any previous TCP handshake - which will be redirected back to your receiving port.
    Remember that PBR only redirects outgoing (internal to external) traffic from the network.

    So if you use NAT for the outside-to-inside network - you must allow the outer network's GRE traffic.

    And don't forget to check your ACLs (if any) - both for the NAT and the interface.

    cheers...
    The more I know, the more and more I don't know.