
The Cisco Router is connected to the WAN on Gi0/2 and connected to the 192.168.1.0/24 LAN on Gi0/0.

The DD-WRT Device's IP is 192.168.1.3/24.

I want the DD-WRT Router to handle the incoming VPN connections (PPTP).

On the Cisco device I'm assuming I need an ACL applied inbound on the Internet interface, TCP (and UDP?) 47 and TCP 1723 allowed from any IP, and an inbound NAT setup for TCP 1723 (applied to the WAN IP?).

Running Config

R1#show run
Building configuration...

Current configuration : 1903 bytes
!
! Last configuration change at 01:16:34 UTC Fri Feb 22 2013
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
enable secret *************************
enable password ****************************
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.1 192.168.2.99
ip dhcp excluded-address 192.168.2.1 192.168.2.50
!
ip dhcp pool DHCP_POOL
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 8.8.8.8
 domain-name subnet2.local
!
!
multilink bundle-name authenticated
!
!
!
!
!
crypto pki token default removal timeout 0
!
!
voice-card 0
!
!
!
!
!
!
!
license udi pid CISCO2921/K9 sn FTX1703AHBN
hw-module pvdm 0/0
!
!
!
!
redundancy
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address ****************
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 **************
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
gatekeeper
 shutdown
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password *******************
 login
 transport input all
!
scheduler allocate 20000 1000
end

Config After Suggested Commands

R1#ping 8.8.8.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R1#show run
Building configuration...

Current configuration : 2152 bytes
!
! Last configuration change at 01:40:48 UTC Fri Feb 22 2013
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
enable secret ***********************
enable password **********************
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.1 192.168.2.99
ip dhcp excluded-address 192.168.2.1 192.168.2.50
!
ip dhcp pool DHCP_POOL
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 8.8.8.8
 domain-name subnet2.local
multilink bundle-name authenticated
crypto pki token default removal timeout 0
voice-card 0
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address WAN IP XXXXXXXX
 ip access-group 110 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0/2 overload
ip nat inside source static tcp 192.168.1.3 1723 interface GigabitEthernet0/2 1723
ip route 0.0.0.0 0.0.0.0 108.162.28.169
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip any any
access-list 110 permit gre any host 192.168.1.3 log
access-list 110 permit tcp any host 192.168.1.3 eq 1723
control-plane
mgcp profile default
gatekeeper
 shutdown
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password ********************
 login
 transport input all
!
scheduler allocate 20000 1000
end

R1#

Copy Run Start
    Why? Why not just terminate the PPTP VPN on the Cisco router and save yourself a bunch of hassle? – Tom O'Connor Feb 18 '13 at 23:56
  • I suppose I could but this is the best guide I found: http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00801e51e2.shtml . It doesn't mention anything about setting up the username/passwords though so I'm not sure how to proceed. – Copy Run Start Feb 19 '13 at 14:50
  • Do you have an Active Directory or LDAP server to authenticate against? – Tom O'Connor Feb 19 '13 at 15:46
  • The username / password bit is mentioned (in a fairly insecure way) in that example from Cisco as `username client password 0 testclient` – Tom O'Connor Feb 19 '13 at 15:59
  • I'll see if I can work that example into a better scenario for you in a little bit. – Tom O'Connor Feb 19 '13 at 15:59
  • I'd rather not involve our AD server. Thanks dude, no rush, I appreciate it. – Copy Run Start Feb 19 '13 at 16:47
  • Why would you not want to auth against radius/AD? – Tom O'Connor Feb 19 '13 at 16:48
  • Basically this is a 90% OSX network and we just got the AD Server this week so it's still in testing stage and being rebooted a lot. We need VPN access for just 3 users and we'd rather have it sooner. – Copy Run Start Feb 19 '13 at 16:50
  • Have you configured NAT already on the cisco router? – Tom O'Connor Feb 19 '13 at 22:50
  • Yes. I did `access-list 1 permit 192.168.1.0 0.0.0.255 ip nat inside source list 1 interface gi0/2 overload interface gi0/0 ip nat inside inter gi0/2 ip nat outside` – Copy Run Start Feb 20 '13 at 14:49

1 Answer

Given:

access-list 1 permit 192.168.1.0 0.0.0.255 
ip nat inside source list 1 interface gi0/2 overload 
interface gi0/0 
  ip nat inside 

inter gi0/2 
  ip nat outside 

Then you can forward the port for DDWRT as follows:

ip nat inside source static tcp 192.168.1.3 1723 interface gi0/2 1723

It turns out that to forward ports for PPTP, you don't need to open port 47, but protocol 47.

IP Protocol 47 is also known as GRE (Generic Routing Encapsulation).

access-list 101 permit 47 any host 192.168.1.3 log
access-list 101 permit tcp any host 192.168.1.3 eq 1723
access-list 101 permit ip any any

You can apply the ACL to the interface:

int gi0/2
ip access-group 101 in 

Edit:

Was missing the `permit ip any any` line, which is why you lost LAN access (probably).

Tom O'Connor
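The implicit deny that the answer's edit is about can be checked offline. The Python below is an added example, not code from the question, the answer, or Cisco: a small first-match evaluator for the numbered extended ACL syntax used on this page (`permit`/`deny`, a protocol keyword or number, `any`/`host`/wildcard addresses, `eq <port>`, `log`). It runs constructed inbound packets against access-list 110 as posted in the question, against access-list 101 from the answer, and against a third list (my assumption, not on the page) that matches on the router's global address. The WAN address `203.0.113.10` and the peer address `198.51.100.7` are constructed placeholders for the redacted values. One IOS fact the third list relies on: an inbound ACL on the `ip nat outside` interface is evaluated before the static NAT rewrites the destination, so it sees the WAN address rather than 192.168.1.3.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Protocol keywords IOS accepts in this ACL subset; 'ip' means any IP protocol
PROTO_NUMBERS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47}


@dataclass(frozen=True)
class Packet:
    proto: int                  # IP protocol number (1 ICMP, 6 TCP, 47 GRE, ...)
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                 # 'permit' or 'deny'
    proto: Optional[int]        # None == 'ip' (matches every protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # from 'eq <port>', if present
    log: bool


def _parse_addr(tokens: List[str], i: int):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' (IOS wildcard mask)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # An IOS wildcard mask is the bitwise inverse of a subnet mask
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{tok}/{netmask}", strict=False), i + 2


def parse_acl(lines: List[str]) -> List[Ace]:
    """Parse 'access-list <n> <permit|deny> <proto> <src> <dst> [eq port] [log]'."""
    aces = []
    for line in lines:
        t = line.split()
        action, proto_tok = t[2], t[3]
        proto = PROTO_NUMBERS[proto_tok] if proto_tok in PROTO_NUMBERS else int(proto_tok)
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport, i = int(t[i + 1]), i + 2
        log = i < len(t) and t[i] == "log"
        aces.append(Ace(action, proto, src, dst, dport, log))
    return aces


def evaluate(aces: List[Ace], pkt: Packet) -> str:
    """Action of the first matching entry; no match is the implicit deny."""
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for ace in aces:
        if ace.proto is not None and ace.proto != pkt.proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"   # implicit 'deny ip any any' at the end of every IOS ACL


WAN_IP = "203.0.113.10"   # constructed placeholder for the redacted WAN address

ACL_110_AS_POSTED = [
    "access-list 110 permit gre any host 192.168.1.3 log",
    "access-list 110 permit tcp any host 192.168.1.3 eq 1723",
]
ACL_101_FROM_ANSWER = [
    "access-list 101 permit 47 any host 192.168.1.3 log",
    "access-list 101 permit tcp any host 192.168.1.3 eq 1723",
    "access-list 101 permit ip any any",
]
# Assumption (not on the page): match the global address the inbound ACL on
# Gi0/2 actually sees, since it is evaluated before the NAT rewrite.
ACL_120_PRE_NAT = [
    f"access-list 120 permit gre any host {WAN_IP} log",
    f"access-list 120 permit tcp any host {WAN_IP} eq 1723",
]

# Constructed inbound packets as they arrive on Gi0/2, before NAT
SAMPLE_PACKETS: Dict[str, Packet] = {
    "icmp_echo_reply_from_8.8.8.8": Packet(1, "8.8.8.8", WAN_IP),
    "pptp_control_syn": Packet(6, "198.51.100.7", WAN_IP, 1723),
    "pptp_gre_tunnel": Packet(47, "198.51.100.7", WAN_IP),
    "unsolicited_ssh": Packet(6, "198.51.100.7", WAN_IP, 22),
}


def verdicts(acl_lines: List[str]) -> Dict[str, str]:
    """Evaluate every sample packet against one ACL."""
    aces = parse_acl(acl_lines)
    return {name: evaluate(aces, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("110 as posted", ACL_110_AS_POSTED),
                       ("101 from the answer", ACL_101_FROM_ANSWER),
                       ("120 pre-NAT (assumed)", ACL_120_PRE_NAT)):
        print(f"access-list {label}: {verdicts(acl)}")
```

Access-list 110 as posted denies every sample packet, including the echo replies to the router's own ping, which matches the 0/5 result in the question. With the answer's `permit ip any any`, list 101 permits everything, so it adds GRE logging but filters nothing inbound. The assumed list 120 permits only the two PPTP flows; return traffic for sessions started from the LAN or the router would still need a stateful mechanism (CBAC or a zone-based firewall), which is beyond what this page covers.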