Allow Cisco IOS Outbound PPTP Through NVI NAT

Howdy all, it’s been a while, but I found this and figured it was well worth sharing. I can’t say I found the answer to this issue online, and once I got it, it seemed easy, which might be why.

To explain the title further: this is a home or small branch office internet connection with no VPN servers of its own, which needs to connect to the office using the old PPTP VPN. Hence the PPTP connection is going outbound from the LAN to a remote server.

Yes, PPTP is the worst Virtual Private Network anyone can run, and I really shouldn’t be promoting its use, but let’s say I’m the Cisco tech and the Windows guys don’t agree or something….

So first you want to add “ip nat enable” to the internal and external interfaces. For those of you who know “ip nat inside/outside”: NVI (NAT Virtual Interface) has no inside/outside designation at all. The router decides whether to translate a packet by doing a route lookup and checking whether it is crossing between two NAT-enabled interfaces, so you do not have to tell it which side is which.

Adding the command on its own won’t break anything. Nothing is translated until a matching “ip nat source” rule exists, and it can sit on an interface alongside an existing “ip nat inside” or “ip nat outside” statement, which is exactly what this setup relies on to run both NAT types at once.

interface Dialer0
ip nat enable
!
interface Vlan1
ip nat enable
!
interface Vlan2
ip nat enable
!
interface Vlan3
ip nat enable

Now find your existing “ip nat inside source list” line so we can work out what you are currently allowing:

show run | inc ip nat
ip nat inside source list 1 interface Dialer0 overload

show ip access-list 1
10 access-list 1 permit 172.17.0.0 0.0.255.255

Now in my case I’ve got a standard list, which matches on source address only and therefore lets PPTP through along with everything else. To separate PPTP from the rest we need to create extended lists, which can match on protocol and port, and switch to them. I will use 190 for NVI, and you need a second one for traditional NAT, so I’ll use 191.

What we need to do is exclude PPTP traffic (TCP port 1723 for the control channel and GRE, IP protocol 47, for the tunnelled data) from the NVI NAT list while still allowing the internal IPs out, and then permit only that PPTP traffic in the traditional NAT list. Note that in an extended list the “permit” for the LAN needs a protocol and a destination, so it is “permit ip … any” rather than the bare network the standard list used. So something like:

ip access-list extended 190
10 deny tcp any any eq 1723
20 deny gre any any
30 permit ip 172.17.0.0 0.0.255.255 any
ip access-list extended 191
10 permit tcp 172.17.0.0 0.0.255.255 any eq 1723
20 permit gre 172.17.0.0 0.0.255.255 any
30 deny ip any any

That has the setup ready for the final commands. Applied in this order, they make NVI NAT the default path and force port 1723 and GRE traffic to use traditional NAT:

ip nat source list 190 interface Dialer0 overload
no ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 191 interface Dialer0 overload
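To sanity-check the split before pushing it to a router, here is an added example (my own code, not from the original post) that models lists 190 and 191 with Cisco first-match and wildcard-mask semantics and reports which NAT rule a given flow would hit. The 172.17.0.0/16 LAN and the 1723/GRE matches are from the post; the sample flows and the public addresses are constructed test inputs. A flow matched by both lists is reported as a configuration error, since the post does not say which NAT type wins when both apply and you should not be relying on it.

```python
"""Check which NAT rule a flow hits under the ACL 190 / ACL 191 split.

Added example, not code from the original post. It models Cisco extended-ACL
evaluation: entries are tried in sequence order, the first match decides, and
an unmatched packet hits the implicit deny at the end of every list.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = Tuple[str, str]                        # (network, wildcard) as typed in the ACL
ANY: Net = ("0.0.0.0", "255.255.255.255")
LAN: Net = ("172.17.0.0", "0.0.255.255")     # the post's inside network
PPTP_PORT = 1723                             # PPTP control channel; data rides on GRE


def wildcard_match(addr: str, net: Net) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is don't-care."""
    network, wildcard = net
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol; else "tcp", "udp", "gre"
    src: Net
    dst: Net
    dport: Optional[int] = None   # the "eq <port>" qualifier, tcp/udp only

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if not (wildcard_match(src, self.src) and wildcard_match(dst, self.dst)):
            return False
        return self.dport is None or self.dport == dport


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First-match evaluation with the implicit deny at the end of the list."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.matches(proto, src, dst, dport):
            return ace.action
    return "deny"


# ip access-list extended 190  (drives "ip nat source list 190 ...", NVI NAT)
ACL_190_NVI = [
    Ace(10, "deny", "tcp", ANY, ANY, PPTP_PORT),
    Ace(20, "deny", "gre", ANY, ANY),
    Ace(30, "permit", "ip", LAN, ANY),
]
# ip access-list extended 191  (drives "ip nat inside source list 191 ...", traditional NAT)
ACL_191_TRADITIONAL = [
    Ace(10, "permit", "tcp", LAN, ANY, PPTP_PORT),
    Ace(20, "permit", "gre", LAN, ANY),
    Ace(30, "deny", "ip", ANY, ANY),
]


def nat_path(proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """'nvi', 'traditional', 'none', or 'both' if the lists overlap (a config bug)."""
    nvi = evaluate(ACL_190_NVI, proto, src, dst, dport) == "permit"
    trad = evaluate(ACL_191_TRADITIONAL, proto, src, dst, dport) == "permit"
    if nvi and trad:
        return "both"
    return "nvi" if nvi else "traditional" if trad else "none"


# Constructed sample flows; the public addresses are documentation ranges.
SAMPLE_FLOWS = [
    ("tcp", "172.17.2.10", "203.0.113.5", PPTP_PORT),   # PPTP control to the office
    ("gre", "172.17.2.10", "203.0.113.5", None),        # PPTP data channel
    ("tcp", "172.17.2.10", "198.51.100.7", 443),        # ordinary web traffic
    ("udp", "172.17.5.9", "198.51.100.53", 53),         # DNS
    ("tcp", "10.0.0.5", "198.51.100.7", 443),           # not in the LAN list at all
]


def overlapping_flows(flows) -> list:
    """Flows that both NAT rules would claim; should be empty for a clean split."""
    return [f for f in flows if nat_path(*f) == "both"]


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(f"{flow!s:50} -> {nat_path(*flow)}")
    print("overlaps:", overlapping_flows(SAMPLE_FLOWS))
```

Run it as-is to see PPTP and GRE land on the traditional rule, everything else from the LAN on NVI, and off-LAN sources on neither. If you reorder the lines in 190 so the LAN permit comes before the two denies, the PPTP flows come back as “both”, which is the mistake the sequence numbers in the post are guarding against.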

In this order you should only lose a few packets of data to the internet, though you may get errors like:

Dynamic mapping in use, do you want to delete all entries? [no]: yes
%Error: Dynamic mapping still in use, cannot remove

You can “clear ip nat trans *” and try again (bear in mind this drops every active translation, so all sessions through the router will reset). Sometimes it takes a minute or two, so you can try again then; otherwise removing the “ip nat inside/outside” commands helps clear the issue, though this increases downtime. Another guaranteed method is to shut the external interface; that works every time 🙂

So try your PPTP VPN connection now and you should be away. You can confirm the split is doing what you expect with “show ip nat translations” (traditional NAT: the 1723 and GRE entries should appear here) and “show ip nat nvi translations” (NVI NAT: everything else from the LAN).

Now I did say that this site has no services, but just to take this post all the way: if you’re doing these changes on a larger site then you will also want to adjust your inbound port forwards. You simply remove the “inside” keyword:

no ip nat inside source static tcp 172.17.2.25 80 interface Dialer0 80
no ip nat inside source static tcp 172.17.2.25 25 interface Dialer0 25
no ip nat inside source static tcp 172.17.2.25 21 interface Dialer0 21
ip nat source static tcp 172.17.2.25 80 interface Dialer0 80
ip nat source static tcp 172.17.2.25 25 interface Dialer0 25
ip nat source static tcp 172.17.2.25 21 interface Dialer0 21

Just don’t change the PPTP port forward; that needs traditional NAT:

ip nat inside source static tcp 172.17.2.26 1723 interface Dialer0 1723

These changes should then let internal hosts reach the local services using the router’s external IP address, because NVI NAT hairpins that traffic back in, something traditional inside/outside NAT does not do on its own.

Hrmm, just found out my VoIP service isn’t working after this change, so stand by for more information.
