Howdy all, it’s been a while but I found this and figured it was well worth sharing. I can’t say I found the answer to this issue online, and once I got it it seemed easy which might be why.<\/p>\n
To explain the title further, this is a home or small branch office internet connection with no VPN servers. That needs to connect to the office using the old PPTP format VPN. Hense the PPTP connection is going outbound to a remote server.<\/p>\n
Yes PPTP is the worst Virtual Private Network anyone can run, and I really shouldn’t be promoting it’s use, but lets say I’m the Cisco tech and the Windows guys don’t agree or something….<\/p>\n
So first you want to add “ip nat enable” to the internal and external interfaces, for those of you who know “ip nat inside\/outside”, the enable is smart enough to automatically work out which is which.<\/p>\n
This won’t break anything, it just telling the interface to use this technology and which interfaces to use. show ip access-list 1 What we need to do is block PPTP traffic in the NVI NAT list, but then allow internal IP’s out. So something like So try you PPTP VPN connection now and you should be away.<\/p>\n Now I did say that this site has not services, but just to take this post all the way, if your doing these change to a major site then you would want to adjust your inbound port forwards, you simple want to remove the inside bit Hrmm, just found out my VoIP service isn’t working through this change so, standby for more information.<\/p>\n","protected":false},"excerpt":{"rendered":" Howdy all, it’s been a while but I found this and figured it was well worth sharing. I can’t say I found the answer to this issue online, and once I got it it seemed easy which might be why. To explain the title further, this is a home or small branch office internet connection … <\/p>\n
\n
\ninterface Dialer0
\nip nat enable
\n!
\ninterface Vlan1
\nip nat enable
\n!
\ninterface Vlan2
\nip nat enable
\n!
\ninterface Vlan3
\nip nat enable
\n<\/code>
\nNow find you existing “ip nat inside source list” line so we can work out what you are allowing
\n
\nshow run | inc ip nat
\nip nat inside source list 1 interface Dialer0 overload<\/p>\n
\n 10 access-list 1 permit 172.17.0.0 0.0.255.255
\n<\/code>
\nNow in my case I’ve got a standard list, allowing PPTP through it, we need to create and change to an extended list. So I will use 190 for NVI, and you need a second one too for Traditional, so I’ll use 191.<\/p>\n
\n
\nip access-list extended 190
\n 10 deny tcp any any eq 1723
\n 20 deny gre any any
\n 30 permit 172.17.0.0 0.0.255.255
\nip access-list extended 191
\n 10 permit tcp 172.17.0.0 0.0.255.255 any eq 1723
\n 20 permit gre 172.17.0.0 0.0.255.255 any
\n 30 deny ip any any
\n<\/code>
\nSo this has the setup ready to apply the final commands, this will put NVI NAT as the default and force port 1723 and GRE traffic to use traditional NAT
\n
\nip nat source list 190 interface Dialer0 overload
\nno ip nat inside source list 1 interface Dialer0 overload
\nip nat inside source list 191 interface Dialer0 overload
\n<\/code>
\nin this order you should only lose a few packet of data to the internet, though if you get a few errors like
\n
\nDynamic mapping in use, do you want to delete all entries? [no]: yes
\n%Error: Dynamic mapping still in use, cannot remove
\n<\/code>
\nYou can “clear ip nat trans *” and try again. Sometimes it takes a minute or two so you can try again then, otherwise removing the “ip nat inside\/outside” command helps clear to issue, though this will increase down time. Another guarantee method is to shut the external interface, that works every time \ud83d\ude42<\/p>\n
\n
\nno ip nat inside source static tcp 172.17.2.25 80 interface Dialer0 80
\nno ip nat inside source static tcp 172.17.2.25 25 interface Dialer0 25
\nno ip nat inside source static tcp 172.17.2.25 21 interface Dialer0 21
\nip nat source static tcp 172.17.2.25 80 interface Dialer0 80
\nip nat source static tcp 172.17.2.25 25 interface Dialer0 25
\nip nat source static tcp 172.17.2.25 21 interface Dialer0 21
\n<\/code>
\nJust don’t change the PPTP port in, that need Traditional NAT
\n
\nip nat inside source static tcp 172.17.2.26 1723 interface Dialer0 1723
\n<\/code>
\nThese changes should then allow you to use the routers external IP address to be NAT hair pin back to the local services.<\/p>\n