[pptp-server] DSL connection with Cisco 675 and NAT

Vlad Strezhnev vlast at eetc.com
Sat Jan 27 15:36:38 CST 2001


Release Notes for CBOS 2.2.0 for Cisco 675 DSL modem/router 
state that it supports wildcard static NAT entries.

Here is my *positive* experience proving that it is valid for pptp-
based VPNs, at least in "W2K client - Linux server" and "Linux 
client - Linux server" cases. 

After Qwest DSL was installed I was able to connect from home to 
my corporate PoPToP (behind Linux firewall) with out-of-the box 
Cisco 675 configuration and W2K workstation.
However it was possible only after multiple retries because of 
infamous 619 (port not connected) errors. Strangely, this problem 
was becoming worse until recently the connection became 
impossible at all - constant 619 errors.
Was it due to my consequent W2K security updates or not - is an 
open question. Maybe not. After all stopped working, I tried to 
connect with Linux pptp client and also failed with "connection 
timed out error". (But then again, it might be because Linux pptp 
client does not have those "security issues" that were being fixed 
in Windows "Internet Connection Wizard".)

My monitoring of pptp connections on CBOS terminal revealed that 
in its shipped configuration NAT was mapping GRE to router's 
internal gateway address 10.0.0.1.

After I added one static NAT entry:

set nat entry add 10.0.0.2 0 47
write
reboot

the problem was solved.

(Okay, okay, I did make the notorious mistake and initially entered 

set nat entry add 10.0.0.2 47 gre

which was a shame, because from the days of ipchains 
configuration I knew very well that "47" is not a portnum but a 
protocolname.
Apparently CBOS was so "surprised" with this wrong entry that it 
still keeps it in its NVRAM alongside the right one and refuses all 
my attempts to delete it.) 

Anyway, everything works now both from Linux and W2K.
When pptp connection is active CBOS terminal correctly shows 
GRE mapping to 10.0.0.2.

Moreover, when I experimented with Linux box (IP 10.0.0.2) which 
also has VMware and virtual W2K (IP 10.0.0.3), I was able to 
alternatively connect with W2K pptp client.
In that case CBOS "show nat" command displayed both static 
NAT entry for 10.0.0.2 and dynamic NAT entry for 10.0.0.3.

Happy end.
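
Added example, not part of the original post: a small Python model of why a NAT entry for PPTP's data channel has to key on IP protocol number 47 rather than on a port. The rule tuple layout and the treatment of port 0 as a wildcard are assumptions for illustration, not CBOS's actual implementation; all packets are constructed samples.

```python
import struct

GRE, TCP, UDP = 47, 6, 17  # IANA IP protocol numbers

def ipv4_packet(proto, payload):
    """Build a minimal 20-byte IPv4 header (checksum left at 0) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1]))
    return hdr + payload

def tcp_segment(sport, dport):
    """20-byte TCP header; only the port fields matter for classification."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0, 0, 0, 0)

def pptp_gre(call_id):
    """Enhanced GRE header as used by PPTP: K+S flags, version 1, type 0x880B."""
    return struct.pack("!HHHHI", 0x3001, 0x880B, 0, call_id, 0)

def classify(packet):
    """Return (ip_protocol, dest_port); dest_port is None when there are no ports."""
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]                     # IPv4 protocol field
    if proto in (TCP, UDP) and len(packet) >= ihl + 4:
        return proto, struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return proto, None

def match(rule, packet):
    """rule = (inside_ip, port, protocol); port 0 is a wildcard (assumption)."""
    _inside_ip, port, rule_proto = rule
    proto, dport = classify(packet)
    if proto != rule_proto:
        return False
    return port == 0 or dport == port

# Constructed sample traffic for one PPTP session
CONTROL = ipv4_packet(TCP, tcp_segment(1029, 1723))   # PPTP control channel
DATA = ipv4_packet(GRE, pptp_gre(call_id=1))          # PPTP tunnelled data
TCP_PORT_47 = ipv4_packet(TCP, tcp_segment(1029, 47))  # unrelated TCP to port 47

WILDCARD_GRE = ("10.0.0.2", 0, GRE)   # models "10.0.0.2 0 47"
PORT_47_GRE = ("10.0.0.2", 47, GRE)   # models the mistaken "10.0.0.2 47 gre"

if __name__ == "__main__":
    for name, pkt in (("control", CONTROL), ("data", DATA), ("tcp/47", TCP_PORT_47)):
        print(name, classify(pkt),
              "wildcard:", match(WILDCARD_GRE, pkt),
              "port47:", match(PORT_47_GRE, pkt))
```

In this model the port-47 entry can never match, because a GRE packet carries no port field to compare against.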



