[pptp-server] DSL connection with Cisco 675 and NAT
Vlad Strezhnev
vlast at eetc.com
Sat Jan 27 15:36:38 CST 2001
The Release Notes for CBOS 2.2.0 for the Cisco 675 DSL modem/router
state that it supports wildcard static NAT entries.
Here is my *positive* experience proving that it is valid for pptp-
based VPNs, at least in "W2K client - Linux server" and "Linux
client - Linux server" cases.
After Qwest DSL was installed I was able to connect from home to
my corporate PoPToP (behind Linux firewall) with out-of-the-box
Cisco 675 configuration and W2K workstation.
However it was possible only after multiple retries because of
infamous 619 (port not connected) errors. Strangely, this problem
was becoming worse until recently the connection became
impossible at all - constant 619 errors.
Whether it was due to my consequent W2K security updates or not is an
open question. Maybe not. After everything stopped working, I tried to
connect with Linux pptp client and also failed with "connection
timed out error". (But then again, it might be because Linux pptp
client does not have those "security issues" that were being fixed
in Windows "Internet Connection Wizard".)
My monitoring of pptp connections on CBOS terminal revealed that
in its shipped configuration NAT was mapping GRE to router's
internal gateway address 10.0.0.1.
After I added one static NAT entry:

    set nat entry add 10.0.0.2 0 47
    write
    reboot

the problem was solved.
(Okay, okay, I did make the notorious mistake and initially entered

    set nat entry add 10.0.0.2 47 gre

which was a shame, because from the days of ipchains
configuration I knew very well that "47" is not a portnum but a
protocolname.
Apparently CBOS was so "surprised" with this wrong entry that it
still keeps it in its NVRAM alongside the right one and refuses all
my attempts to delete it.)
Anyway, everything works now both from Linux and W2K.
When pptp connection is active CBOS terminal correctly shows
GRE mapping to 10.0.0.2.
Moreover, when I experimented with Linux box (IP 10.0.0.2) which
also has VMware and virtual W2K (IP 10.0.0.3), I was able to
alternatively connect with W2K pptp client.
In that case CBOS "show nat" command displayed both static
NAT entry for 10.0.0.2 and dynamic NAT entry for 10.0.0.3.
Happy end.
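
Added example, not part of the original post: a small Python classifier showing why the working entry above has to match IP protocol 47 rather than a port. PPTP's control channel is TCP port 1723, but the tunnel data is enhanced GRE (RFC 2637), which carries a call ID and no port fields at all. The server address 192.0.2.10, source port 1035 and call ID 7 are constructed sample values.

```python
import struct

PROTO_TCP, PROTO_GRE = 6, 47   # IP protocol numbers (IPv4 header byte 9)
PPTP_CONTROL_PORT = 1723       # TCP port of the PPTP control channel
GRE_PPP = 0x880B               # protocol type in PPTP's enhanced GRE header

def classify(packet: bytes) -> dict:
    """Describe an IPv4 packet by the fields a NAT has available to match on."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    proto, body = packet[9], packet[(packet[0] & 0x0F) * 4:]
    if proto == PROTO_TCP:
        if len(body) < 4:
            raise ValueError("truncated TCP header")
        sport, dport = struct.unpack("!HH", body[:4])
        kind = "pptp-control" if PPTP_CONTROL_PORT in (sport, dport) else "tcp"
        return {"kind": kind, "protocol": proto, "sport": sport, "dport": dport}
    if proto == PROTO_GRE:
        if len(body) < 8:
            raise ValueError("truncated GRE header")
        flags, ptype, plen, call_id = struct.unpack("!HHHH", body[:8])
        # Enhanced GRE: version 1, key bit set, payload is PPP. No port fields.
        if (flags & 0x0007) != 1 or not (flags & 0x2000) or ptype != GRE_PPP:
            return {"kind": "gre-other", "protocol": proto}
        return {"kind": "pptp-data", "protocol": proto,
                "call_id": call_id, "payload_len": plen}
    return {"kind": "other", "protocol": proto}

def ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (checksum left at zero) for the samples."""
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return hdr + addr(src) + addr(dst) + payload

# Constructed samples: 10.0.0.2 is the inside host from the post,
# 192.0.2.10 is a placeholder server address.
CONTROL = ipv4(PROTO_TCP, "10.0.0.2", "192.0.2.10",
               struct.pack("!HH", 1035, PPTP_CONTROL_PORT) + bytes(16))
DATA = ipv4(PROTO_GRE, "192.0.2.10", "10.0.0.2",
            struct.pack("!HHHHI", 0x3001, GRE_PPP, 4, 7, 1) + b"\xff\x03\xc0\x21")
TCP_PORT_47 = ipv4(PROTO_TCP, "192.0.2.10", "10.0.0.2",
                   struct.pack("!HH", 1035, 47) + bytes(16))

if __name__ == "__main__":
    for name, pkt in (("control", CONTROL), ("data", DATA), ("tcp/47", TCP_PORT_47)):
        print(name, classify(pkt))
```

The inbound tunnel packet is identified only by protocol number 47 and its call ID, while a TCP packet addressed to port 47 is ordinary TCP and never carries tunnel data.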