Cisco – Allowing incoming VPN connections through a Cisco 2921 to a DD-WRT Device

Tags: cisco, router, vpn

The Cisco Router is connected to the WAN on Gi0/2 and connected to the 192.168.1.0/24 LAN on Gi0/0.

The DD-WRT Device's IP is 192.168.1.3/24.

I want the DD-WRT Router to handle the incoming VPN connections (PPTP).

On the Cisco device I'm assuming I need an ACL applied inbound on the Internet interface, allowing TCP (and UDP?) 47 and TCP 1723 from any IP, and an inbound NAT setup for TCP 1723 (applied to the WAN IP?).

Running Config

R1#show run
Building configuration...

Current configuration : 1903 bytes
!
! Last configuration change at 01:16:34 UTC Fri Feb 22 2013
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
enable secret *************************
enable password ****************************
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.1 192.168.2.99
ip dhcp excluded-address 192.168.2.1 192.168.2.50
!
ip dhcp pool DHCP_POOL
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 8.8.8.8
 domain-name subnet2.local
!
!
multilink bundle-name authenticated
!
!
!
!
!
crypto pki token default removal timeout 0
!
!
voice-card 0
!
!
!
!
!
!
!
license udi pid CISCO2921/K9 sn FTX1703AHBN
hw-module pvdm 0/0
!
!
!
!
redundancy
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address ****************
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 **************
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
gatekeeper
 shutdown
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password *******************
 login
 transport input all
!
scheduler allocate 20000 1000
end

Config After Suggested Commands

R1#ping 8.8.8.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R1#show run
Building configuration...

Current configuration : 2152 bytes
!
! Last configuration change at 01:40:48 UTC Fri Feb 22 2013
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
enable secret ***********************
enable password **********************
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.1 192.168.2.99
ip dhcp excluded-address 192.168.2.1 192.168.2.50
!
ip dhcp pool DHCP_POOL
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 8.8.8.8
 domain-name subnet2.local
multilink bundle-name authenticated
crypto pki token default removal timeout 0
voice-card 0
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address WAN IP XXXXXXXX
 ip access-group 110 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0/2 overload
ip nat inside source static tcp 192.168.1.3 1723 interface GigabitEthernet0/2 1723
ip route 0.0.0.0 0.0.0.0 108.162.28.169
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip any any
access-list 110 permit gre any host 192.168.1.3 log
access-list 110 permit tcp any host 192.168.1.3 eq 1723
control-plane
mgcp profile default
gatekeeper
 shutdown
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password ********************
 login
 transport input all
!
scheduler allocate 20000 1000
end

R1#

Best Answer

Given:

access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface gi0/2 overload
interface gi0/0
 ip nat inside

interface gi0/2
 ip nat outside

Then you can forward the port for DDWRT as follows:

ip nat inside source static tcp 192.168.1.3 1723 interface gi0/2 1723

It turns out that to forward ports for PPTP, you don't need to open port 47, but protocol 47.

IP Protocol 47 is also known as GRE (Generic Routing Encapsulation).

access-list 101 permit 47 any host 192.168.1.3 log
access-list 101 permit tcp any host 192.168.1.3 eq 1723
access-list 101 permit ip any any

You can apply the ACL to the interface:

int gi0/2
 ip access-group 101 in

Edit:

You were missing the permit ip any any line, which is why you lost LAN access (probably).
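The failure in the "Config After Suggested Commands" output is a consistency problem rather than a syntax one: ACL 110 is the one applied inbound on Gi0/2, but the permit ip any any landed in ACL 101, which is applied nowhere, so the implicit deny at the end of ACL 110 drops all return traffic for the NAT'd LAN. The following Python is an added example (not from the question or the answer) that audits a constructed excerpt of the asker's running-config for the three things the answer requires of the inbound ACL on the NAT outside interface: GRE to the forwarded host, TCP 1723 to the forwarded host, and a trailing catch-all permit.

```python
from collections import defaultdict

# Constructed excerpt of the "Config After Suggested Commands" running-config shown on this page.
RUNNING_CONFIG = """\
interface GigabitEthernet0/2
 ip access-group 110 in
 ip nat outside
ip nat inside source static tcp 192.168.1.3 1723 interface GigabitEthernet0/2 1723
access-list 101 permit ip any any
access-list 110 permit gre any host 192.168.1.3 log
access-list 110 permit tcp any host 192.168.1.3 eq 1723
"""
# The fix from the answer: the catch-all belongs at the end of the ACL that is actually applied.
FIXED_CONFIG = (RUNNING_CONFIG.replace("access-list 101 permit ip any any\n", "")
                + "access-list 110 permit ip any any\n")

def parse(config):
    """Return ACL entries, the inbound ACL on each 'ip nat outside' interface, and the forwarded host/port."""
    acls, applied, outside = defaultdict(list), {}, set()
    iface = forwarded = None
    for line in config.splitlines():
        words = line.split()
        if line.startswith("interface "):
            iface = words[1]
        elif line.startswith(" ip access-group ") and words[-1] == "in":
            applied[iface] = words[2]
        elif line.strip() == "ip nat outside":
            outside.add(iface)
        elif line.startswith("access-list "):
            acls[words[1]].append(" ".join(words[2:]))  # e.g. "permit gre any host 192.168.1.3 log"
        elif line.startswith("ip nat inside source static tcp "):
            forwarded = (words[6], words[7])            # inside host and inside port
    return acls, {i: applied[i] for i in outside if i in applied}, forwarded

def audit(config):
    """List what would stop the PPTP forward from working; an empty list means ACL and NAT agree."""
    acls, outside_in, (host, port) = parse(config)
    findings = []
    for iface, acl in outside_in.items():
        entries = acls.get(acl, [])
        if not any(e.startswith((f"permit gre any host {host}", f"permit 47 any host {host}")) for e in entries):
            findings.append(f"ACL {acl} on {iface} does not permit GRE (IP protocol 47) to {host}")
        if not any(e.startswith(f"permit tcp any host {host} eq {port}") for e in entries):
            findings.append(f"ACL {acl} on {iface} does not permit TCP {port} to {host}")
        if "permit ip any any" not in entries:
            findings.append(f"ACL {acl} on {iface} ends in the implicit deny, so NAT return traffic for the LAN is dropped")
    for name, entries in acls.items():
        if name not in outside_in.values() and "permit ip any any" in entries:
            findings.append(f"ACL {name} holds 'permit ip any any' but is not applied to the outside interface")
    return findings
```

Running audit(RUNNING_CONFIG) reports both the implicit deny on ACL 110 and the unapplied catch-all in ACL 101, while audit(FIXED_CONFIG) returns no findings.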