The Cisco Router is connected to the WAN on Gi0/2 and connected to the 192.168.1.0/24 LAN on Gi0/0.
The DD-WRT Device's IP is 192.168.1.3/24.
I want the DD-WRT Router to handle the incoming VPN connections (PPTP).
On the Cisco device I'm assuming I need an ACL applied on the inbound on Internet interface, TCP (and UDP?) 47 and TCP 1723 allowed from any IP and an inbound NAT setup for TCP 1723 (applied to the WAN IP?)
Running Config
R1#show run
Building configuration...
Current configuration : 1903 bytes
!
! Last configuration change at 01:16:34 UTC Fri Feb 22 2013
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
enable secret *************************
enable password ****************************
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.1 192.168.2.99
ip dhcp excluded-address 192.168.2.1 192.168.2.50
!
ip dhcp pool DHCP_POOL
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 8.8.8.8
domain-name subnet2.local
!
!
multilink bundle-name authenticated
!
!
!
!
!
crypto pki token default removal timeout 0
!
!
voice-card 0
!
!
!
!
!
!
!
license udi pid CISCO2921/K9 sn FTX1703AHBN
hw-module pvdm 0/0
!
!
!
!
redundancy
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address ****************
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 **************
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
gatekeeper
shutdown
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password *******************
login
transport input all
!
scheduler allocate 20000 1000
end
Config After Suggested Commands
R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#show run
Building configuration...
Current configuration : 2152 bytes
!
! Last configuration change at 01:40:48 UTC Fri Feb 22 2013
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
enable secret ***********************.
enable password **********************
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.1 192.168.2.99
ip dhcp excluded-address 192.168.2.1 192.168.2.50
!
ip dhcp pool DHCP_POOL
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 8.8.8.8
domain-name subnet2.local
multilink bundle-name authenticated
crypto pki token default removal timeout 0
voice-card 0
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address WAN IP XXXXXXXX
ip access-group 110 in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0/2 overload
ip nat inside source static tcp 192.168.1.3 1723 interface GigabitEthernet0/2 1723
ip route 0.0.0.0 0.0.0.0 108.162.28.169
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip any any
access-list 110 permit gre any host 192.168.1.3 log
access-list 110 permit tcp any host 192.168.1.3 eq 1723
control-plane
mgcp profile default
gatekeeper
shutdown
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password ********************
login
transport input all
!
scheduler allocate 20000 1000
end
R1#
Best Answer
Given:
Then you can forward the port for DDWRT as follows:
It turns out that to forward ports for PPTP, you don't need to open port 47, but protocol 47.
IP Protocol 47 is also known as GRE (Generic Routing Encapsulation).
You can apply the ACL to the interface:
Edit:
Was missing the
permit ip any any
line, which is why you lost LAN access (probably).
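As an added illustration of the answer (this is not code from the original post or from either router), a small Python model of how IOS walks numbered extended ACL 110 inbound on Gi0/2: as posted, the list ends in the implicit deny, so the echo reply from 8.8.8.8 is dropped, which is the failed ping shown above, and the answer's "permit ip any any" is what lets it through. It assumes a placeholder WAN address 203.0.113.10 and a constructed remote client 198.51.100.7 in place of the redacted values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
WAN_IP = "203.0.113.10"  # constructed placeholder for the redacted Gi0/2 address
DDWRT = "192.168.1.3"    # the DD-WRT box from the question

@dataclass(frozen=True)
class Packet:
    proto: str               # "gre", "tcp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every protocol
    src: str                 # "any", a host address, or a prefix
    dst: str
    dport: Optional[int] = None   # models "eq <port>" on tcp/udp entries

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return _in(p.src, self.src) and _in(p.dst, self.dst)

def _in(addr: str, spec: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def evaluate(acl, p: Packet) -> str:
    # First matching entry wins; IOS ends every ACL with an implicit deny.
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"

# ACL 110 as posted in the question, and with the answer's catch-all appended.
ACL110_POSTED = [
    Ace("permit", "gre", "any", DDWRT),
    Ace("permit", "tcp", "any", DDWRT, 1723),
]
ACL110_FIXED = ACL110_POSTED + [Ace("permit", "ip", "any", "any")]
# Constructed packets as the inbound ACL on Gi0/2 sees them: IOS checks an inbound
# ACL before NAT on the outside interface, so the destination is still the WAN address.
ECHO_REPLY = Packet("icmp", "8.8.8.8", WAN_IP)            # reply to the failed ping above
PPTP_SYN = Packet("tcp", "198.51.100.7", WAN_IP, 1723)    # constructed remote PPTP client
GRE_DATA = Packet("gre", "198.51.100.7", WAN_IP)
```

Because the inbound ACL is checked before NAT, the two host-specific entries see the WAN address and never match; once the catch-all is present the ACL permits every inbound packet, so only the "log" keyword on the GRE line still does anything.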