PPTP and Cisco

TC Wolsey twolsey at realtech.com
Thu Oct 14 11:03:54 EDT 1999


> Cynthia Tercero <cynthia at xerox.com.ni> 10/13/99 12:34PM >>>
>
>Hi,
>
>I'm trying to configure a communication to a VPN using PPTP, I'm a client
>of the system. But, we have a firewall configured through Access-list in
>our Cisco router.
>
>We've added an entry to permit tcp from any host to our subnet at port
>261, 1747 and 47. But when the system is trying to pass the username and
>password to the VPN at Cisco terminal monitor appears something like this:
>
>list 333 denied 47 tcp xxx.xxx.xxx.xx -> xxx.xx.xx.xx, 22 packets
>
>Does anybody know which one could be the cause of this message?
>
>At the Microsoft site appears the following paragraph but I really don't
>know how to configure the IP protocol in order to use ID 47 and don't know
>if the above message has some relation with this issue.
>
>
>"Using PPTP with Firewalls and Routers
>PPTP traffic uses TCP port 1723, and IP protocol uses ID 47, as assigned
>by the Internet Assigned Numbers Authority (IANA). PPTP can be used with
>most firewalls and routers by enabling traffic destined for port 1723 to
>be routed through the firewall or router."   
>
>Thank you for your answers!
>
>Cynthia 

I see this posted here pretty often. From the VPN list FAQ Q6:

So no, the VPN list moderator doesn't think that PPTP is a reasonable VPN solution, at least from the
security point of view. Your mileage may vary.

Maybe some of the stuff below can be included in the FAQ, so posts like this can be referred there. At least that way anybody that needs the answer to the access-list question has to read the brief protocol analysis to get it. Is this the responsible thing to do, or am I being overly harsh here? Anyway, Cynthia, if after reading the VPN FAQ you still wish to use PPTP (or maybe you have read it and made this decision already) here is what you are looking for.

From a deployment I did recently.... (replace XXX with IP address of the PPTP box)

interface Serial0/0
 description Internet interface
 ip address ZZZ.ZZZ.ZZZ.ZZZ 255.255.255.252
 ip access-group inet_inbound in

ip access-list extended inet_inbound
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit tcp any host XXX.XXX.XXX.XXX eq 1723
 permit gre any host XXX.XXX.XXX.XXX
 --more stuff here as needed

--tcw

PS. After reading my post, it may seem contradictory. Actually I work for an integrator, and sometimes clients take risks that I do not recommend. :-(
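To show why the entries in the question never match the tunnel traffic, here is an added example (not from the original post, and not Cisco code) that models first-match evaluation of an extended access-list over constructed PPTP packets; the server address is a placeholder for XXX.XXX.XXX.XXX.

```python
# Added example: a minimal model of Cisco extended access-list evaluation.
# PPTP needs two things through the router: the control channel on TCP/1723
# and the data channel carried as GRE, which is IP protocol 47, not a port.
from dataclasses import dataclass
from typing import List, Optional

PPTP_SERVER = "203.0.113.10"   # constructed placeholder for the PPTP box


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "gre" (IP protocol 47)
    dst: str
    dport: Optional[int] = None  # only meaningful for tcp/udp


@dataclass(frozen=True)
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    dst: Optional[str]          # None models "any"
    dport: Optional[int] = None  # None models no "eq <port>" clause

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dst is not None and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for entry in acl:
        if entry.matches(p):
            return entry.action
    return "deny"


# The question's list: only TCP ports are permitted, so a GRE packet
# (protocol 47) falls through to the implicit deny, as the log line shows.
QUESTION_ACL = [Entry("permit", "tcp", PPTP_SERVER, port) for port in (261, 1747, 47)]

# The reply's list: TCP/1723 for the control channel plus GRE for the tunnel.
REPLY_ACL = [Entry("permit", "tcp", PPTP_SERVER, 1723),
             Entry("permit", "gre", PPTP_SERVER)]

# Constructed sample packets as the router would see them from a PPTP client.
CONTROL = Packet("tcp", PPTP_SERVER, 1723)
TUNNEL = Packet("gre", PPTP_SERVER)
```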





****************************************************************
TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com

The VPN FAQ (under construction) is available at
http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html

We are currently experiencing "unsubscribe" difficulties.  If you
wish to unsubscribe, please send a message containing the single line
"unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com

****************************************************************