Re: PPTP and NAT

Tech-Archive recommends: Fix windows errors by optimizing your registry

From: Bill Grant (not.available_at_online)
Date: 07/27/04 

Date: Tue, 27 Jul 2004 17:06:00 +1000

   If you get an error 721 it is probably caused by GRE being blocked. Since
the tunnelled data has a GRE header, anything blocking GRE in either
direction causes a failure. So check that GRE is not blocked by either
firewall. Even a personal firewall on the client can do it.

"TwistedPair" <twistedpair@mail.com> wrote in message
news:#8mb5E2cEHA.3108@TK2MSFTNGP11.phx.gbl...
> Hmm . . . Yeah, that is definitely a good point. But now that I know it
can
> be done, I need to figure out why it isn't working for me. I am doing
port
> forwarding from my firewall into the VPN server. A client on the outside
> connects to the firewall, and gets to the "verifying username and
password"
> and it times out, and errors out. I have done a ton of searching for ways
> to resolve the issue. The only things I found was to be sure that I am
> forwarding TCP port 1723, and IP GRE protocol 47. Would there be anything
> else I am missing?
>
> Thanks,
> Pair
>
>
> "Phillip Windell" <@.> wrote in message
> news:O4BpDO1cEHA.1644@tk2msftngp13.phx.gbl...
> > I need to clairify something besides my other post. You are not NATing
> > anything twice. The "second" NAT is occuring on the *decapsulated*
traffic
> > after it is no longer part of the VPN Session. VPN only goes as far as
the
> > "termination point" of the Tunnel,...beyond that VPN no longer exists.
The
> > data stream is decapsulated at the end of the Tunnel and is just normal
> LAN
> > traffic from that point.
> >
> > --
> >
> > Phillip Windell [MCP, MVP, CCNA]
> > www.wandtv.com
> >
> >
> > "TwistedPair" <twistedpair@mail.com> wrote in message
> > news:uUrnSB1cEHA.3616@TK2MSFTNGP10.phx.gbl...
> > > Hi All,
> > > Here is the scenario:
> > >
> > > PPTP Server -> Firewall -> Internet -> Firewall -> Client
> > > 192.168.x.x
> > > 192.168.y.y
> > >
> > > I want to be able to NAT PPTP from one internal net to another after
it
> > had
> > > been NAT'ed to and from the Internet. Can this protocol cope with
this
> > > scenario?
> > >
> > > Thanks,
> > > Pair
> > >
> > >
> >
> >
>
>

Relevant Pages

  • Re: VPN/Remote Access
    ... The event log on the vpn server shows the connection being established but cannot be completed and suggests the same GRE issue. ... I updated the firmware on the hardware firewall to the latest version but that didn't help. ... I don't want to go buy a new firewall only to learn it was something on the offsite client network that wasn't passing the GRE. ...
    (microsoft.public.windows.server.sbs)
  • Re: VPN/Remote Access
    ... passing the GRE no matter that it said it was set to "vpn passthrough". ... So I ditched it and went back to a software firewall on the server. ... the one I was really trying to fix -- allow vpn access from a client ... It now appears that the client's network is also blocking the GRE. ...
    (microsoft.public.windows.server.sbs)
  • Re: error 721 the remote computer did not respond...
    ... And ask them how can you forward GRE to a computer from your LAN. ... Here it says that it supports VPN pass-through. ... with a very basic firewall connecting from ISA to the Internet. ... routers on the user's network are also configured to allow GRE packets. ...
    (microsoft.public.isa)
  • Re: Error 720 connecting to server via VPN
    ... Actually I've just tired that firewall rules and it didn't work. ... VPN client is not configured to allow Generic Routing Encapsulation (GRE) ... Should I setup a firewall rules to allow port 47? ... Port 1723 is allowed in my router for any WAN users to the server. ...
    (microsoft.public.windows.server.sbs)
  • Re: SBS 2003 RRAS
    ... Usually when it fails at verifying password, it means GRE 47 is not ... open/configure at the firewall. ... >>From an internal LAN client I can VPN connect to the server. ... I see nothing in the logs that a connection was ...
    (microsoft.public.windows.server.sbs)