New Member

GRE through DPC3939B - Protocol 47?

I have been trying to connect a GRE tunnel between my Cisco routers and am having no luck. I have tried to research what I need to do, but all I can find are the following references:

1. forward port 1701 and 1723 from my DPC3939B directly to the router IP inside (currently 10.1.10.100)

2. forward "protocol 47" from my DPC3939B directly to the router IP inside (currently 10.1.10.100)

I have added the static port mappings for 1701 and 1723 to the internal IP address, but I see no "protocol" options in the DPC3939B. Will I be able to set up the GRE (VPN) network through the Comcast Business gateway?

I am connecting a remote Cisco 3825 to an internal Cisco 1841 that sits behind the Comcast gateway.

Cisco 1841 -> Comcast Cisco DPC3939B -> Internet <- Comcast router <- Cisco 3825

Any suggestions would be appreciated. I need to get this working ASAP.

Thank you,

BlueVine

Trusted Forum Contributor

Re: GRE through DPC3939B - Protocol 47?

Hello bluevine and welcome,

First, if you are using 10.1.10.100 and this is inside your DHCP server's dynamic IP range, then it will not work, because this address is not static by nature. So, I would recommend that you change your DPC3939B LAN DHCP start address to 10.1.10.10 instead of 10.1.10.2. This will give you 10.1.10.2 through 10.1.10.9 to use as pseudo-static IP addresses outside the dynamic IP range. Another alternative is to change your DPC3939B LAN DHCP ending address to 10.1.10.99; this will put your 10.1.10.100 also outside the dynamic range, and it will only be used by your 1841 if programmed in force feed mode.

 

Lastly, it is imperative that your configuration scenario is clearly understood as the following will clarify and assist you :

 

"1) If RRAS based VPN server is behind a firewall (i.e. a firewall is placed between Internet and RRAS server), then following ports need to be opened (bidirectional) on this firewall to allow VPN traffic to pass through:

  • For PPTP:
    • IP Protocol=TCP, TCP Port number=1723   <- Used by PPTP control path
    • IP Protocol=GRE (value 47)   <- Used by PPTP data path
  • For L2TP:
    • IP Protocol Type=UDP, UDP Port Number=500    <- Used by IKEv1 (IPSec control path)
    • IP Protocol Type=UDP, UDP Port Number=4500   <- Used by IKEv1 (IPSec control path)
    • IP Protocol Type=ESP (value 50)   <- Used by IPSec data path
  • For SSTP:
    • IP Protocol=TCP, TCP Port number=443   <- Used by SSTP control and data path
  • For IKEv2:
    • IP Protocol Type=UDP, UDP Port Number=500    <- Used by IKEv2 (IPSec control path)
    • IP Protocol Type=UDP, UDP Port Number=4500   <- Used by IKEv2 (IPSec control path)
    • IP Protocol Type=ESP (value 50)   <- Used by IPSec data path

2) If RRAS server is directly connected to Internet, then you need to protect RRAS server from the Internet side (i.e. only allow access to the services on the public interface that is accessible from the Internet side). This can be done using RRAS static filters or running Windows Firewall on the public interface (or the interface towards the Internet side). In this scenario the following ports need to be opened (bidirectional) on RRAS box to allow VPN traffic to pass through:

    • For PPTP:
      • IP Protocol=TCP, TCP Port number=1723  <- Used by PPTP control path
      • IP Protocol=GRE (value 47)  <- Used by PPTP data path
    • For L2TP:
      • IP Protocol Type=UDP, UDP Port Number=500   <- Used by IKEv1 (IPSec control path)
      • IP Protocol Type=UDP, UDP Port Number=4500 <- Used by IKEv1 (IPSec control path)
      • IP Protocol Type=UDP, UDP Port Number=1701  <- Used by L2TP control/data path
      • IP Protocol Type=50  <- Used by data path (ESP)
    • For SSTP:
      • IP Protocol=TCP, TCP Port number=443   <- Used by SSTP control and data path
    • For IKEv2:
      • IP Protocol Type=UDP, UDP Port Number=500   <- Used by IKEv2 (IPSec control path)
      • IP Protocol Type=UDP, UDP Port Number=4500 <- Used by IKEv2 (IPSec control path)
      • IP Protocol Type=UDP, UDP Port Number=1701  <- Used by L2TP control/data path
      • IP Protocol Type=50 <- Used by data path (ESP)

Note: Please DO NOT configure RRAS static filters if you are running on the same server RRAS based NAT router functionality. This is because RRAS static filters are stateless and NAT translation requires a stateful edge firewall like ISA firewall."


Hope this helps you out.
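An added example, not from the thread or either poster, that makes the two points concrete: a gateway whose forwarding table only understands TCP/UDP port mappings (the 1701/1723 entries) can never match GRE, because GRE is IPv4 protocol 47 and has no port field to match, and the inside host's address must sit outside the DHCP pool. The packet bytes and rule table are constructed here, and ForwardRule, parse_ipv4, forward_target and outside_dhcp_pool are names chosen for this example.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IANA IP protocol numbers named in the thread
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP = 6, 17, 47, 50

@dataclass(frozen=True)
class ForwardRule:
    """One gateway forwarding entry; port is None for port-less protocols (GRE, ESP)."""
    proto: int
    port: Optional[int]
    target: str

def parse_ipv4(pkt: bytes) -> Tuple[int, Optional[int]]:
    """Return (protocol number, destination port) from a raw IPv4 packet.
    GRE and ESP headers carry no port fields, so the port is None for them."""
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]                     # IPv4 'protocol' field
    if proto in (PROTO_TCP, PROTO_UDP):
        # both TCP and UDP keep the destination port at offset 2 of the L4 header
        return proto, struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return proto, None

def forward_target(pkt: bytes, rules: List[ForwardRule]) -> Optional[str]:
    """Inside host the gateway would hand this packet to, or None if no rule matches."""
    proto, dport = parse_ipv4(pkt)
    for rule in rules:
        if rule.proto == proto and (rule.port is None or rule.port == dport):
            return rule.target
    return None

def build_packet(proto: int, dport: Optional[int] = None) -> bytes:
    """Constructed sample: minimal IPv4 header plus an 8-byte transport stub."""
    src = ipaddress.ip_address("198.51.100.1").packed   # documentation addresses
    dst = ipaddress.ip_address("203.0.113.1").packed
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0, src, dst)
    if dport is None:
        return hdr + b"\x00" * 8       # GRE/ESP stub: nothing port-like to inspect
    return hdr + struct.pack("!HHI", 1024, dport, 0)

def outside_dhcp_pool(host: str, pool_start: str, pool_end: str) -> bool:
    """Reply's first point: a pseudo-static LAN address must lie outside the dynamic range."""
    h = ipaddress.ip_address(host)
    return not (ipaddress.ip_address(pool_start) <= h <= ipaddress.ip_address(pool_end))
```

With only the 1701/1723 mappings in the table, forward_target returns None for a GRE packet; only an entry for protocol 47 itself sends it to the inside router.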