Home > Work With My Routers > Cisco Routers > Modify Security for an Internal VPN Server

Modify Security for an Internal VPN Server

     Introduction
     Requirements
     Modify Security for a VPN Server
          Add an ACL Rule for VPN Traffic
          Create an Address Translation Rule for VPN Traffic
     Next Step
     Troubleshoot the Procedure
     Related Information

Download PDF

Introduction

This document explains how to modify your router security settings so that you can use an internal VPN server.

Requirements

You must have completed the security configuration of your router in Set Up Internet Security on a Cisco Router.
Completed worksheets from the Site Survey:
- LAN Addressing Worksheet
- Internet Worksheet
- Internet Services Worksheet

Modify Security for a VPN Server

If you have a Microsoft PPTP VPN server inside your network, you can modify the security settings to allow VPN traffic. To modify your firewall to allow Microsoft PPTP VPN traffic, follow these steps:

Note: You do not need to make any changes to allow internal users to access a VPN outside your network.

Add an ACL Rule for VPN Traffic

To create a firewall rule to allow Microsoft PPTP VPN traffic, follow these steps:

Open a web browser and type http://router-IP-address in the Address field. The router's IP address is the IP address that you entered in the LAN Addressing Worksheet (field L6A).

Note: For further information about how to launch SDM, refer to Configure Your Router with Security Device Manager.
Click Configure.
Click the Firewall and ACL tab.
Click Edit Firewall Policy/ACL.
In the From interface, select your WAN interface and in the To interface select your LAN interface. Click Go.
Choose Returning Traffic.
Follow these steps to allow PPTP VPN traffic on TCP port 1723:
1. Next to Services, click Add > Insert After.
2. Next to Select an action, choose Permit.
3. Under Source Host/Network, choose Any IP Address.
4. Under Destination Host/Network, choose Any IP Address.
5. Under Protocol and Service, choose TCP.
6. Under Destination Port, replace the word any with 1723. Click OK to select the service, then click OK to confirm the rule.
Follow these steps to allow PPTP VPN traffic on IP port 47:
1. Next to Services, click Add > Insert After.
2. Next to Select an action, choose Permit.
3. Under Source Host/Network, choose Any IP Address.
4. Under Destination Host/Network, choose Any IP Address.
5. Under Protocol and Service, choose IP.
6. Under IP Protocol, click the details button (...) and select gre (47). Click OK to select the service, then click OK to confirm the rule.

Create an Address Translation Rule for VPN Traffic

To create an address translation rule to allow Microsoft PPTP VPN traffic, follow these steps:

Follow these steps to add an address translation rule for TCP port 1723:
1. Click the NAT tab.
2. Click Add to add a new translation rule.
3. At the Add Address Translation Rule screen, choose Static. Next to Direction, choose From inside to outside.
4. Under Inside Interface(s), enter the internal IP address of your server that you entered in field F5 of the Internet Services worksheet.
5. Under Outside Interface(s), enter the public IP address of your WAN connection.
6. Under IP Address, check Redirect Port. Choose TCP and enter port 1723 in the Original Port and Translated Port fields.
7. Click OK to confirm.
Click File > Write to Startup Config to save your configuration.