The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The PPTP Port Address Translation feature supports the Point-to-Point Tunneling Protocol (PPTP) application layer gateway (ALG) for Port Address Translation (PAT) configuration. PAT configuration requires the PPTP ALG to parse PPTP packets. The PPTP ALG is enabled by default when Network Address Translation (NAT) is configured.
This module provides information about how to configure the PPTP ALG for PAT.
The Point-to-Point Tunneling Protocol (PPTP) application layer gateway (ALG) does not support virtual TCP (vTCP) and TCP segments.
The PPTP ALG will not work in Carrier Grade Network Address Translation (NAT) mode, when the NAT client and server use the same call ID.
The Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to an enterprise server by creating a VPN across TCP/IP-based data networks. PPTP encapsulates PPP packets into IP datagrams for transmission over the Internet or other public TCP/IP-based networks.
PPTP establishes a tunnel for each communicating PPTP network server (PNS)-PPTP Access Concentrator (PAC) pair. After the tunnel is set up, PPP packets are exchanged using enhanced generic routing encapsulation (GRE). A call ID present in the GRE header indicates the session to which a particular PPP packet belongs.
Network Address Translation (NAT) translates only the IP address and the port number of a PPTP message. Static and dynamic NAT configurations work with PPTP without the requirement of the PPTP application layer gateway (ALG). However, Port Address Translation (PAT) configuration requires the PPTP ALG to parse the PPTP header and facilitate the translation of call IDs in PPTP control packets. NAT then parses the GRE header and translates call IDs for PPTP data sessions. The PPTP ALG does not translate any embedded IP address in the PPTP payload. The PPTP ALG is enabled by default when NAT is configured.
NAT recognizes PPTP packets that arrive on the default TCP port, 1723, and invokes the PPTP ALG to parse control packets. NAT translates the call ID parsed by the PPTP ALG by assigning a global address or port number. Based on the client and server call IDs, NAT creates two doors based on the request of the PPTP ALG. ( A door is created when there is insufficient information to create a complete NAT-session entry. A door contains information about the source IP address and the destination IP address and port.) Two NAT sessions are created (one with the server call ID and the other with the client call ID) for two-way data communication between the client and server. NAT translates the GRE packet header for data packets that complies with RFC 2673.
PPTP is a TCP-based protocol. Therefore, when NAT recognizes a TCP packet as a PPTP packet, it invokes the PPTP ALG parse-callback function. The PPTP ALG fetches the embedded call ID from the PPTP header and creates a translation token for the header. The PPTP ALG also creates data channels for related GRE tunnels. After ALG parsing, NAT processes the tokens created by the ALG.
The default timer for PPTP is 24 hours. This means that a generic routing encapsulation (GRE) session will live for 24 hours when deploying static and dynamic NAT. Based on your PPTP configuration and scaling requirement, you adjust the PPTP default timer.
Some PPTP clients and servers send keepalive messages to keep GRE sessions alive. You can adjust the NAT session timer for PPTP sessions by using the ip nat translation pptp-timeout command.
The Point-to-Point Tunneling Protocol (PPTP) application layer gateway (ALG) is enabled by default when Network Address Translation (NAT) is configured. Use the no ip nat service pptp command to disable the PPTP ALG. Use the ip nat service pptp command to reenable PPTP ALG translation of applications.
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
enable Example: |
|
| Step 2 |
configure terminal Example: |
Enters global configuration mode. |
| Step 3 |
interface type number Example: |
Enables an interface and enters interface configuration mode. |
| Step 4 |
ip nat inside Example: |
Connects the interface to the inside network, which is subject to NAT. |
| Step 5 |
exit Example: |
Exits interface configuration mode and enters global configuration mode. |
| Step 6 |
interface type number Example: |
Enables an interface and enters interface configuration mode. |
| Step 7 |
ip nat outside Example: |
Connects the interface to the outside network. |
| Step 8 |
exit Example: |
Exits interface configuration mode and enters global configuration mode. |
| Step 9 |
ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} Example: |
Defines a pool of IP addresses for NAT translations. |
| Step 10 |
ip nat inside source list {access-list-number | access-list-name} pool name overload Example: |
|
| Step 11 |
ip access-list standard access-list-name Example: |
Defines a standard IP access list by name to enable packet filtering and enters standard access-list configuration mode. |
| Step 12 |
permit host-ip Example: |
Sets conditions in named IP access lists that permit packets. |
| Step 13 |
end Example: |
Exits standard access-list configuration mode and enters privileged EXEC mode. |
Device# configure terminal
Device(config)# interface gigabitethernet 0/0/1
Device(config-if)# ip nat inside
Device(config-if)# exit
Device(config)# interface gigabitethernet 0/1/0
Device(config-if)# ip nat outside
Device(config-if)# exit
Device(config)# ip nat pool pptp-pool 192.168.0.1 192.168.0.234 prefix-length 24
Device(config)# ip nat inside source list pptp-acl pool pptp-pool overload
Device(config)# ip access-list standard pptp-acl
Device(config-std-nacl)# permit 10.1.1.1
Device(config-std-nacl)# end| Related Topic | Document Title |
|---|---|
|
Cisco IOS commands |
|
|
NAT commands |
| Standard/RFC | Title |
|---|---|
|
RFC 2637 |
Point-to-Point Tunneling Protocol (PPTP) |
| Description | Link |
|---|---|
|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
|
Feature Name |
Releases |
Feature Information |
|---|---|---|
|
PPTP Port Address Translation Support |
Cisco IOS XE Release 3.9S |
The PPTP Port Address Translation Support feature introduces the Point-to-Point Tunneling Protocol (PPTP) application layer gateway (ALG) for Port Address Translation (PAT) configuration. PAT configuration requires the PPTP ALG to parse PPTP packets. The PPTP ALG is enabled by default when Network Address Translation (NAT) is configured. The following commands were introduced or modified: debug platform hardware qfp feature alg datapath pptp, ip nat service pptp, show platform hardware qfp feature alg statistics pptp. |
Feedback