  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4361

PPTP passthrough enabled on Cisco 857 router for SBS VPN - is this config okay?

Hi all,

I've recently enabled the SBS 2003 Premium (with ISA 2004) VPN in our environment, which is as below:

CISCO 857 ADSL Router (192.168.2.1) -> SBS External NIC (192.168.2.11) -> SBS Internal NIC (192.168.1.11) -> Internal LAN

I had to enable PPTP passthrough which I've never done before on the Cisco router, and I just want to ensure that I've done it correctly. All is working, but I don't want to have opened anything up unnecessarily.

Our config (with certain data having its values changed for their own safety :)) is as below. 7 lines were added for the VPN passthrough and are marked as below. Are they all necessary? Not sure about all the NAT'ing for example.

If anyone has any recommendations on how to generally tighten up the config, that'd be great, too!

Also - a quick query about this type of VPN. It seems to me that if the client is behind a router/firewall that doesn't pass through VPN traffic, you can't connect to your remote site, which would make roaming a little tricky. Am I right in assuming that? Are there any tips or tricks for roaming users (using hotel connections, things like that)?

Thanks in advance!


===================================
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname myro01
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$gqbB$13s8uZPpto..56q2PnRjN/
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 12
clock summer-time PCTime date Mar 16 2003 3:00 Oct 5 2003 2:00
ip subnet-zero
no ip source-route
!
!
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
no ip domain lookup
ip domain name mydomain.local
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-4156690054
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4156690054
 revocation-check none
 rsakeypair TP-self-signed-4156690054
!
!
crypto pki certificate chain TP-self-signed-4156690054
 certificate self-signed 01
  quit
username adminuser privilege 15 secret 5 $1$qy0G$jta9p0THaaw4iurWhWL7U.
!
!
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.2.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username account@myisp.com password 7 0021560716995351
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 192.168.2.11 1701 interface Dialer0 1701 // added for VPN
ip nat inside source static udp 192.168.2.11 500 interface Dialer0 500 // added for VPN
ip nat inside source static tcp 192.168.2.11 1723 interface Dialer0 1723 // added for VPN
ip nat inside source static tcp 192.168.2.11 443 interface Dialer0 443
ip nat inside source static tcp 192.168.2.11 25 interface Dialer0 25
ip nat inside source static tcp 192.168.2.11 4125 interface Dialer0 4125
ip nat inside source static tcp 192.168.2.11 64556 interface Dialer0 64556
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip 192.168.2.0 0.0.0.255 any
access-list 101 permit tcp any host my_static_ip eq 64556
access-list 101 permit tcp any host my_static_ip eq 4125
access-list 101 permit tcp any host my_static_ip eq smtp
access-list 101 permit tcp any host my_static_ip eq 443
access-list 101 permit tcp any host my_static_ip eq 1723 // added for VPN
access-list 101 permit udp any host my_static_ip eq isakmp // added for VPN
access-list 101 permit udp any host my_static_ip eq 1701 // added for VPN
access-list 101 permit gre any host my_static_ip // added for VPN
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Asked:
slamit
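To answer the "are they all necessary?" question in a repeatable way, here is a small audit script I added (not the poster's or Cisco's code). It parses the static NAT and ACL 101 lines in the SDM-style form used above and checks them against what each Microsoft VPN flavour actually needs: PPTP is TCP/1723 plus GRE, while UDP/500 and UDP/1701 belong to L2TP/IPsec. The excerpt in `SAMPLE` is constructed from the posted lines, and the regexes only cover the exact line shapes seen in this config.

```python
import re

# PPTP: TCP/1723 control channel plus GRE (IP protocol 47) for the tunnel.
# L2TP/IPsec: UDP/500 (ISAKMP), UDP/4500 (NAT-T), ESP (protocol 50), UDP/1701.
PPTP = {("tcp", 1723), ("gre", None)}
L2TP_IPSEC = {("udp", 500), ("udp", 4500), ("udp", 1701), ("esp", None)}
PORT_NAMES = {"isakmp": 500, "smtp": 25, "www": 80, "domain": 53}
ORDER = lambda p: (p[0], p[1] or 0)  # stable sort for (proto, port-or-None)
NAT_RE = re.compile(r"ip nat inside source static (tcp|udp) \S+ \d+ interface \S+ (\d+)")
ACL_RE = re.compile(r"access-list \d+ permit (tcp|udp|gre|esp) any host \S+(?: eq (\S+))?")

def port_num(token):
    # IOS accepts either a number or a well-known name after "eq".
    return None if token is None else PORT_NAMES.get(token, int(token) if token.isdigit() else None)

def parse_config(text):
    """Collect (proto, port) pairs from static NAT entries and inbound ACL permits."""
    nat, acl = set(), set()
    for raw in text.splitlines():
        line = raw.split("//")[0].strip()  # drop the poster's "// added for VPN" notes
        m = NAT_RE.match(line)
        if m:
            nat.add((m.group(1), int(m.group(2))))
        m = ACL_RE.match(line)
        if m:
            acl.add((m.group(1), port_num(m.group(2))))
    return nat, acl

def audit(text, vpn="pptp"):
    """Flag missing, surplus and mismatched passthrough lines for the chosen VPN type."""
    nat, acl = parse_config(text)
    needed, other = (PPTP, L2TP_IPSEC) if vpn == "pptp" else (L2TP_IPSEC, PPTP)
    proto_only = {("gre", None), ("esp", None)}  # handled by the NAT ALG, no static entry
    return {
        "missing_acl": sorted(needed - acl, key=ORDER),
        "not_needed": sorted(acl & other, key=ORDER),     # belongs to the other VPN type
        "nat_without_acl": sorted(nat - acl, key=ORDER),  # ACL 101 drops it anyway
        "acl_without_nat": sorted(acl - nat - proto_only, key=ORDER),  # reaches router only
    }

# Constructed excerpt of the posted config (only NAT and ACL 101 lines matter here).
SAMPLE = """
ip nat inside source static udp 192.168.2.11 1701 interface Dialer0 1701 // added for VPN
ip nat inside source static udp 192.168.2.11 500 interface Dialer0 500 // added for VPN
ip nat inside source static tcp 192.168.2.11 1723 interface Dialer0 1723 // added for VPN
access-list 101 permit tcp any host my_static_ip eq 1723 // added for VPN
access-list 101 permit udp any host my_static_ip eq isakmp // added for VPN
access-list 101 permit udp any host my_static_ip eq 1701 // added for VPN
access-list 101 permit gre any host my_static_ip // added for VPN
access-list 101 permit icmp any any echo-reply
"""
```

Running `audit(SAMPLE)` reports the two UDP lines as not needed for PPTP and nothing missing; `audit(SAMPLE, "l2tp")` shows what an L2TP/IPsec setup would still lack.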
dhoustonie commented:
Hi it seems okay, you have both gre and port 1723 forwarded to the server.
One recommendation, when posting a config file, do not include the username and secret password as they are reverse engineerable.
Have you tried VPNing in yet?
David
slamit (Author) commented:
Hi, yeah, I scrambled the secret before I posted it, so all good on that part. :) Yeah, no problem at all VPNing, was just wanting some expert opinion on the config, anything that's unnecessary, things that can be tightened etc. Thanks!
Computer101 commented:
Forced accept.

Computer101
EE Admin