paulweeden
VPN Error 806 - GRE - Cisco 877

Hi
I have a Cisco 877 that is working brilliantly, but for some reason I can't get GRE pass-through to work using the SDM interface.

I stopped using Cisco when it was all Pix and CLI stuff and have forgotten everything I learnt back then.

We are using an MS VPN connection and it stops at verifying username and password and returns an Error 806.

The config doesn't have any GRE items in it, however when I add it to access list 103 (which is the same list as pptp is on) the problem remains.  

Have tried the old 101 list etc., but am of the opinion I am missing something obvious, so please can you help?

Thanks

Paul
show run
Building configuration...
 
Current configuration : 10702 bytes
!
! Last configuration change at 16:48:20 PCTime Tue Oct 28 2008 by admin
! NVRAM config last updated at 16:46:59 PCTime Tue Oct 28 2008 by admin
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname gateway
!
boot-start-marker
boot-end-marker
!
no logging buffered
logging console critical
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization ipmobile default group rad_pmip 
aaa accounting network acct_methods start-stop group rad_acct
!
!
aaa session-id common
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-4121383024
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4121383024
 revocation-check none
 rsakeypair TP-self-signed-4121383024
!
!
crypto pki certificate chain TP-self-signed-4121383024
 certificate self-signed 01
  quit
dot11 syslog
no ip subnet-zero
ip cef
!
!
ip port-map user-protocol--2 port tcp 47
ip port-map user-protocol--1 port tcp 3101
ip port-map user-RWWp port tcp 4501 list 1 description Remote Web Workplace
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip name-server 158.152.1.43
ip name-server 158.152.1.58
!
!
!
username admin privilege 15 secret 5 $1$jPuP$l9waa1b5rqsEb/FqX3Mbg/
! 
!
archive
 log config
  hidekeys
!
!
!
class-map type inspect match-all sdm-nat-user-RWWp-1
 match access-group 106
 match protocol user-RWWp
class-map type inspect match-all sdm-nat-smtp-2
 match access-group 102
 match protocol smtp
class-map type inspect match-all sdm-nat-http-1
 match access-group 101
 match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 105
 match protocol user-protocol--1
class-map type inspect match-all sdm-nat-http-2
 match access-group 101
 match protocol http
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 102
 match protocol smtp
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-all sdm-nat-pptp-1
 match access-group 103
 match protocol pptp
class-map type inspect match-any sbs-services
 match protocol http
 match protocol https
 match protocol smtp
 match protocol imap
 match protocol imaps
 match protocol imap3
class-map type inspect match-all sdm-cls--1
 match class-map sbs-services
 match access-group name sbs-server
class-map type inspect match-all sdm-nat-pptp-2
 match access-group 103
 match protocol pptp
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any sdm-service-sdm-inspect-1
 match protocol http
 match protocol https
 match protocol aol
 match protocol msnmsgr
 match protocol ymsgr
 match protocol appleqtc
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
 match class-map sdm-service-sdm-inspect-1
class-map type inspect match-all sdm-nat-https-1
 match access-group 104
 match protocol https
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-inspect
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  drop log
policy-map type inspect sdm-permit
 class class-default
policy-map type inspect sdm-policy-sdm-cls--1
 class type inspect sdm-cls--1
  inspect
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-nat-smtp-2
  inspect
 class type inspect sdm-nat-pptp-1
  inspect
 class type inspect sdm-nat-https-1
  inspect
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class type inspect sdm-nat-user-RWWp-1
  inspect
 class type inspect sdm-nat-http-2
  inspect
 class type inspect sdm-nat-pptp-2
  inspect
 class class-default
policy-map type inspect sdm-permit-dmzservice
 class type inspect sdm-nat-smtp-1
  inspect
 class class-default
  drop
!
zone security dmz-zone
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-dmz source out-zone destination dmz-zone
 service-policy type inspect sdm-permit-dmzservice
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-dmz source in-zone destination dmz-zone
 service-policy type inspect sdm-permit-dmzservice
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-out-zone-in-zone source out-zone destination in-zone
 service-policy type inspect sdm-policy-sdm-cls--1
!
!
!
interface ATM0
 no ip address
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.3 point-to-point
 description $ES_WAN$
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
 switchport mode trunk
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 !
 encryption mode ciphers tkip 
 speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 station-role root
 world-mode dot11d country GB both
!
interface Vlan1
 description $FW_INSIDE$$ES_LAN$
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
interface Vlan2
 description DMZ$FW_DMZ$
 ip address 192.168.20.1 255.255.255.0
 zone-member security dmz-zone
!
interface Dialer3
 description $FW_OUTSIDE$
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer3
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip dns server
ip nat pool Inside 192.168.10.1 192.168.10.254 netmask 255.255.255.0
ip nat inside source list 4 interface Dialer3 overload
ip nat inside source static tcp 192.168.10.100 25 interface Dialer3 25
ip nat inside source static tcp 192.168.10.100 443 interface Dialer3 443
ip nat inside source static tcp 192.168.10.200 3101 interface Dialer3 3101
ip nat inside source static tcp 192.168.10.100 4501 interface Dialer3 4501
ip nat inside source static tcp 192.168.10.100 80 interface Dialer3 80
ip nat inside source static tcp 192.168.10.100 1723 interface Dialer3 1723
!
ip access-list extended sbs-server
 remark SDM_ACL Category=128
 permit ip any host 192.168.10.100
!
logging 192.168.10.100
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.10.100
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.20.0 0.0.0.255
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 192.168.10.0 0.0.0.255
access-list 4 remark SDM_ACL Category=2
access-list 4 permit 192.168.10.0 0.0.0.255
access-list 100 remark SDM_ACL Category=16
access-list 100 permit ip 192.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.10.100
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.10.100
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.10.100
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 192.168.10.100
access-list 105 remark SDM_ACL Category=0
access-list 105 permit ip any host 192.168.10.200
access-list 106 remark SDM_ACL Category=0
access-list 106 permit ip any host 192.168.10.100
dialer-list 1 protocol ip permit
no cdp run
!
!
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17179590
ntp server 207.46.232.182 source Dialer3 prefer
end
 
gateway#


Quori

I don't see permit gre any any within any of the ACLs. Furthermore, your outside interface is in the out-zone security zone; however, the out-zone has no inspection set for PPTP, etc.

Set an ACL on the outside interface for inbound traffic permitting gre packets, then configure some inspection.
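As an added check (not from this thread, Cisco, or SDM), a small Python script that scans config lines of the kind pasted above for the two points a GRE pass-through review starts with: GRE is IP protocol 47 and has no port, so a port-map of "tcp 47" never matches it, and a class that matches protocol pptp needs the access-group it references to admit GRE (a "permit gre" entry, or "permit ip", which covers every protocol). The SAMPLE excerpt is constructed from the question's own config lines; the function names are mine.

```python
import re

GRE_PROTO = 47  # GRE is IP protocol 47; it has no TCP/UDP port number

def acls_permitting_gre(config):
    """ACL ids with 'permit gre' or 'permit ip' (ip covers every protocol)."""
    found, named = set(), None
    for line in config.splitlines():
        if m := re.match(r"ip access-list \w+ (\S+)", line):
            named = m.group(1)              # start of a named-ACL block
        elif m := re.match(r"access-list (\S+) permit (?:gre|ip)\b", line):
            found.add(m.group(1))
        elif named and re.match(r"\s+permit (?:gre|ip)\b", line):
            found.add(named)
        elif line and not line.startswith(" "):
            named = None                    # unindented line ends the block
    return sorted(found)

def portmaps_mistaking_gre(config):
    """port-map names using tcp/udp port 47: a port, so it never matches GRE."""
    pat = re.compile(r"ip port-map (\S+) port (?:tcp|udp) (\d+)")
    return [m.group(1) for m in map(pat.match, config.splitlines())
            if m and int(m.group(2)) == GRE_PROTO]

def pptp_classes_lacking_gre(config):
    """(class-map, acl) pairs matching protocol pptp whose ACL admits no GRE."""
    gre_acls, out = set(acls_permitting_gre(config)), []
    name, acl, is_pptp = None, None, False
    for line in config.splitlines() + ["!"]:    # sentinel closes last block
        if name and not line.startswith(" "):   # any unindented line ends it
            if is_pptp and acl not in gre_acls:
                out.append((name, acl))
            name = None
        if line.startswith("class-map"):
            name, acl, is_pptp = line.split()[-1], None, False
        elif name and line.startswith(" match access-group"):
            acl = line.split()[-1]
        elif name and line.strip() == "match protocol pptp":
            is_pptp = True
    return out

# Constructed excerpt of the question's config: the lines the thread turns on.
SAMPLE = """\
ip port-map user-protocol--2 port tcp 47
class-map type inspect match-all sdm-nat-pptp-1
 match access-group 103
 match protocol pptp
!
access-list 103 permit ip any host 192.168.10.100
"""
```

Run against the pasted config, the port-map check is the one that fires: ACL 103 already admits GRE through its permit ip line, but user-protocol--2 matches TCP port 47, not the GRE tunnel.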
paulweeden

ASKER

Hey Quori,

Sorry for going MIA, haven't been able to get my head round this whole access-group thing at the CLI. Don't suppose you have an example config I could review?

Cheers

Paul
ASKER CERTIFIED SOLUTION
paulweeden