
VPN Error 806 - GRE - Cisco 877

Posted on 2008-10-28
Last Modified: 2012-05-05
Hi
I have a Cisco 877 that is working brilliantly, but for some reason I can't get GRE pass through to work using the SDM interface.

I stopped using Cisco when it was all Pix and CLI stuff and have forgotten everything I learnt back then.

We are using a MS VPN Connection and it stops at verifying username and password and returns an Error 806.

The config doesn't have any GRE items in it, however when I add it to access list 103 (which is the same list as pptp is on) the problem remains.  

Have tried the old 101 list etc, but am of the opinion I am missing something obvious, so please can you help?

Thanks

Paul
show run

Building configuration...

Current configuration : 10702 bytes
!
! Last configuration change at 16:48:20 PCTime Tue Oct 28 2008 by admin
! NVRAM config last updated at 16:46:59 PCTime Tue Oct 28 2008 by admin
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname gateway
!
boot-start-marker
boot-end-marker
!
no logging buffered
logging console critical
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
!
!
aaa session-id common
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-4121383024
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4121383024
 revocation-check none
 rsakeypair TP-self-signed-4121383024
!
!
crypto pki certificate chain TP-self-signed-4121383024
 certificate self-signed 01
  quit
dot11 syslog
no ip subnet-zero
ip cef
!
!
ip port-map user-protocol--2 port tcp 47
ip port-map user-protocol--1 port tcp 3101
ip port-map user-RWWp port tcp 4501 list 1 description Remote Web Workplace
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip name-server 158.152.1.43
ip name-server 158.152.1.58
!
!
!
username admin privilege 15 secret 5 $1$jPuP$l9waa1b5rqsEb/FqX3Mbg/
!
!
archive
 log config
  hidekeys
!
!
!
class-map type inspect match-all sdm-nat-user-RWWp-1
 match access-group 106
 match protocol user-RWWp
class-map type inspect match-all sdm-nat-smtp-2
 match access-group 102
 match protocol smtp
class-map type inspect match-all sdm-nat-http-1
 match access-group 101
 match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 105
 match protocol user-protocol--1
class-map type inspect match-all sdm-nat-http-2
 match access-group 101
 match protocol http
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 102
 match protocol smtp
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-all sdm-nat-pptp-1
 match access-group 103
 match protocol pptp
class-map type inspect match-any sbs-services
 match protocol http
 match protocol https
 match protocol smtp
 match protocol imap
 match protocol imaps
 match protocol imap3
class-map type inspect match-all sdm-cls--1
 match class-map sbs-services
 match access-group name sbs-server
class-map type inspect match-all sdm-nat-pptp-2
 match access-group 103
 match protocol pptp
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any sdm-service-sdm-inspect-1
 match protocol http
 match protocol https
 match protocol aol
 match protocol msnmsgr
 match protocol ymsgr
 match protocol appleqtc
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
 match class-map sdm-service-sdm-inspect-1
class-map type inspect match-all sdm-nat-https-1
 match access-group 104
 match protocol https
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-inspect
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  drop log
policy-map type inspect sdm-permit
 class class-default
policy-map type inspect sdm-policy-sdm-cls--1
 class type inspect sdm-cls--1
  inspect
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-nat-smtp-2
  inspect
 class type inspect sdm-nat-pptp-1
  inspect
 class type inspect sdm-nat-https-1
  inspect
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class type inspect sdm-nat-user-RWWp-1
  inspect
 class type inspect sdm-nat-http-2
  inspect
 class type inspect sdm-nat-pptp-2
  inspect
 class class-default
policy-map type inspect sdm-permit-dmzservice
 class type inspect sdm-nat-smtp-1
  inspect
 class class-default
  drop
!
zone security dmz-zone
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-dmz source out-zone destination dmz-zone
 service-policy type inspect sdm-permit-dmzservice
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-dmz source in-zone destination dmz-zone
 service-policy type inspect sdm-permit-dmzservice
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-out-zone-in-zone source out-zone destination in-zone
 service-policy type inspect sdm-policy-sdm-cls--1
!
!
!
interface ATM0
 no ip address
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.3 point-to-point
 description $ES_WAN$
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
 switchport mode trunk
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 !
 encryption mode ciphers tkip
 speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 station-role root
 world-mode dot11d country GB both
!
interface Vlan1
 description $FW_INSIDE$$ES_LAN$
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
interface Vlan2
 description DMZ$FW_DMZ$
 ip address 192.168.20.1 255.255.255.0
 zone-member security dmz-zone
!
interface Dialer3
 description $FW_OUTSIDE$
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer3
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip dns server
ip nat pool Inside 192.168.10.1 192.168.10.254 netmask 255.255.255.0
ip nat inside source list 4 interface Dialer3 overload
ip nat inside source static tcp 192.168.10.100 25 interface Dialer3 25
ip nat inside source static tcp 192.168.10.100 443 interface Dialer3 443
ip nat inside source static tcp 192.168.10.200 3101 interface Dialer3 3101
ip nat inside source static tcp 192.168.10.100 4501 interface Dialer3 4501
ip nat inside source static tcp 192.168.10.100 80 interface Dialer3 80
ip nat inside source static tcp 192.168.10.100 1723 interface Dialer3 1723
!
ip access-list extended sbs-server
 remark SDM_ACL Category=128
 permit ip any host 192.168.10.100
!
logging 192.168.10.100
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.10.100
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.20.0 0.0.0.255
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 192.168.10.0 0.0.0.255
access-list 4 remark SDM_ACL Category=2
access-list 4 permit 192.168.10.0 0.0.0.255
access-list 100 remark SDM_ACL Category=16
access-list 100 permit ip 192.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.10.100
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.10.100
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.10.100
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 192.168.10.100
access-list 105 remark SDM_ACL Category=0
access-list 105 permit ip any host 192.168.10.200
access-list 106 remark SDM_ACL Category=0
access-list 106 permit ip any host 192.168.10.100
dialer-list 1 protocol ip permit
no cdp run
!
!
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17179590
ntp server 207.46.232.182 source Dialer3 prefer
end

gateway#

Question by:paulweeden
Expert Comment

by:Quori
ID: 22826588
I don't see permit gre any any within any of the ACLs. Furthermore, your outside interface is in the out-zone security zone however the out-zone has no inspection set for PPTP, etc.

Set an ACL on the outside interface for inbound traffic permitting gre packets, then configure some inspection.
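One way to express the two pieces Quori describes (an explicit permit for GRE plus firewall handling for it) in this router's own zone-based firewall, written here as an added illustration rather than taken from the thread or from Cisco's own examples. It assumes the PPTP server is 192.168.10.100 behind the posted TCP 1723 static NAT, that the router's NAT PPTP ALG maps inbound GRE to that server from the existing 1723 entry, and that the names GRE-TO-SBS, GRE-FROM-SBS, gre-in and gre-out are free to use.

```cisco
! GRE is IP protocol 47, not TCP port 47, so the posted
! "ip port-map user-protocol--2 port tcp 47" never matches the PPTP data channel.
! Control channel = TCP 1723 (already inspected via "match protocol pptp");
! data channel = GRE, which ZBF cannot track statefully, so it is passed, not inspected.
!
! Inbound: Internet (out-zone) -> PPTP server (in-zone). Server address is assumed.
ip access-list extended GRE-TO-SBS
 remark PPTP data channel to the SBS server
 permit gre any host 192.168.10.100
!
! Return: PPTP server (in-zone) -> Internet (out-zone).
! "pass" is not stateful, so replies need their own permit.
ip access-list extended GRE-FROM-SBS
 remark PPTP data channel from the SBS server
 permit gre host 192.168.10.100 any
!
class-map type inspect match-all gre-in
 match access-group name GRE-TO-SBS
class-map type inspect match-all gre-out
 match access-group name GRE-FROM-SBS
!
! Add to the existing out-zone -> in-zone policy; class-default stays last.
policy-map type inspect sdm-policy-sdm-cls--1
 class type inspect gre-in
  pass
!
! Add to the existing in-zone -> out-zone policy for the reply direction.
policy-map type inspect sdm-inspect
 class type inspect gre-out
  pass
```

While a client connects, `show policy-map type inspect zone-pair sessions` shows whether the gre-in class is matching and `show ip nat translations` shows whether a GRE entry for the server appears; if 1723 is translated but no GRE entry ever does, the NAT side rather than the firewall is where to look next.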

Author Comment

by:paulweeden
ID: 22939002
Hey Quori,

Sorry for going MIA, haven't been able to get my head round this whole access-group thing at the CLI, don't suppose you have an example config I could review?

Cheers

Paul

Accepted Solution

by: paulweeden (earned 0 total points)
ID: 23175147
Have decided to take a Zyxel router instead of this Cisco one as it was too complex.
