paulweeden
asked on
VPN Error 806 - GRE - Cisco 877
Hi
I have a Cisco 877 that is working brilliantly, but for some reason I can't get GRE pass through to work using the SDM interface.
I stopped using Cisco when it was all Pix and CLI stuff and have forgotten everything I learnt back then.
We are using a MS VPN Connection and it stops at verifying username and password and returns an Error 806.
The config doesn't have any GRE items in it, however when I add it to access list 103 (which is the same list as pptp is on) the problem remains.
Have tried the old 101 list etc, but am of the opinion I am missing something obvious, so please can you help?
Thanks
Paul
show run
Building configuration...
Current configuration : 10702 bytes
!
! Last configuration change at 16:48:20 PCTime Tue Oct 28 2008 by admin
! NVRAM config last updated at 16:46:59 PCTime Tue Oct 28 2008 by admin
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname gateway
!
boot-start-marker
boot-end-marker
!
no logging buffered
logging console critical
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
!
!
aaa session-id common
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-4121383024
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4121383024
revocation-check none
rsakeypair TP-self-signed-4121383024
!
!
crypto pki certificate chain TP-self-signed-4121383024
certificate self-signed 01
3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34313231 33383330 3234301E 170D3038 31303238 31333537
32325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31323133
38333032 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100AAD5 5C7252BC E3D8040D CB480047 49721546 C7A26DA2 E698E6B3 BE0054FF
8354394B EB7CFF7D 93783AE4 F7B6469C 10380D7D 5F13CE7E 6296C3F6 50A4F662
57CA779A 31B71D5D BD03F851 9A80E311 46889D18 40366C81 AC5C53AF 6A90BF5C
D329D2D1 5EEF7D77 CDF24E59 598D6577 592AEFB1 6FBAD5E4 0772B5AC BCB959D7
C82B0203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
551D1104 0B300982 07676174 65776179 301F0603 551D2304 18301680 148F203D
A669D85F 848598BB 44EE2621 82103BC8 59301D06 03551D0E 04160414 8F203DA6
69D85F84 8598BB44 EE262182 103BC859 300D0609 2A864886 F70D0101 04050003
81810017 5AE93345 ADA831E9 632BF911 D36D395F E7508765 F64B3136 1CA1D2AF
4B2410FB 093BDCB6 5AB37DFC DB22A0AD 8DB513C6 F91CFAA6 7F1D6692 47D71A9D
C8513780 4FCA9281 73D6D4DC A67AB8B1 D4E3A59F 88627F78 FE3D3195 2F863854
FB3F1852 A671E22F 1C3A9167 E6F0EDE9 FC99A795 90C759E4 6C755E7E A71D5F6A D9098B
quit
dot11 syslog
no ip subnet-zero
ip cef
!
!
ip port-map user-protocol--2 port tcp 47
ip port-map user-protocol--1 port tcp 3101
ip port-map user-RWWp port tcp 4501 list 1 description Remote Web Workplace
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip name-server 158.152.1.43
ip name-server 158.152.1.58
!
!
!
username admin privilege 15 secret 5 $1$jPuP$l9waa1b5rqsEb/FqX3Mbg/
!
!
archive
log config
hidekeys
!
!
!
class-map type inspect match-all sdm-nat-user-RWWp-1
match access-group 106
match protocol user-RWWp
class-map type inspect match-all sdm-nat-smtp-2
match access-group 102
match protocol smtp
class-map type inspect match-all sdm-nat-http-1
match access-group 101
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 105
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-http-2
match access-group 101
match protocol http
class-map type inspect match-all sdm-nat-smtp-1
match access-group 102
match protocol smtp
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-all sdm-nat-pptp-1
match access-group 103
match protocol pptp
class-map type inspect match-any sbs-services
match protocol http
match protocol https
match protocol smtp
match protocol imap
match protocol imaps
match protocol imap3
class-map type inspect match-all sdm-cls--1
match class-map sbs-services
match access-group name sbs-server
class-map type inspect match-all sdm-nat-pptp-2
match access-group 103
match protocol pptp
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any sdm-service-sdm-inspect-1
match protocol http
match protocol https
match protocol aol
match protocol msnmsgr
match protocol ymsgr
match protocol appleqtc
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
match class-map sdm-service-sdm-inspect-1
class-map type inspect match-all sdm-nat-https-1
match access-group 104
match protocol https
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-inspect
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class type inspect SDM-Voice-permit
inspect
class class-default
drop log
policy-map type inspect sdm-permit
class class-default
policy-map type inspect sdm-policy-sdm-cls--1
class type inspect sdm-cls--1
inspect
class type inspect sdm-nat-http-1
inspect
class type inspect sdm-nat-smtp-2
inspect
class type inspect sdm-nat-pptp-1
inspect
class type inspect sdm-nat-https-1
inspect
class type inspect sdm-nat-user-protocol--1-1
inspect
class type inspect sdm-nat-user-RWWp-1
inspect
class type inspect sdm-nat-http-2
inspect
class type inspect sdm-nat-pptp-2
inspect
class class-default
policy-map type inspect sdm-permit-dmzservice
class type inspect sdm-nat-smtp-1
inspect
class class-default
drop
!
zone security dmz-zone
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-dmz source out-zone destination dmz-zone
service-policy type inspect sdm-permit-dmzservice
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-dmz source in-zone destination dmz-zone
service-policy type inspect sdm-permit-dmzservice
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-out-zone-in-zone source out-zone destination in-zone
service-policy type inspect sdm-policy-sdm-cls--1
!
!
!
interface ATM0
no ip address
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.3 point-to-point
description $ES_WAN$
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
switchport mode trunk
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
!
encryption mode ciphers tkip
speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
station-role root
world-mode dot11d country GB both
!
interface Vlan1
description $FW_INSIDE$$ES_LAN$
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
interface Vlan2
description DMZ$FW_DMZ$
ip address 192.168.20.1 255.255.255.0
zone-member security dmz-zone
!
interface Dialer3
description $FW_OUTSIDE$
ip address negotiated
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer3
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip dns server
ip nat pool Inside 192.168.10.1 192.168.10.254 netmask 255.255.255.0
ip nat inside source list 4 interface Dialer3 overload
ip nat inside source static tcp 192.168.10.100 25 interface Dialer3 25
ip nat inside source static tcp 192.168.10.100 443 interface Dialer3 443
ip nat inside source static tcp 192.168.10.200 3101 interface Dialer3 3101
ip nat inside source static tcp 192.168.10.100 4501 interface Dialer3 4501
ip nat inside source static tcp 192.168.10.100 80 interface Dialer3 80
ip nat inside source static tcp 192.168.10.100 1723 interface Dialer3 1723
!
ip access-list extended sbs-server
remark SDM_ACL Category=128
permit ip any host 192.168.10.100
!
logging 192.168.10.100
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.10.100
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.20.0 0.0.0.255
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 192.168.10.0 0.0.0.255
access-list 4 remark SDM_ACL Category=2
access-list 4 permit 192.168.10.0 0.0.0.255
access-list 100 remark SDM_ACL Category=16
access-list 100 permit ip 192.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.10.100
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.10.100
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.10.100
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 192.168.10.100
access-list 105 remark SDM_ACL Category=0
access-list 105 permit ip any host 192.168.10.200
access-list 106 remark SDM_ACL Category=0
access-list 106 permit ip any host 192.168.10.100
dialer-list 1 protocol ip permit
no cdp run
!
!
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17179590
ntp server 207.46.232.182 source Dialer3 prefer
end
gateway#
ASKER
Hey Quori,
Sorry for going MIA, haven't been able to get my head round this whole access-group thing at the CLI, don't suppose you have an example config I could review?
Cheers
Paul
ASKER CERTIFIED SOLUTION
Set an ACL on the outside interface for inbound traffic permitting gre packets, then configure some inspection.
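The following is an added example of what that answer describes, written against the config posted in the question; it is not configuration from the answerer or from Cisco. It assumes the names ending in -EXAMPLE (everything else, the Dialer3 interface, the zone names, the policy-map names and the server address 192.168.10.100, comes from the posted show run). Two points worth knowing before applying it: GRE is IP protocol 47, so the posted line "ip port-map user-protocol--2 port tcp 47" does not describe GRE and plays no part here; and because the router uses zone-based firewall, the permit must also be expressed in the zone-pair policies (a "pass" in each direction, since GRE cannot be stateful-inspected), not only in an interface ACL. The NAT section of the posted config is left untouched.

```cisco
! Added example (not from the question or the accepted answer).
! Names ending in -EXAMPLE are assumptions; everything else is taken
! from the posted config.
!
! Step 1 - ACL on the outside interface, inbound, permitting GRE.
! An inbound ACL on Dialer3 is evaluated before NAT, so it sees the
! negotiated public address and cannot match 192.168.10.100; match
! on protocol only. The trailing "permit ip any any" keeps the
! existing zone-pair policies as the place where everything else
! is decided (the posted config has no inbound ACL on Dialer3 today).
ip access-list extended OUTSIDE-IN-EXAMPLE
 remark GRE is IP protocol 47, not TCP/UDP port 47
 permit gre any any
 permit ip any any
!
interface Dialer3
 ip access-group OUTSIDE-IN-EXAMPLE in
!
! Step 2 - zone-based firewall. Zone classification for out-zone ->
! in-zone happens after NAT (the SDM-generated pptp class already
! matches the inside address 192.168.10.100 the same way), so here
! GRE can be restricted to the PPTP server only.
ip access-list extended GRE-TO-PPTP-EXAMPLE
 permit gre any host 192.168.10.100
!
ip access-list extended GRE-FROM-PPTP-EXAMPLE
 permit gre host 192.168.10.100 any
!
class-map type inspect match-all GRE-IN-EXAMPLE
 match access-group name GRE-TO-PPTP-EXAMPLE
!
class-map type inspect match-all GRE-OUT-EXAMPLE
 match access-group name GRE-FROM-PPTP-EXAMPLE
!
! out-zone -> in-zone: this is the policy already bound to
! sdm-zp-out-zone-in-zone in the posted config. "pass" is used
! because GRE has no sessions for the inspect engine to track.
policy-map type inspect sdm-policy-sdm-cls--1
 class type inspect GRE-IN-EXAMPLE
  pass
!
! in-zone -> out-zone: "pass" is one-directional, so the server's
! GRE replies need their own pass in the sdm-inspect policy bound
! to sdm-zp-in-out (its class-default is "drop log").
policy-map type inspect sdm-inspect
 class type inspect GRE-OUT-EXAMPLE
  pass
!
end
!
! Checks after a VPN client connects:
!   show access-lists GRE-TO-PPTP-EXAMPLE
!     (hit counts on the permit gre line confirm GRE is arriving
!      and being classified)
!   show policy-map type inspect zone-pair sdm-zp-out-zone-in-zone
!     (packet counters on class GRE-IN-EXAMPLE should increase)
```

Keep the GRE permits pinned to host 192.168.10.100 rather than "any" on the zone side: the interface ACL has to stay protocol-only because of the NAT ordering, so the zone-pair class is the place where exposure of GRE is limited to the one server that terminates PPTP.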