VPN Error 806 - GRE - Cisco 877

Posted on 2008-10-28
Last Modified: 2012-05-05
I have a Cisco 877 that is working brilliantly, but for some reason I can't get GRE pass through to work using the SDM interface.

I stopped using Cisco when it was all Pix and CLI stuff and have forgotten everything I learnt back then.

We are using a MS VPN Connection and it stops at verifying username and password and returns an Error 806.

The config doesn't have any GRE items in it; however, when I add it to access list 103 (which is the same list as PPTP is on) the problem remains.

Have tried the old 101 list etc., but am of the opinion I am missing something obvious, so please can you help?


show run
Building configuration...
Current configuration : 10702 bytes
! Last configuration change at 16:48:20 PCTime Tue Oct 28 2008 by admin
! NVRAM config last updated at 16:46:59 PCTime Tue Oct 28 2008 by admin
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname gateway
no logging buffered
logging console critical
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization ipmobile default group rad_pmip 
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
crypto pki trustpoint TP-self-signed-4121383024
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4121383024
 revocation-check none
 rsakeypair TP-self-signed-4121383024
crypto pki certificate chain TP-self-signed-4121383024
 certificate self-signed 01
  3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 34313231 33383330 3234301E 170D3038 31303238 31333537 
  32325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31323133 
  38333032 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  8100AAD5 5C7252BC E3D8040D CB480047 49721546 C7A26DA2 E698E6B3 BE0054FF 
  8354394B EB7CFF7D 93783AE4 F7B6469C 10380D7D 5F13CE7E 6296C3F6 50A4F662 
  57CA779A 31B71D5D BD03F851 9A80E311 46889D18 40366C81 AC5C53AF 6A90BF5C 
  D329D2D1 5EEF7D77 CDF24E59 598D6577 592AEFB1 6FBAD5E4 0772B5AC BCB959D7 
  C82B0203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603 
  551D1104 0B300982 07676174 65776179 301F0603 551D2304 18301680 148F203D 
  A669D85F 848598BB 44EE2621 82103BC8 59301D06 03551D0E 04160414 8F203DA6 
  69D85F84 8598BB44 EE262182 103BC859 300D0609 2A864886 F70D0101 04050003 
  81810017 5AE93345 ADA831E9 632BF911 D36D395F E7508765 F64B3136 1CA1D2AF 
  4B2410FB 093BDCB6 5AB37DFC DB22A0AD 8DB513C6 F91CFAA6 7F1D6692 47D71A9D 
  C8513780 4FCA9281 73D6D4DC A67AB8B1 D4E3A59F 88627F78 FE3D3195 2F863854 
  FB3F1852 A671E22F 1C3A9167 E6F0EDE9 FC99A795 90C759E4 6C755E7E A71D5F6A D9098B
dot11 syslog
no ip subnet-zero
ip cef
ip port-map user-protocol--2 port tcp 47
ip port-map user-protocol--1 port tcp 3101
ip port-map user-RWWp port tcp 4501 list 1 description Remote Web Workplace
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip name-server
ip name-server
username admin privilege 15 secret 5 $1$jPuP$l9waa1b5rqsEb/FqX3Mbg/
 log config
class-map type inspect match-all sdm-nat-user-RWWp-1
 match access-group 106
 match protocol user-RWWp
class-map type inspect match-all sdm-nat-smtp-2
 match access-group 102
 match protocol smtp
class-map type inspect match-all sdm-nat-http-1
 match access-group 101
 match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 105
 match protocol user-protocol--1
class-map type inspect match-all sdm-nat-http-2
 match access-group 101
 match protocol http
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 102
 match protocol smtp
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-all sdm-nat-pptp-1
 match access-group 103
 match protocol pptp
class-map type inspect match-any sbs-services
 match protocol http
 match protocol https
 match protocol smtp
 match protocol imap
 match protocol imaps
 match protocol imap3
class-map type inspect match-all sdm-cls--1
 match class-map sbs-services
 match access-group name sbs-server
class-map type inspect match-all sdm-nat-pptp-2
 match access-group 103
 match protocol pptp
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any sdm-service-sdm-inspect-1
 match protocol http
 match protocol https
 match protocol aol
 match protocol msnmsgr
 match protocol ymsgr
 match protocol appleqtc
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
 match class-map sdm-service-sdm-inspect-1
class-map type inspect match-all sdm-nat-https-1
 match access-group 104
 match protocol https
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-insp-traffic
 class type inspect sdm-protocol-http
 class type inspect SDM-Voice-permit
 class class-default
  drop log
policy-map type inspect sdm-permit
 class class-default
policy-map type inspect sdm-policy-sdm-cls--1
 class type inspect sdm-cls--1
 class type inspect sdm-nat-http-1
 class type inspect sdm-nat-smtp-2
 class type inspect sdm-nat-pptp-1
 class type inspect sdm-nat-https-1
 class type inspect sdm-nat-user-protocol--1-1
 class type inspect sdm-nat-user-RWWp-1
 class type inspect sdm-nat-http-2
 class type inspect sdm-nat-pptp-2
 class class-default
policy-map type inspect sdm-permit-dmzservice
 class type inspect sdm-nat-smtp-1
 class class-default
zone security dmz-zone
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-dmz source out-zone destination dmz-zone
 service-policy type inspect sdm-permit-dmzservice
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-dmz source in-zone destination dmz-zone
 service-policy type inspect sdm-permit-dmzservice
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-out-zone-in-zone source out-zone destination in-zone
 service-policy type inspect sdm-policy-sdm-cls--1
interface ATM0
 no ip address
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto 
interface ATM0.3 point-to-point
 description $ES_WAN$
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
 switchport mode trunk
interface FastEthernet3
interface Dot11Radio0
 no ip address
 encryption mode ciphers tkip 
 speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 station-role root
 world-mode dot11d country GB both
interface Vlan1
 description $FW_INSIDE$$ES_LAN$
 ip address
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
interface Vlan2
 description DMZ$FW_DMZ$
 ip address
 zone-member security dmz-zone
interface Dialer3
 description $FW_OUTSIDE$
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
no ip forward-protocol nd
ip route Dialer3
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip dns server
ip nat pool Inside netmask
ip nat inside source list 4 interface Dialer3 overload
ip nat inside source static tcp 25 interface Dialer3 25
ip nat inside source static tcp 443 interface Dialer3 443
ip nat inside source static tcp 3101 interface Dialer3 3101
ip nat inside source static tcp 4501 interface Dialer3 4501
ip nat inside source static tcp 80 interface Dialer3 80
ip nat inside source static tcp 1723 interface Dialer3 1723
ip access-list extended sbs-server
 remark SDM_ACL Category=128
 permit ip any host
access-list 1 remark SDM_ACL Category=1
access-list 1 permit
access-list 2 remark SDM_ACL Category=2
access-list 2 permit
access-list 3 remark SDM_ACL Category=2
access-list 3 permit
access-list 4 remark SDM_ACL Category=2
access-list 4 permit
access-list 100 remark SDM_ACL Category=16
access-list 100 permit ip any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host
access-list 105 remark SDM_ACL Category=0
access-list 105 permit ip any host
access-list 106 remark SDM_ACL Category=0
access-list 106 permit ip any host
dialer-list 1 protocol ip permit
no cdp run
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
scheduler max-task-time 5000
ntp clock-period 17179590
ntp server source Dialer3 prefer
Question by:paulweeden

Expert Comment

ID: 22826588
I don't see permit gre any any within any of the ACLs. Furthermore, your outside interface is in the out-zone security zone; however, the out-zone has no inspection set for PPTP, etc.

Set an ACL on the outside interface for inbound traffic permitting gre packets, then configure some inspection.
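
The two checks in the comment above (is GRE permitted by any ACL, and does the out-zone to in-zone policy reference a class that handles PPTP and GRE) can be run mechanically over a running-config. The script below is an added example written for this page, not code from the thread or from Cisco. It parses IOS zone-based-firewall syntax as pasted above, audits a constructed, abridged excerpt of the posted config (AS_POSTED, with a documentation-range address standing in for the scrubbed server address), and then audits the same excerpt with a GRE fix appended (GRE_FIX). The shape of that fix, a named ACL permitting GRE to the VPN server plus a class-map matching it with the pass action on the outside-to-inside policy, and all of its names are assumptions for the example, not a verified SDM or 877 configuration.

```python
import re

# Constructed, abridged excerpt in the shape of the posted config; the server address is a
# documentation-range placeholder (the post had its addresses scrubbed).
AS_POSTED = """\
class-map type inspect match-all sdm-nat-pptp-1
 match access-group 103
 match protocol pptp
policy-map type inspect sdm-policy-sdm-cls--1
 class type inspect sdm-nat-pptp-1
 class class-default
zone-pair security sdm-zp-out-zone-in-zone source out-zone destination in-zone
 service-policy type inspect sdm-policy-sdm-cls--1
access-list 103 permit ip any host 192.0.2.10
"""

# The two changes the expert asked for, as they would be entered at the CLI on top of the
# existing config: an ACL entry permitting GRE to the VPN server, and a class on the
# outside->inside policy that passes it. Assumed shape, names invented: a class-map matching
# the GRE ACL with the 'pass' action, since stateless GRE gives 'inspect' no session to track.
GRE_FIX = """\
ip access-list extended gre-to-vpn-server
 permit gre any host 192.0.2.10
class-map type inspect match-all gre-to-vpn
 match access-group name gre-to-vpn-server
policy-map type inspect sdm-policy-sdm-cls--1
 class type inspect gre-to-vpn
  pass
"""
WITH_GRE = AS_POSTED + GRE_FIX

def parse_blocks(text):
    """Group a running-config into (top-level line, [indented child lines]) pairs."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def acls_permitting_gre(blocks):
    """Names/numbers of ACLs with a 'permit gre' entry, numbered or named form."""
    found = set()
    for header, children in blocks:
        if (m := re.match(r"access-list (\S+) permit gre\b", header)):
            found.add(m.group(1))
        m = re.match(r"ip access-list (?:extended|standard) (\S+)", header)
        if m and any(c.startswith("permit gre") for c in children):
            found.add(m.group(1))
    return found

def class_map_matches(blocks):
    """class-map name -> (set of 'match protocol' values, set of 'match access-group' ids)."""
    matches = {}
    for header, children in blocks:
        if not (m := re.match(r"class-map type inspect match-(?:all|any) (\S+)", header)):
            continue
        protos, acls = matches.setdefault(m.group(1), (set(), set()))
        for c in children:
            if (pm := re.match(r"match protocol (\S+)", c)):
                protos.add(pm.group(1))
            elif (am := re.match(r"match access-group (?:name )?(\S+)", c)):
                acls.add(am.group(1))
    return matches

def policy_classes(blocks):
    """policy-map name -> set of class names; a re-entered policy-map block merges in."""
    policies = {}
    for header, children in blocks:
        if (m := re.match(r"policy-map type inspect (\S+)", header)):
            classes = policies.setdefault(m.group(1), set())
            for c in children:
                if (cm := re.match(r"class (?:type inspect )?(\S+)", c)):
                    classes.add(cm.group(1))
    return policies

def audit_gre_passthrough(text, outside="out-zone", inside="in-zone"):
    """Report PPTP/GRE handling on the zone-pair that carries outside -> inside traffic."""
    blocks = parse_blocks(text)
    gre_acls, policy = acls_permitting_gre(blocks), None
    for header, children in blocks:
        zp = re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", header)
        if zp and zp.groups() == (outside, inside):
            policy = next((c.split()[-1] for c in children
                           if c.startswith("service-policy")), None)
    matches, pptp, gre = class_map_matches(blocks), False, False
    for cls in policy_classes(blocks).get(policy, ()):
        protos, acls = matches.get(cls, (set(), set()))
        pptp = pptp or "pptp" in protos
        # GRE counts as handled if a class matches it by protocol or via an ACL permitting it
        gre = gre or "gre" in protos or bool(acls & gre_acls)
    return {"acls_permitting_gre": sorted(gre_acls), "outside_to_inside_policy": policy,
            "pptp_class_present": pptp, "gre_class_present": gre}

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("with GRE fix", WITH_GRE)):
        print(label, audit_gre_passthrough(cfg))
```

Run against the excerpt as posted, the audit reports no ACL permitting GRE and no GRE-handling class on the out-zone to in-zone policy while the PPTP class is present, which matches the diagnosis in the comment; with the fix appended, both GRE findings clear. Because parse_blocks only relies on indentation, the same functions can be pointed at a full show run (the scrubbed addresses in the post do not matter to these checks), and the zone names are parameters for routers whose SDM names differ.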

Author Comment

ID: 22939002
Hey Quori,

Sorry for going MIA, haven't been able to get my head round this whole access-group thing at the CLI, don't suppose you have an example config I could review?



Accepted Solution

paulweeden earned 0 total points
ID: 23175147
Have decided to take a Zyxel router instead of this Cisco one as it was too complex.
