cwtang
Cisco Router PPTP Pass-Though With CBAC

Hi,
I am trying to set up a PPTP connection to connect from the internet to a Windows server in my home. I have noticed that if I do not enable Cisco CBAC, it works without any issue. However, once I enable CBAC, the server complains that GRE is not being passed. Would anyone be able to indicate what might be wrong with the config (router set up using CCP)?

Network Diagram for connection is as follows:

Client -->Internet <---> Router (192.168.254.129)<-->Microsoft PPTP Server (192.168.254.138)

Any help would be appreciated.

Thanks.

version 12.4
service nagle
no service pad
service timestamps debug datetime localtime year
service timestamps log datetime localtime show-timezone year
service password-encryption
service compress-config
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging count
logging message-counter syslog
logging buffered 51200 informational
!
no aaa new-model
clock timezone SGP 8
dot11 syslog
no ip source-route
!
!
!
!
ip cef
no ip bootp server
ip domain lookup source-interface FastEthernet0/1
ip domain name xxxxxx
ip name-server 192.168.254.138
ip name-server xxx.xxx.xxx.xxx
ip port-map user-ASA--2 port udp 460
ip port-map user-ASA--1 port tcp 460
ip ddns update method sdm_ddns1
 HTTP
  add http://xxx:xxx@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
  remove http://xxx:xxx@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
!
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
!
parameter-map type protocol-info msn-servers
 server name messenger.hotmail.com
 server name gateway.messenger.hotmail.com
 server name webmessenger.msn.com
 
parameter-map type protocol-info aol-servers
 server name login.oscar.aol.com
 server name toc.oscar.aol.com
 server name oam-d09a.blue.aol.com
 
parameter-map type protocol-info yahoo-servers
 server name scs.msg.yahoo.com
 server name scsa.msg.yahoo.com
 server name scsb.msg.yahoo.com
 server name scsc.msg.yahoo.com
 server name scsd.msg.yahoo.com
 server name cs16.msg.dcn.yahoo.com
 server name cs19.msg.dcn.yahoo.com
 server name cs42.msg.dcn.yahoo.com
 server name cs53.msg.dcn.yahoo.com
 server name cs54.msg.dcn.yahoo.com
 server name ads1.vip.scd.yahoo.com
 server name radio1.launch.vip.dal.yahoo.com
 server name in1.msg.vip.re2.yahoo.com
 server name data1.my.vip.sc5.yahoo.com
 server name address1.pim.vip.mud.yahoo.com
 server name edit.messenger.yahoo.com
 server name messenger.yahoo.com
 server name http.pager.yahoo.com
 server name privacy.yahoo.com
 server name csa.yahoo.com
 server name csb.yahoo.com
 server name csc.yahoo.com
 
!
crypto pki trustpoint TP-self-signed-933800604
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-933800604
 revocation-check none
 rsakeypair TP-self-signed-933800604
!
!
crypto pki certificate chain TP-self-signed-933800604
 certificate self-signed 01
  30820257 308201C0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 39333338 30303630 34301E17 0D303930 34313831 33353831 
  335A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F 
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3933 33383030 
  36303430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100 
  B53C1DE4 B6D02F84 F095F8E0 A144F041 779C101B 44905287 E68E6F0E 4413A43E 
  C03AEBBF 28F2438F 3C134624 945C21F6 33E9B037 DA57F6F8 4D7AC693 0CD05B1C 
  289B9928 0D79C7D8 95ECF68B 3B96DA32 3BDBE8D8 BD94B179 E45EACC0 6E9DC9F2 
  D9CC53F4 E77E85DE B650C699 7BF89EFB 1EB27B34 A9189CEE 86DAC4B7 58D20BBF 
  02030100 01A38180 307E300F 0603551D 130101FF 04053003 0101FF30 2B060355 
  1D110424 30228220 436F7265 5F486F6D 655F526F 75746572 2E6D7964 672E6479 
  6E646E73 2E6F7267 301F0603 551D2304 18301680 14D31E36 B406D1A1 F8215D57 
  666242B6 2C1E3A9D 25301D06 03551D0E 04160414 D31E36B4 06D1A1F8 215D5766 
  6242B62C 1E3A9D25 300D0609 2A864886 F70D0101 04050003 81810004 70015A39 
  6B6434B9 799B4463 D2517F8F 807B0E14 502C47FA 012EA1BB D0034F0F 6796B439 
  242E45A4 C92948F6 18C436C9 BB47CE3E 07E36DD5 DDBE8649 CFB06E8C FA388066 
  B53B1A44 1C8D9FC2 7F2627CD 3540768C 83B97078 21B32B16 0B30B5B3 53EDF567 
  273DD1B6 28D74033 5696B094 04E8C12F 5C5A2E66 A127FEC0 B3FC33
  	quit
!
!
username Admin privilege 15 password 7 xxxx
archive
 log config
  hidekeys
! 
!
!
!
!
!
class-map type inspect imap match-any ccp-app-imap
 match  invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
 match protocol edonkey signature
 match protocol bittorrent signature
class-map type inspect match-any CCP-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-all sdm-nat-pptp-1
 match access-group name PPTP
 match protocol pptp
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
 match  service any 
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
 match  service any 
class-map type inspect match-all sdm-cls-ccp-inspect-1
 match access-group name Free_Access
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
 match protocol ymsgr yahoo-servers
 match protocol msnmsgr msn-servers
 match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
 match  service any 
class-map type inspect match-all ccp-protocol-pop3
 match protocol pop3
class-map type inspect match-all sdm-nat-user-ASA--2-1
 match access-group 103
 match protocol user-ASA--2
class-map type inspect match-all sdm-nat-user-ASA--1-1
 match access-group 102
 match protocol user-ASA--1
class-map type inspect pop3 match-any ccp-app-pop3
 match  invalid-command
class-map type inspect match-all ccp-protocol-p2p
 match class-map ccp-cls-protocol-p2p
class-map type inspect msnmsgr match-any ccp-app-msn
 match  service text-chat 
class-map type inspect ymsgr match-any ccp-app-yahoo
 match  service text-chat 
class-map type inspect match-all ccp-protocol-im
 match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect http match-any ccp-app-httpmethods
 match  request method bcopy
 match  request method bdelete
 match  request method bmove
 match  request method bpropfind
 match  request method bproppatch
 match  request method connect
 match  request method copy
 match  request method delete
 match  request method edit
 match  request method getattribute
 match  request method getattributenames
 match  request method getproperties
 match  request method index
 match  request method lock
 match  request method mkcol
 match  request method mkdir
 match  request method move
 match  request method notify
 match  request method options
 match  request method poll
 match  request method propfind
 match  request method proppatch
 match  request method put
 match  request method revadd
 match  request method revlabel
 match  request method revlog
 match  request method revnum
 match  request method save
 match  request method search
 match  request method setattribute
 match  request method startrev
 match  request method stoprev
 match  request method subscribe
 match  request method trace
 match  request method unedit
 match  request method unlock
 match  request method unsubscribe
class-map type inspect edonkey match-any ccp-app-edonkey
 match  file-transfer 
 match  text-chat 
 match  search-file-name 
class-map type inspect http match-any ccp-http-blockparam
 match  request port-misuse im
 match  request port-misuse p2p
 match  req-resp protocol-violation
class-map type inspect edonkey match-any ccp-app-edonkeydownload
 match  file-transfer 
class-map type inspect match-all ccp-protocol-imap
 match protocol imap
class-map type inspect aol match-any ccp-app-aol
 match  service text-chat 
class-map type inspect edonkey match-any ccp-app-edonkeychat
 match  search-file-name 
 match  text-chat 
class-map type inspect http match-any ccp-http-allowparam
 match  request port-misuse tunneling
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect 
 class class-default
  pass
policy-map type inspect p2p ccp-action-app-p2p
 class type inspect edonkey ccp-app-edonkeychat
  log
  allow
 class type inspect edonkey ccp-app-edonkeydownload
  log
  allow
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-pptp-1
  inspect 
 class type inspect sdm-nat-user-ASA--1-1
  inspect 
 class type inspect sdm-nat-user-ASA--2-1
  inspect 
 class class-default
  drop
policy-map type inspect im ccp-action-app-im
 class type inspect aol ccp-app-aol
  log
  allow
 class type inspect msnmsgr ccp-app-msn
  log
  allow
 class type inspect ymsgr ccp-app-yahoo
  log
  allow
 class type inspect aol ccp-app-aol-otherservices
  log
  reset
 class type inspect msnmsgr ccp-app-msn-otherservices
  allow
 class type inspect ymsgr ccp-app-yahoo-otherservices
  log
  reset
policy-map type inspect imap ccp-action-imap
 class type inspect imap ccp-app-imap
  log
policy-map type inspect pop3 ccp-action-pop3
 class type inspect pop3 ccp-app-pop3
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect sdm-cls-ccp-inspect-1
  pass
 class type inspect ccp-protocol-http
  inspect 
 class type inspect ccp-protocol-imap
  inspect 
  service-policy imap ccp-action-imap
 class type inspect ccp-protocol-pop3
  inspect 
  service-policy pop3 ccp-action-pop3
 class type inspect ccp-protocol-p2p
  inspect 
  service-policy p2p ccp-action-app-p2p
 class type inspect ccp-protocol-im
  inspect 
  service-policy im ccp-action-app-im
 class type inspect ccp-insp-traffic
  inspect 
 class type inspect CCP-Voice-permit
  inspect 
 class class-default
  pass
policy-map type inspect http ccp-action-app-http
 class type inspect http ccp-http-blockparam
  log
  reset
 class type inspect http ccp-app-httpmethods
  log
  reset
 class type inspect http ccp-http-allowparam
  log
  allow
policy-map type inspect ccp-permit
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description Interface_2Wire$ETH-WAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no keepalive
 no cdp enable
 no mop enabled
!
interface FastEthernet0/1
 description $FW_INSIDE$
 ip address 192.168.254.129 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 duplex auto
 speed auto
 no mop enabled
!
interface Dialer0
 description $FW_OUTSIDE$
 bandwidth 10240
 ip ddns update hostname xxx.xxx.xxx
 ip ddns update sdm_ddns1
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username xxx password 7 xxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list Internet interface Dialer0 overload
ip nat inside source static tcp 192.168.254.138 1723 interface Dialer0 1723
ip nat inside source static tcp 192.168.254.133 460 interface Dialer0 460
ip nat inside source static udp 192.168.254.133 460 interface Dialer0 460
!
ip access-list extended Free_Access
 remark CCP_ACL Category=128
 permit ip host 192.168.254.157 any
 permit ip host 192.168.254.138 any
ip access-list extended Internet
 permit ip 192.168.254.128 0.0.0.31 any
ip access-list extended PPTP
 permit gre any host 192.168.254.138
 permit tcp any host 192.168.254.138 eq 1723
!
logging server-arp
logging 192.168.254.138
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.254.133
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.254.133
no cdp run
 
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 login local
!
scheduler allocate 20000 1000
end
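
As an added example (not part of cwtang's post and not the CCP-generated config), the following Python script walks the chain the config above sets up for the out-zone to in-zone direction: zone-pair, then policy-map, then class-map, then the named access-list. It models only the static match logic (match-all versus match-any, `match access-group`, and a handful of `match protocol` names through the PROTOCOL_MAP table, which is this example's assumption about how IOS resolves those names via its port-map); it does not reproduce the stateful inspect engine, so it tells you which class a fresh packet lands in, not which return traffic an established session would be allowed. The config excerpt is a constructed subset of the lines posted above.

```python
"""Walk an IOS zone-based firewall config: zone-pair -> policy-map -> class-map -> ACL.
Added example, not part of the original post; models static match logic only."""
import re

# Constructed excerpt of the config posted above (just the out-zone -> in-zone pieces).
CONFIG = """\
class-map type inspect match-all sdm-nat-pptp-1
 match access-group name PPTP
 match protocol pptp
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-pptp-1
  inspect
 class class-default
  drop
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
ip access-list extended PPTP
 permit gre any host 192.168.254.138
 permit tcp any host 192.168.254.138 eq 1723
"""

# Assumption of this model: what 'match protocol <name>' stands for, as
# (ip protocol, destination port or None); pptp is taken as the TCP/1723 control channel.
PROTOCOL_MAP = {"pptp": ("tcp", 1723), "gre": ("gre", None),
                "tcp": ("tcp", None), "udp": ("udp", None)}


def parse(config):
    """Collect class-maps, policy-maps, zone-pairs and named ACLs into dicts."""
    cmaps, pmaps, zpairs, acls = {}, {}, {}, {}
    ctx = None
    for line in config.splitlines():
        if m := re.match(r"class-map type inspect (match-all|match-any) (\S+)", line):
            cmaps[m[2]], ctx = {"mode": m[1], "rules": []}, ("cm", m[2])
        elif m := re.match(r"policy-map type inspect (\S+)", line):
            pmaps[m[1]], ctx = [], ("pm", m[1])
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
            zpairs[(m[2], m[3])], ctx = {"name": m[1]}, ("zp", (m[2], m[3]))
        elif m := re.match(r"ip access-list extended (\S+)", line):
            acls[m[1]], ctx = [], ("acl", m[1])
        elif ctx and line.startswith(" "):
            kind, key = ctx
            words = line.split()
            if kind == "cm" and words[0] == "match":
                cmaps[key]["rules"].append(words[1:])
            elif kind == "pm" and words[0] == "class":
                pmaps[key].append([words[-1], None])  # class name; action set by next line
            elif kind == "pm" and pmaps[key]:
                pmaps[key][-1][1] = words[0]  # inspect / pass / drop
            elif kind == "zp" and words[0] == "service-policy":
                zpairs[key]["policy"] = words[-1]
            elif kind == "acl" and words[0] in ("permit", "deny"):
                acls[key].append(words)
    return cmaps, pmaps, zpairs, acls


def acl_permits(aces, proto, dst_ip, dst_port):
    """First-match ACL lookup: 'any' source, 'any'/'host X' destination, optional 'eq PORT'."""
    for ace in aces:
        action, ace_proto, i = ace[0], ace[1], 3  # ace[2] is the source ('any' in this ACL)
        if ace[i] == "host":
            dst, i = ace[i + 1], i + 2
        else:
            dst, i = "any", i + 1
        port = int(ace[i + 1]) if i < len(ace) and ace[i] == "eq" else None
        if ace_proto not in ("ip", proto) or dst not in ("any", dst_ip):
            continue
        if port is not None and port != dst_port:
            continue
        return action == "permit"
    return False  # implicit deny at the end of every IOS ACL


def rule_matches(rule, acls, proto, dst_ip, dst_port):
    """Evaluate one 'match ...' criterion of a class-map."""
    if rule[0] == "access-group":
        return acl_permits(acls.get(rule[-1], []), proto, dst_ip, dst_port)
    if rule[0] == "protocol":
        want_proto, want_port = PROTOCOL_MAP.get(rule[1], (None, None))
        return proto == want_proto and want_port in (None, dst_port)
    return False  # other criteria (layer-7 class-maps etc.) are outside this model


def classify(config, src_zone, dst_zone, proto, dst_ip, dst_port=None):
    """Return (class name, action) that the flow falls into on the src->dst zone-pair."""
    cmaps, pmaps, zpairs, acls = parse(config)
    for cname, action in pmaps[zpairs[(src_zone, dst_zone)]["policy"]]:
        if cname == "class-default":
            return cname, action
        cm = cmaps[cname]
        hits = [rule_matches(r, acls, proto, dst_ip, dst_port) for r in cm["rules"]]
        if (all if cm["mode"] == "match-all" else any)(hits):
            return cname, action
    return "class-default", "drop"  # no explicit class-default: ZBF drops


if __name__ == "__main__":
    server = "192.168.254.138"
    print("GRE  ->", classify(CONFIG, "out-zone", "in-zone", "gre", server))
    print("1723 ->", classify(CONFIG, "out-zone", "in-zone", "tcp", server, 1723))
```

Under this model a GRE packet to 192.168.254.138 satisfies the PPTP access-list but not `match protocol pptp`, so the match-all class does not fire and the packet falls to class-default (drop), while TCP/1723 hits the class and is inspected; switching the class to match-any makes the access-list alone sufficient. That is exactly the difference bkepford's match-any suggestion probes, and the script is a quick way to sanity-check CCP-generated class-maps before going to the syslog.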

bkepford

The reason is that the user on the other end is trying to attach to this end and you are not inspecting or allowing GRE tunnels through your firewall.
cwtang (ASKER)

Hi,
Not sure if you noticed the following:

class-map type inspect match-all sdm-nat-pptp-1
 match access-group name PPTP
 match protocol pptp

ip access-list extended PPTP
 permit gre any host 192.168.254.138
 permit tcp any host 192.168.254.138 eq 1723

policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-pptp-1
  inspect

The firewall is set up for inspect and GRE is allowed based on the match protocol. I have also tried to set the class map to match-any instead of match-all; the results are still the same. The PPTP server would complain that GRE is not being passed.

If I remove CBAC completely on the router and only use NAT instead of both, the PPTP connection works fine.

Not sure if it is a config error created by CCP (Cisco Configuration Professional) that would cause the PPTP to fail once CBAC is enabled? I have also tried using SDM instead of CCP; the PPTP connection cannot be established either.
Change this class map to match-any instead of match-all and see if that helps:

class-map type inspect match-all sdm-nat-pptp-1
 match access-group name PPTP
 match protocol pptp
cwtang (ASKER)
No, it does not work either.
OK, I went through your config with a fine-tooth comb and saw nothing that jumps out at me. What I would do is set up syslog and then try to connect. This should give us enough information to figure out why your policy is not matching.
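
As an added example (not bkepford's code), here is a small Python script for the syslog step: it summarises IOS zone-based firewall drop messages and pulls out the ones that would break a PPTP server, namely GRE to it or TCP/1723 to it. The sample lines are constructed in the shape of the %FW-6-DROP_PKT and %FW-6-SESS_AUDIT_TRAIL_START messages; the exact wording varies between IOS releases (and the line prefix depends on the `service timestamps` and `service sequence-numbers` settings in the posted config), so check the regex against real output first. Note that %FW-6-DROP_PKT is only generated for a `drop log` action, so the bare `drop` on class-default in sdm-pol-NATOutsideToInside-1 needs the `log` keyword while troubleshooting.

```python
"""Summarise IOS zone-based firewall drop messages from a syslog capture.
Added example, not from the original thread; sample lines below are constructed."""
import re
from collections import Counter

# Constructed sample syslog lines: sequence number, timestamp with timezone, message.
SAMPLE_LOG = """\
000123: Apr 18 2009 13:58:01 SGP: %FW-6-DROP_PKT: Dropping gre session 203.0.113.10:0 192.168.254.138:0 on zone-pair sdm-zp-NATOutsideToInside-1 class class-default due to  DROP action found in policy-map with ip ident 0
000124: Apr 18 2009 13:58:02 SGP: %FW-6-DROP_PKT: Dropping gre session 203.0.113.10:0 192.168.254.138:0 on zone-pair sdm-zp-NATOutsideToInside-1 class class-default due to  DROP action found in policy-map with ip ident 0
000125: Apr 18 2009 13:58:05 SGP: %FW-6-DROP_PKT: Dropping tcp session 198.51.100.7:40211 192.168.254.133:22 on zone-pair sdm-zp-NATOutsideToInside-1 class class-default due to  DROP action found in policy-map with ip ident 0
000126: Apr 18 2009 13:58:09 SGP: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (203.0.113.10:49152) -- responder (192.168.254.138:1723)
"""

# Assumed field layout of the drop message; adjust against real output if a release differs.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zp>\S+) class (?P<cls>\S+)")


def parse_drops(text):
    """Yield one dict per FW-6-DROP_PKT line; every other message is skipped."""
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            yield d


def summarize(text):
    """Count drops by (proto, dst, dport, zone-pair, class) so the policy gap stands out."""
    return Counter((d["proto"], d["dst"], d["dport"], d["zp"], d["cls"])
                   for d in parse_drops(text))


def pptp_drops(text, server):
    """Drops that would break a PPTP server: GRE to it, or TCP/1723 to it."""
    return [d for d in parse_drops(text)
            if d["dst"] == server
            and (d["proto"] == "gre" or (d["proto"] == "tcp" and d["dport"] == 1723))]


if __name__ == "__main__":
    for key, count in summarize(SAMPLE_LOG).most_common():
        print(f"{count:4d}  proto={key[0]:<4} dst={key[1]}:{key[2]}  zone-pair={key[3]}  class={key[4]}")
    for d in pptp_drops(SAMPLE_LOG, "192.168.254.138"):
        print("PPTP-relevant drop:", d["proto"], d["src"], "->", d["dst"], "in class", d["cls"])
```

The summary line for each (protocol, destination, zone-pair, class) tuple is what answers bkepford's question of which policy the packet is not matching: if the GRE drops name class-default on sdm-zp-NATOutsideToInside-1, the pptp class never fired for them.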
cwtang (ASKER)
After a few unexpected crashes on the router (bus errors), I have decided to roll back the IOS image from 12.4(24)T to 12.4(23), as I needed stability instead of new enhancements.
Upon rolling back to the previous image, PPTP is working correctly. Although CBAC appears much simpler compared to the new IOS, I will monitor the issue.
As the equipment is a new purchase, I will log a TAC case once my SmartNet is ready.

Thanks for the help.
ASKER CERTIFIED SOLUTION
bkepford