Cisco Router PPTP Pass-Through With CBAC
Asked by cwtang
Hi,
I am trying to set up a PPTP connection to connect from the internet to a Windows server in my home. I have noticed that if I do not enable Cisco CBAC, it works without any issue. However, once I enable CBAC, the server complains that GRE is not being passed. Would anyone be able to indicate what might be wrong with the config (router set up using CCP)?
Network Diagram for connection is as follows:
Client --> Internet <---> Router (192.168.254.129) <--> Microsoft PPTP Server (192.168.254.138)
Any help would be appreciated.
Thanks.
version 12.4
service nagle
no service pad
service timestamps debug datetime localtime year
service timestamps log datetime localtime show-timezone year
service password-encryption
service compress-config
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging count
logging message-counter syslog
logging buffered 51200 informational
!
no aaa new-model
clock timezone SGP 8
dot11 syslog
no ip source-route
!
!
!
!
ip cef
no ip bootp server
ip domain lookup source-interface FastEthernet0/1
ip domain name xxxxxx
ip name-server 192.168.254.138
ip name-server xxx.xxx.xxx.xxx
ip port-map user-ASA--2 port udp 460
ip port-map user-ASA--1 port tcp 460
ip ddns update method sdm_ddns1
HTTP
add http://xxx:xxx@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
remove http://xxx:xxx@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
!
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
!
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
!
crypto pki trustpoint TP-self-signed-933800604
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-933800604
revocation-check none
rsakeypair TP-self-signed-933800604
!
!
crypto pki certificate chain TP-self-signed-933800604
certificate self-signed 01
quit
!
!
username Admin privilege 15 password 7 xxxx
archive
log config
hidekeys
!
!
!
!
!
!
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol bittorrent signature
class-map type inspect match-any CCP-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-all sdm-nat-pptp-1
match access-group name PPTP
match protocol pptp
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect match-all sdm-cls-ccp-inspect-1
match access-group name Free_Access
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-all sdm-nat-user-ASA--2-1
match access-group 103
match protocol user-ASA--2
class-map type inspect match-all sdm-nat-user-ASA--1-1
match access-group 102
match protocol user-ASA--1
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match file-transfer
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect edonkey match-any ccp-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
log
allow
class type inspect edonkey ccp-app-edonkeydownload
log
allow
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-pptp-1
inspect
class type inspect sdm-nat-user-ASA--1-1
inspect
class type inspect sdm-nat-user-ASA--2-1
inspect
class class-default
drop
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
reset
class type inspect msnmsgr ccp-app-msn-otherservices
allow
class type inspect ymsgr ccp-app-yahoo-otherservices
log
reset
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect sdm-cls-ccp-inspect-1
pass
class type inspect ccp-protocol-http
inspect
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
inspect
service-policy p2p ccp-action-app-p2p
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
inspect
class type inspect CCP-Voice-permit
inspect
class class-default
pass
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
reset
class type inspect http ccp-app-httpmethods
log
reset
class type inspect http ccp-http-allowparam
log
allow
policy-map type inspect ccp-permit
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description Interface_2Wire$ETH-WAN$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no keepalive
no cdp enable
no mop enabled
!
interface FastEthernet0/1
description $FW_INSIDE$
ip address 192.168.254.129 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security in-zone
duplex auto
speed auto
no mop enabled
!
interface Dialer0
description $FW_OUTSIDE$
bandwidth 10240
ip ddns update hostname xxx.xxx.xxx
ip ddns update sdm_ddns1
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username xxx password 7 xxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list Internet interface Dialer0 overload
ip nat inside source static tcp 192.168.254.138 1723 interface Dialer0 1723
ip nat inside source static tcp 192.168.254.133 460 interface Dialer0 460
ip nat inside source static udp 192.168.254.133 460 interface Dialer0 460
!
ip access-list extended Free_Access
remark CCP_ACL Category=128
permit ip host 192.168.254.157 any
permit ip host 192.168.254.138 any
ip access-list extended Internet
permit ip 192.168.254.128 0.0.0.31 any
ip access-list extended PPTP
permit gre any host 192.168.254.138
permit tcp any host 192.168.254.138 eq 1723
!
logging server-arp
logging 192.168.254.138
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.254.133
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.254.133
no cdp run
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
login local
!
scheduler allocate 20000 1000
end
The reason is that the user on the other end is trying to attach to this end and you are not inspecting or allowing GRE tunnels through your firewall.
ASKER
Hi,
Not sure if you noticed the following:
class-map type inspect match-all sdm-nat-pptp-1
match access-group name PPTP
match protocol pptp
ip access-list extended PPTP
permit gre any host 192.168.254.138
permit tcp any host 192.168.254.138 eq 1723
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-pptp-1
inspect
The firewall is set up for inspect and GRE is allowed based on the match protocol. I have also tried to set the class map to match-any instead of match-all; the results are still the same. The PPTP server would complain that GRE is not being passed.
If I remove CBAC completely on the router and only use NAT instead of both, the PPTP connection works fine.
Not sure if it is a config error created by CCP (Cisco Configuration Professional) that would cause the PPTP to fail once CBAC is enabled? I have also tried using SDM instead of CCP; the PPTP connection cannot be established either.
Change this class map to match-any instead of match-all and see if that helps:
class-map type inspect match-all sdm-nat-pptp-1
match access-group name PPTP
match protocol pptp
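As an added illustration (not code from the thread), the following Python model shows how the sdm-nat-pptp-1 class-map from the posted config evaluates a TCP/1723 control packet and a bare GRE packet under match-all versus match-any. It models static classification only; the GRE data session that a real `match protocol pptp` inspection opens dynamically from the control channel is not modelled, which is one reason the thread reports match-any alone did not fix the connection.

```python
# Added example (not from the thread): a small model of Cisco ZBF class-map
# evaluation, applied to class-map sdm-nat-pptp-1 from the posted config.
# Static classification only; dynamic GRE pinholes are NOT modelled.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "gre"
    dst: str
    dport: int = 0  # 0 for protocols without ports


# ip access-list extended PPTP, as posted: (protocol, host, port-or-None)
ACL_PPTP = [("gre", "192.168.254.138", None),
            ("tcp", "192.168.254.138", 1723)]

# "match protocol pptp" classifies the control channel only (TCP/1723);
# a GRE packet never satisfies this match statement on its own.
PROTOCOL_PORTS = {"pptp": ("tcp", 1723)}


def acl_permits(acl, pkt):
    return any(p == pkt.proto and h == pkt.dst and (port is None or port == pkt.dport)
               for p, h, port in acl)


def matches_protocol(name, pkt):
    proto, port = PROTOCOL_PORTS[name]
    return pkt.proto == proto and pkt.dport == port


def classify(pkt, mode):
    """Evaluate sdm-nat-pptp-1: 'match access-group name PPTP' + 'match protocol pptp'."""
    results = [acl_permits(ACL_PPTP, pkt), matches_protocol("pptp", pkt)]
    return all(results) if mode == "match-all" else any(results)


def action(pkt, mode):
    # policy-map sdm-pol-NATOutsideToInside-1: class sdm-nat-pptp-1 -> inspect,
    # everything else falls to class-default -> drop
    return "inspect" if classify(pkt, mode) else "drop"


CONTROL = Packet("tcp", "192.168.254.138", 1723)   # constructed sample packet
GRE_DATA = Packet("gre", "192.168.254.138")        # constructed sample packet

if __name__ == "__main__":
    for mode in ("match-all", "match-any"):
        print(mode, "control:", action(CONTROL, mode), "gre:", action(GRE_DATA, mode))
```

Under match-all a GRE packet can only satisfy the ACL leg, so it falls to class-default and is dropped; match-any admits it statically, but the inspect engine still has to create the GRE session from the TCP/1723 control channel, so the router's drop logs are the next thing to check.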
ASKER
No, it does not work either.
Ok, I went through your config with a fine-tooth comb and saw nothing that jumps out at me. What I would do is set up syslog and then try and connect. This should give us enough information to figure out why your policy is not matching.
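To follow that advice, here is an added Python helper (not from the thread) that summarises Zone-Based Firewall drop messages from a syslog capture by protocol, zone-pair and class, so a GRE drop toward the PPTP server stands out. The sample lines are constructed to resemble the %FW-6-DROP_PKT message; confirm the exact wording on your IOS release and adjust the pattern if it differs.

```python
# Added example (not from the thread): count ZBF drops per (protocol, zone-pair,
# class) for one inside host. Log lines below are constructed, not real captures.
import re
from collections import Counter

# Assumed message shape, modelled on %FW-6-DROP_PKT; verify on your release.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zp>\S+) class (?P<cls>\S+)"
)

# Constructed sample syslog lines using the zone-pair names from the posted config.
SAMPLE_LOG = """\
Jan  1 10:00:01 router 12: %FW-6-DROP_PKT: Dropping gre session 203.0.113.7:0 192.168.254.138:0 on zone-pair sdm-zp-NATOutsideToInside-1 class class-default due to  DROP action found in policy-map with ip ident 0
Jan  1 10:00:01 router 13: %FW-6-DROP_PKT: Dropping gre session 203.0.113.7:0 192.168.254.138:0 on zone-pair sdm-zp-NATOutsideToInside-1 class class-default due to  DROP action found in policy-map with ip ident 0
Jan  1 10:00:02 router 14: %FW-6-DROP_PKT: Dropping tcp session 198.51.100.9:40210 192.0.2.10:22 on zone-pair ccp-zp-out-self class class-default due to  DROP action found in policy-map with ip ident 0
Jan  1 10:00:03 router 15: %SYS-5-CONFIG_I: Configured from console by Admin on vty0
"""


def parse_drops(text):
    """Return one dict per FW-6-DROP_PKT line; unrelated lines are ignored."""
    return [m.groupdict() for line in text.splitlines() if (m := DROP_RE.search(line))]


def drops_to_host(drops, host):
    """Count drops toward one destination, keyed by (protocol, zone-pair, class)."""
    return Counter((d["proto"], d["zp"], d["cls"]) for d in drops if d["dst"] == host)


if __name__ == "__main__":
    # In the thread's setup the PPTP server is 192.168.254.138
    for key, n in drops_to_host(parse_drops(SAMPLE_LOG), "192.168.254.138").items():
        print(n, "x", key)
```

A run of GRE drops in sdm-zp-NATOutsideToInside-1 with class class-default means the packets reached the firewall but never matched the inspect class, which narrows the fault to classification rather than NAT.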
ASKER
After a few unexpected crashes on the router (bus errors), I have decided to roll back the IOS image from 12.4(24)T to 12.4(23), as I needed stability instead of new enhancements.
Upon rollback to the previous image, PPTP is working correctly; although CBAC appears much simpler compared to the new IOS, I will monitor the issue.
As the equipment is a new purchase, I will log a TAC case once my SmartNet is ready.
Thanks for the help.