• Status: Solved
Cisco 881 VPN Pass Through

Hello,
We cannot get a VPN pass-through to work on a Cisco 881. We used the Cisco CP Express Wizard to open some common ports for incoming mail, OWA etc., which all work fine. However, if we open port 1723, this does not seem to work. Are we forgetting something?
Active config:

Using 7027 out of 262136 bytes
!
! Last configuration change at 09:41:48 PCTime Mon Dec 21 2009 by cisco
! NVRAM config last updated at 09:41:51 PCTime Mon Dec 21 2009 by cisco
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Gateway
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 $1$79Ue$NeJllePFFKZDaIF6DuUW41
!
no aaa new-model
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-3367286295
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3367286295
 revocation-check none
 rsakeypair TP-self-signed-3367286295
!
!
crypto pki certificate chain TP-self-signed-3367286295
 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
no ip source-route
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name freeway.local
no ipv6 cef
!
!
!
!
username Aucuba privilege 15 secret 5 $1$FOff$0iUtXiJaJ7dgfu46hx0sw0
!
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-nat-http-1
 match access-group 101
 match protocol http
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 102
 match protocol smtp
class-map type inspect match-all sdm-nat-pptp-1
 match access-group 104
 match protocol pptp
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all sdm-nat-https-1
 match access-group 103
 match protocol https
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-nat-smtp-1
  inspect
 class type inspect sdm-nat-https-1
  inspect
 class type inspect sdm-nat-pptp-1
  inspect
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address 83.80.23.20 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 172.16.206.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 83.80.23.17
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 172.16.206.1 80 interface FastEthernet4 80
ip nat inside source static tcp 172.16.206.1 25 interface FastEthernet4 25
ip nat inside source static tcp 172.16.206.1 443 interface FastEthernet4 443
ip nat inside source static tcp 172.16.206.1 1723 interface FastEthernet4 1723
ip nat inside source list 1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.16.206.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 83.80.23.16 0.0.0.7 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 172.16.206.1
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 172.16.206.1
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 172.16.206.1
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 172.16.206.1
no cdp run

!
!
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
Asked by: WNouwens

1 Solution
Jody Lemoine (Network Architect) commented:
The configuration looks good for the most part.  Just for testing, try removing the access list 104 requirement on the PPTP firewall rule:

class-map type inspect match-all sdm-nat-pptp-1
 no match access-group 104

If that clears things up, we know we have an ACL problem.  If not, we can return to the firewall troubleshooting.
WNouwens (Author) commented:
Hello,
That does not seem to do anything. Note that we know a bit of networking but little of Cisco..:-(
We tried to apply the next scenario to allow PPTP from any outside client to the internal PPTP VPN server. However the "static" command is -for instance- not accepted.

In this configuration example, the PPTP server is 192.168.201.5 (static to 10.48.66.106 inside), and the PPTP client is at 192.168.201.25 .

access-list acl-out permit gre host 192.168.201.25  host 192.168.201.5
access-list acl-out permit tcp host 192.168.201.25  host 192.168.201.5  eq 1723
static (inside,outside) 192.168.201.5  10.48.66.106 netmask 255.255.255.255 0 0
access-group acl-out in interface outside

The situation is a bit problematic; we can only test this functionality at the client side. However, we will now take the Cisco to our office to program it and then return to test.
Any suggestions would be appreciated.
Thanks, Wouter
Jody Lemoine (Network Architect) commented:
You're trying to run PIX/ASA commands on a Cisco router, which is akin to using Windows commands on Linux.  There is a distant relationship between the two, but not enough that you can apply one's commands to the other.

Your Cisco 881 is using zone-based firewalling, which is completely different from what those commands were designed to configure on the ASA/PIX.

A little further research leads me to understand that the zone-based firewall on IOS doesn't handle the GRE portion of PPTP with the "match protocol pptp" statement.  Perhaps this will work better.

ip access-list extended GRE
 permit gre any any
class-map type inspect match-any PPTP
 match protocol pptp
 match access-group name GRE
class-map type inspect match-all sdm-nat-pptp-1
 match access-group 104
 match class-map PPTP
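As an added illustration (not code from the thread), a small Python check of the point above: a zone-based firewall inspect class that only has "match protocol pptp" admits the TCP/1723 control channel but never the GRE data channel, so the tunnel stalls right after the control connection is set up. It parses both versions of the sdm-nat-pptp-1 class-map from this thread and reports which half of PPTP each one can pass.

```python
import re

# Constructed from the thread: the CCP-generated class (TCP/1723 only) and the
# corrected version that also admits GRE (IP protocol 47) via a named ACL.
ORIGINAL = """\
class-map type inspect match-all sdm-nat-pptp-1
 match access-group 104
 match protocol pptp
"""
FIXED = """\
ip access-list extended GRE
 permit gre any any
class-map type inspect match-any PPTP
 match protocol pptp
 match access-group name GRE
class-map type inspect match-all sdm-nat-pptp-1
 match access-group 104
 match class-map PPTP
"""

def parse(cfg):
    """Map class-map names and named ACLs to their indented child lines."""
    cmaps, acls, cur = {}, {}, None
    for line in cfg.splitlines():
        m = re.match(r"class-map type inspect match-\w+ (\S+)", line)
        a = re.match(r"ip access-list extended (\S+)", line)
        if m:
            cur = cmaps.setdefault(m.group(1), [])
        elif a:
            cur = acls.setdefault(a.group(1), [])
        elif line.startswith(" ") and cur is not None:
            cur.append(line.strip())
        else:
            cur = None  # any other top-level line ends the current block
    return cmaps, acls

def pptp_parts(name, cmaps, acls, seen=()):
    """Halves of PPTP a class can match: 'tcp1723' from 'match protocol pptp',
    'gre' from a named ACL permitting GRE. Nested class-maps are followed;
    match-all vs match-any semantics are deliberately not modelled."""
    if name in seen:
        return set()
    parts = set()
    for entry in cmaps.get(name, []):
        words = entry.split()
        if entry == "match protocol pptp":
            parts.add("tcp1723")
        elif entry.startswith("match access-group name "):
            if any(e.startswith("permit gre") for e in acls.get(words[-1], [])):
                parts.add("gre")
        elif entry.startswith("match class-map "):
            parts |= pptp_parts(words[-1], cmaps, acls, seen + (name,))
    return parts

def pptp_complete(cfg, cls="sdm-nat-pptp-1"):
    """True only if the inspect class can pass both TCP/1723 and GRE."""
    return pptp_parts(cls, *parse(cfg)) == {"tcp1723", "gre"}
```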
WNouwens (Author) commented:
Hello, thanks for your response. We tried your solution, but it does not work. We have now set up a local test situation with a PPTP VPN server; however it does not connect. We did a factory default reset, configured port forwarding again and applied your changes. This is the resulting config:
CiscoGW#write terminal
Building configuration...

Current configuration : 5074 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CiscoGW
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
enable secret 5 $1$GEip$/JW/nPQIymFNSy1M0G92h1
!
no aaa new-model
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-3367286295
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3367286295
 revocation-check none
 rsakeypair TP-self-signed-3367286295
!
!
crypto pki certificate chain TP-self-signed-3367286295
 certificate self-signed 01
        quit
ip source-route
ip dhcp excluded-address 172.16.206.1 172.16.206.89
ip dhcp excluded-address 172.16.206.141 172.16.206.254
!
ip dhcp pool ccp-pool1
   import all
   network 172.16.206.0 255.255.255.0
   dns-server 172.16.206.1
   default-router 172.16.206.254
!
!
ip cef
ip domain name freeway.local
ip name-server 172.16.206.1
no ipv6 cef
!
!
!
!
username aucuba privilege 15 secret 5 $1$pwmW$B8tHX21Y5hKS3wg5m00uZ/
!
!
!
archive
 log config
  hidekeys
!
!
!
class-map type inspect match-any PPTP
 match protocol pptp
 match access-group name GRE
class-map type inspect match-all sdm-nat-pptp-1
 match access-group 104
 match class-map PPTP
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$
 ip address 10.0.10.140 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$
 ip address 172.16.206.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.0.10.138
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 172.16.206.1 1723 interface FastEthernet4 1723
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 172.16.206.1 80 interface FastEthernet4 80
ip nat inside source static tcp 172.16.206.1 25 interface FastEthernet4 25
ip nat inside source static tcp 172.16.206.1 443 interface FastEthernet4 443
!
ip access-list extended GRE
 permit gre any any
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.16.206.0 0.0.0.255
no cdp run

!
!
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you
want to use.

-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end
WNouwens (Author) commented:
Your answer was correct; we tested your solution with another (Draytek) router as a PPTP VPN server, which caused the VPN not to work. Without the router it works fine.