Jamie_Brand
 asked on

Outbound PPTP VPN connection through Cisco 2821

Hi Experts,

Apologies if this topic has been covered many times before, however I need input for my particular configuration.

I am setting up a replacement for our current ADSL connection.  We have a Cisco 2811 provided by the new ISP which comes preconfigured with no access to the device.  Because we are prohibited from touching the configuration of this device, we are using a Cisco 2821 connected to the 2811 with cat5 (interface gig0/1).

Below is the current router configuration so far, all seems well (can browse the web etc), but I notice we cannot establish VPN connections outbound, via PPTP.  I can telnet to the VPN servers on 1723, but Windows times out at verifying username/password.

I guess this is something to do with GRE, but the config looks good to me, any ideas?

Building configuration...

Current configuration : 3701 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname C2800
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
!
dot11 syslog
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip cef
!
!
ip domain name syn.local
ip name-server 192.168.50.10
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall icmp
ip inspect name firewall pptp
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
username xxxxxxxxxxxxxxxxxxxxxx
username xxxxxxxxxxxxxxxxxxxxxx
archive
 log config
  hidekeys
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxxxxxxxxxxxxxx address xxxxxxxxxxxxxxxxxxxxxx
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description ART
 set peer xxxxxxxxxxxxxxxxxxxxxx
 set transform-set ESP-3DES-SHA 
 match address 103
!
!
!
!
!
!
!
interface Tunnel1
 description Link to ART
 ip address 10.1.2.1 255.255.255.252
 ip mtu 1472
 keepalive 10 3
 tunnel source GigabitEthernet0/1
 tunnel destination xxxxxxxxxxxxxxxxxxxxxx
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.51.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.50.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/1
 ip address 77.89.162.98 255.255.255.240
 ip access-group 102 in
 ip nat outside
 ip inspect firewall in
 ip inspect firewall out
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
ip route 10.0.0.0 255.255.255.0 10.1.2.2
ip route 192.168.1.0 255.255.255.0 192.168.50.254
ip route 192.168.48.0 255.255.240.0 192.168.50.254
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 pool synnatpool overload
ip nat inside source list 2 pool t2natpool overload
ip nat inside source route-map rmap_1 interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.50.14 77.89.162.104
!
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 2 permit 192.168.51.0 0.0.0.255
access-list 101 deny   ip 192.168.50.0 0.0.0.255 192.168.52.0 0.0.0.255
access-list 101 deny   ip 192.168.50.0 0.0.0.255 192.168.53.0 0.0.0.255
access-list 101 deny   ip 192.168.50.0 0.0.0.255 192.168.54.0 0.0.0.255
access-list 101 deny   ip 192.168.50.0 0.0.0.255 192.168.55.0 0.0.0.255
access-list 101 deny   ip 192.168.50.0 0.0.0.255 192.168.56.0 0.0.0.255
access-list 101 deny   ip 192.168.50.0 0.0.0.255 192.168.57.0 0.0.0.255
access-list 101 deny   ip 192.168.50.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 101 deny   ip 192.168.50.0 0.0.0.255 192.168.59.0 0.0.0.255
access-list 101 deny   ip 192.168.50.0 0.0.0.255 192.168.246.0 0.0.0.255
access-list 101 permit ip 192.168.50.0 0.0.0.255 any
access-list 101 permit ip 192.168.51.0 0.0.0.255 any
access-list 102 permit tcp 207.126.144.0 0.0.15.255 any eq smtp
access-list 102 permit tcp any any established
access-list 102 permit gre any any
access-list 102 permit icmp any any
access-list 102 permit udp any any
access-list 103 permit ip 192.168.50.0 0.0.0.255 10.0.0.0 0.0.0.255
!
!
!
!
route-map rmap_1 permit 1
 match ip address 101
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login local
 transport input ssh
!
scheduler allocate 20000 1000
end

Topics: Routers, VPN, Internet Protocol Security
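As an added example (not code from the thread or from any of its participants), the script below parses the inbound ACL from the posted configuration (access-list 102) and evaluates the three kinds of inbound packet a PPTP session produces: the server's replies on the TCP 1723 control channel, the GRE packets that carry the PPP authentication exchange, and an unsolicited inbound SYN. The router's public address 77.89.162.98 is taken from the config; the VPN server address 203.0.113.5 and the port numbers are constructed placeholders. The point of running it is to confirm what the question already suspects: the static ACL permits GRE return traffic, so a client that still hangs at "verifying username and password" is being stopped somewhere else in the path, which is where the asker's later laptop test pointed.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Inbound ACL copied verbatim from the posted 2821 configuration.
ACL_102 = """
access-list 102 permit tcp 207.126.144.0 0.0.15.255 any eq smtp
access-list 102 permit tcp any any established
access-list 102 permit gre any any
access-list 102 permit icmp any any
access-list 102 permit udp any any
"""

# 77.89.162.98 is GigabitEthernet0/1 from the config; 203.0.113.5 is a
# constructed placeholder for the remote PPTP server (not from the thread).
OUR_PUBLIC_IP = "77.89.162.98"
VPN_SERVER = "203.0.113.5"

NAMED_PORTS = {"smtp": 25, "pptp": 1723, "www": 80, "domain": 53}


@dataclass
class Ace:
    action: str
    proto: str                      # 'ip' matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    src_port: Optional[int]
    dst_port: Optional[int]
    established: bool               # TCP only: matches when ACK or RST is set


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    ack_or_rst: bool = False        # TCP: True for anything but the initial SYN


def _wildcard_network(base: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert a Cisco address/wildcard pair to a network.

    The wildcard is inverted by hand because ipaddress would read a 0.0.0.0
    mask as 'match everything' where Cisco means 'this single host'.
    Non-contiguous wildcards raise ValueError, which is fine for this check."""
    w = int(ipaddress.IPv4Address(wildcard))
    netmask = str(ipaddress.IPv4Address((~w) & 0xFFFFFFFF))
    return ipaddress.IPv4Network((base, netmask), strict=False)


def _addr(tokens: list[str], i: int) -> tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return _wildcard_network(tokens[i], tokens[i + 1]), i + 2


def _port(tokens: list[str], i: int) -> tuple[Optional[int], int]:
    """Parse an optional 'eq <number|name>' at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (NAMED_PORTS[name] if name in NAMED_PORTS else int(name)), i + 2
    return None, i


def parse_acl(text: str) -> list[Ace]:
    """Parse extended numbered ACL lines into Ace records, in order."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _addr(t, 4)
        src_port, i = _port(t, i)
        dst, i = _addr(t, i)
        dst_port, i = _port(t, i)
        established = "established" in t[i:]
        aces.append(Ace(action, proto, src, dst, src_port, dst_port, established))
    return aces


def evaluate(aces: list[Ace], pkt: Packet) -> str:
    """First-match semantics; 'deny' is returned for the implicit deny at the end."""
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for a in aces:
        if a.proto != "ip" and a.proto != pkt.proto:
            continue
        if src not in a.src or dst not in a.dst:
            continue
        if a.src_port is not None and a.src_port != pkt.src_port:
            continue
        if a.dst_port is not None and a.dst_port != pkt.dst_port:
            continue
        if a.established and not (pkt.proto == "tcp" and pkt.ack_or_rst):
            continue
        return a.action
    return "deny"


def pptp_inbound_verdicts(acl_text: str = ACL_102) -> dict[str, str]:
    """Evaluate the inbound packets of a PPTP session against the ACL."""
    aces = parse_acl(acl_text)
    packets = {
        # Server replies on the TCP 1723 control channel (ACK set).
        "control_reply": Packet("tcp", VPN_SERVER, OUR_PUBLIC_IP, 1723, 49152, ack_or_rst=True),
        # GRE carrying the PPP frames in which username/password are exchanged.
        "gre_from_server": Packet("gre", VPN_SERVER, OUR_PUBLIC_IP),
        # Unsolicited inbound connection attempt to 1723 (SYN only).
        "unsolicited_syn": Packet("tcp", VPN_SERVER, OUR_PUBLIC_IP, 40000, 1723),
    }
    return {name: evaluate(aces, p) for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in pptp_inbound_verdicts().items():
        print(f"{name:18s} -> {verdict}")
```

The evaluator models only the static ACL. It does not model the dynamic openings that `ip inspect firewall` creates, nor whether `ip nat ... overload` translates the GRE packets back to the inside host (GRE has no ports, so PAT depends on the PPTP inspection tracking call IDs). Once the ACL is shown to permit GRE, those two mechanisms and the upstream 2811 are the remaining places to look.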

Last comment: Jamie_Brand
8/22/2022 - Mon
memo_tnt

hi

Did you try to remove the ip inspect and ACL 102? Then try:

interface GigabitEthernet0/1
 no ip access-group 102 in
 no ip inspect firewall in
 no ip inspect firewall out

Jamie_Brand

ASKER
Hi,

Yes I have tried this with the same result.  Basically I am just looking for input as to whether there is something glaringly wrong with the configuration which would stop GRE, or if it could be something on the ISP configured 2811, to which I have no access.

I am going to try configuring a laptop with a public IP and connect it directly to the 2811 and see if I can get the same problem.
memo_tnt

ya that's a good step ...
since your configuration seems ok ..


Jamie_Brand

ASKER
Tried connecting a laptop directly to the ISP device with a public IP, and I can establish VPN fine.

I'll continue troubleshooting, any advice would be welcome.
Fyathyrio

It appears that I have run into the same problem.

Were you ever able to solve this issue?
ASKER CERTIFIED SOLUTION
Jamie_Brand
