Cisco 871 VPN Pass-Through Setup

Posted on 2010-08-16
Last Modified: 2012-05-10
I can't seem to get the VPN pass-through working on a Cisco 871. I'm using the Cisco CP interface to configure it. Here's the current running config, with some of the key IPs masked for anonymity. I need to forward the VPN traffic to a server which is running PPTP & L2TP type VPN servers.

Current configuration : 8267 bytes
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname router1
logging buffered 51200
logging console critical
enable secret 5 $1$r1cm$SFYzLmOLX5.p59/XG8H0r0
no aaa new-model
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
crypto pki trustpoint TP-self-signed-2302734966
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2302734966
 revocation-check none
 rsakeypair TP-self-signed-2302734966
crypto pki certificate chain TP-self-signed-2302734966
 certificate self-signed 01
dot11 syslog
no ip source-route
ip cef
ip port-map user-protocol--1 port tcp 5900
no ip bootp server
ip domain name DOMAINNAME
ip name-server
ip name-server
ip ddns update method sdm_ddns1
username PRIMEUSER privilege 15 secret 5 $1$8/kl$wBW4QJy1d105VOPvOn7pe0
 log config
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 101
 match protocol user-protocol--1
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-any CCP-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol pptp
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
 match protocol http
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
 class class-default
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
 class type inspect ccp-insp-traffic
 class type inspect CCP-Voice-permit
 class class-default
policy-map type inspect ccp-permit
 class class-default
policy-map type inspect ccp-pol-outToIn
 class type inspect CCP_PPTP
 class type inspect sdm-nat-user-protocol--1-1
 class class-default
  drop log
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-pol-outToIn
interface Null0
 no ip unreachables
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
 description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
 ip ddns update sdm_ddns1
 ip address EXTERNALIP
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip route-cache flow
 duplex auto
 speed auto
interface Vlan1
 ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
 ip tcp adjust-mss 1452
ip forward-protocol nd
ip route GATEWAYIP
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 5900 interface FastEthernet4 10000
ip access-list extended P2P
 remark CCP_ACL Category=128
 permit ip any any
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any host
 permit gre any any
ip access-list extended VPN
 remark CCP_ACL Category=128
 permit ip any host
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host any
access-list 100 permit ip any
access-list 100 permit ip any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host
no cdp run
banner exec ^C
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
Question by:Avalerion
Accepted Solution

anoopkmr earned 1000 total points
ID: 33446791
Try the commands below:

ip nat inside source static tcp 1723 interface FastEthernet4 1723

ip nat inside source static udp 500 interface FastEthernet4 500
ip nat inside source static udp 1701 interface FastEthernet4 1701
ip nat inside source static tcp 1701 interface FastEthernet4 1701

ip access-list extended SDM_GRE
 permit tcp any any eq 1723
 permit udp any any eq 1701
 permit tcp any any eq 1701
 permit udp any any eq 500

Assisted Solution

by:Jody Lemoine
Jody Lemoine earned 1000 total points
ID: 33551363
PPTP is fairly easy and will only require the 1723 and GRE statements anoopkmr has mentioned above. L2TP is more complicated because it encapsulates its payload in IPsec ESP packets, which aren't going to be easily handled by a simple port forward. If you have a second public IP address that you can assign for PPTP/L2TP use, you can add a secondary IP to your PPTP/L2TP server (, for example?) and do something like this:

ip nat inside source static x.x.x.x

ip access-list extended SDM_GRE
 permit tcp any any eq 1723
 permit gre any any
 permit udp any any eq 500
 permit esp any any

Replace x.x.x.x with the second public IP address mentioned above.
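As an added example (not code from the question or from either answer), a small Python checker that reads an IOS running-config and reports which of the static NAT forwards and SDM_GRE permits named in the two answers are still missing for PPTP and for L2TP/IPsec. The config it checks is a constructed fragment, not the asker's full config; the ACL name SDM_GRE and the port numbers are taken from the thread.

```python
import re

# Constructed sample: the NAT and ACL lines of a running-config after applying
# the accepted answer's forwards, plus the out-zone -> in-zone pair from the question.
SAMPLE_CONFIG = """\
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 1723 interface FastEthernet4 1723
ip nat inside source static udp 500 interface FastEthernet4 500
ip nat inside source static udp 1701 interface FastEthernet4 1701
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
 permit tcp any any eq 1723
 permit udp any any eq 1701
 permit udp any any eq 500
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-pol-outToIn
"""

# What each VPN type needs to reach an inside server through NAT plus the zone
# firewall. (proto, port) pairs are expected both as static NAT and as ACL permits;
# bare protocols (gre, esp) have no port, so they are checked in the ACL only.
REQUIREMENTS = {
    "pptp": {"nat": [("tcp", 1723)], "acl": [("tcp", 1723), ("gre", None)]},
    "l2tp-ipsec": {"nat": [("udp", 500), ("udp", 1701)],
                   "acl": [("udp", 500), ("udp", 1701), ("esp", None)]},
}

def parse_static_nat(config):
    """Return {(proto, port)} from 'ip nat inside source static <proto> <port> ...' lines."""
    pat = re.compile(r"^ip nat inside source static (tcp|udp) (\d+) ", re.M)
    return {(m.group(1), int(m.group(2))) for m in pat.finditer(config)}

def parse_acl(config, name):
    """Return {(proto, port-or-None)} for the permit entries of one named extended ACL."""
    entries, inside = set(), False
    for line in config.splitlines():
        if line.startswith("ip access-list extended "):
            inside = line.split()[-1] == name
        elif not line.startswith(" "):
            inside = False                      # any other top-level line ends the ACL
        elif inside and line.startswith(" permit "):
            parts = line.split()
            port = int(parts[parts.index("eq") + 1]) if "eq" in parts else None
            entries.add((parts[1], port))
    return entries

def missing_for(config, vpn, acl_name="SDM_GRE"):
    """List the NAT/ACL statements still absent for the given VPN type."""
    nat, acl = parse_static_nat(config), parse_acl(config, acl_name)
    req = REQUIREMENTS[vpn]
    missing = [f"nat {p}/{port}" for p, port in req["nat"] if (p, port) not in nat]
    missing += [f"acl {p}" + (f"/{port}" if port else "")
                for p, port in req["acl"] if (p, port) not in acl]
    return missing
```

On the constructed sample, PPTP comes back complete while L2TP/IPsec reports only the ESP permit as missing, which is the gap the second answer describes: ESP has no port, so it can be allowed through the inspect policy but not delivered by a static port forward.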
Expert Comment

ID: 34459484
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.