Solved

Cisco 871 VPN Pass-Through Setup

Posted on 2010-08-16
847 Views
Last Modified: 2012-05-10
I can't seem to get the VPN pass through working on a Cisco 871. I'm using the Cisco CP interface to configure. Here's the current running config, with some of the key IPs masked for anonymity. I need to forward the VPN traffic to server 10.0.0.2 which is running PPTP & L2TP type VPN servers.

Current configuration : 8267 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$r1cm$SFYzLmOLX5.p59/XG8H0r0
!
no aaa new-model
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-2302734966
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2302734966
 revocation-check none
 rsakeypair TP-self-signed-2302734966
!
!
crypto pki certificate chain TP-self-signed-2302734966
 certificate self-signed 01
        quit
dot11 syslog
no ip source-route
ip cef
!
!
ip port-map user-protocol--1 port tcp 5900
no ip bootp server
ip domain name DOMAINNAME
ip name-server 10.0.0.2
ip name-server 151.197.0.39
ip ddns update method sdm_ddns1
 HTTP
  add http://DYNDNSCRED@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
  remove http://DYNDNSCRED@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
!
!
!
!
username PRIMEUSER privilege 15 secret 5 $1$8/kl$wBW4QJy1d105VOPvOn7pe0
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 101
 match protocol user-protocol--1
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-any CCP-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol pptp
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect CCP-Voice-permit
  inspect
 class class-default
  pass
policy-map type inspect ccp-permit
 class class-default
policy-map type inspect ccp-pol-outToIn
 class type inspect CCP_PPTP
  pass
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-pol-outToIn
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
 ip ddns update sdm_ddns1
 ip address EXTERNALIP 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip route-cache flow
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 10.0.0.1 255.255.0.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 GATEWAYIP
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 10.0.0.28 5900 interface FastEthernet4 10000
!
ip access-list extended P2P
 remark CCP_ACL Category=128
 permit ip any any
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any host 10.0.0.2
 permit gre any any
ip access-list extended VPN
 remark CCP_ACL Category=128
 permit ip any host 10.0.0.2
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.255.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 71.123.55.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 10.0.0.28
no cdp run
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
 
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you
want to use.
 
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Question by:Avalerion
4 Comments
 
LVL 14

Accepted Solution

by:
anoopkmr earned 250 total points
ID: 33446791
try the below commands


ip nat inside source static tcp 10.0.0.2 1723 interface FastEthernet4 1723

ip nat inside source static udp 10.0.0.2 500 interface FastEthernet4 500
ip nat inside source static udp 10.0.0.2 1701 interface FastEthernet4 1701
ip nat inside source static tcp 10.0.0.2 1701 interface FastEthernet4 1701



ip access-list extended SDM_GRE
 permit tcp any any eq 1723
 permit udp any any eq 1701
 permit tcp any any eq 1701
 permit udp any any eq 500

 
LVL 22

Assisted Solution

by:Jody Lemoine
Jody Lemoine earned 250 total points
ID: 33551363
PPTP is fairly easy and will only require the 1723 and GRE statements anoopkmr has mentioned above.  L2TP is more complicated because it encapsulates its payload in IPsec ESP packets, which aren't going to be easily handled by a simple port forward.  If you have a second public IP address that you can assign for PPTP/L2TP use, you can add a secondary IP to your PPTP/L2TP server (10.0.0.3, for example?) and do something like this:

ip nat inside source static 10.0.0.3 x.x.x.x

ip access-list extended SDM_GRE
 permit tcp any any eq 1723
 permit gre any any
 permit udp any any eq 500
 permit esp any any

Replace x.x.x.x with the second public IP address mentioned above.
0
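As an added check (not part of this thread or of Cisco CP), this Python script parses a running-config excerpt for the static NAT and SDM_GRE entries the two answers rely on and lists what is still missing for PPTP (tcp/1723 plus GRE) and for L2TP/IPsec (udp/500 plus ESP behind a 1:1 mapping). The sample config and the 203.0.113.10 public address are constructed.

```python
import re

# Constructed excerpt modelled on the router after both answers are applied.
SAMPLE_CONFIG = """\
ip nat inside source static tcp 10.0.0.2 1723 interface FastEthernet4 1723
ip nat inside source static 10.0.0.3 203.0.113.10
ip access-list extended SDM_GRE
 permit gre any host 10.0.0.2
 permit tcp any any eq 1723
 permit udp any any eq 500
 permit esp any any
!
"""

# Port forward (proto, inside host, inside port) and 1:1 (inside host, public IP) forms.
PORT_FWD = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface \S+ (\d+)$")
ONE_TO_ONE = re.compile(r"^ip nat inside source static (\d+(?:\.\d+){3}) (\S+)$")

def acl_permits(config, acl_name):
    """Collect (protocol, port-or-None) from the permit lines of one extended ACL."""
    permits, inside = set(), False
    for line in config.splitlines():
        if line.startswith("ip access-list extended "):
            inside = line.split()[-1] == acl_name
        elif inside and line.startswith(" permit "):
            parts = line.split()
            port = parts[parts.index("eq") + 1] if "eq" in parts else None
            permits.add((parts[1], port))
        elif inside and not line.startswith(" "):
            inside = False  # left the ACL block
    return permits

def missing_passthrough(config, server, acl_name="SDM_GRE"):
    """List what is still absent for PPTP (tcp/1723 + GRE) and L2TP/IPsec (udp/500 + ESP)."""
    lines = config.splitlines()
    permits = acl_permits(config, acl_name)
    forwards = {(m[1], m[2], m[3]) for m in map(PORT_FWD.match, lines) if m}
    one_to_one = {m[1]: m[2] for m in map(ONE_TO_ONE.match, lines) if m}
    gaps = []
    if ("tcp", server, "1723") not in forwards:
        gaps.append(f"PPTP: static NAT for tcp/1723 to {server}")
    if not one_to_one:  # ESP has no port, so the L2TP/IPsec host needs a 1:1 mapping
        gaps.append("L2TP/IPsec: 1:1 static NAT for the server")
    for label, proto, port in (("PPTP", "tcp", "1723"), ("PPTP", "gre", None),
                               ("L2TP/IPsec", "udp", "500"), ("L2TP/IPsec", "esp", None)):
        if (proto, port) not in permits:
            gaps.append(f"{label}: ACL permit {proto}" + (f" eq {port}" if port else ""))
    return gaps
```

Run it against `show running-config` output saved to a file to see which of the thread's pieces a given router still lacks.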
 
LVL 68

Expert Comment

by:Qlemo
ID: 34459484
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.