C887 router zone based firewall - Windows Server 2012 PPTP VPN Pass Through

Nik Warren — Tue, 12 Mar 2019 07:59:29 GMT

I ham having no end of bother trying to get my mobile devices connected to the VPN server since I implemented a simple zone based firewall!

It all worked before so NAT is in place and traffic was passing and the VPN worked a treat. I have configured the following as a first attempt and I can't see why its not working. Any pointers would be much appreciated.

hostname R1
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 informational
logging monitor errors
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone gmt 0 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
!
crypto pki trustpoint TP-self-signed-16243XX
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-16243XX
revocation-check none
rsakeypair TP-self-signed-1624352400
!
!
crypto pki certificate chain TP-self-signed-16243XX

no ip source-route
ip cef
!
!
!
!
!
!
no ip bootp server
ip name-server 10.10.10.8
ip multicast-routing
!
no ipv6 cef
!

parameter-map type ooo global
tcp reassembly queue length 64
tcp reassembly memory limit 4096
tcp reassembly alarm off
!
license udi pid C887VA-W-E-K9 sn FCZ171894JN
!
!
username XXXX privilege 15 secret XXXXXXXXXXXXXXXXX
!
!
!
!
!
controller VDSL 0
firmware filename flash:/vdsl.bin-A2pv6C035d23j
modem customUKannexM
modem UKfeature
!
ip tcp synwait-time 10
ip ssh time-out 90
ip ssh version 2
!
class-map type inspect match-any PROTOCOLS-ALLOWED-IN
match protocol tcp
match protocol udp
match protocol icmp

match protocol pptp

class-map type inspect match-any ALLOWED-PROTOCOLS
match protocol dns
match protocol http
match protocol https
match protocol ftp
match protocol imap
match protocol imap3
match protocol smtp
match protocol pop3
match protocol pop3s
match protocol imaps
match protocol pptp
match protocol icmp
match protocol ntp
match protocol tcp
match protocol udp
!
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect PROTOCOLS-ALLOWED-IN
inspect
class class-default
drop
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect ALLOWED-PROTOCOLS
inspect
class class-default
drop
!
zone security LAN
description Inside Private Network
zone security INTERNET
description Outside Public Internet
zone-pair security LAN-TO-INTERNET source LAN destination INTERNET
description LAN-TO-INTERNET TRAFFIC
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security INTERNET-TO-LAN source INTERNET destination LAN
description INTERNET-TO-LAN TRAFFIC
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
!
!
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
!
interface Ethernet0.101
encapsulation dot1Q 101
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
!
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
!
interface Vlan1
ip address 10.10.10.1 255.255.255.0
ip helper-address 10.10.10.8
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip pim dense-mode
ip nat inside
ip virtual-reassembly in
zone-member security LAN
!
interface Dialer0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
!
interface Dialer1
description **BT INFINITY**$FW_OUTSIDE$
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security INTERNET
encapsulation ppp
dialer pool 1
ppp authentication pap chap ms-chap callin
ppp chap hostname XXXXX@XXX.btclick.com
ppp chap password XXXXXXXXXXXXXXXXXX
ppp ipcp address accept
no cdp enable
!
ip forward-protocol nd
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.4 21 X.X.X.X 21 extendable
ip nat inside source static tcp 10.10.10.8 1723 X.X.X.X 1723 extendable
ip nat inside source static tcp 10.10.10.4 5500 X.X.X.X 5500 extendable
ip nat inside source static tcp 10.10.10.4 5501 X.X.X.X 5501 extendable
ip nat inside source static tcp 10.10.10.4 5502 X.X.X.X 5502 extendable
ip nat inside source static tcp 10.10.10.4 5503 X.X.X.X 5503 extendable
ip nat inside source static tcp 10.10.10.4 5504 X.X.X.X 5504 extendable
ip nat inside source static tcp 10.10.10.4 5505 X.X.X.X 5505 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended filezilla-in
permit tcp any any eq ftp
permit tcp any any range 5500 5505
!
logging host 10.10.10.148
dialer-list 1 protocol ip permit
no cdp run
!
snmp-server community public RO
snmp-server ifindex persist
snmp-server location Test LAB
snmp-server contact admin@XXXXX.com
snmp-server chassis-id XXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps aaa_server
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps syslog
tftp-server ;
access-list 1 remark *** CLIENTS LAN ***
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 deny   any
access-list 101 permit tcp any eq 1723 host 10.10.10.8
!
!
!
!
line con 0
logging synchronous
no modem enable
transport output telnet
line aux 0
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 4
access-class 1 in
password XXXXXXXXXXXXXXXX
transport input telnet ssh
!
scheduler allocate 20000 1000
scheduler interval 500
ntp server 0.uk.pool.ntp.org prefer
!
end

----------------------

Hi,

johnd2310 — Wed, 06 Jul 2016 00:26:09 GMT

Hi,

In you zone-based firewall configuration, can you start by not inspecting the traffic to the vpn server. Use the pass and not the inspect command for traffic to the vpn server only. See if this works. You also need to allow gre to the vpn server.

Thanks

John

Hi,

Nik Warren — Wed, 06 Jul 2016 18:29:54 GMT

Hi,

Thanks for that. It worked perfectly. I created the following access lists but substituted any any for the ip's of the relevant hosts.

ip access-list extended GRE-IN
permit gre any any
ip access-list extended GRE-OUT
permit gre any any

Then Ammended the Policy Maps as follows:

policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect CLASS-GRE-IN
pass
class type inspect PROTOCOLS-ALLOWED-IN
inspect
class class-default
drop
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect CLASS-GRE-OUT
pass
class type inspect ALLOWED-PROTOCOLS
inspect
class class-default
drop

And then created the following Class Maps:

class-map type inspect match-any CLASS-GRE-IN
match access-group name GRE-IN

class-map type inspect match-any CLASS-GRE-OUT
match access-group name GRE-OUT

And that was that. I have also removed some protocols inbound that I didn't need and just left PPTP.

Thank you so much for you help. I was staring at the screen for hours not seeing the wood for the forrest.

Rgds,

topic C887 router zone based firewall - Windows Server 2012 PPTP VPN Pass Through in Network Security

C887 router zone based firewall - Windows Server 2012 PPTP VPN Pass Through

Hi,

Hi,