https://community.cisco.com/t5/network-security/cbac-pptp-outbound-issue-to-server-on-same-isp-subnet-2811/m-p/2140376#M360743 <HTML><HEAD></HEAD><BODY><P>hi,</P><P></P><P>could you re-write ACL:</P><P></P><P>access-list 105 permit tcp any host 71.x.x.x eq 22</P><P>access-list 105 permit udp any host 71.x.x.x eq 5060</P><P>access-list 105 permit tcp any any eq 1723</P><P><STRONG>access-list 105 permit udp any any eq 1723</STRONG></P><P>access-list 105 permit gre host 71.x.x.50 any</P><P>access-list 105 deny&nbsp;&nbsp; ip any any log</P></BODY></HTML> Tue, 26 Mar 2013 06:06:24 GMT johnlloyd_13 2013-03-26T06:06:24Z https://community.cisco.com/t5/network-security/cbac-pptp-outbound-issue-to-server-on-same-isp-subnet-2811/m-p/2140375#M360742 <P>Hello,</P><P><BR />I am using MS VPN/PPTP client. This client works fine from home but not at the office. At our office, we have a 192.168.2.0 /24 subnet. We have two DSL connections from the same provider. Both of these DSL connections are in the same Class C subnet. One DSL is used for the office users and one is used for a completely, separate/isolated test environment. I need to be able to PPTP into the test environment fw (71.x.x.50) from the local office lan. I am sitting behind a 2811 using CBAC for outbound traffic and an ACL for inbound traffic. I can't even telnet to port 23 and the log only shows this generic message:</P><P></P><P>002027: Mar&nbsp; 4 17:27:19.861 CST: %FW-6-SESS_AUDIT_TRAIL_START: Start pptp session: initiator (192.168.2.120:51094) -- responder (71.x.x.x:1723)<BR />002028: Mar&nbsp; 4 17:27:42.226 CST: %FW-6-SESS_AUDIT_TRAIL: Stop pptp session: initiator (192.168.2.120:51094) sent 364 bytes -- responder (71.x.x.x:1723) sent 352 bytes</P><P></P><P>Here is my config. Wha should I change, please?</P><P>ip inspect name Outbound sip<BR />ip inspect name Outbound tftp<BR />ip inspect name Outbound tcp<BR />ip inspect name Outbound udp<BR />ip inspect name Outbound icmp router-traffic<BR />ip inspect name Outbound pptp audit-trail on timeout 3600</P><P><BR />interface FastEthernet0/0<BR />&nbsp; ip address 71.x.x.120 255.255.255.0<BR />ip access-group 105 in<BR />no ip unreachables<BR />ip flow ingress<BR />ip flow egress<BR />ip nat outside<BR />ip inspect Outbound out<BR />ip virtual-reassembly<BR />duplex auto<BR />speed auto</P><P></P><P>access-list 105 permit tcp any host 71.x.x.x eq 22<BR />access-list 105 permit udp any host 71.x.x.x eq 5060<BR />access-list 105 permit tcp any any eq 1723<BR />access-list 105 permit gre host 71.x.x.50 any<BR />access-list 105 deny&nbsp;&nbsp; ip any any log</P><P>access-list 175 deny&nbsp;&nbsp; ip 192.168.2.0 0.0.0.255 192.168.60.0 0.0.0.255<BR />access-list 175 deny&nbsp;&nbsp; ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255<BR />access-list 175 deny&nbsp;&nbsp; ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255<BR />access-list 175 permit ip 192.168.2.0 0.0.0.255 any</P><P><BR />ip nat inside source route-map nonat interface FastEthernet0/0 overload</P> Tue, 12 Mar 2019 01:10:17 GMT https://community.cisco.com/t5/network-security/cbac-pptp-outbound-issue-to-server-on-same-isp-subnet-2811/m-p/2140375#M360742 jacob6000 2019-03-12T01:10:17Z https://community.cisco.com/t5/network-security/cbac-pptp-outbound-issue-to-server-on-same-isp-subnet-2811/m-p/2140376#M360743 <HTML><HEAD></HEAD><BODY><P>hi,</P><P></P><P>could you re-write ACL:</P><P></P><P>access-list 105 permit tcp any host 71.x.x.x eq 22</P><P>access-list 105 permit udp any host 71.x.x.x eq 5060</P><P>access-list 105 permit tcp any any eq 1723</P><P><STRONG>access-list 105 permit udp any any eq 1723</STRONG></P><P>access-list 105 permit gre host 71.x.x.50 any</P><P>access-list 105 deny&nbsp;&nbsp; ip any any log</P></BODY></HTML> Tue, 26 Mar 2013 06:06:24 GMT https://community.cisco.com/t5/network-security/cbac-pptp-outbound-issue-to-server-on-same-isp-subnet-2811/m-p/2140376#M360743 johnlloyd_13 2013-03-26T06:06:24Z