03-01-2014 04:42 AM - edited 03-11-2019 08:52 PM
Hello,
I've just been trying to configure my 892 router to accept PPTP connections (not passthrough but it being the PPTP server) but I'm continuously getting 619 errors. I've tried multiple different configurations and I'm just hitting a brick wall. I was hoping someone could take a quick look for me please.
I'm not the normal administrator of this appliance and have not set up anything other than setting up user2 & user3 along with the PPTP settings.
The part I've mainly been changing is "ip unnumbered GigabitEthernet0"; I've been changing between that and VLAN1 as the interface I'm tying it to.
User3 & User4 are the two users I want to connect with. It might also be good to add that I'm testing from a Windows 7 PC which can successfully make PPTP VPNs to other servers external to my current location, but they are all Windows based; I have no Cisco devices to test from. Also, in the end configuration this router will be used for VoIP phones to make PPTP connections.
Here is the config (IP addresses and some information changed for anonymity purposes):
Current configuration : 9077 bytes
!
version 15.1
service timestamps debug datetime msec localtime
service timestamps log datetime localtime
service password-encryption
!
hostname Generic
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200
enable secret 4 jhfkdjgfdf87687f687g67yfdjhfjd
!
no aaa new-model
!
clock timezone ********
clock summer-time ****** recurring last Sun Sep 2:00 1 Sun Apr 3:
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
ip inspect udp idle-time 300
ip inspect tcp max-incomplete host 100 block-time 0
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall h323
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall streamworks
ip inspect name firewall vdolive
ip inspect name firewall sqlnet
ip inspect name firewall tftp
ip inspect name firewall ftp
ip inspect name firewall icmp
ip inspect name firewall sip
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall netshow
ip inspect name firewall rtsp
ip inspect name firewall pptp
ip inspect name firewall skinny
no ipv6 cef
!
!
!
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
l2tp tunnel timeout no-session 15
!
!
!
!
!
!
!
license udi pid CISCO892-K9 sn **************
!
!
username user1 privilege 15 secret 4 kjlghigyftuf867687ruygiygiyg
username user2 secret 4 fSpgIsbY.iggiyfiyyrtdd5768979yhjgjg
username user3 password 7 kgjggig876r5f6gi
username user4 password 7 khgvkhftuctcr577y9
!
!
!
!
!
track 100 ip sla 100 reachability
delay down 15 up 30
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 28800
crypto isakmp key generic address 111.111.111.111
!
!
crypto ipsec transform-set generic esp-aes esp-sha-hmac
!
crypto map Connection1 10 ipsec-isakmp
set peer 111.111.111.111
set transform-set generic
match address 106
!
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
!
interface FastEthernet5
no ip address
!
interface FastEthernet6
no ip address
!
interface FastEthernet7
no ip address
!
interface FastEthernet8
description Net1
no ip address
duplex auto
speed auto
pppoe-client dial-pool-number 1
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0
peer default ip address pool phonepptp
no keepalive
ppp encrypt mppe 128
ppp authentication ms-chap ms-chap-v2
!
interface GigabitEthernet0
description Net2
ip address 192.168.200.2 255.255.255.252
ip access-group 102 in
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
duplex auto
speed auto
crypto map Connection1
!
interface Vlan1
description LAN
ip address 172.16.4.3 255.255.255.0
ip access-group 103 in
ip nat inside
ip virtual-reassembly in
ip policy route-map Connection2
!
interface Dialer1
description WAN1 Net1
mtu 1492
ip address negotiated
ip access-group 101 in
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1440
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username generic password 7 ggkdfhdty6587676565
no cdp enable
!
ip local pool phonepptp 172.16.4.160 172.16.4.169
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat translation tcp-timeout 30
ip nat translation udp-timeout 30
ip nat translation icmp-timeout 30
ip nat inside source route-map Net2 interface GigabitEthernet0 overload
ip nat inside source route-map Net1 interface Dialer1 overload
ip nat inside source static tcp 172.16.4.205 25 192.168.200.2 25 extendable
ip nat inside source static tcp 172.16.4.205 443 192.168.200.2 443 extendable
ip nat inside source static tcp 172.16.4.205 587 192.168.200.2 587 extendable
ip nat inside source static tcp 172.16.4.204 3389 192.168.200.2 3389 extendable
ip route 0.0.0.0 0.0.0.0 192.168.200.1 10 track 100
ip route 0.0.0.0 0.0.0.0 Dialer1 251
ip route 10.0.0.0 255.255.255.0 172.16.4.19
ip route 100.30.40.1 255.255.255.255 192.168.200.1 permanent
!
ip access-list extended NSServices
permit tcp any any eq telnet
deny ip any any
!
ip sla 100
icmp-echo 100.30.40.1 source-interface GigabitEthernet0
threshold 500
timeout 500
frequency 5
ip sla schedule 100 life forever start-time now
access-list 2 remark Where management can be done from
access-list 2 permit 111.111.111.112
access-list 2 permit 172.16.4.0 0.0.0.255
access-list 101 remark Traffic allowed to enter the router from Net1 WAN
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 198.18.0.0 0.1.255.255 any
access-list 101 deny ip 224.0.0.0 0.15.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 permit tcp host 111.111.111.112 any eq telnet
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 deny icmp any any echo
access-list 101 deny ip any any log
access-list 102 remark Traffic allowed to enter the router from Net2 WAN
access-list 102 deny ip 0.0.0.0 0.255.255.255 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip 169.254.0.0 0.0.255.255 any
access-list 102 deny ip 192.0.2.0 0.0.0.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 198.18.0.0 0.1.255.255 any
access-list 102 deny ip 224.0.0.0 0.15.255.255 any
access-list 102 deny ip any host 255.255.255.255
access-list 102 permit tcp host 111.111.111.112 any eq telnet
access-list 102 permit ip host 111.111.111.111 any
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq 587
access-list 102 permit tcp any any eq 443
access-list 102 permit tcp any any eq 3389
access-list 102 permit tcp any any eq 1723
access-list 102 permit tcp any any eq 500
access-list 102 permit udp any any eq isakmp
access-list 102 permit gre any any
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any packet-too-big
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any traceroute
access-list 102 permit icmp any any administratively-prohibited
access-list 102 permit icmp any any echo
access-list 102 deny ip any any log
access-list 103 remark Traffic allowed to enter the router from the Ethernet
access-list 103 permit ip any host 172.16.4.3
access-list 103 permit ip any 192.168.50.0 0.0.0.255
access-list 103 permit ip any 10.0.0.0 0.0.0.255
access-list 103 deny ip any host 172.16.4.255
access-list 103 deny udp any any eq tftp log
access-list 103 deny ip any 0.0.0.0 0.255.255.255 log
access-list 103 deny ip any 10.0.0.0 0.255.255.255 log
access-list 103 deny ip any 127.0.0.0 0.255.255.255 log
access-list 103 deny ip any 169.254.0.0 0.0.255.255 log
access-list 103 deny ip any 172.16.0.0 0.15.255.255 log
access-list 103 deny ip any 192.0.2.0 0.0.0.255 log
access-list 103 deny ip any 172.16.4 0.0.255.255 log
access-list 103 deny ip any 198.18.0.0 0.1.255.255 log
access-list 103 deny udp any any eq 135 log
access-list 103 deny tcp any any eq 135 log
access-list 103 deny udp any any eq netbios-ns log
access-list 103 deny udp any any eq netbios-dgm log
access-list 103 deny tcp any any eq 445 log
access-list 103 permit ip 172.16.4.0 0.0.0.255 any
access-list 103 permit ip any host 255.255.255.255
access-list 103 deny ip any any log
access-list 105 deny ip 172.16.4.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 105 permit ip 172.16.4.0 0.0.0.255 any
access-list 106 permit ip 172.16.4.0 0.0.0.255 192.168.50.0 0.0.0.255
!
!
!
!
route-map Net1 permit 10
match interface Dialer1
!
route-map Connection2 permit 10
match ip address NSServices
set interface Dialer1
!
route-map Net2 permit 10
match ip address 105
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
line con 0
exec-timeout 120 0
password 7 ,jhgghdtye655687687
login local
line aux 0
line vty 0 4
access-class 2 in
exec-timeout 120 0
password 7 jhhjftydrye534547656
login local
transport input telnet ssh
!
end
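PPTP needs TCP 1723 for its control channel and GRE (IP protocol 47) for the tunnelled data, so one check on a config like the one above is whether the inbound WAN ACLs pass both before their final deny. The sketch below is an added example, not part of the original post: it evaluates an excerpt of the posted ACLs first-match, with hypothetical function names. It assumes only the `any` / `host` / wildcard and `eq` forms seen in the post, and does not model NAT or `ip inspect`.

```python
import ipaddress

# Excerpt of the posted ACLs (101: inbound on Dialer1, 102: inbound on GigabitEthernet0).
CONFIG = """\
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 permit tcp host 111.111.111.112 any eq telnet
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 deny ip any any log
access-list 102 permit tcp any any eq 1723
access-list 102 permit gre any any
access-list 102 deny ip any any log
"""
NAMED_PORTS = {"telnet": 23, "smtp": 25, "tftp": 69, "isakmp": 500}

def _addr(tok):
    """Consume one address spec (any | host A | A WILDCARD); return a matcher."""
    first = tok.pop(0)
    if first == "any":
        return lambda ip: True
    base = int(ipaddress.ip_address(tok.pop(0) if first == "host" else first))
    wild = 0 if first == "host" else int(ipaddress.ip_address(tok.pop(0)))
    return lambda ip: (int(ipaddress.ip_address(ip)) | wild) == (base | wild)

def parse_acls(config):
    """Return {acl: [(action, proto, src, dst, port)]} for numbered extended ACLs."""
    acls = {}
    for t in (line.split() for line in config.splitlines()):
        if t[:1] == ["access-list"] and t[2] in ("permit", "deny") and int(t[1]) >= 100:
            rest = t[4:]
            src, dst = _addr(rest), _addr(rest)
            port = NAMED_PORTS.get(rest[1]) or int(rest[1]) if rest[:1] == ["eq"] else None
            acls.setdefault(t[1], []).append((t[2], t[3], src, dst, port))
    return acls

def verdict(rules, proto, src, dst, dport=None):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto in ("ip", proto) and rsrc(src) and rdst(dst) and rport in (None, dport):
            return action
    return "deny"

def pptp_permitted(config, acl, client, server):
    """(control_ok, data_ok): TCP 1723 and GRE from client to server through acl."""
    rules = parse_acls(config)[acl]
    return (verdict(rules, "tcp", client, server, 1723) == "permit",
            verdict(rules, "gre", client, server) == "permit")
```

For example, `pptp_permitted(CONFIG, "101", "203.0.113.10", "198.51.100.1")` returns `(True, True)`; both addresses are constructed documentation-range values.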