C887 router zone based firewall - Windows Server 2012 PPTP VPN Pass Through

Nik Warren
Level 1

I am having no end of bother trying to get my mobile devices connected to the VPN server since I implemented a simple zone based firewall!

It all worked before so NAT is in place and traffic was passing and the VPN worked a treat.  I have configured the following as a first attempt and I can't see why it's not working.  Any pointers would be much appreciated.

hostname R1
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 informational
logging monitor errors
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone gmt 0 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
!
crypto pki trustpoint TP-self-signed-16243XX
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-16243XX
 revocation-check none
 rsakeypair TP-self-signed-1624352400
!
!
crypto pki certificate chain TP-self-signed-16243XX

no ip source-route
ip cef
!
!
!
!
!
!
no ip bootp server
ip name-server 10.10.10.8
ip multicast-routing
!
no ipv6 cef
!

parameter-map type ooo global
 tcp reassembly queue length 64
 tcp reassembly memory limit 4096
 tcp reassembly alarm off
!
license udi pid C887VA-W-E-K9 sn FCZ171894JN
!
!
username XXXX privilege 15 secret XXXXXXXXXXXXXXXXX
!
!
!
!
!
controller VDSL 0
 firmware filename flash:/vdsl.bin-A2pv6C035d23j
 modem customUKannexM
 modem UKfeature
!
ip tcp synwait-time 10
ip ssh time-out 90
ip ssh version 2
!
class-map type inspect match-any PROTOCOLS-ALLOWED-IN
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol pptp
!
class-map type inspect match-any ALLOWED-PROTOCOLS
 match protocol dns
 match protocol http
 match protocol https
 match protocol ftp
 match protocol imap
 match protocol imap3
 match protocol smtp
 match protocol pop3
 match protocol pop3s
 match protocol imaps
 match protocol pptp
 match protocol icmp
 match protocol ntp
 match protocol tcp
 match protocol udp
!
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect PROTOCOLS-ALLOWED-IN
  inspect
 class class-default
  drop
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect ALLOWED-PROTOCOLS
  inspect
 class class-default
  drop
!
zone security LAN
 description Inside Private Network
zone security INTERNET
 description Outside Public Internet
zone-pair security LAN-TO-INTERNET source LAN destination INTERNET
 description LAN-TO-INTERNET TRAFFIC
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security INTERNET-TO-LAN source INTERNET destination LAN
 description INTERNET-TO-LAN TRAFFIC
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
!
!
!         
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
!
interface Ethernet0.101
 encapsulation dot1Q 101
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport mode trunk
 no ip address
!
interface wlan-ap0
 description Embedded Service module interface to manage the embedded AP
 ip unnumbered Vlan1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip helper-address 10.10.10.8
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly in
 zone-member security LAN
!
interface Dialer0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
!         
interface Dialer1
 description **BT INFINITY**$FW_OUTSIDE$
 mtu 1492
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 zone-member security INTERNET
 encapsulation ppp
 dialer pool 1
 ppp authentication pap chap ms-chap callin
 ppp chap hostname XXXXX@XXX.btclick.com
 ppp chap password XXXXXXXXXXXXXXXXXX
 ppp ipcp address accept
 no cdp enable
!
ip forward-protocol nd
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.4 21 X.X.X.X 21 extendable
ip nat inside source static tcp 10.10.10.8 1723 X.X.X.X 1723 extendable
ip nat inside source static tcp 10.10.10.4 5500 X.X.X.X 5500 extendable
ip nat inside source static tcp 10.10.10.4 5501 X.X.X.X 5501 extendable
ip nat inside source static tcp 10.10.10.4 5502 X.X.X.X 5502 extendable
ip nat inside source static tcp 10.10.10.4 5503 X.X.X.X 5503 extendable
ip nat inside source static tcp 10.10.10.4 5504 X.X.X.X 5504 extendable
ip nat inside source static tcp 10.10.10.4 5505 X.X.X.X 5505 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended filezilla-in
 permit tcp any any eq ftp
 permit tcp any any range 5500 5505
!
logging host 10.10.10.148
dialer-list 1 protocol ip permit
no cdp run
!
snmp-server community public RO
snmp-server ifindex persist
snmp-server location Test LAB
snmp-server contact admin@XXXXX.com
snmp-server chassis-id XXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps aaa_server
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps syslog
tftp-server ;
access-list 1 remark *** CLIENTS LAN ***
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 deny   any
access-list 101 permit tcp any eq 1723 host 10.10.10.8
!
!
!
!
line con 0
 logging synchronous
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line vty 0 4
 access-class 1 in
 password XXXXXXXXXXXXXXXX
 transport input telnet ssh
!
scheduler allocate 20000 1000
scheduler interval 500
ntp server 0.uk.pool.ntp.org prefer
!
end

----------------------

Accepted Solution

johnd2310
Level 8

Hi,

In your zone-based firewall configuration, can you start by not inspecting the traffic to the vpn server. Use the pass and not the inspect command for traffic to the vpn server only. See if this works. You also need to allow gre to the vpn server.

Thanks

John

**Please rate posts you find helpful**

----------------------

Hi,

Thanks for that.  It worked perfectly.  I created the following access lists but substituted any any for the IPs of the relevant hosts.

ip access-list extended GRE-IN
 permit gre any any
ip access-list extended GRE-OUT
 permit gre any any

Then amended the Policy Maps as follows:

policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect CLASS-GRE-IN
  pass
 class type inspect PROTOCOLS-ALLOWED-IN
  inspect
 class class-default
  drop
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect CLASS-GRE-OUT
  pass
 class type inspect ALLOWED-PROTOCOLS
  inspect
 class class-default
  drop

And then created the following Class Maps:

class-map type inspect match-any CLASS-GRE-IN
 match access-group name GRE-IN

class-map type inspect match-any CLASS-GRE-OUT
 match access-group name GRE-OUT

And that was that.  I have also removed some protocols inbound that I didn't need and just left PPTP.

Thank you so much for your help.  I was staring at the screen for hours not seeing the wood for the forest.

Rgds,
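As an added check (not from this thread or from Cisco), the script below parses the zone-based firewall pieces of an IOS running-config and flags any inspect policy-map that carries PPTP (TCP 1723) without a class that passes GRE, which is exactly the gap in the original configuration and what John's answer fixes. The FIXED and BROKEN sample strings are constructed for the example and mirror the class-map/policy-map shapes posted above; point it at real `show running-config` output to audit a live router.

```python
# Constructed sample (not pasted from the thread): the ZBF pieces of the fixed
# configuration above, in "show running-config" layout.
FIXED = """\
ip access-list extended GRE-IN
 permit gre any any
class-map type inspect match-any CLASS-GRE-IN
 match access-group name GRE-IN
class-map type inspect match-any PROTOCOLS-ALLOWED-IN
 match protocol pptp
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect CLASS-GRE-IN
  pass
 class type inspect PROTOCOLS-ALLOWED-IN
  inspect
"""
BROKEN = "\n".join(l for l in FIXED.splitlines()   # original shape: no GRE class, no pass
                   if "gre" not in l.lower() and l.strip() != "pass")

def parse_blocks(config):
    """Group config into {top-level line: [stripped indented child lines]}."""
    blocks, cur = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and line.strip() and cur is not None:
            blocks[cur].append(line.strip())
        elif line.strip():
            cur, blocks[line.strip()] = line.strip(), []
    return blocks

def check_pptp_passthrough(config):
    """Policy-maps that carry PPTP (TCP 1723) but never 'pass' GRE (ZBF cannot inspect GRE)."""
    blocks, last = parse_blocks(config), lambda s: s.split()[-1]
    gre_acls = {last(h) for h, b in blocks.items() if h.startswith("ip access-list")
                and any(l.split()[:2] == ["permit", "gre"] for l in b)}
    cmaps = {last(h): b for h, b in blocks.items() if h.startswith("class-map type inspect")}
    gre_cls = {n for n, b in cmaps.items()
               if any(l.startswith("match access-group name ") and last(l) in gre_acls for l in b)}
    pptp_cls = {n for n, b in cmaps.items() if "match protocol pptp" in b}
    findings = []
    for h, body in blocks.items():
        if not h.startswith("policy-map type inspect "):
            continue
        actions, cls = {}, None               # class name -> inspect / pass / drop
        for l in body:
            if l.startswith("class "):
                cls = last(l)
            elif l.split()[0] in ("inspect", "pass", "drop"):
                actions[cls] = l.split()[0]
        if any(c in pptp_cls for c in actions) and \
           not any(c in gre_cls and a == "pass" for c, a in actions.items()):
            findings.append(last(h))
    return findings
```

Run it on both samples: the fixed policy yields no findings, the original shape reports OUTSIDE-TO-INSIDE-POLICY. The same check should be run on the LAN-TO-INTERNET policy too, since the GRE pass is needed in both zone-pairs.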
