PPTP Passthrough Error 800 and 807

pbratach1
Level 1

Hi,

I have an ASUS RT-AC66U wireless router on my network configured as a VPN server using PPTP. We recently purchased a Cisco 2921 with an EHWIC-D-8ESG that has 8 switch ports that we want to use as our core router to our ISP (Comcast). I am trying to configure the 2921 to pass the PPTP traffic through to the ASUS, but am receiving error 800 when I set the Microsoft Windows 7 PPTP client to only use PPTP and error 807 when I set the PPTP client to Auto. Here is my running-config file (I edited the Comcast IP address for security purposes).

I appreciate any help or suggestions to get this resolved.

Thanks,

Paul

!

! Last configuration change at 15:52:44 MDT Sun Dec 15 2013 by vault

version 15.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname dts2921

!

boot-start-marker

boot system flash c2900-universalk9-mz.SPA.153-3.M1.bin

boot-end-marker

!

!

logging buffered 4096

enable secret 5 $1$n8qo$6RhH/4yZ32PLTw8M049...

enable password 0rgan1cDTS

!

no aaa new-model

clock timezone MDT -7 0

clock summer-time MDT date Apr 6 2003 2:00 Oct 26 2003 2:00

!

!

!

!

ip dhcp excluded-address 192.168.10.1 192.168.10.49

ip dhcp excluded-address 192.168.10.200 192.168.10.254

ip dhcp excluded-address 192.168.20.1 192.168.20.9

ip dhcp excluded-address 192.168.20.100 192.168.20.254

!

ip dhcp pool office-pool

import all

network 192.168.10.0 255.255.255.0

dns-server 8.8.8.8 8.8.4.4

default-router 192.168.10.1

!

ip dhcp pool phone-pool

import all

network 192.168.20.0 255.255.255.0

dns-server 8.8.8.8 8.8.4.4

default-router 192.168.20.1

!

!

!

ip name-server 8.8.8.8

ip name-server 8.8.4.4

ip cef

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

crypto pki trustpoint TP-self-signed-3398053797

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3398053797

revocation-check none

rsakeypair TP-self-signed-3398053797

!

!

crypto pki certificate chain TP-self-signed-3398053797

certificate self-signed 01

! Crypto key removed for security

        quit

license udi pid CISCO2921/K9 sn ABCDEFGHIJKL

license boot module c2900 technology-package securityk9

!

!

object-group network outgoing-DNS-servers

description Allowed outgoing DNS servers

host 8.8.8.8

host 8.8.4.4

!

vtp mode transparent

username vault privilege 15 password 0 0rgan1c

!

redundancy

!

!

!

!

!

!

!

class-map type inspect match-any SIP

match protocol sip

class-map type inspect match-any OUTSIDE_TO_INSIDE

  description Outside to Inside traffic

match access-group name OUTSIDE_TO_INSIDE_ACCESS

class-map type inspect match-any INSIDE_TO_OUTSIDE

match protocol http

match protocol https

match protocol dns

match protocol ssh

match protocol imap

match protocol smtp

match protocol pop3

match protocol ftp

match protocol l2tp

match protocol isakmp

match protocol ms-sql

match protocol mysql

match protocol nfs

match protocol ntp

match protocol pptp

match protocol telnet

match protocol x11

match protocol xdmcp

match protocol cifs

match protocol netbios-dgm

match protocol netbios-ns

match protocol netbios-ssn

match protocol netstat

match protocol icmp

match access-group 105

!

policy-map type inspect OUTSIDE_TO_INSIDE

description Outside to Inside traffic

class type inspect OUTSIDE_TO_INSIDE

  inspect

class type inspect SIP

  inspect

class class-default

  drop

policy-map type inspect INSIDE_TO_OUTSIDE

description Inside to Outside traffic

class type inspect INSIDE_TO_OUTSIDE

  inspect

class class-default

  drop log

!

zone security INSIDE

description Office LAN

zone security OUTSIDE

description Internet

zone-pair security OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE

service-policy type inspect OUTSIDE_TO_INSIDE

zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE

service-policy type inspect INSIDE_TO_OUTSIDE

!

!

!

!

!

!

!

!

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

description $FW_OUTSIDE$

ip address 50.50.50.93 255.255.255.252

ip nat outside

ip virtual-reassembly in

zone-member security OUTSIDE

duplex auto

speed auto

!

interface GigabitEthernet0/1

description $FW_INSIDE$

ip address 192.168.10.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

zone-member security INSIDE

duplex auto

speed auto

!

interface GigabitEthernet0/2

description $FW_INSIDE$

ip address 10.10.10.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

zone-member security INSIDE

duplex auto

speed auto

no mop enabled

!

interface GigabitEthernet0/1/0

description Phones$FW_INSIDE$

switchport access vlan 20

no ip address

zone-member security INSIDE

no mop enabled

!

interface GigabitEthernet0/1/1

no ip address

shutdown

!

interface GigabitEthernet0/1/2

no ip address

shutdown

!

interface GigabitEthernet0/1/3

no ip address

shutdown

!

interface GigabitEthernet0/1/4

no ip address

shutdown

!

interface GigabitEthernet0/1/5

no ip address

shutdown

!

interface GigabitEthernet0/1/6

no ip address

shutdown

!

interface GigabitEthernet0/1/7

no ip address

shutdown

!

interface Vlan1

no ip address

shutdown

!

ip forward-protocol nd

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source list 101 interface GigabitEthernet0/0 overload

ip nat inside source static tcp 192.168.10.10 22 interface GigabitEthernet0/0 8222

ip nat inside source static tcp 192.168.10.203 80 interface GigabitEthernet0/0 80

ip nat inside source static tcp 192.168.10.13 8040 interface GigabitEthernet0/0 8040

ip nat inside source static tcp 192.168.10.13 8041 interface GigabitEthernet0/0 8041

ip nat inside source static tcp 192.168.10.11 80 interface GigabitEthernet0/0 8280

ip nat inside source static tcp 192.168.10.3 1723 interface GigabitEthernet0/0 1723

ip nat inside source static tcp 192.168.10.3 500 interface GigabitEthernet0/0 500

ip nat inside source static tcp 192.168.10.3 4500 interface GigabitEthernet0/0 4500

ip route 0.0.0.0 0.0.0.0 50.50.50.94

ip route 10.98.50.0 255.255.255.0 192.168.10.2

!

ip access-list extended OUTSIDE_TO_INSIDE_ACCESS

remark CCP_ACL Category=16

permit tcp any host 192.168.10.10 eq 22

permit tcp any host 192.168.10.203 eq www

permit tcp any host 192.168.10.13 eq 8040

permit tcp any host 192.168.10.13 eq 8041

permit tcp any host 192.168.10.11 eq www

permit tcp any host 192.168.10.3 eq 1723

permit gre any host 192.168.10.3

permit udp any 192.168.10.0 0.0.0.255 range 2222 2269

permit udp any host 192.168.10.3 eq isakmp

permit udp any host 192.168.10.3 eq non500-isakmp

permit esp any host 192.168.10.3

permit tcp any any established

!

logging trap debugging

!

!

access-list 101 permit ip any any

access-list 101 permit udp any any

access-list 101 permit gre any any

access-list 105 permit udp any eq 5060 any

access-list 105 permit udp any range 2222 2269 any

access-list 105 permit tcp any any established

access-list 105 permit udp any any

!

control-plane

!

!

!

line con 0

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

privilege level 15

password 0rgan1c

login local

transport input telnet ssh

transport output telnet ssh

line vty 5 15

privilege level 15

login local

transport input telnet ssh

transport output telnet ssh

!

scheduler allocate 20000 1000

!

end

3 Replies

pbratach1
Level 1

Well, after reading more posts and trying a few things, I have gotten past errors 800 and 807 and now have error 691 on the "Verifying username and password" dialog.

In short, the only change I made to get past the 800 and 807 errors was to update my "access-list 105" by adding

access-list 105 permit tcp host 192.168.10.14 eq 1723 any

access-list 105 permit gre any any

so that my access-lists now look like this:

access-list 101 permit gre any any

access-list 101 permit udp any any

access-list 101 permit ip any any

access-list 105 permit udp any eq 5060 any

access-list 105 permit udp any range 2222 2269 any

access-list 105 permit tcp host 192.168.10.14 eq 1723 any

access-list 105 permit esp any any

access-list 105 permit tcp any any established

access-list 105 permit gre any any

access-list 105 permit tcp any any

access-list 105 permit udp any any

access-list 105 permit icmp any any

access-list 105 permit ip any any

I have gone through the "PPTP Connection Through Zone Based Firewall Router with NAT Configuration Example" document (http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080ab7073.shtml), adding the vpdn group, virtual template, PPTP-Pass-Through-Traffic, PPTP-Terminated-Traffic, Router-Access-Traffic, OUT-TO-SELF and SELF-TO-OUT policy maps, and still I am getting the same error 691 from the VPN client that is outside my network trying to VPN into the ASUS RT-AC66U router that is inside our network and is running a PPTP VPN server.

Is there anyone who has experienced this and can steer me in the direction of a resolution to this issue?

Any help is greatly appreciated.

Thanks,

Paul

NOTE: The error 691 was caused by an error in my password.  The VPN server had one password and it turns out the Cisco 2921 needed a separate username and password to validate against and the 2921 had a different password.

pbratach1
Level 1

Well, making some progress. The original error I received in the Cisco log when the VPN client connection failed was:

*Dec 18 15:34:56.937: %FW-6-DROP_PKT: Dropping Unknown-l4 session 192.168.10.3:0 XX.XX.168.84:0 on zone-pair INSIDE_TO_OUTSIDE class INSIDE_TO_OUTSIDE due to  Invalid Segment with ip ident 0

Now, after making some changes to the running-configuration, the error in the Cisco log when the VPN client connection fails is:

*Dec 18 18:57:10.368: %FW-6-DROP_PKT: Dropping tcp session 192.168.10.3:1723 XX.XX.168.84:0 on zone-pair INSIDE_TO_OUTSIDE class INSIDE_TO_OUTSIDE due to  Invalid Flags with ip ident 0

My new configuration is:

Building configuration...

Current configuration : 11471 bytes

!

! Last configuration change at 11:52:49 MDT Wed Dec 18 2013 by vault

version 15.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname dts2921

!

boot-start-marker

boot system flash c2900-universalk9-mz.SPA.153-3.M1.bin

boot-end-marker

!

!

logging buffered 4096

enable secret 5 $1$n8qo$6RhH/4yZ32PLTw8M049...

enable password XXX

!

no aaa new-model

clock timezone MDT -7 0

clock summer-time MDT date Apr 6 2003 2:00 Oct 26 2003 2:00

!

!

!

!

ip dhcp excluded-address 192.168.10.1 192.168.10.49

ip dhcp excluded-address 192.168.10.200 192.168.10.254

ip dhcp excluded-address 192.168.20.1 192.168.20.9

ip dhcp excluded-address 192.168.20.100 192.168.20.254

!

ip dhcp pool office-pool

import all

network 192.168.10.0 255.255.255.0

dns-server 8.8.8.8 8.8.4.4

default-router 192.168.10.1

!

ip dhcp pool phone-pool

import all

network 192.168.20.0 255.255.255.0

dns-server 8.8.8.8 8.8.4.4

default-router 192.168.20.1

!

!

!

ip name-server 8.8.8.8

ip name-server 8.8.4.4

ip inspect log drop-pkt

ip cef

no ipv6 cef

!

parameter-map type inspect global

log dropped-packets enable

max-incomplete low 18000

max-incomplete high 20000

multilink bundle-name authenticated

!

vpdn enable

!

vpdn-group 1

! Default PPTP VPDN group

accept-dialin

  protocol pptp

  virtual-template 1

!

!

!

crypto pki trustpoint TP-self-signed-3398053797

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3398053797

revocation-check none

rsakeypair TP-self-signed-3398053797

!

!

crypto pki certificate chain TP-self-signed-3398053797

certificate self-signed 01

        quit

license udi pid CISCO2921/K9 sn FGL112345XX

license boot module c2900 technology-package securityk9

!

!

object-group network outgoing-DNS-servers

description Allowed outgoing DNS servers

host 8.8.8.8

host 8.8.4.4

!

vtp mode transparent

username vault privilege 15 password 0 XXX

!

redundancy

!

!

!

!

!

vlan 10

name Office

!

vlan 20

name Phones

!

!

class-map type inspect match-all PPTP-Pass-Through-Traffic

match access-group name PPTP-PASS-THROUGH

class-map type inspect match-any All-Traffic

match protocol tcp

match protocol udp

match protocol icmp

class-map type inspect match-all Router-Access-Traffic

match access-group name Router-Access

class-map type inspect match-any SELF-TO-OUT

match access-group name Test

class-map type inspect match-any SIP

match protocol sip

class-map type inspect match-any OUTSIDE_TO_INSIDE

  description Outside to Inside traffic

match access-group name OUTSIDE_TO_INSIDE_ACCESS

class-map type inspect match-any INSIDE_TO_OUTSIDE

match protocol http

match protocol https

match protocol dns

match protocol ssh

match protocol imap

match protocol smtp

match protocol pop3

match protocol ftp

match protocol l2tp

match protocol isakmp

match protocol ms-sql

match protocol mysql

match protocol nfs

match protocol ntp

match protocol pptp

match protocol telnet

match protocol x11

match protocol xdmcp

match protocol cifs

match protocol netbios-dgm

match protocol netbios-ns

match protocol netbios-ssn

match protocol netstat

match protocol icmp

match access-group 105

class-map type inspect match-all PPTP-Terminated-Traffic

match access-group name PPTP-TERMINATED

!

policy-map type inspect OUTSIDE_TO_INSIDE

description Outside to Inside traffic

class type inspect OUTSIDE_TO_INSIDE

  inspect

class type inspect SIP

  inspect

class type inspect PPTP-Pass-Through-Traffic

  pass

class class-default

  drop

policy-map type inspect Out-Self-Policy

class type inspect Router-Access-Traffic

  pass

class type inspect PPTP-Terminated-Traffic

  pass

class class-default

  drop

policy-map type inspect PPTP-In-Policy

class type inspect All-Traffic

  inspect

class class-default

  drop

policy-map type inspect INSIDE_TO_OUTSIDE

description Inside to Outside traffic

class type inspect INSIDE_TO_OUTSIDE

  inspect

class type inspect PPTP-Pass-Through-Traffic

  pass

class class-default

  drop log

policy-map type inspect ICMPinspectpolicy

class class-default

  drop

policy-map type inspect SELF-TO-OUT

class type inspect SELF-TO-OUT

  pass

class class-default

  drop

!

zone security INSIDE

description Office LAN

zone security OUTSIDE

description Internet

zone security pptp

zone-pair security OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE

service-policy type inspect OUTSIDE_TO_INSIDE

zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE

service-policy type inspect INSIDE_TO_OUTSIDE

zone-pair security outside-self source OUTSIDE destination self

service-policy type inspect Out-Self-Policy

zone-pair security pptp-in source pptp destination INSIDE

service-policy type inspect PPTP-In-Policy

zone-pair security Self-TO-OUT source self destination OUTSIDE

service-policy type inspect SELF-TO-OUT

!

!

!

!

!

!

!

!

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

description $FW_OUTSIDE$

ip address XX.XX.XX.93 255.255.255.252

ip nat outside

ip virtual-reassembly in

zone-member security OUTSIDE

duplex auto

speed auto

!

interface GigabitEthernet0/1

description $FW_INSIDE$

ip address 192.168.10.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

zone-member security INSIDE

duplex auto

speed auto

!

interface GigabitEthernet0/2

description $FW_INSIDE$

ip address 10.10.10.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

zone-member security INSIDE

duplex auto

speed auto

no mop enabled

!

interface GigabitEthernet0/1/0

description Phones$FW_INSIDE$

switchport access vlan 20

no ip address

zone-member security INSIDE

no mop enabled

!

interface GigabitEthernet0/1/1

no ip address

shutdown

!

interface GigabitEthernet0/1/2

no ip address

shutdown

!

interface GigabitEthernet0/1/3

no ip address

shutdown

!

interface GigabitEthernet0/1/4

no ip address

shutdown

!

interface GigabitEthernet0/1/5

no ip address

shutdown

!

interface GigabitEthernet0/1/6

no ip address

shutdown

!

interface GigabitEthernet0/1/7

no ip address

shutdown

!

interface Virtual-Template1

ip unnumbered GigabitEthernet0/0

zone-member security INSIDE

peer default ip address pool vpnpool

ppp encrypt mppe auto

ppp authentication ms-chap-v2 ms-chap chap

!

interface Vlan1

no ip address

shutdown

!

interface Vlan20

ip address 192.168.20.1 255.255.255.0

ip nbar protocol-discovery

ip nat inside

ip virtual-reassembly in

zone-member security INSIDE

!

ip local pool vpnpool 192.168.100.40 192.168.100.49

ip forward-protocol nd

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source list 101 interface GigabitEthernet0/0 overload

ip nat inside source static tcp 192.168.10.10 22 interface GigabitEthernet0/0 8222

ip nat inside source static tcp 192.168.10.203 80 interface GigabitEthernet0/0 80

ip nat inside source static tcp 192.168.10.13 8040 interface GigabitEthernet0/0 8040

ip nat inside source static tcp 192.168.10.13 8041 interface GigabitEthernet0/0 8041

ip nat inside source static tcp 192.168.10.11 80 interface GigabitEthernet0/0 8280

ip nat inside source static tcp 192.168.10.11 465 interface GigabitEthernet0/0 465

ip nat inside source static tcp 192.168.10.11 993 interface GigabitEthernet0/0 993

ip nat inside source static tcp 192.168.10.3 1723 interface GigabitEthernet0/0 1723

ip nat inside source static tcp 192.168.10.3 500 interface GigabitEthernet0/0 500

ip nat inside source static tcp 192.168.10.3 4500 interface GigabitEthernet0/0 4500

ip nat inside source static tcp 192.168.10.8 443 interface GigabitEthernet0/0 443

ip route 0.0.0.0 0.0.0.0 50.198.202.94

ip route 10.98.50.0 255.255.255.0 192.168.10.2

ip route 192.168.100.0 255.255.255.0 192.168.10.3

!

ip access-list extended OUTSIDE_TO_INSIDE_ACCESS

permit tcp any host 192.168.10.10 eq 22

permit tcp any host 192.168.10.203 eq www

permit tcp any host 192.168.10.13 eq 8040

permit tcp any host 192.168.10.13 eq 8041

permit tcp any host 192.168.10.11 eq www

permit udp any 192.168.10.0 0.0.0.255 range 2222 2269

permit tcp any any established

permit udp any 192.168.20.0 0.0.0.255 range 2222 2269

permit tcp any host 192.168.10.8 eq 443

ip access-list extended PPTP-PASS-THROUGH

permit gre host 192.168.10.3 any

permit gre any host 192.168.10.3

permit tcp any host 192.168.10.3 eq 1723

permit udp any host 192.168.10.3 eq isakmp

permit udp any host 192.168.10.3 eq non500-isakmp

permit esp any host 192.168.10.3

permit tcp host 192.168.10.3 eq 1723 any

permit esp host 192.168.10.3 any

ip access-list extended PPTP-TERMINATED

permit gre any any

permit tcp any any eq 1723

ip access-list extended Test

permit tcp any any

permit udp any any

permit icmp any any

permit eigrp any any

permit esp any any

!

logging trap debugging

!

!

access-list 101 permit gre any any

access-list 101 permit udp any any

access-list 101 permit ip any any

access-list 105 permit udp any eq 5060 any

access-list 105 permit udp any range 2222 2269 any

access-list 105 permit tcp any any established

access-list 105 permit tcp any any

access-list 105 permit udp any any

access-list 105 permit icmp any any

access-list 105 permit ip any any

!

control-plane

!

!

!

line con 0

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

privilege level 15

password XXX

login local

transport input telnet ssh

transport output telnet ssh

line vty 5 15

privilege level 15

login local

transport input telnet ssh

transport output telnet ssh

!

scheduler allocate 20000 1000

!

end

As usual, any help will be greatly appreciated.

I'll continue plugging away until this issue is resolved.

Thanks,

Paul
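The %FW-6-DROP_PKT messages quoted in this reply are the quickest way to see which class of which zone-pair is rejecting the tunnel, and for what state-tracking reason. The script below is an added example, not part of the thread and not a Cisco tool: it parses those messages into fields, counts drops per (zone-pair, class, reason) and pulls out the ones that touch the PPTP control port, TCP/1723. The sample log is constructed from the messages posted above, with the redacted public addresses replaced by documentation ranges (203.0.113.0/24 and 198.51.100.0/24) and one unrelated syslog line added to show it is skipped; the message layout is assumed to be exactly the one shown in this thread.

```python
import re
from collections import Counter

# %FW-6-DROP_PKT as logged by the zone-based firewall with
# 'service timestamps log datetime msec' and 'log dropped-packets enable'.
# Layout assumed from the messages quoted in this thread.
DROP_RE = re.compile(
    r"^\*?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): %FW-6-DROP_PKT: Dropping "
    r"(?P<proto>\S+) session (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) on zone-pair (?P<zone_pair>\S+) "
    r"class (?P<cls>\S+) due to\s+(?P<reason>.+?) with ip ident (?P<ident>\d+)$"
)
PPTP_CONTROL_PORT = 1723

# Constructed sample: the thread's drop messages with the redacted public
# addresses replaced by documentation ranges, plus one unrelated syslog line.
SAMPLE_LOG = """\
*Dec 18 15:34:56.937: %FW-6-DROP_PKT: Dropping Unknown-l4 session 192.168.10.3:0 203.0.113.84:0 on zone-pair INSIDE_TO_OUTSIDE class INSIDE_TO_OUTSIDE due to  Invalid Segment with ip ident 0
*Dec 18 18:57:10.368: %FW-6-DROP_PKT: Dropping tcp session 192.168.10.3:1723 203.0.113.84:0 on zone-pair INSIDE_TO_OUTSIDE class INSIDE_TO_OUTSIDE due to  Invalid Flags with ip ident 0
*Dec 18 22:52:10.535: %FW-6-DROP_PKT: Dropping tcp session 192.168.10.3:1723 203.0.113.76:49839 on zone-pair INSIDE_TO_OUTSIDE class INSIDE_TO_OUTSIDE due to  Invalid Flags with ip ident 0
*Dec 18 17:35:28.172: %FW-6-DROP_PKT: Dropping tcp session 192.168.10.127:55689 198.51.100.102:443 on zone-pair INSIDE_TO_OUTSIDE class INSIDE_TO_OUTSIDE due to  Stray Segment with ip ident 0
*Dec 18 22:52:11.002: %SYS-5-CONFIG_I: Configured from console by vault on vty0 (192.168.10.50)
"""


def parse_drop(line):
    """Fields of one %FW-6-DROP_PKT line, or None for any other message."""
    m = DROP_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "ident"):
        rec[key] = int(rec[key])
    return rec


def summarize(lines):
    """Drop counts keyed by (zone-pair, class, reason): which policy class is
    rejecting traffic, and whether it is doing so for state-tracking reasons."""
    return Counter((r["zone_pair"], r["cls"], r["reason"])
                   for r in map(parse_drop, lines) if r)


def pptp_control_drops(lines):
    """Drops involving the PPTP control port. As the thread found, a drop with
    the inside server's port 1723 on the inside-to-outside pair means the
    server's replies reached an 'inspect' class that holds no session for
    them, rather than the class meant to pass the tunnel through."""
    return [r for r in map(parse_drop, lines)
            if r and PPTP_CONTROL_PORT in (r["sport"], r["dport"])]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for key, n in summarize(lines).most_common():
        print(n, *key)
    for r in pptp_control_drops(lines):
        print(r["ts"], f'{r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]}', r["reason"])
```

Run it against `show logging` output (or the syslog collector fed by `logging trap debugging`) after a failed client attempt; if every 1723 drop lands in the same inspect class of the same zone-pair, the problem is policy ordering rather than one misbehaving client.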

Wow, it's been a long few days and nights, but I finally figured it out. The order of operations in the policy-map is important, and it turns out my PPTP-Pass-Through-Traffic class map needs to run before the OUTSIDE_TO_INSIDE and the INSIDE_TO_OUTSIDE class maps. The errors I was receiving

*Dec 18 22:52:10.535: %FW-6-DROP_PKT: Dropping tcp session 192.168.10.3:1723 XX.XX.12.76:49839 on zone-pair INSIDE_TO_OUTSIDE class INSIDE_TO_OUTSIDE due to  Invalid Flags with ip ident 0

and

*Dec 18 17:35:28.172: %FW-6-DROP_PKT: Dropping tcp session 192.168.10.127:55689 XX.XX.148.102:443 on zone-pair INSIDE_TO_OUTSIDE class INSIDE_TO_OUTSIDE due to  Stray Segment with ip ident 0

got me thinking that my sessions were getting split between the PPTP-Pass-Through-Traffic class map and the INSIDE_TO_OUTSIDE and OUTSIDE_TO_INSIDE class maps.

Here is the current running-config in case anyone comes across this and wants to see what I did.

Building configuration...

Current configuration : 10496 bytes

!

! Last configuration change at 11:27:12 MDT Thu Dec 19 2013 by vault

version 15.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname dts2921

!

boot-start-marker

boot system flash c2900-universalk9-mz.SPA.153-3.M1.bin

boot-end-marker

!

!

logging buffered 4096

enable secret 5 $1$n8wse$6RhH/4yZ32PLTw8M049...

enable password XXX

!

aaa new-model

!

!

aaa authentication ppp default local

!

!

!

!

!

aaa session-id common

clock timezone MDT -7 0

clock summer-time MDT date Apr 6 2003 2:00 Oct 26 2003 2:00

!

!

!

!

ip dhcp excluded-address 192.168.10.1 192.168.10.49

ip dhcp excluded-address 192.168.10.200 192.168.10.254

ip dhcp excluded-address 192.168.20.1 192.168.20.9

ip dhcp excluded-address 192.168.20.100 192.168.20.254

!

ip dhcp pool office-pool

import all

network 192.168.10.0 255.255.255.0

dns-server 8.8.8.8 8.8.4.4

default-router 192.168.10.1

!

ip dhcp pool phone-pool

import all

network 192.168.20.0 255.255.255.0

dns-server 8.8.8.8 8.8.4.4

default-router 192.168.20.1

!

!

!

ip name-server 8.8.8.8

ip name-server 8.8.4.4

ip inspect log drop-pkt

ip cef

no ipv6 cef

!

parameter-map type inspect global

log dropped-packets enable

max-incomplete low 18000

max-incomplete high 20000

multilink bundle-name authenticated

!

vpdn enable

!

vpdn-group 1

! Default PPTP VPDN group

accept-dialin

  protocol pptp

  virtual-template 1

!

!

!

crypto pki trustpoint TP-self-signed-3398053797

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3398053797

revocation-check none

rsakeypair TP-self-signed-3398053797

!

!

crypto pki certificate chain TP-self-signed-3398053797

certificate self-signed 01

        quit

license udi pid CISCO2921/K9 sn FGL1234567MB

license boot module c2900 technology-package securityk9

!

!

object-group network outgoing-DNS-servers

description Allowed outgoing DNS servers

host 8.8.8.8

host 8.8.4.4

!

vtp mode transparent

username vault privilege 15 password 0 XXX

!

redundancy

!

!

!

!

!

vlan 10

name Office

!

vlan 20

name Phones

!

!

class-map type inspect match-all PPTP-Pass-Through-Traffic

match access-group name PPTP-PASS-THROUGH

class-map type inspect match-any All-Traffic

match protocol tcp

match protocol udp

match protocol icmp

class-map type inspect match-any SIP

match protocol sip

class-map type inspect match-any OUTSIDE_TO_INSIDE

  description Outside to Inside traffic

match access-group name OUTSIDE_TO_INSIDE_ACCESS

class-map type inspect match-any INSIDE_TO_OUTSIDE

match protocol http

match protocol https

match protocol dns

match protocol ssh

match protocol imap

match protocol smtp

match protocol pop3

match protocol ftp

match protocol ms-sql

match protocol mysql

match protocol nfs

match protocol ntp

match protocol telnet

match protocol x11

match protocol xdmcp

match protocol cifs

match protocol netbios-dgm

match protocol netbios-ns

match protocol netbios-ssn

match protocol netstat

match protocol icmp

match access-group 105

match protocol pptp

match protocol l2tp

match protocol isakmp

!

policy-map type inspect OUTSIDE_TO_INSIDE

description Outside to Inside traffic

class type inspect SIP

  inspect

class type inspect PPTP-Pass-Through-Traffic

  pass

class type inspect OUTSIDE_TO_INSIDE

  inspect

class class-default

  drop

policy-map type inspect PPTP-In-Policy

class type inspect All-Traffic

  inspect

class class-default

  drop

policy-map type inspect INSIDE_TO_OUTSIDE

description Inside to Outside traffic

class type inspect PPTP-Pass-Through-Traffic

  pass

class type inspect INSIDE_TO_OUTSIDE

  inspect

class class-default

  drop log

policy-map type inspect ICMPinspectpolicy

class class-default

  drop

!

zone security INSIDE

description Office LAN

zone security OUTSIDE

description Internet

zone security pptp

zone-pair security OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE

service-policy type inspect OUTSIDE_TO_INSIDE

zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE

service-policy type inspect INSIDE_TO_OUTSIDE

zone-pair security pptp-in source pptp destination INSIDE

service-policy type inspect PPTP-In-Policy

!

!

!

!

!

!

!

!

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

description $FW_OUTSIDE$

ip address XX.XX.202.93 255.255.255.252

ip nat outside

ip virtual-reassembly in

zone-member security OUTSIDE

duplex auto

speed auto

!

interface GigabitEthernet0/1

description $FW_INSIDE$

ip address 192.168.10.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

zone-member security INSIDE

duplex auto

speed auto

!

interface GigabitEthernet0/2

description $FW_INSIDE$

ip address 10.10.10.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

zone-member security INSIDE

duplex auto

speed auto

no mop enabled

!

interface GigabitEthernet0/1/0

description Phones$FW_INSIDE$

switchport access vlan 20

no ip address

zone-member security INSIDE

no mop enabled

!

interface GigabitEthernet0/1/1

no ip address

shutdown

!

interface GigabitEthernet0/1/2

no ip address

shutdown

!

interface GigabitEthernet0/1/3

no ip address

shutdown

!

interface GigabitEthernet0/1/4

no ip address

shutdown

!

interface GigabitEthernet0/1/5

no ip address

shutdown

!

interface GigabitEthernet0/1/6

no ip address

shutdown

!

interface GigabitEthernet0/1/7

no ip address

shutdown

!

interface Virtual-Template1

ip unnumbered GigabitEthernet0/0

zone-member security pptp

peer default ip address pool vpnpool

ppp encrypt mppe auto

ppp authentication ms-chap-v2 ms-chap chap

!

interface Vlan1

no ip address

shutdown

!

interface Vlan20

ip address 192.168.20.1 255.255.255.0

ip nbar protocol-discovery

ip nat inside

ip virtual-reassembly in

zone-member security INSIDE

!

ip local pool vpnpool 192.168.100.40 192.168.100.49

ip forward-protocol nd

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source list 101 interface GigabitEthernet0/0 overload

ip nat inside source static tcp 192.168.10.10 22 interface GigabitEthernet0/0 8222

ip nat inside source static tcp 192.168.10.203 80 interface GigabitEthernet0/0 80

ip nat inside source static tcp 192.168.10.13 8040 interface GigabitEthernet0/0 8040

ip nat inside source static tcp 192.168.10.13 8041 interface GigabitEthernet0/0 8041

ip nat inside source static tcp 192.168.10.11 80 interface GigabitEthernet0/0 8280

ip nat inside source static tcp 192.168.10.11 465 interface GigabitEthernet0/0 465

ip nat inside source static tcp 192.168.10.11 993 interface GigabitEthernet0/0 993

ip nat inside source static tcp 192.168.10.3 1723 interface GigabitEthernet0/0 1723

ip nat inside source static tcp 192.168.10.3 500 interface GigabitEthernet0/0 500

ip nat inside source static tcp 192.168.10.3 4500 interface GigabitEthernet0/0 4500

ip nat inside source static tcp 192.168.10.8 443 interface GigabitEthernet0/0 443

ip route 0.0.0.0 0.0.0.0 XX.XX.202.94

ip route 10.98.50.0 255.255.255.0 192.168.10.2

ip route 192.168.100.0 255.255.255.0 192.168.10.3

!

ip access-list extended OUTSIDE_TO_INSIDE_ACCESS

permit tcp any host 192.168.10.10 eq 22

permit tcp any host 192.168.10.203 eq www

permit tcp any host 192.168.10.13 eq 8040

permit tcp any host 192.168.10.13 eq 8041

permit tcp any host 192.168.10.11 eq www

permit udp any 192.168.10.0 0.0.0.255 range 2222 2269

permit tcp any any established

permit udp any 192.168.20.0 0.0.0.255 range 2222 2269

permit tcp any host 192.168.10.8 eq 443

ip access-list extended PPTP-PASS-THROUGH

permit gre host 192.168.10.3 any

permit gre any host 192.168.10.3

permit tcp any host 192.168.10.3 eq 1723

permit udp any host 192.168.10.3 eq isakmp

permit udp any host 192.168.10.3 eq non500-isakmp

permit esp any host 192.168.10.3

permit tcp host 192.168.10.3 eq 1723 any

permit esp host 192.168.10.3 any

!

logging trap debugging

!

!

access-list 101 permit gre any any

access-list 101 permit udp any any

access-list 101 permit ip any any

access-list 105 permit udp any eq 5060 any

access-list 105 permit udp any range 2222 2269 any

access-list 105 permit tcp any any established

access-list 105 permit tcp any any

access-list 105 permit udp any any

access-list 105 permit icmp any any

access-list 105 permit ip any any

!

!

!

control-plane

!

!

!

line con 0

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

privilege level 15

password XXX

transport input telnet ssh

transport output telnet ssh

line vty 5 15

privilege level 15

transport input telnet ssh

transport output telnet ssh

!

scheduler allocate 20000 1000

!

end

I still have some cleanup to do now, as I'm sure some of the changes I made along the way were not needed, but I can remove one thing at a time and make sure everything still works.

Have a great holiday season!

Paul
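The fix in this thread is a class-ordering rule: the class that should `pass` the PPTP control (TCP/1723) and GRE flows has to be evaluated before any `inspect` class whose criteria (`match protocol pptp`, `match access-group 105` with its `permit ip any any`, or `permit tcp any any established`) would otherwise claim those packets. The first matching class wins, so with the inspect class listed first the inside server's SYN-ACK on port 1723 is examined against a session table that never saw the SYN and is dropped with "Invalid Flags". The script below is an added example, not from the thread and not a Cisco tool: it parses the class-map, policy-map and access-list stanzas out of an IOS configuration and reports every `pass` class that is shadowed by a broad `inspect` class ahead of it. The BEFORE and AFTER strings are constructed abbreviations of the two configurations posted in this thread; the "broad" heuristic (which `match protocol` values and which any-to-any permits could also match PPTP or GRE) is this example's own assumption, and match-all classes are treated like match-any, so it over-flags rather than under-flags.

```python
import re
from collections import defaultdict

# Constructed excerpts of the two policy-map orderings from the thread.
BEFORE = """\
class-map type inspect match-any INSIDE_TO_OUTSIDE
 match protocol pptp
 match access-group 105
policy-map type inspect INSIDE_TO_OUTSIDE
 class type inspect INSIDE_TO_OUTSIDE
  inspect
 class type inspect PPTP-Pass-Through-Traffic
  pass
access-list 105 permit ip any any
"""
AFTER = """\
class-map type inspect match-all PPTP-Pass-Through-Traffic
 match access-group name PPTP-PASS-THROUGH
class-map type inspect match-any SIP
 match protocol sip
class-map type inspect match-any OUTSIDE_TO_INSIDE
 match access-group name OUTSIDE_TO_INSIDE_ACCESS
policy-map type inspect OUTSIDE_TO_INSIDE
 class type inspect SIP
  inspect
 class type inspect PPTP-Pass-Through-Traffic
  pass
 class type inspect OUTSIDE_TO_INSIDE
  inspect
 class class-default
  drop
ip access-list extended PPTP-PASS-THROUGH
 permit tcp any host 192.168.10.3 eq 1723
 permit gre any host 192.168.10.3
ip access-list extended OUTSIDE_TO_INSIDE_ACCESS
 permit tcp any any established
"""

HEADERS = {
    "class": re.compile(r"^class-map type inspect (?:match-all|match-any) (\S+)$"),
    "policy": re.compile(r"^policy-map type inspect (\S+)$"),
    "acl": re.compile(r"^ip access-list extended (\S+)$"),
}
NUMBERED_ACL = re.compile(r"^access-list (\d+) ((?:permit|deny) .+)$")
POLICY_CLASS = re.compile(r"^class (?:type inspect (\S+)|(class-default))$")
# Assumed heuristic: 'match protocol' values and 'permit <proto> any any'
# entries that would also claim PPTP control (TCP/1723) or GRE data flows.
BROAD_PROTOCOLS = {"ip", "tcp", "pptp"}
BROAD_ACL_PROTOCOLS = {"ip", "tcp", "gre"}


def parse_config(text):
    """Class-map criteria, policy-map class order with action, and ACL entries.
    Keyed on keywords rather than indentation, so pasted configs whose leading
    spaces were stripped (as on this page) parse the same way."""
    cfg = {"class": {}, "policy": {}, "acl": defaultdict(list)}
    kind = name = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        hdr = next(((k, m.group(1)) for k, rx in HEADERS.items()
                    if (m := rx.match(line))), None)
        if hdr:
            kind, name = hdr
            cfg[kind].setdefault(name, [])
        elif m := NUMBERED_ACL.match(line):
            cfg["acl"][m.group(1)].append(m.group(2))
        elif kind == "class" and line.startswith("match "):
            parts = line.split()  # match protocol X | match access-group [name] X
            if parts[1] in ("protocol", "access-group"):
                cfg["class"][name].append((parts[1], parts[-1]))
        elif kind == "policy":
            if m := POLICY_CLASS.match(line):
                cfg["policy"][name].append([m.group(1) or m.group(2), None])
            elif line.split()[0] in ("inspect", "pass", "drop") and cfg["policy"][name]:
                cfg["policy"][name][-1][1] = line.split()[0]
        elif kind == "acl" and line.startswith(("permit ", "deny ")):
            cfg["acl"][name].append(line)
    return cfg


def class_is_broad(cfg, class_name):
    """Could this class-map claim the pass-through flows from arbitrary hosts?"""
    for kind, value in cfg["class"].get(class_name, []):
        if kind == "protocol" and value in BROAD_PROTOCOLS:
            return True
        if kind == "access-group":
            for entry in cfg["acl"].get(value, []):
                p = entry.split()
                if (len(p) >= 4 and p[0] == "permit"
                        and p[1] in BROAD_ACL_PROTOCOLS and p[2:4] == ["any", "any"]):
                    return True
    return False


def misordered(cfg, policy_name, pass_class):
    """Inspect classes evaluated before `pass_class` that could take its flows,
    so the pass action never applies and state tracking rejects the packets."""
    offenders = []
    for cls, action in cfg["policy"][policy_name]:
        if cls == pass_class:
            return offenders
        if action == "inspect" and class_is_broad(cfg, cls):
            offenders.append(cls)
    raise KeyError(f"{pass_class} is not a class of policy-map {policy_name}")


def audit(cfg):
    """Every (policy-map, pass class, shadowing inspect class) in the config."""
    return [(policy, cls, off)
            for policy, classes in cfg["policy"].items()
            for cls, action in classes if action == "pass"
            for off in misordered(cfg, policy, cls)]
```

`audit(parse_config(BEFORE))` reports the INSIDE_TO_OUTSIDE policy, and `audit(parse_config(AFTER))` is empty because the only class ahead of the pass class is SIP, which matches nothing the tunnel uses. Two things worth keeping in mind when applying the rule: `pass` is stateless, which is why the final config's PPTP-PASS-THROUGH ACL lists both directions and the class is attached to both zone-pairs, and `match protocol pptp` inside the general inspect class is exactly the kind of criterion that silently steals the flow if it is evaluated first.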

  
