Windows Client VPN Passthrough on C2900

I have a C2900 series router with 15.0(1r)M16 configured with ZBFW. Within this internal network I need a Windows computer to be able to reach out via PPTP to an ASUS router at another location. It seems like I make a connection, but then it fails at authentication. I have tested the creds and they work fine when not utilizing this Cisco router. I get 829 and 619 error codes on the Windows client.

What would be a standard config for vpn passthrough?

ip access-list extended VPN-IN
 permit gre host (asus public ip) 192.168.2.0 0.0.0.255
ip access-list extended VPN-OUT
 permit gre 192.168.2.0 0.0.0.255 host (asus public ip)

class-map type inspect match-any GRE-IN-TO-OUT
 match access-group name VPN-OUT
class-map type inspect match-any GRE-OUT-TO-IN
 match access-group name VPN-IN
class-map type inspect match-any PPTP-IN-TO-OUT
 match protocol pptp

policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class type inspect PPTP-IN-TO-OUT
  inspect
 class type inspect GRE-IN-TO-OUT
  pass
 class class-default
  drop log

policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  pass
 class type inspect GRE-OUT-TO-IN
  pass
 class class-default
  drop log


7 Replies

Can I see your zone-pairing config? I think you are missing the zone-pair config.

class-map type inspect match-any  GRE-IN-TO-OUT
 match access-group name  VPN-OUT
class-map type inspect match-any  GRE-OUT-TO-IN
 match access-group name  VPN-IN
class-map type inspect match-all INSIDE-TO-VLAN5
 match access-group name INSIDE-TO-VLAN5
class-map type inspect match-all VLAN5-TO-INSIDE
 match access-group name VLAN5-TO-INSIDE
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
 match access-group name OUTSIDE-TO-INSIDE
class-map type inspect match-all INSIDE-TO-DMZ-CLASS
 match access-group name INSIDE-TO-DMZ
class-map match-any VOICE_CLASS
 match access-group name VOICE_ACL
class-map type inspect match-any  PPTP-IN-TO-OUT
 match protocol pptp
class-map type inspect match-all VLAN5-TO-OUTSIDE
 match access-group name VLAN5-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-VLAN5
 match access-group name OUTSIDE-TO-VLAN5
class-map type inspect match-all OUTSIDE-TO-DMZ-CLASS
 match access-group name OUTSIDE-TO-DMZ
!
policy-map type inspect VLAN5-TO-INSIDE-POLICY
 class type inspect VLAN5-TO-INSIDE
  pass
 class class-default
  drop log
policy-map type inspect INSIDE-TO-DMZ-POLICY
 class type inspect INSIDE-TO-DMZ-CLASS
  pass
 class class-default
  drop log
policy-map type inspect INSIDE-TO-VLAN5-POLICY
 class type inspect INSIDE-TO-VLAN5
  pass
 class class-default
  drop log
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class type inspect  PPTP-IN-TO-OUT
  inspect
 class type inspect  GRE-IN-TO-OUT
  pass
 class class-default
  drop log
policy-map VOICE
 class VOICE_CLASS
  priority percent 30
 class class-default
  bandwidth remaining percent 100
  fair-queue
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  pass
 class type inspect  GRE-OUT-TO-IN
  pass
 class class-default
  drop log
policy-map type inspect OUTSIDE-TO-DMZ-POLICY
 class type inspect OUTSIDE-TO-DMZ-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect OUTSIDE-TO-VLAN5-POLICY
 class type inspect OUTSIDE-TO-VLAN5
  pass
 class class-default
  drop log
policy-map type inspect VLAN5-TO-OUTSIDE-POLICY
 class type inspect VLAN5-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone security DMZ
zone security VLAN5
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUTSIDE-TO-DMZ-POLICY
zone-pair security IN-TO-DMZ source INSIDE destination DMZ
 service-policy type inspect INSIDE-TO-DMZ-POLICY
zone-pair security IN-TO-VLAN5 source INSIDE destination VLAN5
 service-policy type inspect INSIDE-TO-VLAN5-POLICY
zone-pair security VLAN5-TO-IN source VLAN5 destination INSIDE
 service-policy type inspect VLAN5-TO-INSIDE-POLICY
zone-pair security VLAN5-TO-OUT source VLAN5 destination OUTSIDE
 service-policy type inspect VLAN5-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-VLAN5 source OUTSIDE destination VLAN5
 service-policy type inspect OUTSIDE-TO-VLAN5-POLICY
!
!
interface GigabitEthernet0/0
 description LAN
 ip address dhcp
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 glbp 123 ip 192.168.2.4
 glbp 123 priority 110
 glbp 123 preempt
 glbp 123 load-balancing host-dependent
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.5
 encapsulation dot1Q 5
 ip address 192.168.5.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security VLAN5
 glbp 5 ip 192.168.5.4
 glbp 5 priority 110
 glbp 5 preempt
 glbp 5 load-balancing host-dependent
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 description WAN
 ip address <wan ip>
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
 duplex auto
 speed auto
 ntp broadcast client
 service-policy output VOICE
 hold-queue 150 in
!
!
!
ip http server
no ip http secure-server
!
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source list NAT interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 <ip>
ip route 192.168.1.0 255.255.255.0 192.168.2.2 name DanTun
ip ssh version 2
!
ip access-list extended INSIDE-TO-DMZ
 permit tcp 192.168.0.0 0.0.255.255 172.17.0.0 0.0.255.255 eq www
 permit icmp 192.168.0.0 0.0.255.255 172.17.0.0 0.0.255.255
ip access-list extended INSIDE-TO-OUTSIDE
 permit tcp 192.168.0.0 0.0.255.255 any eq www
 permit tcp 192.168.0.0 0.0.255.255 any eq pop3
 permit icmp 192.168.0.0 0.0.255.255 any
 permit tcp any any
 permit udp any any
 permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended INSIDE-TO-VLAN5
 permit icmp 192.168.2.0 0.0.0.255 any
 permit tcp 192.168.2.0 0.0.0.255 any
 permit udp 192.168.2.0 0.0.0.255 any
ip access-list extended  VPN
ip access-list extended  VPN-IN
 permit gre host <asus public ip> 192.168.2.0 0.0.0.255
ip access-list extended  VPN-OUT
 permit gre 192.168.2.0 0.0.0.255 host <asus public ip>
ip access-list extended NAT
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.5.0 0.0.0.255 any
ip access-list extended OUTSIDE-TO-DMZ
 permit tcp any 172.17.0.0 0.0.255.255 eq www
ip access-list extended OUTSIDE-TO-INSIDE
 permit icmp any 192.168.0.0 0.0.255.255
ip access-list extended OUTSIDE-TO-VLAN5
 permit icmp any 192.168.0.0 0.0.255.255
ip access-list extended VLAN5-TO-INSIDE
 permit udp any host 192.168.2.252 eq bootps
ip access-list extended VLAN5-TO-OUTSIDE
 permit tcp 192.168.5.0 0.0.0.255 any eq www
 permit icmp 192.168.5.0 0.0.0.255 any
 permit tcp 192.168.5.0 0.0.0.255 any eq pop3
 permit ip 192.168.5.0 0.0.0.255 any
 permit tcp any any
 permit udp any any
ip access-list extended VOICE_ACL
 permit ip any any dscp ef
!
!
!

access-list 10 remark --Restrict Ext CLI Access--
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 10 deny   any log

From my view, if you get a log of the traffic drop in the router, which means that the zone security is what makes your traffic drop, then there are two points here:
1- Are you using PPTP or PPTP/IPSec? If you use PPTP then
2- From where does the traffic initiate? I asked for your config to see which traffic is allowed from OUT to IN.
If the traffic initiates from OUT to IN then you need to inspect PPTP for the zone-pair OUT-IN, not IN-OUT.

Hope this solves your issue.

Traffic initiates from Inside to outside. 

example.png

I hope this explains better what I am trying to achieve. 

class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
 match access-group name OUTSIDE-TO-INSIDE
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class type inspect PPTP-IN-TO-OUT
  inspect
 class type inspect GRE-IN-TO-OUT
  pass
 class class-default
  drop log
!
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  pass
 class type inspect GRE-OUT-TO-IN
  pass
 class class-default
  drop log

zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUTSIDE-TO-DMZ-POLICY
zone-pair security IN-TO-DMZ source INSIDE destination DMZ
 service-policy type inspect INSIDE-TO-DMZ-POLICY
zone-pair security IN-TO-VLAN5 source INSIDE destination VLAN5
 service-policy type inspect INSIDE-TO-VLAN5-POLICY
zone-pair security VLAN5-TO-IN source VLAN5 destination INSIDE
 service-policy type inspect VLAN5-TO-INSIDE-POLICY
zone-pair security VLAN5-TO-OUT source VLAN5 destination OUTSIDE
 service-policy type inspect VLAN5-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-VLAN5 source OUTSIDE destination VLAN5
 service-policy type inspect OUTSIDE-TO-VLAN5-POLICY
!
ip access-list extended INSIDE-TO-OUTSIDE
 permit tcp 192.168.0.0 0.0.255.255 any eq www
 permit tcp 192.168.0.0 0.0.255.255 any eq pop3
 permit icmp 192.168.0.0 0.0.255.255 any
 permit tcp any any
 permit udp any any
 permit ip 192.168.2.0 0.0.0.255 any
!
ip access-list extended OUTSIDE-TO-INSIDE
 permit icmp any 192.168.0.0 0.0.255.255


Only try changing the order of the policy:

policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect PPTP-IN-TO-OUT
  inspect
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class type inspect GRE-IN-TO-OUT
  pass
 class class-default
  drop log
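The class-order point in the reply above can be checked mechanically. Below is an added Python model (not from the thread or from Cisco) of first-match class evaluation in the INSIDE-TO-OUTSIDE-POLICY, built from the ACLs posted earlier; it assumes "match protocol pptp" behaves as TCP to port 1723 and uses 203.0.113.10 as a constructed stand-in for the ASUS public IP. It goes one step beyond the reply by also trying an order in which the GRE class is lifted above the generic class.

```python
import ipaddress

# Added example modelling first-match evaluation of the thread's
# INSIDE-TO-OUTSIDE-POLICY. An ACE is (protocol, src net, dst net, dst port);
# "match protocol pptp" is modelled as TCP to port 1723 (assumption).
ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("192.168.2.0/24")
ASUS = ipaddress.ip_network("203.0.113.10/32")  # constructed stand-in for <asus public ip>

CLASSES = {
    # ACL INSIDE-TO-OUTSIDE reduced to the ACEs that matter for this question
    "INSIDE-TO-OUTSIDE-CLASS": [("tcp", ANY, ANY, None), ("udp", ANY, ANY, None),
                                ("ip", LAN, ANY, None)],
    "PPTP-IN-TO-OUT": [("tcp", ANY, ANY, 1723)],   # match protocol pptp
    "GRE-IN-TO-OUT": [("gre", LAN, ASUS, None)],    # ACL VPN-OUT
}
# Class order as posted, as suggested in the reply, and with GRE lifted too.
ORIGINAL = [("INSIDE-TO-OUTSIDE-CLASS", "inspect"), ("PPTP-IN-TO-OUT", "inspect"),
            ("GRE-IN-TO-OUT", "pass"), ("class-default", "drop")]
REPLY_ORDER = [("PPTP-IN-TO-OUT", "inspect"), ("INSIDE-TO-OUTSIDE-CLASS", "inspect"),
               ("GRE-IN-TO-OUT", "pass"), ("class-default", "drop")]
PPTP_GRE_FIRST = [("PPTP-IN-TO-OUT", "inspect"), ("GRE-IN-TO-OUT", "pass"),
                  ("INSIDE-TO-OUTSIDE-CLASS", "inspect"), ("class-default", "drop")]

def ace_matches(ace, proto, src, dst, dport):
    aproto, asrc, adst, aport = ace
    if aproto != "ip" and aproto != proto:      # "ip" ACEs match every protocol
        return False
    if aport is not None and aport != dport:
        return False
    return src in asrc and dst in adst

def first_match(policy, proto, src, dst, dport=None):
    """Return (class, action) for the first class in policy-map order whose
    ACL or protocol match hits the flow; class-default catches the rest."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, action in policy:
        if name == "class-default":
            return name, action
        if any(ace_matches(a, proto, src, dst, dport) for a in CLASSES[name]):
            return name, action
    return "class-default", "drop"

def pptp_passthrough_report(policy, client="192.168.2.10", server="203.0.113.10"):
    """Which class handles the PPTP control channel and the GRE data channel."""
    return {"tcp/1723": first_match(policy, "tcp", client, server, 1723),
            "gre": first_match(policy, "gre", client, server)}
```

Because the INSIDE-TO-OUTSIDE ACL contains both permit tcp any any and permit ip 192.168.2.0 0.0.0.255 any, a flow only reaches the PPTP and GRE classes if they are listed first; IOS ZBFW builds inspect sessions only for TCP, UDP and ICMP, so GRE that lands on the generic inspect class never gets the pass action it needs.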

Hi friend,
Is this issue solved?
I run Zone Firewall and inspect L2TP. Please see how I can check if the L2TP inspect is allowed and the session is built under the policy-map.

Screenshot (171).png
