12-12-2022 09:59 AM
I have a C2900 series router with 15.0(1r)M16 configured with ZBFW. Within this internal network I need a Windows computer to be able to reach out via PPTP to an ASUS router at another location. It seems like I make a connection, but then it fails at authentication. I have tested the creds and they work fine when not utilizing this Cisco router. I get 829 and 619 error codes on the Windows client.
What would be a standard config for VPN passthrough?
ip access-list extended VPN-IN
 permit gre host (asus public ip) 192.168.2.0 0.0.0.255
ip access-list extended VPN-OUT
 permit gre 192.168.2.0 0.0.0.255 host (asus public ip)
class-map type inspect match-any GRE-IN-TO-OUT
 match access-group name VPN-OUT
class-map type inspect match-any GRE-OUT-TO-IN
 match access-group name VPN-IN
class-map type inspect match-any PPTP-IN-TO-OUT
 match protocol pptp
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class type inspect PPTP-IN-TO-OUT
  inspect
 class type inspect GRE-IN-TO-OUT
  pass
 class class-default
  drop log
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  pass
 class type inspect GRE-OUT-TO-IN
  pass
 class class-default
  drop log
12-12-2022 10:23 AM - edited 12-12-2022 03:42 PM
Can I see your zone pairing config? I think you are missing the zone-pair config.
12-12-2022 06:42 PM
class-map type inspect match-any GRE-IN-TO-OUT
 match access-group name VPN-OUT
class-map type inspect match-any GRE-OUT-TO-IN
 match access-group name VPN-IN
class-map type inspect match-all INSIDE-TO-VLAN5
 match access-group name INSIDE-TO-VLAN5
class-map type inspect match-all VLAN5-TO-INSIDE
 match access-group name VLAN5-TO-INSIDE
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
 match access-group name OUTSIDE-TO-INSIDE
class-map type inspect match-all INSIDE-TO-DMZ-CLASS
 match access-group name INSIDE-TO-DMZ
class-map match-any VOICE_CLASS
 match access-group name VOICE_ACL
class-map type inspect match-any PPTP-IN-TO-OUT
 match protocol pptp
class-map type inspect match-all VLAN5-TO-OUTSIDE
 match access-group name VLAN5-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-VLAN5
 match access-group name OUTSIDE-TO-VLAN5
class-map type inspect match-all OUTSIDE-TO-DMZ-CLASS
 match access-group name OUTSIDE-TO-DMZ
!
policy-map type inspect VLAN5-TO-INSIDE-POLICY
 class type inspect VLAN5-TO-INSIDE
  pass
 class class-default
  drop log
policy-map type inspect INSIDE-TO-DMZ-POLICY
 class type inspect INSIDE-TO-DMZ-CLASS
  pass
 class class-default
  drop log
policy-map type inspect INSIDE-TO-VLAN5-POLICY
 class type inspect INSIDE-TO-VLAN5
  pass
 class class-default
  drop log
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class type inspect PPTP-IN-TO-OUT
  inspect
 class type inspect GRE-IN-TO-OUT
  pass
 class class-default
  drop log
policy-map VOICE
 class VOICE_CLASS
  priority percent 30
 class class-default
  bandwidth remaining percent 100
  fair-queue
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  pass
 class type inspect GRE-OUT-TO-IN
  pass
 class class-default
  drop log
policy-map type inspect OUTSIDE-TO-DMZ-POLICY
 class type inspect OUTSIDE-TO-DMZ-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect OUTSIDE-TO-VLAN5-POLICY
 class type inspect OUTSIDE-TO-VLAN5
  pass
 class class-default
  drop log
policy-map type inspect VLAN5-TO-OUTSIDE-POLICY
 class type inspect VLAN5-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone security DMZ
zone security VLAN5
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUTSIDE-TO-DMZ-POLICY
zone-pair security IN-TO-DMZ source INSIDE destination DMZ
 service-policy type inspect INSIDE-TO-DMZ-POLICY
zone-pair security IN-TO-VLAN5 source INSIDE destination VLAN5
 service-policy type inspect INSIDE-TO-VLAN5-POLICY
zone-pair security VLAN5-TO-IN source VLAN5 destination INSIDE
 service-policy type inspect VLAN5-TO-INSIDE-POLICY
zone-pair security VLAN5-TO-OUT source VLAN5 destination OUTSIDE
 service-policy type inspect VLAN5-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-VLAN5 source OUTSIDE destination VLAN5
 service-policy type inspect OUTSIDE-TO-VLAN5-POLICY
!
!
interface GigabitEthernet0/0
 description LAN
 ip address dhcp
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 glbp 123 ip 192.168.2.4
 glbp 123 priority 110
 glbp 123 preempt
 glbp 123 load-balancing host-dependent
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.5
 encapsulation dot1Q 5
 ip address 192.168.5.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security VLAN5
 glbp 5 ip 192.168.5.4
 glbp 5 priority 110
 glbp 5 preempt
 glbp 5 load-balancing host-dependent
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 description WAN
 ip address <wan ip>
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
 duplex auto
 speed auto
 ntp broadcast client
 service-policy output VOICE
 hold-queue 150 in
!
!
!
ip http server
no ip http secure-server
!
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source list NAT interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 <ip>
ip route 192.168.1.0 255.255.255.0 192.168.2.2 name DanTun
ip ssh version 2
!
ip access-list extended INSIDE-TO-DMZ
 permit tcp 192.168.0.0 0.0.255.255 172.17.0.0 0.0.255.255 eq www
 permit icmp 192.168.0.0 0.0.255.255 172.17.0.0 0.0.255.255
ip access-list extended INSIDE-TO-OUTSIDE
 permit tcp 192.168.0.0 0.0.255.255 any eq www
 permit tcp 192.168.0.0 0.0.255.255 any eq pop3
 permit icmp 192.168.0.0 0.0.255.255 any
 permit tcp any any
 permit udp any any
 permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended INSIDE-TO-VLAN5
 permit icmp 192.168.2.0 0.0.0.255 any
 permit tcp 192.168.2.0 0.0.0.255 any
 permit udp 192.168.2.0 0.0.0.255 any
ip access-list extended VPN
ip access-list extended VPN-IN
 permit gre host <asus public ip> 192.168.2.0 0.0.0.255
ip access-list extended VPN-OUT
 permit gre 192.168.2.0 0.0.0.255 host <asus public ip>
ip access-list extended NAT
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.5.0 0.0.0.255 any
ip access-list extended OUTSIDE-TO-DMZ
 permit tcp any 172.17.0.0 0.0.255.255 eq www
ip access-list extended OUTSIDE-TO-INSIDE
 permit icmp any 192.168.0.0 0.0.255.255
ip access-list extended OUTSIDE-TO-VLAN5
 permit icmp any 192.168.0.0 0.0.255.255
ip access-list extended VLAN5-TO-INSIDE
 permit udp any host 192.168.2.252 eq bootps
ip access-list extended VLAN5-TO-OUTSIDE
 permit tcp 192.168.5.0 0.0.0.255 any eq www
 permit icmp 192.168.5.0 0.0.0.255 any
 permit tcp 192.168.5.0 0.0.0.255 any eq pop3
 permit ip 192.168.5.0 0.0.0.255 any
 permit tcp any any
 permit udp any any
ip access-list extended VOICE_ACL
 permit ip any any dscp ef
!
!
!
access-list 10 remark --Restrict Ext CLI Access--
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 10 deny any log
12-13-2022 03:12 AM
From my view, if you get a log of traffic drops in the router, which means that zone security is what makes your traffic drop, then there are two points here:
1- Are you using PPTP, or PPTP/IPsec? If you use PPTP, then
2- From where does the traffic initiate? I asked for your config to see which traffic is allowed from OUT to IN;
if the traffic initiates from OUT to IN, then you need to inspect PPTP for the zone-pair OUT-IN, not IN-OUT.
Hope this solves your issue.
12-13-2022 06:45 PM
Traffic initiates from Inside to outside.
12-13-2022 06:50 PM - edited 12-13-2022 06:51 PM
I hope this explains better what I am trying to achieve.
12-16-2022 02:19 AM
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
 match access-group name OUTSIDE-TO-INSIDE
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class type inspect PPTP-IN-TO-OUT
  inspect
 class type inspect GRE-IN-TO-OUT
  pass
 class class-default
  drop log
!
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  pass
 class type inspect GRE-OUT-TO-IN
  pass
 class class-default
  drop log
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUTSIDE-TO-DMZ-POLICY
zone-pair security IN-TO-DMZ source INSIDE destination DMZ
 service-policy type inspect INSIDE-TO-DMZ-POLICY
zone-pair security IN-TO-VLAN5 source INSIDE destination VLAN5
 service-policy type inspect INSIDE-TO-VLAN5-POLICY
zone-pair security VLAN5-TO-IN source VLAN5 destination INSIDE
 service-policy type inspect VLAN5-TO-INSIDE-POLICY
zone-pair security VLAN5-TO-OUT source VLAN5 destination OUTSIDE
 service-policy type inspect VLAN5-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-VLAN5 source OUTSIDE destination VLAN5
 service-policy type inspect OUTSIDE-TO-VLAN5-POLICY
!
ip access-list extended INSIDE-TO-OUTSIDE
 permit tcp 192.168.0.0 0.0.255.255 any eq www
 permit tcp 192.168.0.0 0.0.255.255 any eq pop3
 permit icmp 192.168.0.0 0.0.255.255 any
 permit tcp any any
 permit udp any any
 permit ip 192.168.2.0 0.0.0.255 any
!
ip access-list extended OUTSIDE-TO-INSIDE
 permit icmp any 192.168.0.0 0.0.255.255
Only try changing the order of the policy:
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect PPTP-IN-TO-OUT
  inspect
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class type inspect GRE-IN-TO-OUT
  pass
 class class-default
  drop log
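As an added example (not the poster's configuration or Cisco reference material), here are the INSIDE/OUTSIDE pieces with the PPTP class placed ahead of the broad TCP/UDP class, together with the show commands used to confirm that the TCP/1723 session is inspected and that GRE is being passed in both directions. The ACL and class names follow the thread; <asus public ip> is the same placeholder used there.

```cisco
! Added example, not the poster's running config. Names match the thread.
ip access-list extended VPN-OUT
 permit gre 192.168.2.0 0.0.0.255 host <asus public ip>
ip access-list extended VPN-IN
 permit gre host <asus public ip> 192.168.2.0 0.0.0.255
!
class-map type inspect match-any PPTP-IN-TO-OUT
 match protocol pptp
class-map type inspect match-any GRE-IN-TO-OUT
 match access-group name VPN-OUT
class-map type inspect match-any GRE-OUT-TO-IN
 match access-group name VPN-IN
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 ! Classes are evaluated top-down, first match wins. INSIDE-TO-OUTSIDE-CLASS
 ! matches an ACL with "permit tcp any any" and "permit ip 192.168.2.0 ... any",
 ! so if it is listed first it swallows both TCP/1723 (generic TCP inspection,
 ! no PPTP ALG) and the outbound GRE. Put the specific classes first.
 class type inspect PPTP-IN-TO-OUT
  inspect
 class type inspect GRE-IN-TO-OUT
  pass
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 ! "pass" is stateless: it creates no session, so GRE from the ASUS back to the
 ! client needs its own entry on this zone-pair as well.
 class type inspect GRE-OUT-TO-IN
  pass
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  pass
 class class-default
  drop log
!
! Verification while the Windows client dials (exec mode):
!   show policy-map type inspect zone-pair IN-TO-OUT sessions
!     -> expect a tcp session to <asus public ip>:1723 under class PPTP-IN-TO-OUT
!   show policy-map type inspect zone-pair OUT-TO-IN
!     -> the GRE-OUT-TO-IN pass counters should increase once PPP negotiation starts
!   show logging | include FW-6-DROP_PKT
!     -> any class-default drops here name the protocol and zone-pair still missing
```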
12-24-2022 12:53 PM
Hi friend,
is this issue solved?
I run a zone firewall and inspect L2TP; please see how I can check if the L2TP inspection is allowed and the session is built under the policy-map.