Rob44
Beginner

Issue port forwarding PPTP in new router

Hi, I'm pretty new to Cisco setup, and I've managed to get a Cisco 1117 set up with a PPPoE internet connection. I'm trying to port forward 1723 to a Windows server (192.168.0.5) for PPTP VPN connections from home-based clients. I've used the below line:


ip nat inside source static tcp 192.168.0.5 1723 interface Ethernet0/2/0 1723


This seems to work flawlessly for a lot of people, but appears to do nothing for me. I'm thinking it might have to do with the ACL that I've set up, as per below:


ip access-list extended OUTSIDE-INSIDE
10 permit icmp any 192.168.0.0 0.0.255.255
20 permit gre any any
30 permit tcp any eq 1723 any eq 1723


which, for the purposes of initial config, I've made as permissive as I feel is reasonable. But it's not working. I've attached a sanitised running-config; if anyone could give me a hand, that would be fantastic!

1 REPLY
Georg Pauwen
VIP Expert

Hello,


looking at your config, it looks like you have access list 102 applied to the outside interface, which is either a typo, and you meant access list 104, or it is an empty access list? Either way, the ZBF and an access list applied to zoned interfaces do not work together, so remove that access list.


You also might want to inspect the PPTP control traffic (inspect) and just let the GRE pass.


That said, do you actually get an IP address on your outside interface? Typically you would have to allow UDP 67 outbound from the self zone, and UDP 68 inbound to the self zone, in order for the DHCP to work...


Make the changes marked with --> below to your configuration:


Router#show running-config
Building configuration...

Current configuration : 10479 bytes
!
! Last configuration change at 10:59:29 UTC Sun Sep 12 2021 by admintemp
!
version 17.4
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 9 xxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
aaa session-id common
!
transport-map type console telnet-ui
banner wait ^C
x
^C
banner diagnostic ^C
^C
!
clock timezone UTC 10 0
!
ip name-server 8.8.8.8 8.8.4.4
ip dhcp excluded-address 192.168.0.1 192.168.0.10
!
ip dhcp pool dpool1
import all
network 192.168.0.0 255.255.255.0
dns-server 192.168.0.1 192.168.0.10
default-router 192.168.0.1
!
login on-success log
!
subscriber templating
!
multilink bundle-name authenticated
!
flow record defaultApplicationTraffic
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect transport tcp flags
collect counter packets long
collect counter bytes long
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!
flow exporter export_Vlan1_2023215077
destination 192.168.0.5
source Vlan1
transport udp 2055
!
flow monitor dat_Vlan1_2023215077
exporter export_Vlan1_2023215077
record defaultApplicationTraffic
!
sampler deterministic_1_32
mode deterministic 1 out-of 32
!
crypto pki trustpoint TP-self-signed-887792347
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-887792347
revocation-check none
rsakeypair TP-self-signed-887792347
!
crypto pki trustpoint SLA-TrustPoint
enrollment terminal
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-887792347
certificate self-signed 01
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
quit
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

quit
!
crypto pki certificate pool
cabundle nvram:ios_core.p7b
!
no license feature hseck9
license udi pid C1117-4PWZ sn FGL2523LAWW
license boot level securityk9
license smart url https://smartreceiver.cisco.com/licservice/license
license smart url smart https://smartreceiver.cisco.com/licservice/license
license smart transport smart
memory free low-watermark processor 70888
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
et-analytics
!
username admin privilege 15 password 0 xxxxxxxxxxxxxxxxxxxxx
username admintemp privilege 15 secret 9 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
username ciscot password 0 xxxxxxxxxxxxxxx
!
redundancy
mode none
!
controller VDSL 0/2/0
operating mode vdsl2
!
vlan internal allocation policy ascending
!
class-map match-all exit
--> class-map type inspect match-any PPTP-IN-CLASS
--> match protocol pptp
class-map type inspect match-any INSIDE-OUTSIDE-CLASS
description Allowed_Protocol_From_INSIDE_to_OUTSIDE
match access-group name INSIDE-OUTSIDE
match protocol https
match protocol dns
match protocol udp
match protocol tcp
match protocol pop3
match protocol smtp
match protocol icmp
class-map type inspect match-all OUTSIDE-INSIDE-CLASS
match access-group name OUTSIDE-INSIDE
class-map type inspect match-any Web_app
match protocol tcp
match protocol udp
match protocol ftp
match protocol icmp
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
!
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect Web
inspect
class type inspect INSIDE-OUTSIDE-CLASS
inspect
class class-default
drop log
policy-map type inspect OUTSIDE-INSIDE-POLICY
--> class type inspect PPTP-IN-CLASS
--> inspect
class type inspect OUTSIDE-INSIDE-CLASS
pass
class class-default
drop log
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-INSIDE-POLICY
!
interface GigabitEthernet0/0/0
no ip address
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface Wlan-GigabitEthernet0/1/4
!
interface ATM0/2/0
no ip address
shutdown
atm oversubscribe factor 2
no atm ilmi-keepalive
!
interface Ethernet0/2/0
ip flow monitor dat_Vlan1_2023215077 sampler deterministic_1_32 input
ip flow monitor dat_Vlan1_2023215077 sampler deterministic_1_32 output
ip address dhcp
ip nat outside
--> no ip access-group 102 in
zone-member security OUTSIDE
no negotiation auto
ip virtual-reassembly
!
interface Vlan1
ip flow monitor dat_Vlan1_2023215077 sampler deterministic_1_32 input
ip flow monitor dat_Vlan1_2023215077 sampler deterministic_1_32 output
ip address 192.168.0.1 255.255.255.0
ip nat inside
zone-member security INSIDE
ip tcp adjust-mss 1460
ip virtual-reassembly
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http secure-port 1025
ip forward-protocol nd
ip dns server
ip nat inside source static tcp 192.168.0.5 443 interface Ethernet0/2/0 443
ip nat inside source static tcp 192.168.0.5 1723 interface Ethernet0/2/0 1723
ip nat inside source list outbound_nat interface Ethernet0/2/0 overload
!
ip access-list extended INSIDE-OUTSIDE
10 permit tcp 192.168.0.0 0.0.255.255 any eq www
20 permit icmp 192.168.0.0 0.0.255.255 any
--> ip access-list extended OUTSIDE-INSIDE
--> 10 permit icmp any 192.168.0.0 0.0.255.255
--> 20 permit gre any any
ip access-list extended Web_acl
10 permit ip any any
ip access-list extended outbound_nat
10 permit ip 192.168.0.0 0.0.0.255 any
!
ip access-list standard 1
10 permit 192.168.0.0 0.0.0.255
20 deny any
--> no ip access-list extended 104
10 permit gre any any
!
snmp-server community public RO
!
control-plane
!
line con 0
transport input none
stopbits 1
line vty 0 4
access-class 1 in
password xxxxxxxxxxx
logging synchronous
length 0
transport input ssh
line vty 5 16
access-class 1 in
transport input ssh
!
transport type console 0 input telnet-ui
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
!
end

Router#
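The checks the reply makes by eye can be automated. The script below is an added example, not code from the thread or from Cisco: it parses an indented running-config into top-level commands and their sub-commands, flags any interface that is both a zone member and carries an ip access-group (the ZBF conflict the reply points out), reports whether that applied ACL is actually defined (the "102 vs 104" question), and then checks the PPTP forwarding prerequisites: the static NAT for tcp/1723, an inbound permit for GRE, and an ACE that pins the source port to 1723 (which connections from clients' ephemeral ports never match). The host 192.168.0.5, interface Ethernet0/2/0 and ACL name OUTSIDE-INSIDE come from the thread; the sample config is a constructed, trimmed version of the one posted, the function names are this example's own, and the parser assumes IOS indentation is intact (a forum paste that lost its leading spaces would need the blocks re-indented first).

```python
"""Static checks for NAT port-forwarding under a Cisco IOS zone-based firewall.

Added example (not from the thread). Encodes the reply's findings as checks
that run over a running-config text and return what they find.
"""
import re

# Constructed sample: a trimmed config carrying the same mistakes as the thread's.
SAMPLE_CONFIG = """\
interface Ethernet0/2/0
 ip address dhcp
 ip nat outside
 ip access-group 102 in
 zone-member security OUTSIDE
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
!
ip nat inside source static tcp 192.168.0.5 1723 interface Ethernet0/2/0 1723
!
ip access-list extended OUTSIDE-INSIDE
 10 permit icmp any 192.168.0.0 0.0.255.255
 20 permit gre any any
 30 permit tcp any eq 1723 any eq 1723
ip access-list extended 104
 10 permit gre any any
!
"""

# The same sample with the reply's two fixes applied (interface ACL removed,
# source-port-pinned ACE removed); used to show the checks go quiet.
FIXED_CONFIG = (SAMPLE_CONFIG
                .replace(" ip access-group 102 in\n", "")
                .replace(" 30 permit tcp any eq 1723 any eq 1723\n", ""))


def parse_blocks(config):
    """Return {top-level command: [sub-commands]}. Sub-commands are the indented
    lines that follow a top-level line; '!' or a blank line closes the block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            current = None
            continue
        if raw[0] in " \t":
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def defined_acls(blocks):
    """Names of ACLs that exist and have at least one entry (named or numbered)."""
    names = set()
    for top, children in blocks.items():
        m = re.match(r"ip access-list (?:standard|extended) (\S+)$", top)
        if m and children:
            names.add(m.group(1))
        m = re.match(r"access-list (\S+) ", top)  # classic one-line numbered form
        if m:
            names.add(m.group(1))
    return names


def check_zbf_interface_acls(blocks):
    """Flag interfaces that are zone members AND carry an interface ACL.
    Returns (interface, acl, direction, status) tuples; status says whether the
    referenced ACL is defined, so a typo'd or empty ACL shows up too."""
    findings, acls = [], defined_acls(blocks)
    for top, children in blocks.items():
        if not top.startswith("interface "):
            continue
        zoned = any(c.startswith("zone-member security") for c in children)
        for c in children:
            m = re.match(r"ip access-group (\S+) (in|out)$", c)
            if m and zoned:
                name, direction = m.groups()
                status = "defined" if name in acls else "missing or empty"
                findings.append((top.split()[1], name, direction, status))
    return findings


def check_pptp_forward(blocks, inside_host, outside_if, inbound_acl):
    """Prerequisites for forwarding PPTP (tcp/1723 control + GRE data) inbound."""
    issues = []
    nat = f"ip nat inside source static tcp {inside_host} 1723 interface {outside_if} 1723"
    if nat not in blocks:
        issues.append(f"no static NAT for tcp/1723 to {inside_host} on {outside_if}")
    aces = blocks.get(f"ip access-list extended {inbound_acl}", [])
    if not any(re.search(r"\bpermit gre\b", a) for a in aces):
        issues.append(f"{inbound_acl} does not permit gre (PPTP data channel)")
    for a in aces:
        # 'permit tcp any eq 1723 any eq 1723' also pins the SOURCE port; clients
        # connect from ephemeral ports, so such an entry never matches them.
        # (Heuristic: handles single-token sources such as 'any' or 'host X'.)
        if re.search(r"permit tcp \S+ eq \d+ \S+ eq 1723", a):
            issues.append(f"{inbound_acl} entry '{a}' also requires source port 1723")
    return issues


def run_checks(config, inside_host="192.168.0.5", outside_if="Ethernet0/2/0",
               inbound_acl="OUTSIDE-INSIDE"):
    """Run both checks and return their findings as one dict."""
    blocks = parse_blocks(config)
    return {"zbf_acl_conflicts": check_zbf_interface_acls(blocks),
            "pptp_issues": check_pptp_forward(blocks, inside_host, outside_if, inbound_acl)}


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("after the reply's fixes", FIXED_CONFIG)):
        print(f"== {label} ==")
        for key, val in run_checks(cfg).items():
            print(f"  {key}: {val or 'none'}")
```

Run as-is it reports, for the posted config, the ACL 102 applied on the zoned outside interface (and that 102 is missing or empty) plus the source-port-pinned ACE; on the corrected config both lists are empty. The checks deliberately return data rather than printing, so they can be dropped into a pre-change review of any exported running-config.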