Hi, I'm pretty new to Cisco setup, and I've managed to get a Cisco 1117 set up with a PPPoE internet connection. I'm trying to port forward 1723 to a Windows server (192.168.0.5) for PPTP VPN connections from home-based clients. I've used the below line:
This seems to work flawlessly for a lot of people, but appears to do nothing for me. I'm thinking it might have to do with the ACL that I've set up, as per below:
ip access-list extended OUTSIDE-INSIDE
 10 permit icmp any 192.168.0.0 0.0.255.255
 20 permit gre any any
 30 permit tcp any eq 1723 any eq 1723
Which for the purposes of initial config I've made as permissive as I feel reasonable. But it's not working. I've attached a sanitised running-config; if anyone could give me a hand, that would be fantastic!
Looking at your config, it looks like you have access list 102 applied to the outside interface, which is either a typo (and you meant access list 104) or an empty access list? Either way, the ZBF and an access list applied to zoned interfaces do not work together, so remove that access list.
You also might want to inspect the PPTP control traffic (inspect) and just let the GRE pass.
That said, do you actually get an IP address on your outside interface? Typically you would have to allow UDP 67 outbound from the self zone, and UDP 68 inbound to the self zone, in order for DHCP to work...
Make the changes marked with --> in your configuration:
Router#show running-config
Building configuration...

Current configuration : 10479 bytes
!
! Last configuration change at 10:59:29 UTC Sun Sep 12 2021 by admintemp
!
version 17.4
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 9 xxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
aaa session-id common
!
transport-map type console telnet-ui
 banner wait ^C
x
^C
 banner diagnostic ^C
^C
!
clock timezone UTC 10 0
!
ip name-server 18.104.22.168 22.214.171.124
ip dhcp excluded-address 192.168.0.1 192.168.0.10
!
ip dhcp pool dpool1
 import all
 network 192.168.0.0 255.255.255.0
 dns-server 192.168.0.1 192.168.0.10
 default-router 192.168.0.1
!
login on-success log
!
subscriber templating
!
multilink bundle-name authenticated
!
flow record defaultApplicationTraffic
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect transport tcp flags
 collect counter packets long
 collect counter bytes long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
flow exporter export_Vlan1_2023215077
 destination 192.168.0.5
 source Vlan1
 transport udp 2055
!
flow monitor dat_Vlan1_2023215077
 exporter export_Vlan1_2023215077
 record defaultApplicationTraffic
!
sampler deterministic_1_32
 mode deterministic 1 out-of 32
!
crypto pki trustpoint TP-self-signed-887792347
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-887792347
 revocation-check none
 rsakeypair TP-self-signed-887792347
!
crypto pki trustpoint SLA-TrustPoint
 enrollment terminal
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-887792347
 certificate self-signed 01
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  quit
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  quit
!
crypto pki certificate pool
 cabundle nvram:ios_core.p7b
!
no license feature hseck9
license udi pid C1117-4PWZ sn FGL2523LAWW
license boot level securityk9
license smart url https://smartreceiver.cisco.com/licservice/license
license smart url smart https://smartreceiver.cisco.com/licservice/license
license smart transport smart
memory free low-watermark processor 70888
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
et-analytics
!
username admin privilege 15 password 0 xxxxxxxxxxxxxxxxxxxxx
username admintemp privilege 15 secret 9 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
username ciscot password 0 xxxxxxxxxxxxxxx
!
redundancy
 mode none
!
controller VDSL 0/2/0
 operating mode vdsl2
!
vlan internal allocation policy ascending
!
class-map match-all exit
--> class-map type inspect match-any PPTP-IN-CLASS
-->  match protocol pptp
class-map type inspect match-any INSIDE-OUTSIDE-CLASS
 description Allowed_Protocol_From_INSIDE_to_OUTSIDE
 match access-group name INSIDE-OUTSIDE
 match protocol https
 match protocol dns
 match protocol udp
 match protocol tcp
 match protocol pop3
 match protocol smtp
 match protocol icmp
class-map type inspect match-all OUTSIDE-INSIDE-CLASS
 match access-group name OUTSIDE-INSIDE
class-map type inspect match-any Web_app
 match protocol tcp
 match protocol udp
 match protocol ftp
 match protocol icmp
class-map type inspect match-all Web
 match class-map Web_app
 match access-group name Web_acl
!
policy-map type inspect INSIDE-OUTSIDE-POLICY
 class type inspect Web
  inspect
 class type inspect INSIDE-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect OUTSIDE-INSIDE-POLICY
--> class type inspect PPTP-IN-CLASS
-->  inspect
 class type inspect OUTSIDE-INSIDE-CLASS
  pass
 class class-default
  drop log
!
zone security INSIDE
 description Zone for inside interfaces
zone security OUTSIDE
 description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-INSIDE-POLICY
!
interface GigabitEthernet0/0/0
 no ip address
 negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface Wlan-GigabitEthernet0/1/4
!
interface ATM0/2/0
 no ip address
 shutdown
 atm oversubscribe factor 2
 no atm ilmi-keepalive
!
interface Ethernet0/2/0
 ip flow monitor dat_Vlan1_2023215077 sampler deterministic_1_32 input
 ip flow monitor dat_Vlan1_2023215077 sampler deterministic_1_32 output
 ip address dhcp
 ip nat outside
--> no ip access-group 102 in
 zone-member security OUTSIDE
 no negotiation auto
 ip virtual-reassembly
!
interface Vlan1
 ip flow monitor dat_Vlan1_2023215077 sampler deterministic_1_32 input
 ip flow monitor dat_Vlan1_2023215077 sampler deterministic_1_32 output
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
 ip tcp adjust-mss 1460
 ip virtual-reassembly
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http secure-port 1025
ip forward-protocol nd
ip dns server
ip nat inside source static tcp 192.168.0.5 443 interface Ethernet0/2/0 443
ip nat inside source static tcp 192.168.0.5 1723 interface Ethernet0/2/0 1723
ip nat inside source list outbound_nat interface Ethernet0/2/0 overload
!
ip access-list extended INSIDE-OUTSIDE
 10 permit tcp 192.168.0.0 0.0.255.255 any eq www
 20 permit icmp 192.168.0.0 0.0.255.255 any
--> ip access-list extended OUTSIDE-INSIDE
-->  10 permit icmp any 192.168.0.0 0.0.255.255
-->  20 permit gre any any
ip access-list extended Web_acl
 10 permit ip any any
ip access-list extended outbound_nat
 10 permit ip 192.168.0.0 0.0.0.255 any
!
ip access-list standard 1
 10 permit 192.168.0.0 0.0.0.255
 20 deny   any
--> no ip access-list extended 104
 10 permit gre any any
!
snmp-server community public RO
!
control-plane
!
line con 0
 transport input none
 stopbits 1
line vty 0 4
 access-class 1 in
 password xxxxxxxxxxx
 logging synchronous
 length 0
 transport input ssh
line vty 5 16
 access-class 1 in
 transport input ssh
!
transport type console 0 input telnet-ui
!
call-home
 ! If contact email address in call-home is configured as firstname.lastname@example.org
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr email@example.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
!
end
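The self-zone DHCP allowance the reply mentions (UDP 67 outbound from self, UDP 68 inbound to self), written out as an added example that is not part of the original reply or config. The ACL, class-map, policy-map and zone-pair names are assumed; the OUTSIDE zone and the DHCP client on Ethernet0/2/0 are the ones in the posted config.

```cisco
! Added example: let the router's own DHCP client on Ethernet0/2/0 ("ip address dhcp")
! pass through ZBF once a zone-pair involving the self zone exists.
! ACL/class/policy/zone-pair names below are assumed, not from the original config.
!
! Client -> server: source port 68 (bootpc), destination port 67 (bootps)
ip access-list extended DHCP-CLIENT-OUT
 10 permit udp any eq 68 any eq 67
! Server -> client: source port 67 (bootps), destination port 68 (bootpc);
! "any" as destination also covers the broadcast OFFER/ACK before an address is bound
ip access-list extended DHCP-CLIENT-IN
 10 permit udp any eq 67 any eq 68
!
class-map type inspect match-all SELF-DHCP-OUT-CLASS
 match access-group name DHCP-CLIENT-OUT
class-map type inspect match-all SELF-DHCP-IN-CLASS
 match access-group name DHCP-CLIENT-IN
!
! "pass" is stateless (no return-traffic state is created), so each direction
! needs its own policy and its own zone-pair.
policy-map type inspect SELF-OUTSIDE-POLICY
 class type inspect SELF-DHCP-OUT-CLASS
  pass
 class class-default
  drop log
policy-map type inspect OUTSIDE-SELF-POLICY
 class type inspect SELF-DHCP-IN-CLASS
  pass
 class class-default
  drop log
!
zone-pair security SELF-OUTSIDE source self destination OUTSIDE
 service-policy type inspect SELF-OUTSIDE-POLICY
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-SELF-POLICY
```

Until a zone-pair with self as source or destination is configured, IOS passes all traffic to and from the router itself, so this is only required once such a pair is added. From that point every other protocol the router sources over Ethernet0/2/0 (its own DNS queries to the configured name-servers, ICMP, the call-home HTTP session) must also be matched and passed, or class-default drops it and logs the drop.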