PPTP VPN through 2811 IOS Router

mikeb
Level 1

I have a user who cannot connect to a PPTP VPN through an IOS router which is acting as a firewall. I have read with much confusion the postings about this issue but cannot make sense of what is at issue. I thought making a static assignment would cure the problem but that didn't work. Please take a look at my config and let me know if you see something I am missing or need to do differently. Thanks in advance.

Mike

Current configuration : 13475 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CDH-ROO-2811
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 4096
!
no aaa new-model
clock timezone est -5
clock summer-time EDT recurring
!
dot11 syslog
ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.18.10.1 172.18.10.99
ip dhcp excluded-address 172.18.20.1 172.18.20.99
ip dhcp excluded-address 172.18.0.1 172.18.0.99
!
ip dhcp pool DATA
   network 172.18.10.0 255.255.255.0
   default-router 172.18.10.1
   option 150 ip 172.17.20.52
   domain-name
   option 43 ip 172.17.0.15
   dns-server 8.8.8.8 8.8.4.4
   lease 0 2
!
ip dhcp pool VOICE
   network 172.18.20.0 255.255.255.0
   default-router 172.18.20.1
   option 150 ip 172.17.20.52
   option 43 ip 172.17.0.15
   dns-server 8.8.8.8 8.8.4.4
   lease 0 2
!
ip dhcp pool Native
   network 172.18.0.0 255.255.255.0
   default-router 172.18.0.1
   domain-name
   option 43 ip 172.17.0.15
   dns-server 8.8.8.8 8.8.4.4
   lease 0 2
!
ip dhcp pool STATIC_DATA
   host 172.18.10.250 255.255.255.0
   client-identifier 0164.8099.33ec.24
   default-router 172.18.10.1
   option 150 ip 172.17.20.52
   domain-name
   option 43 ip 172.17.0.15
   dns-server 8.8.8.8 8.8.4.4
   lease 0 2
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
archive
log config
  hidekeys
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key
!
!
crypto ipsec transform-set CDHSET esp-des esp-md5-hmac
!
crypto map GRO-ROO 1 ipsec-isakmp
set peer
set transform-set CDHSET
match address 115
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address xxx.xxx.17.218 255.255.255.248
ip access-group BlockDSL in
ip nat outside
ip virtual-reassembly
duplex full
speed 100
crypto map GRO-ROO
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/2/0
ip unnumbered Vlan1
ip flow ingress
shutdown
!
!
interface Vlan1
ip address 192.168.1.75 255.255.255.0 secondary
ip address 172.18.0.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
!
interface Vlan6
no ip address
!
interface Vlan7
no ip address
!
interface Vlan42
no ip address
!
interface Vlan47
no ip address
!
interface Vlan810
ip address 172.18.10.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
!
interface Vlan820
ip address 172.18.20.1 255.255.255.0
ip helper-address 172.17.10.100
ip flow ingress
h323-gateway voip bind srcaddr 172.18.20.1
!
interface Vlan899
ip address 192.168.0.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
!
interface Dialer1
no ip address
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0
ip http server
ip http access-class 2
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map nonat interface FastEthernet0/0 overload
ip nat inside source static 172.18.10.250 XXX.XXX.17.219
!
ip access-list extended BlockDSL
permit udp any any
permit tcp any any established
permit icmp any any
permit tcp any any eq telnet
deny   ip any any log
!
access-list 1 permit 172.17.0.0 0.0.0.255
access-list 1 permit 172.17.10.0 0.0.0.255
access-list 1 permit 172.17.20.0 0.0.0.255
access-list 1 permit 192.168.75.0 0.0.0.255
access-list 1 permit 172.18.10.0 0.0.0.255
access-list 1 permit 172.18.0.0 0.0.0.255
access-list 110 deny   ip 172.18.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 110 permit ip 172.18.0.0 0.0.255.255 any
access-list 115 permit ip 172.18.0.0 0.0.255.255 172.17.0.0 0.0.255.255
!
!
!
!
route-map nonat permit 10
match ip address 110
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
login
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server 172.17.10.58
end

1 Reply

Giuseppe Larosa
Hall of Fame

Hello Mike,

PPTP uses a TCP control session on port 1723, but VPN user traffic is carried in a GRE tunnel.

You have an ACL applied inbound on the WAN interface:

ip access-list extended BlockDSL
permit udp any any
permit tcp any any established
permit icmp any any
permit tcp any any eq telnet
deny   ip any any log
!

This ACL does not permit incoming GRE packets. GRE is IP protocol 47.

You need a line like

permit gre any any

before the final deny.

This might not be enough; you may need to change the routing.

It is not clear what the configuration of the default route is.

Also, you may have omitted the configuration of CBAC, if present.

Hope to help

Giuseppe
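As an added illustration (not code from the thread), the following Python models the BlockDSL ACL above with the first-match semantics of an IOS extended ACL and checks the two halves of a PPTP session started by a LAN user: the server's replies on the TCP 1723 control session, which `established` lets through, and the inbound GRE data, which nothing permits until `permit gre any any` is inserted before the final deny. The `Packet` model and the sample packets are constructed for this example.

```python
from dataclasses import dataclass

PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47}

@dataclass
class Packet:
    proto: int         # IP protocol number
    dst_port: int = 0  # only meaningful for tcp/udp
    ack: bool = False  # TCP ACK/RST set, i.e. what "established" matches

def parse_acl(text):
    """Parse the subset of IOS extended-ACL syntax used in the thread."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        port = None
        if "eq" in tok:  # only "eq telnet" / "eq <number>" are needed here
            name = tok[tok.index("eq") + 1]
            port = 23 if name == "telnet" else int(name)
        rules.append({"action": tok[0], "proto": tok[1],
                      "established": "established" in tok, "port": port})
    return rules

def matches(rule, pkt):
    if rule["proto"] != "ip" and PROTO_NUM[rule["proto"]] != pkt.proto:
        return False
    if rule["established"] and not pkt.ack:
        return False  # GRE has no TCP flags, so it can never match this line
    return rule["port"] is None or rule["port"] == pkt.dst_port

def evaluate(rules, pkt):
    """First matching line wins; an IOS ACL ends with an implicit deny."""
    return next((r["action"] for r in rules if matches(r, pkt)), "deny")

# BlockDSL as posted, and the corrected version with GRE permitted before the final deny.
BLOCKDSL = """permit udp any any
permit tcp any any established
permit icmp any any
permit tcp any any eq telnet
deny   ip any any log"""
BLOCKDSL_FIXED = BLOCKDSL.replace("deny   ip", "permit gre any any\ndeny   ip")

# Constructed inbound packets of a PPTP session started by a LAN user:
PPTP_CONTROL_REPLY = Packet(proto=6, dst_port=50000, ack=True)  # replies from TCP 1723
PPTP_GRE_DATA = Packet(proto=47)                                 # tunnelled user traffic

def pptp_verdicts(acl_text):
    rules = parse_acl(acl_text)
    return {"control": evaluate(rules, PPTP_CONTROL_REPLY),
            "gre": evaluate(rules, PPTP_GRE_DATA)}
```

Because the final deny carries `log`, the router's buffered log should show denied packets of IP protocol 47 from the VPN server while the TCP 1723 control session stays up; checking that is the quickest way to confirm this diagnosis on the live router.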