10-10-2011 03:34 PM - edited 03-04-2019 01:53 PM
Hi,
I am having a bit of bother configuring my Cisco 887 for PPTP VPN.
As far as I can see the VPN configuration seems to be working ok. I can connect from within the network ok.
I believe that the issue is with the zone based firewall. I have tried to configure this to allow the VPN traffic to no avail. Any tips or sample configs that anyone could supply would be greatly appreciated. I am having trouble finding a definitive way to set this up online.
I can post any configs if required.
Thanks
Chris
10-11-2011 01:43 PM
Are you allowing ip protocol number 47?
Sent from Cisco Technical Support iPad App
10-11-2011 03:07 PM
Hi Kristian,
My problem is that I am not exactly sure how to allow the traffic through. I have a zone based firewall configured but I got a bit mixed up when I tried to add the VPN stuff. Some of the guides that I tried to follow had me setting up additional zones for the VPN. I tried but it didn't work. I have since removed the additional config. At the moment I am not allowing any additional traffic through.
Here's what I have so far...
multilink bundle-name authenticated
vpdn enable
!
vpdn-group PPTP-VPN
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
l2tp tunnel timeout no-session 15
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
10-15-2011 03:06 PM
I've found this guide which I'm trying to work through. I'm getting on ok but am getting a bit stuck with setting the policy maps and zone pair mappings.
http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080ab7073.shtml
I added the config that it suggests for the class maps and the policy maps. I then went and tried to put in the config for the zone-pairs. I noticed that this config uses different markings for the in and out zone than mine do. I decided to modify their config to match mine by changing the zone map commands from the ones in the document to the following.
zone-pair security out-self source out-zone destination self
service-policy type inspect Out-Self-Policy
zone-pair security pptp-in source pptp destination in-zone
service-policy type inspect PPTP-In-Policy
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect In-Out-Policy
I get an error thrown up saying that the pair already exists. Do I need to merge the config with my existing zone pairs by modifying my policy maps?
Sorry if I am sounding a bit daft but I haven't had much experience modifying the firewall.
Thanks
Chris
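An added configuration example (not from the thread or from the linked Cisco guide) showing one way to fit the PPTP rules into the existing zone pairs instead of creating new ones: the ACL, class-map and the Virtual-Template zone membership are assumed names, and the policy-map and zone-pair names are the ones already in the posted config.

```cisco
! --- Added example: permit PPTP control (TCP 1723) and GRE (IP protocol 47)
! --- from out-zone to the router itself by extending the existing ccp-permit
! --- policy, so no second out-zone -> self zone-pair is needed.
ip access-list extended PPTP-TO-SELF
 remark PPTP control channel and GRE data channel from Internet hosts
 permit tcp any any eq 1723
 permit gre any any
!
class-map type inspect match-all PPTP-TO-SELF-CLS
 match access-group name PPTP-TO-SELF
!
! ccp-permit is already bound to zone-pair ccp-zp-out-self; the new class is
! added ahead of class-default. GRE has no stateful inspection, so "pass" is used.
policy-map type inspect ccp-permit
 class type inspect PPTP-TO-SELF-CLS
  pass
 class class-default
  drop
!
! Router -> Internet replies are already covered: ccp-permit-icmpreply on
! zone-pair ccp-zp-self-out ends with "class class-default / pass".
!
! Put the PPTP virtual-access interfaces in in-zone so connected clients are
! treated like LAN hosts (traffic within one zone is allowed by default).
! This replaces the separate "pptp" zone and the pptp-in zone-pair from the guide.
interface Virtual-Template1
 zone-member security in-zone
```

Per-class hit counters from `show policy-map type inspect zone-pair ccp-zp-out-self` confirm whether the PPTP-TO-SELF-CLS class is matching while a client connects from outside.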