01-22-2010 02:21 AM - edited 03-06-2019 09:24 AM
Hello,
How can I configure the firewall of the Cisco 881W router so all LAN to WAN traffic is allowed?
Preferably how to do it by use of the CP professional tool.
So far I have configured the firewall with the CPP wizard and edited the Firewall Policy manually to allow TCP, UDP and ICMP in the in-zone to out-zone section.
However all basic traffic like HTTP, HTTPS, Live Messenger ... passes through the router but a MS-VPN client installed on PCs on the LAN is unable to connect to the remote VPN-server.
First a PPTP connection is made, but after that, the logon screen never appears and a timeout popup shows up. When I remove all lines in the CPP Edit Firewall Policy (similar to disabling the firewall) the logon screen appears and a connection can be made.
What is used besides TCP, UDP and ICMP to transport MS-VPN-Client packets? Or did I forget something else?
Any help appreciated,
Maxim
01-22-2010 02:39 AM
Maxim
If it is a PPTP connection, in addition to TCP port 1723, which you have already allowed, you need to allow GRE through your firewall. Note that GRE is not TCP/UDP or ICMP. It is its own protocol number at the IP layer.
GRE is protocol number 47
Edit - GRE is not stateful in the same way as TCP, for example, so you not only need to allow GRE out but also back in.
Jon
01-22-2010 02:47 AM
Jon,
Is there a way to allow all protocol numbers from the in to the out zone and not just GRE (47) ...? (and how can this be done in CCP)
Maxim
01-22-2010 02:54 AM
Maxim
You could allow all protocols, but you would manually have to add each of them. Other than that, the only way to do it would be to turn off the firewall, I'm afraid.
I think apart from TCP/UDP/ICMP + GRE you probably wouldn't need anything else as most apps that you would want to run would use TCP or UDP so you should be fine.
Sorry, but I have never used CCP; I am a CLI person myself.
Jon
01-22-2010 03:06 AM
Hi Jon,
Could you give the CLI command(s) I need to enter to add GRE?
Regards,
Maxim
01-22-2010 03:42 AM
access-list 101 permit gre any any
The above assumes that your existing ACL is access-list 101.
Jon
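Jon's line is a classic interface ACL entry; the "in-zone to out-zone" policy that the CCP wizard builds is a zone-based firewall, where GRE has to be allowed with class and policy maps instead. Below is an added example (not from this thread or from Cisco) of the zone-based equivalent, assuming the wizard's zone names in-zone and out-zone; the ACL, class-map, policy-map and zone-pair names are made up here, and on a wizard-built router the two GRE/PPTP classes would be added to the existing in-to-out policy map rather than replacing it.

```cisco
! Added example (not from this thread): zone-based firewall rules so an
! MS-VPN (PPTP) client on the LAN can connect to a remote VPN server.
! Assumed: zones "in-zone"/"out-zone" from the CCP wizard; ACL-GRE,
! CM-PPTP, CM-GRE, PM-IN-OUT, PM-OUT-IN and the zone-pair names are
! invented for this example.
!
! GRE is IP protocol 47, neither TCP nor UDP, so it is matched by ACL.
ip access-list extended ACL-GRE
 permit gre any any
!
! The PPTP control channel (TCP/1723) can be inspected statefully.
class-map type inspect match-any CM-PPTP
 match protocol pptp
!
class-map type inspect match-any CM-GRE
 match access-group name ACL-GRE
!
! LAN -> WAN: inspect PPTP, pass GRE statelessly, drop everything else.
policy-map type inspect PM-IN-OUT
 class type inspect CM-PPTP
  inspect
 class type inspect CM-GRE
  pass
 class class-default
  drop log
!
! WAN -> LAN: "pass" creates no session state, so GRE coming back from
! the VPN server must be allowed explicitly as well. Restrict ACL-GRE to
! the VPN server's address once it is known instead of "any any".
policy-map type inspect PM-OUT-IN
 class type inspect CM-GRE
  pass
 class class-default
  drop log
!
zone-pair security ZP-IN-OUT source in-zone destination out-zone
 service-policy type inspect PM-IN-OUT
zone-pair security ZP-OUT-IN source out-zone destination in-zone
 service-policy type inspect PM-OUT-IN
```

After applying it, "show policy-map type inspect zone-pair" shows whether the GRE class is actually matching packets in each direction, which is the quickest way to tell a firewall drop from a problem elsewhere.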