
UC540 Networking

grahamhand
Level 1

Hi members, does the UC540 by default block outbound ports like a VPN tunnel?

If so, what rule do you need to add in the access rule list to allow outbound VPN tunnels like PPTP or the standard Windows one?


13 Replies

David Trad
VIP Alumni

Hi Graham,

It kind of does, in a way: the last part of the ACL will say "deny any any", so if the VPN information is not before this in the respective ACL group, then it will get denied.

However, if you are using CCA to create the VPN tunnel, then it will propagate all the information required throughout the whole system, not just the ACLs.

Are you using CCA?

Cheers,

David.

Cheers, David Trad. **When you rate a person's post, you are indicating a thank you or that it helped, but at the same time you are also helping to maintain the community spirit - You don't have to rate posts and you won't be looked down upon :) *

Hi David, yes I am using CCA. The VPN isn't getting tunneled by the UC540; the customer is connecting a laptop to the network and trying to use Windows 7 to make the tunnel.

Hi Graham,

Is the UC acting as the router? If not, what is your WAN router, and is this doing the firewall?

I will need some more info and, if possible, a little bit of an idea as to the construct of the network.

Cheers,

David.


Hi David, yes, the UC is the router.

The WAN modem is in bridge mode, so there is a PPPoE connection to the ISP.

The firewall is off on the UC.

I can see that Dialup 3 seems to be how it is connecting to the internet, and I can also see you can add some rules.

I have made a new TCP allow rule for 1723 and UDP 500 for any network, but it still seems to block it.

May have to look at the logs in order to see why.

Hi Graham,

I might be slow on the uptake on this, so you will have to forgive me here, but if the UC is not doing the firewalling, what is?

If the firewall is turned off or all ACLs are removed, then the UC will not prevent or stop someone from within the network creating a PPTP or IPsec tunnel to the outside world; the UC will just pass everything through as it has no instructions to block anything... Are you sure the firewall is turned off?

You can port forward, but I don't think this is what you need... Actually, I would have to say that whatever modem is sitting in front of the UC in bridge mode does not allow for VPN passthrough; even if it is in bridge mode it would still need to support VPN passthrough, otherwise the connection will not get through either ingress or egress.

Can you explain the network topology a little more, how things are set up and in what fashion, i.e. device roles? I need to understand better what the network comprises; right now I am not drawing a clear mental picture.

Cheers,

David.


Hi, I'm just about to start investigating the same issue.

Customer previously had a 'normal' DSL router/modem (Netgear).

They have Windows 7 desktop computers that create a VPN to another site (head office) via the Windows built-in VPN connection/client.

Since installing a UC540 with a modem in bridge mode, I too have had reports that the VPN connections that used to work have stopped. I tried a similar setup in the lab and yes, it appears to be stopping (GRE/PPTP?) passthrough for internal network clients that are trying to connect to external VPN servers/sites.

The modem is in true bridge mode and the UC assumes the public IP etc. (the UC is creating the PPPoE connection).

I have the firewall enabled in pretty much default settings (other than a NAT rule that does work).

And yes, the clients are connecting to an external VPN server; I'm not trying to configure the UC to be a VPN server itself.

Any Ideas where to look?

Hi Guys,

I'm not sure, so I'm checking now, but there might be a command line you can use to get PPTP passthrough enabled on the UC/IOS.

I will have to dig up some really old backed-up configs from former clients; this would take me some time as I have hundreds to look at :-\

Cheers,

David Trad

On May 30, 2012 8:11 PM, "focusonit" wrote:


Hi David, the modem is definitely in bridge mode and I can confirm the config is allowing passthrough.

If I disconnect the UC, make a PPPoE connection from a laptop and set the PCs to go via my laptop, they can get a VPN tunnel. So the UC is the one stopping it.

The firewall is off, unsure why.

The clients are running Windows Firewall, so I am a little reluctant to turn it on whilst I am not onsite in case I lose connectivity.

I have found where to set the ACL rule and will experiment now to see if I can get the tunnel to work.

Will post results.

Thanks for the replies. Graham

If I understand correctly, you are trying to initiate a VPN tunnel (PPTP) from inside the network to an external PPTP server?

My guess is GRE packets are being blocked ingress at the UC500's external interface.

Check the external WAN ACL and permit GRE traffic.

permit gre any any

Make sure the permit gre statement is above the deny ip any any.

Hi Ryan,

You hit the nail on the head.

Check the external WAN ACL and permit GRE traffic.

permit gre any any

So the deny any any statement at the end may need to be removed, unless it now follows a sequential setup; in this case choose the next line number, i.e. "60 permit gre any any", so that it will reside above the deny all statement.

However, I am confused now: in previous posts the statement was that the firewall is turned off, yet there are ACLs in place. When you use CCA to turn the firewall off, it removes every ACL with the exception of a couple of critical ones that may be residual to protect the system from outside attacks. So I wonder if the firewall is actually off?

Cheers,

David.

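Ryan's fix and David's note about sequence numbers both come down to IOS first-match ACL evaluation: a "permit gre any any" only helps PPTP if it is ordered above the "deny ip any any". The script below is an added example (not from this thread or from Cisco) that models that ordering on constructed, hypothetical WAN ACLs; it only handles "any any" entries and ignores addresses.

```python
from dataclasses import dataclass

# IP protocol keywords as IOS extended ACLs spell them; GRE is IP protocol 47.
# Only 'any any' source/destination entries are modelled, as in the thread.
PROTO = {"ip": None, "gre": 47, "tcp": 6, "udp": 17}

# Constructed WAN ACLs (hypothetical, not the poster's config). The first
# opens the PPTP control channel only; the second adds GRE at sequence 60,
# typed last but sorted above the 'deny ip any any' at sequence 100.
WAN_ACL_BEFORE = """
10 permit tcp any any eq 1723
20 permit udp any any eq 500
100 deny ip any any
"""
WAN_ACL_AFTER = WAN_ACL_BEFORE + "60 permit gre any any\n"


@dataclass
class Packet:
    proto: int      # IP protocol number
    dport: int = 0  # destination port; meaningful only for tcp/udp


def parse_acl(text):
    """Parse entries like '60 permit gre any any' or 'permit tcp any any eq 1723'.
    Missing sequence numbers are auto-assigned in steps of 10; the result is
    sorted by sequence number, which is how IOS orders named ACL entries."""
    rules, last = [], 0
    for line in text.strip().splitlines():
        tok = line.split()
        seq = int(tok.pop(0)) if tok[0].isdigit() else last + 10
        last = seq
        port = int(tok[tok.index("eq") + 1]) if "eq" in tok else None
        rules.append((seq, tok[0], PROTO[tok[1]], port))
    return sorted(rules, key=lambda r: r[0])


def first_match(rules, pkt):
    """IOS semantics: the first matching entry decides; no match is an implicit deny."""
    for _seq, action, proto, port in rules:
        if proto is not None and proto != pkt.proto:
            continue
        if port is not None and port != pkt.dport:
            continue
        return action == "permit"
    return False


def pptp_passes(acl_text):
    """PPTP needs both the TCP/1723 control channel and GRE data packets."""
    rules = parse_acl(acl_text)
    return {"tcp/1723": first_match(rules, Packet(6, 1723)),
            "gre": first_match(rules, Packet(47))}
```

Running `pptp_passes` on the two ACLs shows TCP/1723 permitted in both, but GRE denied until the sequence-60 entry is present, which is exactly the symptom in this thread.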

Hi Gents,

All good, I set phasers to stun, and voilà.

The firewall was at medium, but that GRE rule wasn't there.

For the record, I had to click on Fast Ethernet, click Add, make Command GRE, Inside Destination Any, Outside Destination "customer's IP of server".

Thanks for the Tips Gents.

Love a good ending... So I guess I've been stunned.

Cheers,

David Trad

On May 31, 2012 4:42 PM, "grahamhand" wrote:


Glad to hear the issue has been resolved.

Ryan Kramer
