
Cisco 877 VPN PPTP server problem.

PiotrKowalczyk

Hi,

I have some problems with the PPTP VPN server on my router and just wonder if somebody can help me.

Basically, after the configuration was applied I am able to connect to the device using the Microsoft VPN client; I also get an IP address from the PPTP pool (10.10.11.210-220) and can ping the gateway 10.10.11.1. Unfortunately, however, I am not able to reach any machine on the 10.10.11.0/24 network.

Could you advise please?

Thank you.


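! Cisco 887 (IOS 15.0) branch router: zone-based firewall, four IPsec
! site-to-site tunnels on the Vlan100 uplink, and a PPTP dial-in server
! (vpdn-group 1 / Virtual-Template1).
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! Review: was "no service password-encryption". With it off every "password"
! line (as opposed to "secret") is stored in cleartext -- vpn_user below is one.
! Type 7 is reversible obfuscation, not encryption, but it keeps credentials
! out of shoulder-surfed "show run" output and config backups. Keep using
! "secret" for every account that does not need a reversible password.
service password-encryption
!
hostname XXX
!
boot-start-marker
boot-end-marker
!
! Only an in-memory buffer at "warnings"; nothing is exported, so the
! firewall's "drop log" hits and login events are lost on reload. Consider a
! syslog host on the inside (the NetFlow collector 10.10.11.45 is an obvious
! candidate) plus "login on-failure log" / "login on-success log".
logging buffered 51200 warnings
! Type 5 (salted MD5) enable secret; the hash appears to have been redacted.
enable secret 5 fhgfjhfjhgfjhfgjhfg
!
! Login, PPP/PPTP authentication and exec authorization all use the local
! user database only -- no RADIUS/TACACS+ and no accounting.
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
memory-size iomem 10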
!
! Self-signed certificate backing "ip http secure-server" (see below).
! "revocation-check none" is the only workable setting for a self-signed
! cert, but it means browsers will warn on every connection: distribute and
! pin the certificate out of band rather than training admins to click through.
crypto pki trustpoint TP-self-signed-3110729774
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3110729774
revocation-check none
rsakeypair TP-self-signed-3110729774
!
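! Review: was "ip source-route". IP source routing lets a sender dictate the
! forwarding path and sidestep route-based assumptions; nothing in this
! config depends on it, so it is disabled.
no ip source-route
!
!
! DHCP for both inside VLANs. The 10.10.11.x exclusions leave .100-.200 for
! leases and keep the PPTP address pool (10.10.11.210-220, defined later as
! PPTP-Pool) out of DHCP's hands.
ip dhcp excluded-address 192.168.18.1 192.168.18.69
ip dhcp excluded-address 192.168.18.201 192.168.18.254
ip dhcp excluded-address 10.10.11.1 10.10.11.99
ip dhcp excluded-address 10.10.11.201 10.10.11.254
!
! "import all" copies options learned by a DHCP-client interface; Vlan100 is
! statically addressed, so here it is an inert CCP default.
ip dhcp pool ccp-pool
   import all
   network 10.10.11.0 255.255.255.0
   default-router 10.10.11.1
   dns-server 8.8.8.8 8.8.4.4
   lease 30
!
ip dhcp pool ccp-pool1
   network 192.168.18.0 255.255.255.0
   dns-server 8.8.8.8 8.8.4.4
   default-router 192.168.18.1
   lease 30
!
!
ip cef
! Active NetFlow entries are expired (and exported to 10.10.11.45) every minute.
ip flow-cache timeout active 1
! Public resolvers for the router and, via DHCP, the clients. Plain DNS over
! the WAN is acceptable for a branch, but it is unauthenticated.
ip domain name ams.local
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef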
!
!
! PPTP server: TCP 1723 and GRE are accepted from any Internet source (see
! the PPTP-TCP-1723 / PPTP-PASS-THROUGH ACLs and the out->self policy) and
! terminate on Virtual-Template1. PPTP's security rests on MS-CHAPv2 and
! MPPE, both breakable offline from a single captured handshake, so treat
! this as a legacy service and plan a move to IPsec/IKEv2 or L2TP/IPsec.
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
  protocol pptp
  virtual-template 1
! Only affects L2TP tunnels; this group is PPTP-only, so it should be inert
! (a CCP leftover).
l2tp tunnel timeout no-session 15
!
! The UDI line carries the chassis serial number: redact it before posting a
! config publicly (it is tied to support contracts, RMA and licensing).
license udi pid CISCO887-K9 sn FCZ152990H2
!
!
! "first" is the admin account (priv 15, MD5 "secret"). vpn_user is stored
! as a cleartext type-0 "password": MS-CHAP/MS-CHAPv2 need a reversible
! password on the router, so "secret" cannot be used for this account --
! turn on "service password-encryption" (type 7) to at least obscure it,
! give it a long unique value, and prefer an external RADIUS/NPS server so
! the credential never sits in the config at all. Both password fields
! here look sanitised (the literal word "password").
username first privilege 15 secret 5 password
username vpn_user password 0 password
!
!
!
! Class maps generated by CCP/SDM. Names are kept as-is because the
! policy-maps below reference them.
!
! Management-plane classifiers: each ACL is "any any" on a single port, so
! the source restriction has to come from elsewhere -- and sdm-access below
! combines them with ACL 101 (permit ip any any), i.e. no restriction at all.
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
! rsh (cmd/514). No "ip rcmd rsh-enable" in this config, so the service is
! off; the class can simply be removed.
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
! Inbound traffic from the four remote VPN LANs to 10.10.11.0/24 (ACL 111).
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
match access-group 111
! GRE from/to anywhere -- the PPTP data channel.
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
! Same GRE-any-any match as SDM_GRE, used with "pass" in every policy.
class-map type inspect match-any PPTP-Pass-Through-Traffic
description Allows PPTP-Pass-Through-Traffic
match access-group name PPTP-PASS-THROUGH
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
! IKE (UDP 500), NAT-T (UDP 4500), AH and ESP ...
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
! ... but only from the peer addresses listed in ACL 103 (match-all).
class-map type inspect match-all SDM_VPN_PT
match access-group 103
match class-map SDM_VPN_TRAFFIC
! Outbound inspection list. The trailing "match protocol tcp/udp" means every
! TCP/UDP flow is inspected anyway; the named entries mainly add application
! awareness (e.g. ftp data channels).
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
! Generic IP traffic (used by the intra-zone policy).
class-map type inspect match-any IP
match protocol udp
match protocol tcp
match protocol icmp
! PPTP control channel, TCP 1723 from any source.
class-map type inspect match-any PPTP-TCP-1723-Traffic
description PPTP-TCP-1723-Traffic
match access-group name PPTP-TCP-1723
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
! Management access to the router: HTTPS/SSH/rsh AND ACL 101 (permit ip any
! any) -> effectively "from anywhere". Narrow ACL 101 to trusted sources.
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 101
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
! Anti-spoofing: sources in ACL 100 (broadcast, loopback, own WAN subnet).
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
! Intra-zone: tcp/udp/icmp from 10.10.11.0/24 to 192.168.18.0/24 only.
class-map type inspect match-all ccp-cls-ccp-protectAMS-1
match class-map IP
match access-group name Allow_AMS_to_public
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
! Policy actions: inspect = stateful (return traffic allowed), pass = one
! direction only with no state, drop. First matching class wins.
!
! self -> out: router-originated traffic. class-default passes everything,
! so the explicit classes only add state for ICMP/TCP/UDP and PPTP.
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class type inspect PPTP-TCP-1723-Traffic
  inspect
class type inspect PPTP-Pass-Through-Traffic
  pass
class class-default
  pass
! in -> out: spoofed sources (ACL 100) dropped and logged first, then
! application inspection. Because ccp-cls-insp-traffic ends in "match
! protocol tcp/udp", effectively all TCP/UDP/ICMP from inside may go out;
! anything else (other IP protocols) is dropped.
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
class type inspect PPTP-Pass-Through-Traffic
  pass
class class-default
  drop
! out -> self: what the Internet may send to the router itself.
!  - SDM_VPN_PT: IKE/ESP/AH, only from the peers in ACL 103 (stateless pass).
!  - sdm-access: HTTPS/SSH/rsh from ANY source, since ACL 101 is "permit ip
!    any any" -- the admin UI and SSH are reachable from the Internet at the
!    firewall level. Narrow ACL 101 to trusted sources and drop SDM_SHELL.
!  - PPTP control (1723) inspected, GRE passed.
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
  pass
class type inspect sdm-access
  inspect
class type inspect PPTP-TCP-1723-Traffic
  inspect
class type inspect PPTP-Pass-Through-Traffic
  pass
class class-default
  drop
! in -> in (intra-zone): only tcp/udp/icmp from 10.10.11.0/24 to
! 192.168.18.0/24, stateful; every other flow between in-zone interfaces is
! dropped -- including a PPTP client (10.10.11.210-220) talking to
! 10.10.11.x hosts, should Virtual-Template1 be placed in in-zone.
policy-map type inspect ccp-protectAMS
class type inspect ccp-cls-ccp-protectAMS-1
  inspect
class class-default
  drop
! out -> in: GRE passed (a "PPTP pass-through" for an inside host, which
! would also need a static NAT entry -- none is configured, so this appears
! unused), traffic from the remote VPN LANs (ACL 111) inspected, everything
! else dropped and logged.
policy-map type inspect ccp-pol-outToIn
class type inspect CCP_PPTP
  pass
class type inspect sdm-cls-VPNOutsideToInside-4
  inspect
class type inspect PPTP-Pass-Through-Traffic
  pass
class class-default
  drop log
!
! Zone model: in-zone = Vlan1 + Vlan200, out-zone = Vlan100, plus the
! implicit self zone. Membership is assigned on the interfaces below.
!
! NOTE(review): the PPTP Virtual-Template1 -- and therefore every
! Virtual-Access interface cloned from it -- is in NO zone. The zone-based
! firewall drops traffic between a zone member and a non-member interface
! but still allows traffic addressed to the router itself, which is
! consistent with the reported symptom (PPTP client can ping 10.10.11.1 but
! nothing else on 10.10.11.0/24). The template needs a zone, and that zone
! needs a policy towards in-zone.
zone security in-zone
zone security out-zone
! out -> self: IKE/IPsec from the listed peers, PPTP, and (via sdm-access +
! ACL 101) HTTPS/SSH/rsh from ANY source -- management is Internet-exposed.
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
! in -> out: inspected outbound, spoofed sources dropped and logged.
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
! out -> in: only the remote VPN LANs (ACL 111) and GRE; rest dropped+logged.
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
! self -> out: router-originated traffic passes unrestricted.
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
! in -> in (intra-zone): only 10.10.11.0/24 -> 192.168.18.0/24 tcp/udp/icmp.
! If Virtual-Template1 is added to in-zone, a PPTP client address talking to
! 10.10.11.x hits class-default drop here: permit 10.10.11.210-220 ->
! 10.10.11.0/24 in Allow_AMS_to_public, or use a dedicated VPN zone with its
! own zone-pairs instead.
zone-pair security intrazone1 source in-zone destination in-zone
service-policy type inspect ccp-protectAMS
!
!
! IKEv1 policies: 3DES, DH group 2 (1024-bit MODP), pre-shared keys. Policy 1
! uses the platform default hash (SHA-1), policy 2 MD5. All four IPsec
! transform sets are ESP-3DES / HMAC-MD5 with no PFS. This is legacy-grade
! crypto; move each tunnel to AES and SHA-2 with DH group 14 (and "set pfs
! group14") as its remote peer allows -- a one-sided change drops that
! tunnel, so coordinate per peer.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
! All four PSKs appear as the same placeholder "key" (presumably sanitised);
! in the real config they must be distinct, long, random values per peer.
crypto isakmp key key address aaa.aaa.aaa.aaa
crypto isakmp key key address bbb.bbb.bbb.bbb
crypto isakmp key key address ccc.ccc.ccc.ccc
crypto isakmp key key address ddd.ddd.ddd.ddd
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
! One crypto-map entry per site-to-site peer; interesting traffic is
! 10.10.11.0/24 to each remote LAN (ACLs 102/106/108/110). The map is
! applied on Vlan100. Note ACL 103 (peers allowed through the firewall to
! the router) lists aaa, bbb and ddd but not ccc -- check tunnel 3.
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel toaaa.aaa.aaa.aaa
set peer aaa.aaa.aaa.aaa
set transform-set ESP-3DES-MD5
match address 102
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel tobbb.bbb.bbb.bbb
set peer bbb.bbb.bbb.bbb
set transform-set ESP-3DES-MD5
match address 106
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Tunnel toccc.ccc.ccc.ccc
set peer ccc.ccc.ccc.ccc
set transform-set ESP-3DES-MD5
match address 108
crypto map SDM_CMAP_1 4 ipsec-isakmp
description Tunnel toddd.ddd.ddd.ddd
set peer ddd.ddd.ddd.ddd
set transform-set ESP-3DES-MD5
match address 110
!
!
!
!
!
! ISDN BRI and the onboard ADSL ATM port are both shut down: the WAN is the
! Ethernet uplink on Vlan100 (an external modem, presumably), and no ISDN
! backup path is in use.
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
! Switch ports: FE0 = WAN uplink (VLAN 100), FE2/FE3 = VLAN 200 LAN, FE1
! stays in the default VLAN 1 (the 10.10.11.0/24 side). Shut down any port
! that is not meant to be in use.
interface FastEthernet0
switchport access vlan 100
!
interface FastEthernet1
!
interface FastEthernet2
switchport access vlan 200
!
interface FastEthernet3
switchport access vlan 200
!
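! PPTP dial-in side. Each client gets a Virtual-Access clone of this
! template with an address from PPTP-Pool (10.10.11.210-220, carved out of
! Vlan1's 10.10.11.0/24 and excluded from DHCP).
!
! NOTE(review): this template is not a member of any security zone. With
! the zone-based firewall active, traffic between an interface in no zone
! and an interface in in-zone (Vlan1/Vlan200) is dropped, while traffic to
! the router itself (self zone) is still allowed -- which matches "can ping
! 10.10.11.1, cannot reach any 10.10.11.x host". Either add "zone-member
! security in-zone" here (and then make the in-zone->in-zone policy
! ccp-protectAMS permit 10.10.11.210-220 -> 10.10.11.0/24; today it only
! permits 10.10.11.0/24 -> 192.168.18.0/24), or put it in its own zone with
! explicit zone-pairs. Since the pool lives in Vlan1's subnet,
! "ip unnumbered Vlan1" is the usual choice; borrowing the WAN address
! works but is worth revisiting at the same time.
interface Virtual-Template1
ip unnumbered Vlan100
peer default ip address pool PPTP-Pool
no keepalive
! Review: was "ppp encrypt mppe auto required" -- "auto" accepts 40/56-bit
! MPPE if the client offers it. Force 128-bit; still "required" so cleartext
! PPP is never negotiated.
ppp encrypt mppe 128 required
! Review: was "ppp authentication ms-chap ms-chap-v2" -- MS-CHAPv1 dropped.
! MS-CHAPv2 itself (and the MPPE key derived from it) is breakable offline
! from one captured handshake, so PPTP is obfuscation rather than a secure
! VPN; migrate to IPsec/IKEv2 or L2TP/IPsec when the clients allow.
ppp authentication ms-chap-v2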
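! Inside VLAN 1 (10.10.11.0/24, also the subnet the PPTP pool is carved
! from). The description tags are CCP markers. Proxy ARP is at its default
! (on), which is presumably what lets LAN hosts reach PPTP clients at
! 10.10.11.210-220 through the router's per-client host routes.
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
bandwidth 6144
ip address 10.10.11.1 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
! WAN side: static address, default route configured below, crypto map for
! the four site-to-site tunnels. Proxy ARP and ICMP redirects are still at
! defaults; "no ip proxy-arp" / "no ip redirects" are the usual hardening
! next steps on an outside interface -- verify they do not interfere with
! the "ip unnumbered Vlan100" PPTP template before applying.
interface Vlan100
description $FW_OUTSIDE$
bandwidth 6144
ip address eee.eee.eee.eee 255.255.255.0
ip nat outside
ip virtual-reassembly
zone-member security out-zone
crypto map SDM_CMAP_1
!
! Inside VLAN 200 (192.168.18.0/24). Review: "ip tcp adjust-mss 1452" added
! for consistency with Vlan1 -- both subnets PAT out through the same WAN
! path (ACL 105), so whatever MTU constraint justified the clamp on Vlan1
! applies here too.
interface Vlan200
description $FW_INSIDE$
bandwidth 6144
ip address 192.168.18.1 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452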
!
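! PPTP client pool: a slice of Vlan1's subnet, excluded from DHCP above.
ip local pool PPTP-Pool 10.10.11.210 10.10.11.220
ip forward-protocol nd
! Management web UI: plain HTTP off, HTTPS on, local user database.
no ip http server
! Review: was "ip http access-class 23", and ACL 23 is "permit any" -- the
! admin UI was open to every source the firewall let through, which (via
! sdm-access + ACL 101) includes the Internet. ACL 2 lists the two inside
! subnets and is referenced nowhere else in this config; PPTP clients
! (10.10.11.210-220) fall inside 10.10.11.0/24 and keep their access.
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
! NetFlow v5 export to an inside collector, sourced from the WAN address.
ip flow-export source Vlan100
ip flow-export version 5
ip flow-export destination 10.10.11.45 2055
!
! PAT for both inside subnets behind Vlan100's address, except traffic to
! the remote VPN LANs (route-map SDM_RMAP_1 -> ACL 105).
ip nat inside source route-map SDM_RMAP_1 interface Vlan100 overload
ip route 0.0.0.0 0.0.0.0 Vlan100 fff.fff.fff.fff permanent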
!
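! Intra-zone policy (ccp-protectAMS): the only in-zone -> in-zone flows
! allowed are 10.10.11.0/24 -> 192.168.18.0/24, with return traffic via
! inspection. PPTP client addresses (10.10.11.210-220) are not covered, so
! this ACL needs extending if Virtual-Template1 is placed in in-zone.
ip access-list extended Allow_AMS_to_public
remark CCP_ACL Category=128
permit ip 10.10.11.0 0.0.0.255 192.168.18.0 0.0.0.255
! Not referenced anywhere in this config ("ip http access-class" uses a
! numbered ACL); safe to delete.
ip access-list extended HTTPAccess
permit tcp 10.10.11.0 0.0.0.255 any eq www
permit tcp any any eq 443
deny   tcp any any
! GRE from anywhere; used with "pass" in every zone-pair, so the PPTP data
! channel is never inspected (GRE cannot be tracked statefully here).
ip access-list extended PPTP-PASS-THROUGH
remark PPTP Passthrough Rule
remark CCP_ACL Category=1
permit gre any any
! PPTP control channel. "any" source is inherent to a road-warrior service.
ip access-list extended PPTP-TCP-1723
remark PPTP-TCP-1723 Rule
remark CCP_ACL Category=1
permit tcp any any eq 1723
! IPsec payload protocols; in the firewall they are only accepted from the
! peers in ACL 103 (SDM_VPN_PT is match-all).
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
! Management ports from any source. Combined with ACL 101 in sdm-access these
! let the Internet reach HTTPS, SSH and rsh on the router; the vty/http
! access-classes are then the only line of defence.
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
! rsh (cmd/514): no "ip rcmd rsh-enable" in this config, so drop this one.
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
! vty access-class. Review: SSH was "permit tcp any any eq 22", i.e. remote
! CLI login from the whole Internet against local passwords; it is now
! limited to 10.10.11.0/24 like telnet (PPTP clients land in that subnet, so
! VPN-then-SSH keeps working). Add 192.168.18.0/24 or the remote VPN LANs
! if administrators sit there.
ip access-list extended TerminalAccess
permit tcp 10.10.11.0 0.0.0.255 any eq telnet
permit tcp 10.10.11.0 0.0.0.255 any eq 22
deny   tcp any any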
!
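! ACL 2: the two inside subnets (standard ACL). Not referenced anywhere else
! in this config -- it is the natural candidate for "ip http access-class"
! and the vty access-class.
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.10.11.0 0.0.0.255
access-list 2 permit 192.168.18.0 0.0.0.255
! ACL 23 is what "ip http access-class 23" uses and it permits ANY source:
! together with the firewall's sdm-access class this exposes the HTTPS admin
! UI to the whole Internet. Point the access-class at ACL 2 instead.
access-list 23 remark CCP_ACL Category=17
access-list 23 permit any
! ACL 100: spoofed sources dropped and logged by ccp-invalid-src on in->out
! (limited broadcast, loopback, and what looks like the router's own WAN
! subnet arriving from inside).
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip eee.eee.0.0 0.0.0.255 any
! ACL 101: permit-any placeholder that widens sdm-access (HTTPS/SSH/rsh to
! the router) to every source. Replace with the management networks.
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip any any
! ACLs 102/106/108/110: crypto-map "interesting traffic", one per peer.
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.10.11.0 0.0.0.255 192.168.1.0 0.0.0.255
! ACL 103: IPsec peers whose IKE/ESP/AH is passed straight to the router
! (SDM_VPN_PT). Review: peer ccc.ccc.ccc.ccc (crypto map seq 3, ACL 108) was
! missing, so IKE/ESP from that peer fell through to class-default drop in
! ccp-permit; added here. Remove it again if that tunnel was retired on
! purpose.
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip host aaa.aaa.aaa.aaa any
access-list 103 permit ip host bbb.bbb.bbb.bbb any
access-list 103 permit ip host ccc.ccc.ccc.ccc any
access-list 103 permit ip host ddd.ddd.ddd.ddd any
! ACL 105: NAT exemption -- traffic from 10.10.11.0/24 to the four remote VPN
! LANs is not translated; everything else from both inside subnets is PATed.
access-list 105 remark CCP_ACL Category=2
access-list 105 remark IPSec Rule
access-list 105 deny   ip 10.10.11.0 0.0.0.255 192.168.152.0 0.0.0.255
access-list 105 remark IPSec Rule
access-list 105 deny   ip 10.10.11.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 remark IPSec Rule
access-list 105 deny   ip 10.10.11.0 0.0.0.255 192.168.231.0 0.0.0.255
access-list 105 remark IPSec Rule
access-list 105 deny   ip 10.10.11.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 permit ip 192.168.18.0 0.0.0.255 any
access-list 105 permit ip 10.10.11.0 0.0.0.255 any
access-list 106 remark CCP_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 10.10.11.0 0.0.0.255 192.168.231.0 0.0.0.255
access-list 108 remark CCP_ACL Category=4
access-list 108 remark IPSec Rule
access-list 108 permit ip 10.10.11.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 remark CCP_ACL Category=4
access-list 110 remark IPSec Rule
access-list 110 permit ip 10.10.11.0 0.0.0.255 192.168.152.0 0.0.0.255
! ACL 111: inbound traffic from the remote VPN LANs into 10.10.11.0/24
! (sdm-cls-VPNOutsideToInside-4, inspected on out->in). 192.168.18.0/24 is
! in no crypto ACL, so Vlan200 has no tunnel access -- presumably intended.
access-list 111 remark CCP_ACL Category=0
access-list 111 permit ip 192.168.152.0 0.0.0.255 10.10.11.0 0.0.0.255
access-list 111 permit ip 192.168.2.0 0.0.0.255 10.10.11.0 0.0.0.255
access-list 111 permit ip 192.168.231.0 0.0.0.255 10.10.11.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 10.10.11.0 0.0.0.255
! CDP off globally (good: it would advertise platform/IOS details on the
! WAN VLAN).
no cdp run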

!!
! NAT policy: translate only what ACL 105 permits (VPN destinations exempt).
route-map SDM_RMAP_1 permit 1
match ip address 105
!
!
! No control-plane policing is configured; the out->self zone policy is the
! only filter on traffic addressed to the router.
control-plane

!
line con 0
no modem enable
! AUX port at defaults; "no exec" here if nothing is attached to it.
line aux 0
! Remote CLI. Sources are filtered by the TerminalAccess ACL. Telnet is
! cleartext -- switch to "transport input ssh" once SSH is confirmed
! working: SSH needs an RSA key pair, and the only key pair visible in this
! config belongs to the HTTPS self-signed trustpoint, so generate one
! ("crypto key generate rsa", then "ip ssh version 2") and test before
! removing telnet. An "exec-timeout" is also missing on every line.
line vty 0 4
access-class TerminalAccess in
transport input telnet ssh
!
scheduler max-task-time 5000
end
