10-10-2011 02:29 AM
Hello,
I've searched a few forums and tried to use some of the suggestions (and that's why the config is so big and probably messed up ;-)
The network is very simple: (Computers behind NAT + Windows 2008 Server with PPTP -> Cisco 881 -> DSL) and (nearly) everything works perfectly.
It is not possible to connect from outside to the W2008 PPTP server (it stops at "connecting..."); what is even more interesting, you cannot connect from inside to any of the PPTP servers located on the Internet (this stops at "verifying user name & password").
Please check the configuration, and thanks in advance!
Greetings,
Adrian
config
ip dhcp excluded-address 192.168.100.1 192.168.100.29
ip dhcp excluded-address 192.168.100.100 192.168.100.254
!
ip dhcp pool Logmar
import all
network 192.168.100.0 255.255.255.0
dns-server 194.204.159.1 192.204.152.34
default-router 192.168.100.1
!
!
ip cef
no ip bootp server
ip domain name logmar
ip name-server 194.204.159.1
ip name-server 194.204.152.34
ip port-map user-rserial port tcp 33600 list 3 description rserial
ip inspect tcp reassembly queue length 1024
no ipv6 cef
!
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any VOIP
match protocol sip-tls
match protocol sip
match protocol pptp
match class-map SDM_GRE
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any pptp
match protocol pptp
match class-map SDM_GRE
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any SDM_TELNET
match access-group name SDM_TELNET
class-map type inspect match-any SDM_HTTP
match access-group name SDM_HTTP
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any sdm-mgmt-cls-0
match class-map SDM_TELNET
match class-map SDM_HTTP
match class-map SDM_SHELL
match class-map SDM_SSH
match class-map SDM_HTTPS
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any CCP-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
match class-map SDM_GRE
match protocol pptp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all sdm-cls--1
match class-map VOIP
match access-group name VOIP
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect gnutella match-any ccp-app-gnutella
match file-transfer
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any pptp-traffic
match access-group name pptp
match access-group name SDM_GRE
match access-group name pptp-out
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match file-transfer
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match file-transfer
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect edonkey match-any ccp-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect fasttrack match-any ccp-app-fasttrack
match file-transfer
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
log
allow
class type inspect edonkey ccp-app-edonkeydownload
log
allow
class type inspect fasttrack ccp-app-fasttrack
log
allow
class type inspect gnutella ccp-app-gnutella
log
allow
class type inspect kazaa2 ccp-app-kazaa2
log
allow
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
reset
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
class type inspect ymsgr ccp-app-yahoo-otherservices
log
reset
policy-map global-policy
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
allow
class type inspect http ccp-app-httpmethods
log
allow
class type inspect http ccp-http-allowparam
log
allow
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
inspect
service-policy p2p ccp-action-app-p2p
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
inspect
class type inspect CCP-Voice-permit
inspect
class type inspect pptp-traffic
pass
class type inspect SDM_GRE
pass
class class-default
pass
policy-map type inspect ccp-permit
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class type inspect pptp-traffic
pass
class class-default
drop
policy-map type inspect sdm-policy-sdm-cls--1
class type inspect sdm-cls--1
pass
class type inspect pptp-traffic
pass
class class-default
drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class type inspect pptp-traffic
pass
class class-default
drop log
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-out-zone-in-zone source out-zone destination in-zone
service-policy type inspect sdm-policy-sdm-cls--1
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
switchport mode trunk
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $FW_OUTSIDE$$ETH-WAN$
ip address 83.0.201.122 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_3 192.168.100.200 192.168.100.210
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool logmar 192.168.100.1 192.168.100.254 netmask 255.255.255.0
ip nat inside source list 4 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.100.100 1723 interface FastEthernet4 1723
ip nat inside source list pptp-out interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 83.0.201.121 permanent
!
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_GRE
remark CCP_ACL Category=0
permit gre any any
ip access-list extended SDM_HTTP
remark CCP_ACL Category=0
permit tcp any any eq www
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=0
permit tcp any any eq 443
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
ip access-list extended SDM_SHELL
remark CCP_ACL Category=0
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=0
permit tcp any any eq 22
ip access-list extended SDM_TELNET
remark CCP_ACL Category=0
permit tcp any any eq telnet
ip access-list extended VOIP
remark CCP_ACL Category=128
permit ip any host 192.168.100.100
ip access-list extended pptp
remark CCP_ACL Category=1
permit gre any any
permit tcp any host 192.168.100.100 eq 1723
permit ip any host 192.168.100.100
ip access-list extended pptp-out
remark CCP_ACL Category=2
permit tcp any any eq 1723
permit gre any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.100.0 0.0.0.255
access-list 3 remark CCP_ACL Category=1
access-list 4 remark CCP_ACL Category=2
access-list 4 permit 192.168.100.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
access-list 106 remark CCP_ACL Category=0
no cdp run
10-18-2011 04:53 AM
OK, I resolved this by myself.
12-22-2011 05:31 PM
Hi Adrian, I know it was a while ago, but I am suffering from the same problem. Can you recall how you fixed this?
cheers
Greg
12-23-2011 01:06 AM
I've deleted all of the configuration (well, at least the part concerning PPTP access ;-) and written it from scratch...
Heh, I do not understand WHY configuring Cisco is such a pain while doing the same thing in ALL other routers is easier, far more predictable, and not at all less secure.
Below is the ACL & policy-map-related part of my config - hope this helps.
!
class-map type inspect match-any SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any cpp-cls-inside
match protocol pptp
match class-map SDM_GRE
match access-group name SDM_GRE
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
match class-map SDM_GRE
match protocol pptp
match protocol skinny
match protocol sip
match protocol sip-tls
match access-group name SDM_GRE
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect gnutella match-any ccp-app-gnutella
match file-transfer
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match file-transfer
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match file-transfer
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect edonkey match-any ccp-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect fasttrack match-any ccp-app-fasttrack
match file-transfer
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
log
allow
class type inspect edonkey ccp-app-edonkeydownload
log
allow
class type inspect fasttrack ccp-app-fasttrack
log
allow
class type inspect gnutella ccp-app-gnutella
log
allow
class type inspect kazaa2 ccp-app-kazaa2
log
allow
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
reset
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
class type inspect ymsgr ccp-app-yahoo-otherservices
log
reset
policy-map global-policy
policy-map type inspect ccp-inspect
class type inspect SDM_GRE
pass
class type inspect ccp-invalid-src
drop log
class type inspect ccp-insp-traffic
inspect
class class-default
pass
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
allow
class type inspect http ccp-app-httpmethods
log
allow
class type inspect http ccp-http-allowparam
log
allow
policy-map type inspect ccp-inside
class type inspect SDM_GRE
pass
class type inspect cpp-cls-inside
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security cp-zp-out-in source out-zone destination in-zone
service-policy type inspect ccp-inside
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
switchport mode trunk
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $FW_OUTSIDE$$ETH-WAN$
ip address 83.0.201.122 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_3 192.168.100.200 192.168.100.210
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool logmar 192.168.100.1 192.168.100.254 netmask 255.255.255.0
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.100.100 1723 interface FastEthernet4 1723
ip route 0.0.0.0 0.0.0.0 83.0.201.121 permanent
!
ip access-list extended SDM_GRE
remark CCP_ACL Category=0
permit gre any any
ip access-list extended SDM_HTTP
remark CCP_ACL Category=0
permit tcp any any eq www
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=0
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=0
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=0
permit tcp any any eq 22
ip access-list extended SDM_TELNET
remark CCP_ACL Category=0
permit tcp any any eq telnet
!
logging trap debugging
logging 192.168.100.100
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 1 permit any
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.100.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
no cdp run
!
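Added example (not part of Adrian's post or anything else in this thread): a small Python audit that reads the zone-based-firewall part of an IOS config and reports, per zone-pair, what the applied policy does with the two halves of PPTP, the TCP/1723 control channel and the GRE tunnel (IP protocol 47). GRE carries no TCP/UDP session state the firewall can track, so it has to be passed in both directions rather than inspected, which is exactly what the working config above does with its `class type inspect SDM_GRE` / `pass` entries ahead of the inspect classes in both `ccp-inspect` and `ccp-inside`. The sample config embedded below is constructed, modelled on that working excerpt (class-map, policy-map and zone-pair names are taken from the thread); `parse_ios`, `coverage`, `pptp_verdict` and `findings` are this example's own names. It understands only the IOS subset used here (named-ACL `match access-group name`, `match protocol pptp|tcp`, nested `match class-map`, `pass`/`inspect`/`drop` actions in first-match order) and ignores host and network filters inside ACL entries.

```python
import re

# Constructed excerpt modelled on the working config posted in this thread (not the poster's
# literal config): GRE is passed in both directions, the PPTP control channel is inspected.
WORKING = """\
class-map type inspect match-any SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol pptp
 match class-map SDM_GRE
policy-map type inspect ccp-inspect
 class type inspect SDM_GRE
  pass
 class type inspect ccp-cls-insp-traffic
  inspect
policy-map type inspect ccp-inside
 class type inspect SDM_GRE
  pass
 class type inspect ccp-cls-insp-traffic
  inspect
 class class-default
  drop log
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-in source out-zone destination in-zone
 service-policy type inspect ccp-inside
ip access-list extended SDM_GRE
 permit gre any any
"""
# Constructed failure case: the GRE "pass" class is removed from the out->in policy only,
# so inbound GRE falls through to the inspect class instead of being passed.
BROKEN = WORKING.replace(
    "policy-map type inspect ccp-inside\n class type inspect SDM_GRE\n  pass\n",
    "policy-map type inspect ccp-inside\n")
PPTP_KEYS = ("tcp/1723", "gre")  # control channel, data tunnel (IP protocol 47)
ACTIONS = {"pass", "inspect", "drop", "allow", "reset", "log"}

def parse_ios(text):
    """Parse the ZBF subset: extended ACLs, class-maps, policy-maps, zone-pairs."""
    acl, cmap, pmap, zpair, kind, cur = {}, {}, {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == "!":
            continue
        if m := re.match(r"ip access-list extended (\S+)$", line):
            kind, cur = "acl", acl.setdefault(m[1], [])
        elif m := re.match(r"class-map type inspect (?:\S+ )?match-(any|all) (\S+)$", line):
            kind, cur = "cmap", cmap.setdefault(m[2], {"mode": m[1], "matches": []})
        elif m := re.match(r"policy-map type inspect (?:\S+ )?(\S+)$", line):
            kind, cur = "pmap", pmap.setdefault(m[1], [])
        elif m := re.match(r"zone-pair security (\S+) source \S+ destination \S+$", line):
            kind, cur = "zpair", m[1]
        elif kind == "acl" and line.startswith("permit "):
            cur.append(line.split())
        elif kind == "cmap" and line.startswith("match "):
            cur["matches"].append(line.split()[1:])
        elif kind == "pmap" and (m := re.match(r"class (?:type inspect (?:\S+ )?)?(\S+)$", line)):
            cur.append([m[1], None])                # [class, action] in first-match order
        elif kind == "pmap" and cur and cur[-1][1] is None and line.split()[0] in ACTIONS:
            cur[-1][1] = line.split()[0]            # "drop log" -> "drop"
        elif kind == "zpair" and (m := re.match(r"service-policy type inspect (\S+)$", line)):
            zpair[cur] = m[1]
    return {"acl": acl, "cmap": cmap, "pmap": pmap, "zpair": zpair}

def coverage(name, cfg):
    """PPTP components a class-map can match, following nested class-maps and named ACLs."""
    cm, sets = cfg["cmap"].get(name, {"mode": "any", "matches": []}), []
    for tok in cm["matches"]:
        hit = set()
        if tok[0] == "protocol" and tok[1] in ("pptp", "tcp"):
            hit.add("tcp/1723")                     # generic TCP inspection covers 1723 too
        elif tok[0] == "class-map":
            hit = coverage(tok[1], cfg)
        elif tok[:2] == ["access-group", "name"]:
            for e in cfg["acl"].get(tok[2], []):    # e = ["permit", proto, ...]; hosts ignored
                if e[1] in ("ip", "gre"):
                    hit.add("gre")
                if e[1] == "ip" or (e[1] == "tcp" and ("eq" not in e or "1723" in e)):
                    hit.add("tcp/1723")
        sets.append(hit)
    if cm["mode"] == "all":                         # match-all: every match line must hold
        return set(PPTP_KEYS).intersection(*sets) if sets else set()
    return set().union(*sets)

def pptp_verdict(cfg):
    """Per zone-pair, the action the first matching policy class applies to each component."""
    def first_action(policy, key):
        for cls, action in cfg["pmap"].get(policy, []):
            if cls == "class-default" or key in coverage(cls, cfg):
                return action or "drop"
        return "drop"                               # implicit class-default drops
    return {zp: {k: first_action(p, k) for k in PPTP_KEYS} for zp, p in cfg["zpair"].items()}

def findings(cfg):
    """Zone-pairs that break PPTP: GRE has no session state the firewall can track, so it
    must be passed; the TCP/1723 control channel must be passed or inspected."""
    ok = {"gre": ("pass",), "tcp/1723": ("pass", "inspect")}
    return [(zp, key, act) for zp, v in pptp_verdict(cfg).items()
            for key, act in v.items() if act not in ok[key]]

if __name__ == "__main__":
    for label, text in (("working", WORKING), ("broken", BROKEN)):
        cfg = parse_ios(text)
        print(label, pptp_verdict(cfg), findings(cfg) or "OK")
```

Run against the constructed working config it reports `pass` for GRE and `inspect` for TCP/1723 on both zone-pairs and no findings; against the broken variant it flags `('ccp-zp-out-in', 'gre', 'inspect')`, the out-to-in direction where GRE is no longer passed. To audit a real device, feed it the output of `show running-config` and look only at the zone-pairs that are supposed to carry PPTP (inside-to-outside for clients behind the router, outside-to-inside for a published server).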
12-23-2011 02:40 PM
Thanks for replying Adrian, still working on it.
Cheers
Greg