PPTP Passthrough on Cisco 867VAE

Mitchell Hayden
Level 1

Does anyone know how to allow PPTP Passthrough on a Cisco 867?

I've got a Windows RRAS Server with PPTP configured however after installing the Cisco 867VAE the VPN clients cannot connect.
I've tried allowing GRE; however, that didn't work (not shown in the config below). The control port for PPTP, 1723, is working OK, so I'm guessing it's a problem with GRE, just not sure what.


Current Config is below, can anyone tell me what's wrong?

UDM-ROUTER(config)#exit
UDM-ROUTER#show run
Building configuration...

*Mar 1 00:08:05.878: %SYS-5-CONFIG_I: Configured from console by console
Current configuration : 7370 bytes
!
! Last configuration change at 00:08:05 UTC Tue Mar 1 2016
!
version 15.5
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname UDM-ROUTER
!
boot-start-marker
boot-end-marker
!
!
logging console notifications
enable secret 5 ########
enable password #######
!
no aaa new-model
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
wan mode dsl
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
!
flow record nbar-appmon
match ipv4 source address
match ipv4 destination address
match application name
collect interface output
collect counter bytes
collect counter packets
collect timestamp absolute first
collect timestamp absolute last
!
!
flow monitor application-mon
cache timeout active 60
record nbar-appmon
!
parameter-map type inspect global
max-incomplete low 18000
max-incomplete high 20000
nbar-classify
!
!
!
!
!
!
!
!
!
!
!
!
object-group service INTERNAL_UTM_SERVICE
!
object-group network local_cws_net
!
object-group network local_lan_subnets
192.168.100.0 255.255.255.0
!
object-group network policy1_dst_net
any
!
object-group network policy1_src_net
any
!
object-group service policy1_svc
ip
!
object-group network ports_in_dst_net
any
!
object-group network ports_in_src_net
any
!
object-group service ports_in_svc
tcp eq 443
tcp eq 3389
tcp eq smtp
!
object-group network pptp_dst_net
any
!
object-group network pptp_in_dst_net
any
!
object-group network pptp_in_src_net
any
!
object-group service pptp_in_svc
ip
!
object-group network pptp_src_net
any
!
object-group service pptp_svc
ip
!
object-group network vpn_remote_subnets
any
!
!
!
controller VDSL 0
!
track 1 ip sla 1 reachability
!
!
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
match protocol msnmsgr
match protocol ymsgr
class-map type inspect match-all policy1
match access-group name policy1_acl
class-map type inspect match-all ports_in
description Port forward allow rules
match access-group name ports_in_acl
class-map type inspect match-any pptp_app
match protocol pptp
class-map type inspect match-any pptp_in_app
match protocol pptp
class-map type inspect match-all pptp
match access-group name pptp_acl
match class-map pptp_app
class-map type inspect match-all pptp_in
match access-group name pptp_in_acl
match class-map pptp_in_app
!
policy-map type inspect LAN-WAN-POLICY
class type inspect pptp_in
inspect
class type inspect policy1
inspect
class type inspect INTERNAL_DOMAIN_FILTER
inspect
class class-default
drop log
policy-map type inspect WAN-LAN-POLICY
class type inspect pptp
inspect
class type inspect ports_in
inspect
class type inspect INTERNAL_DOMAIN_FILTER
inspect
class class-default
drop log
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
service-policy type inspect LAN-WAN-POLICY
zone-pair security WAN-LAN source WAN destination LAN
service-policy type inspect WAN-LAN-POLICY
!
!
!
!
!
!
!
!
!
bridge irb
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description PrimaryWANDesc_telstra
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface Ethernet0
no ip address
ip nbar protocol-discovery
ip flow monitor application-mon input
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
zone-member security LAN
load-interval 30
shutdown
!
interface FastEthernet0
no ip address
zone-member security LAN
shutdown
!
interface FastEthernet1
no ip address
zone-member security LAN
shutdown
!
interface FastEthernet2
no ip address
zone-member security LAN
shutdown
!
interface GigabitEthernet0
no ip address
zone-member security LAN
shutdown
!
interface GigabitEthernet1
no ip address
zone-member security LAN
!
interface GigabitEthernet2
description BackupWANDesc_
ip address dhcp hostname UDM-ROUTER
ip nat outside
ip virtual-reassembly in
ip tcp adjust-mss 1412
shutdown
duplex auto
speed auto
!
interface Wlan-GigabitEthernet0
no ip address
zone-member security LAN
!
interface Vlan1
ip address 192.168.100.1 255.255.255.0
ip nbar protocol-discovery
ip flow monitor application-mon input
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
zone-member security LAN
ip tcp adjust-mss 1412
load-interval 30
!
interface Dialer1
description PrimaryWANDesc_telstra_ATM0.1
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
zone-member security WAN
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname #########
ppp chap password 0 ####
ppp pap sent-username ######### password 0 ######
ppp ipcp dns request
!
ip local policy route-map track-primary-if
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list nat-list interface Dialer1 overload
ip nat inside source static tcp 192.168.100.3 25 interface Dialer1 25
ip nat inside source static tcp 192.168.100.3 3389 interface Dialer1 3390
ip nat inside source static tcp 192.168.100.3 443 interface Dialer1 443
ip nat inside source static tcp 192.168.100.3 1723 interface Dialer1 1723
ip nat inside source static tcp 192.168.100.3 13000 interface Dialer1 13000
ip nat inside source static tcp 192.168.100.3 14000 interface Dialer1 14000
ip nat inside source static udp 192.168.100.3 15000 interface Dialer1 15000
ip nat inside source static tcp 192.168.100.199 3389 interface Dialer1 3333
ip nat inside source static tcp 192.168.100.199 80 interface Dialer1 80
ip nat inside source static tcp 192.168.100.199 4430 interface Dialer1 4430
ip nat inside source static tcp 192.168.100.10 3389 interface Dialer1 3334
ip nat inside source static tcp 192.168.100.4 3389 interface Dialer1 3391
ip nat inside source route-map nat2primary interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet2 253
!
ip access-list extended nat-list
permit ip object-group local_lan_subnets any
ip access-list extended policy1_acl
permit object-group policy1_svc object-group policy1_src_net object-group policy1_dst_net
ip access-list extended ports_in_acl
permit object-group ports_in_svc object-group ports_in_src_net object-group ports_in_dst_net
ip access-list extended pptp_acl
permit object-group pptp_svc object-group pptp_src_net object-group pptp_dst_net
ip access-list extended pptp_in_acl
permit object-group pptp_in_svc object-group pptp_in_src_net object-group pptp_in_dst_net
!
ip sla auto discovery
ip sla 1
icmp-echo 74.125.39.99 source-interface Dialer1
ip sla schedule 1 life forever start-time now
dialer-list 1 protocol ip permit
!
route-map track-primary-if permit 1
match ip address 197
!
route-map nat2primary permit 1
match ip address nat-list
!
route-map nat2backup permit 1
match ip address nat-list
match interface GigabitEthernet2
!
snmp-server community public RO
access-list 197 permit icmp any host 74.125.39.99
!
!
line con 0
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 4
password ############
login
transport input none
!
scheduler allocate 60000 1000
!
end

UDM-ROUTER#

2 Replies

Philip D'Ath
VIP Alumni

You have done all that is normally required, which is to "inspect pptp". PPTP is pretty much dead now (due to its weak crypto), and as a result has very poor support.

There is a good chance there is nothing wrong with your config, and this is an IOS issue - and it is not going to be resolved.

You could try changing over to using L2TP over IPSec on the server.

Thanks mate. I did track it down to the zone-based rules; the logging showed "due to Invalid Segment". I changed the default class on the policy from inspect to pass on both LAN-to-WAN and WAN-to-LAN. All working now.
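A narrower way to get the GRE tunnel through the zone-based firewall, added here as an editor's example and not something posted in the thread. Setting class-default to pass on both zone-pairs works, but pass is stateless and unlogged, and a default-pass WAN-to-LAN policy means the firewall no longer drops anything it cannot classify; at that point only the NAT table stands between the Internet and the LAN. The fragment below instead adds a pass class that matches only GRE (IP protocol 47) to and from the RRAS server and leaves class-default at drop log. The host 192.168.100.3 is taken from the static NAT entries in the posted config; the ACL and class-map names are my own, and it assumes the router's NAT PPTP ALG translates the GRE tunnel to the same inside host that TCP 1723 is mapped to.

```cisco
! GRE (IP protocol 47) carries the PPTP data channel. It has no ports, so the
! "ip nat inside source static tcp ... 1723" entry and TCP inspection do not
! cover it, and a ZBF "pass" is stateless, so it must be permitted both ways.
!
! WAN-to-LAN: GRE arriving for the RRAS server. The firewall classifies this
! direction after NAT has translated the destination, hence the inside address.
ip access-list extended GRE_TO_RRAS
 permit gre any host 192.168.100.3
!
! LAN-to-WAN: GRE the RRAS server sends back to the VPN client.
ip access-list extended GRE_FROM_RRAS
 permit gre host 192.168.100.3 any
!
class-map type inspect match-all GRE_TO_RRAS_CLASS
 match access-group name GRE_TO_RRAS
class-map type inspect match-all GRE_FROM_RRAS_CLASS
 match access-group name GRE_FROM_RRAS
!
! WAN-to-LAN: the existing pptp and ports_in classes only match TCP, so GRE
! falls through to this new class. A new class is always placed ahead of
! class-default, which keeps its "drop log".
policy-map type inspect WAN-LAN-POLICY
 class type inspect GRE_TO_RRAS_CLASS
  pass
!
! LAN-to-WAN: the existing policy1 class matches "ip any any" and would swallow
! GRE first, so remove it and re-add it after the GRE class; classes are
! evaluated in order and IOS appends re-added classes at the end.
policy-map type inspect LAN-WAN-POLICY
 no class type inspect policy1
 class type inspect GRE_FROM_RRAS_CLASS
  pass
 class type inspect policy1
  inspect
```

After applying it, bring up a client and check `show policy-map type inspect zone-pair WAN-LAN` and `show ip nat translations` for GRE hits on the new class and a GRE translation to 192.168.100.3; if the GRE counters stay at zero while TCP 1723 is still being inspected, the tunnel is being lost at NAT rather than at the firewall. As the reply above notes, this only keeps PPTP limping along; moving the server to L2TP over IPsec removes the GRE dependency and the weak crypto at the same time.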