Cisco 871W - PPTP - Passthrough

Cisco 871W - PPTP - Passthrough

ajtk2000
I am trying to connect to a remote SBS 2003 VPN server from home.

I have a Cisco 871W router that I use to connect to the internet. It will establish the connection to the VPN server but will not verify username/password.

VPN connection is fine without the 871w connected.

Any ideas?
    NetMan1958

    Are you trying to establish a pptp VPN from a computer that is on the LAN side of the 871 or is the VPN between the 871 and a remote device?

    Do you have any access lists configured on the 871? If so, can you post them. Also do you have the Cisco firewall (ip inspect) configured on the 871? If so, can you post that config.

    ajtk2000

    Thanks for the reply.

    I had to permit GRE and PPTP; GRE was my problem.

    Just to clarify for others:

    workstation is on the LAN side of the 871
    VPN server is remote (SBS2003 at wife's office)

    Here is the config file. Let me know if you see anything that looks odd or unneeded.

    I'm also forwarding mail and HTTP to inside the LAN which is working fine.

    ! Cisco 871W running-config as posted: NAT overload on FastEthernet4 (WAN),
    ! bridged wired/wireless LAN on BVI1 192.168.10.0/24, zone-based firewall
    ! (in-zone / out-zone / self) with GRE and PPTP allowed for a LAN-side
    ! PPTP client. Review notes are the "!" lines added below.
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    ! NOTE(review): password-encryption only obfuscates type 7 strings; the
    ! credentials below are type 5 (salted MD5). Because they are now public
    ! in this post, the enable and user secrets should be changed.
    service password-encryption
    service sequence-numbers
    !
    hostname D-T
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    logging message-counter syslog
    logging buffered 51200
    logging console critical
    ! NOTE(review): this hash is exposed by the post; rotate it.
    enable secret 5 $1$SEO2$rROwq.
    !
    ! Local authentication only (no AAA); the line/vty section is not part of
    ! this paste, so whether telnet is disabled cannot be confirmed here.
    no aaa new-model
    clock timezone PCTime -5
    ! NOTE(review): DST is pinned to fixed 2003 dates, so outside that window
    ! local log timestamps will be off by an hour; "recurring" keeps them
    ! correct across years.
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    !
    ! Self-signed certificate used by the HTTPS management server.
    crypto pki trustpoint TP-self-signed-2652445221
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-2652445221
    revocation-check none
    rsakeypair TP-self-signed-2652445221
    !
    !
    crypto pki certificate chain TP-self-signed-2652445221
    certificate self-signed 01
    3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 32363532 34343532 3231301E 170D3039 31303039 31313135
    32355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 36353234
    34353232 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    8100B87C 6A558D88 EEAA4C73 3C1D8E55 8C95920F 239EB3A4 4BC58BB4 B97612F6
    D7483CCD FFCD9C5F 3C76180A 63117F7A 715966CC 12FECD84 B891E364 160E457A
    62BAEE68 1227F6A2 D84160D3 FC1CE7B9 06B103B1 053A8C91 50BB3745 F7581B45
    98B881E5 DFAD3894 C3FC35DA E87D8E11 C71430D1 B69AA2CB DF35F18D 01EF28DB
    AFC70203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
    551D1104 18301682 14534153 2D526F75 7465722E 7361732E 6C6F6361 6C301F06
    03551D23 04183016 80143E19 8DEF4F2A 15C3E9B0 AD2C24C1 48F879D1 BD86301D
    0603551D 0E041604 143E198D EF4F2A15 C3E9B0AD 2C24C148 F879D1BD 86300D06
    092A8648 86F70D01 01040500 03818100 93B15416 C3133AB8 2D42E115 F1139AB2
    3E501633 A397F03A 2332B378 D843567B 3233EF5F C390F2C4 80A46C85 2635F90C
    74EFFBAE 981B8CD8 70FA099C 1CDB90BF 10636AB5 53D56786 1BDBC4E7 F3F6BE7D
    8ECBD280 C4BEEB44 054AE40C C879D64F 9C852608 F3924869 A872041C B52CF103
    C762A0D5 13568C57 E31BDAB5 24FE340B
    quit
    dot11 syslog
    !
    ! NOTE(review): the only SSID defined here uses open authentication and
    ! no encryption settings appear in the paste. Because Dot11Radio0 and
    ! Vlan1 share bridge-group 1 (see below), wireless clients land on the
    ! same LAN as the wired hosts, including the mail and web servers.
    ! Also, Dot11Radio0 references "ssid D-Tech2", which is not defined
    ! globally in this paste -- possibly edited before posting; confirm.
    dot11 ssid D-T
    authentication open
    !
    no ip source-route
    !
    !
    ip dhcp excluded-address 192.168.10.1 192.168.10.9
    ip dhcp excluded-address 192.168.10.101 192.168.10.254
    !
    ! LAN DHCP pool; "import all" pulls options learned from the WAN DHCP
    ! lease into this pool, so upstream-supplied DNS can reach LAN clients.
    ip dhcp pool D-Tech
    import all
    network 192.168.10.0 255.255.255.0
    dns-server 24.25.4.107 24.25.4.108
    default-router 192.168.10.254
    !
    !
    ip cef
    no ip bootp server
    ip domain name D-Tech.local
    ! NOTE(review): 24.25.1.107 here vs 24.25.4.107 in the DHCP pool above --
    ! possibly a typo in one of them; verify against the provider's servers.
    ip name-server 24.25.1.107
    ip name-server 24.25.4.108
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    !
    ! NOTE(review): privilege-15 local account whose hash is now public; rotate.
    username kevin privilege 15 secret 5 $1$kpQL$OcA.oIxeQLLKWbimwf5aT.
    !
    !
    !
    archive
    log config
    hidekeys
    !
    !
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    !
    ! Inspect classes for the static NAT port-forwards (ACLs 101-103).
    class-map type inspect match-all sdm-nat-http-1
    match access-group 101
    match protocol http
    ! NOTE(review): ACL 102 is identical to ACL 101 (both host 192.168.10.252),
    ! so this class duplicates sdm-nat-http-1.
    class-map type inspect match-all sdm-nat-http-2
    match access-group 102
    match protocol http
    class-map type inspect match-all sdm-nat-smtp-1
    match access-group 103
    match protocol smtp
    class-map type inspect match-any SDM_GRE
    match access-group name SDM_GRE
    ! NOTE(review): "excacl" and "exchange" below have identical match
    ! criteria (GRE + PPTP). In sdm-pol-NATOutsideToInside-1 "excacl" is
    ! listed first with "pass", so the "exchange"/"inspect" entry is never
    ! reached. Keeping only the inspected class would track the PPTP/GRE
    ! session state instead of passing it unconditionally.
    class-map type inspect match-any excacl
    match class-map SDM_GRE
    match protocol pptp
    class-map type inspect match-any CCP-Voice-permit
    match protocol h323
    match protocol skinny
    match protocol sip
    class-map type inspect match-any ccp-cls-insp-traffic
    match protocol cuseeme
    match protocol dns
    match protocol ftp
    match protocol h323
    match protocol https
    match protocol icmp
    match protocol imap
    match protocol pop3
    match protocol netshow
    match protocol shell
    match protocol realmedia
    match protocol rtsp
    match protocol smtp extended
    match protocol sql-net
    match protocol streamworks
    match protocol tftp
    match protocol vdolive
    match protocol tcp
    match protocol udp
    class-map type inspect match-all ccp-insp-traffic
    match class-map ccp-cls-insp-traffic
    class-map type inspect match-any exchange
    match class-map SDM_GRE
    match protocol pptp
    class-map type inspect match-any ccp-cls-icmp-access
    match protocol icmp
    match protocol tcp
    match protocol udp
    ! Anti-spoof class: ACL 100 matches broadcast and loopback sources.
    class-map type inspect match-all ccp-invalid-src
    match access-group 100
    class-map type inspect match-all ccp-icmp-access
    match class-map ccp-cls-icmp-access
    class-map type inspect match-all ccp-protocol-http
    match protocol http
    !
    !
    ! self -> out-zone: router-originated traffic.
    policy-map type inspect ccp-permit-icmpreply
    class type inspect ccp-icmp-access
    class class-default
    pass
    ! out-zone -> in-zone: what the Internet may reach on the LAN.
    policy-map type inspect sdm-pol-NATOutsideToInside-1
    ! "pass" forwards GRE/PPTP without state; see the class-map note above.
    class type inspect excacl
    pass
    ! Unreachable: shadowed by "excacl" above.
    class type inspect exchange
    inspect
    class type inspect sdm-nat-http-1
    inspect
    class type inspect sdm-nat-http-2
    inspect
    class type inspect sdm-nat-smtp-1
    inspect
    class class-default
    drop
    ! in-zone -> out-zone: LAN to Internet.
    policy-map type inspect ccp-inspect
    class type inspect ccp-invalid-src
    drop log
    class type inspect ccp-protocol-http
    inspect
    class type inspect ccp-insp-traffic
    inspect
    class type inspect CCP-Voice-permit
    inspect
    ! "pass" is one-directional: anything not matched above (non-TCP/UDP,
    ! e.g. outbound GRE) leaves without state; its return path depends on
    ! the out-zone -> in-zone policy.
    class class-default
    pass
    ! out-zone -> self: everything dropped (management only from the LAN).
    policy-map type inspect ccp-permit
    class class-default
    drop
    !
    zone security out-zone
    zone security in-zone
    zone-pair security ccp-zp-self-out source self destination out-zone
    service-policy type inspect ccp-permit-icmpreply
    zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
    service-policy type inspect sdm-pol-NATOutsideToInside-1
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
    service-policy type inspect ccp-inspect
    zone-pair security ccp-zp-out-self source out-zone destination self
    service-policy type inspect ccp-permit
    !
    bridge irb
    !
    !
    interface Null0
    no ip unreachables
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    ! WAN interface: DHCP-addressed, NAT outside, out-zone member.
    interface FastEthernet4
    description $ES_WAN$$FW_OUTSIDE$
    ip address dhcp client-id FastEthernet4
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat outside
    ip virtual-reassembly
    zone-member security out-zone
    duplex auto
    speed auto
    !
    ! Wireless radio, bridged into bridge-group 1 with Vlan1 (same L2 LAN).
    interface Dot11Radio0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    !
    ! NOTE(review): no global "dot11 ssid D-Tech2" appears in this paste.
    ssid D-Tech2
    !
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    !
    ! Wired switch ports, bridged with the radio.
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    bridge-group 1
    !
    ! LAN gateway address; NAT inside and in-zone member.
    interface BVI1
    description $ES_LAN$$FW_INSIDE$
    ip address 192.168.10.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    zone-member security in-zone
    !
    ip forward-protocol nd
    ! NOTE(review): plaintext HTTP management is enabled alongside HTTPS;
    ! if only the secure server is needed, "no ip http server" removes it.
    ! "access-class 23" refers to access-list 23, which is not defined in
    ! this paste -- confirm it exists on the device, otherwise the restriction
    ! is not what it appears to be.
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    !
    ! PAT for the LAN, plus two static port-forwards exposed to the Internet:
    ! 192.168.10.252:80 (web) and 192.168.10.1:25 (mail). Both hosts are on
    ! the same bridged LAN as the open wireless SSID.
    ip nat inside source list 1 interface FastEthernet4 overload
    ip nat inside source static tcp 192.168.10.252 80 interface FastEthernet4 80
    ip nat inside source static tcp 192.168.10.1 25 interface FastEthernet4 25
    !
    ! GRE from anywhere to anywhere; used by the excacl/exchange class-maps.
    ip access-list extended SDM_GRE
    remark CCP_ACL Category=0
    permit gre any any
    !
    ! NOTE(review): trap level set to debugging but no "logging host" appears
    ! in this paste, so syslog messages stay in the local buffer only.
    logging trap debugging
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 192.168.10.0 0.0.0.255
    ! ACL 100: invalid sources (broadcast, loopback) dropped and logged.
    access-list 100 remark CCP_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    ! ACLs 101 and 102 are identical; one of them is redundant.
    access-list 101 remark CCP_ACL Category=0
    access-list 101 permit ip any host 192.168.10.252
    access-list 102 remark CCP_ACL Category=0
    access-list 102 permit ip any host 192.168.10.252
    access-list 103 remark CCP_ACL Category=0
    access-list 103 permit ip any host 192.168.10.1
    no cdp run
