1841 configured as PPTP server, but port 1723 is filtered

Jul 23rd, 2008

IOS: c1841-advsecurityk9-mz.124-15.T4.bin


nmap reports port 1723 filtered.

ACL 101 doesn't deny port 1723. I have tried removing ACL 101 from FastEthernet0/1, but the result was the same... With or without ACL 101 on FastEthernet0/1, nmap reports 1723 as filtered. On the LAN interface, FastEthernet0/0, 1723 is "visible" and I can connect the VPN client. I suspect that the route-map may cause this, because the same configuration worked fine without the second Cellular interface, which we use as failover.



Interesting parts of conf:

vpdn enable
!
vpdn-group vpn-dialin
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 local name PPTP-Tunel
!
interface FastEthernet0/0
 description $FW_INSIDE$$ETH-LAN$
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 rate-limit input access-group 100 16000 8000 8000 conform-action transmit exceed-action drop
 speed auto
 full-duplex
 no mop enabled
!
interface FastEthernet0/1
 description $FW_OUTSIDE$$ETH-WAN$
 ip address xxx.xxx.xxx.xxx 255.255.255.248
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip ips sdm_ips_rule in
 ip nat outside
 ip virtual-reassembly
 rate-limit input access-group 100 16000 8000 8000 conform-action transmit exceed-action drop
 duplex auto
 speed auto
 no mop enabled
!
interface Cellular0/0/0
 description WAN MTS
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer in-band
 dialer string xxxxx
 dialer-group 1
 async mode interactive
 ppp chap hostname xxx
 ppp chap password 7 xxxxxxxxxx
 ppp ipcp dns request
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 peer default ip address pool vpn-pool
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
ip nat inside source route-map FR interface FastEthernet0/1 overload
ip nat inside source route-map 3G interface Cellular0/0/0 overload

route-map 3G permit 10
 match ip address 1 103
 match interface Cellular0/0/0
!
route-map FR permit 10
 match ip address 1 103
 match interface FastEthernet0/1


alkos Wed, 07/23/2008 - 12:46

access-list 101 deny tcp any any eq 15000
access-list 101 deny tcp any any eq 8989
access-list 101 deny tcp any any eq 88
access-list 101 deny tcp any any eq www
access-list 101 deny tcp any any eq 16000
access-list 101 deny tcp any any eq 22
access-list 101 deny tcp any any eq 2222
access-list 101 remark Permit all
access-list 101 permit ip any any



The upper part of the ACL is huge, and defines the IPs permitted to the listed ports that are denied.


alkos Wed, 07/23/2008 - 12:56

access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.11.0 0.0.0.255
access-list 1 permit any

access-list 103 permit ip 192.168.10.0 0.0.0.255 any
access-list 103 permit ip 192.168.11.0 0.0.0.255 any
access-list 103 permit ip host 192.168.9.4 any
access-list 103 permit ip host 192.168.9.5 any


a.alekseev Wed, 07/23/2008 - 12:58

what is the ip address for lan interface?


interface FastEthernet0/0
 description $FW_INSIDE$$ETH-LAN$
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx

Correct Answer
a.alekseev Wed, 07/23/2008 - 13:03

try the following


route-map 3G permit 10
 match ip address 103
 match interface Cellular0/0/0
!
route-map FR permit 10
 match ip address 103
 match interface FastEthernet0/1

! extended ACL syntax needs the 'host' keyword for a single address
access-list 103 deny ip host 192.168.10.250 any
access-list 103 permit ip 192.168.10.0 0.0.0.255 any
access-list 103 permit ip 192.168.11.0 0.0.0.255 any
access-list 103 permit ip host 192.168.9.4 any
access-list 103 permit ip host 192.168.9.5 any

end

clear ip nat tr *
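What the change to the route-maps actually does to NAT classification, as an added example that is not part of the thread: a small Python model of IOS ACL wildcard matching and of route-map `match ip address` semantics (the ACLs named on one match line are evaluated as a logical OR, so a packet permitted by any of them satisfies the clause). The ACL text is copied from the posts above; the `host` keyword on the deny line is the standard extended-ACL form for a single address. The destination 203.0.113.10 is a constructed test value, and treating 192.168.10.250 as the router's own LAN address is an assumption the page does not state.

```python
"""Model IOS ACL wildcard matching and route-map 'match ip address' OR semantics.

Added example, not code from the thread. ACL text is copied from the posts;
203.0.113.10 is a constructed destination, and 192.168.10.250 being the
router's own LAN address is an assumption.
"""
import ipaddress
from dataclasses import dataclass

ANY = (0, 0xFFFFFFFF)  # network 0.0.0.0, wildcard 255.255.255.255

ORIGINAL_ACL_1 = """
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.11.0 0.0.0.255
access-list 1 permit any
"""

ORIGINAL_ACL_103 = """
access-list 103 permit ip 192.168.10.0 0.0.0.255 any
access-list 103 permit ip 192.168.11.0 0.0.0.255 any
access-list 103 permit ip host 192.168.9.4 any
access-list 103 permit ip host 192.168.9.5 any
"""

FIXED_ACL_103 = """
access-list 103 deny ip host 192.168.10.250 any
access-list 103 permit ip 192.168.10.0 0.0.0.255 any
access-list 103 permit ip 192.168.11.0 0.0.0.255 any
access-list 103 permit ip host 192.168.9.4 any
access-list 103 permit ip host 192.168.9.5 any
"""


@dataclass
class AclEntry:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every protocol
    src: tuple    # (network, wildcard) as integers
    dst: tuple


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def _wild_match(addr, spec):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    net, wild = spec
    mask = ~wild & 0xFFFFFFFF
    return addr & mask == net & mask


def parse_acl(text):
    """Parse numbered standard (1-99) or extended (100-199) ACL lines."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        number, action = int(tokens[1]), tokens[2]
        if number <= 99:                     # standard ACL: source only
            src, _ = _parse_addr(tokens, 3)
            entries.append(AclEntry(action, "ip", src, ANY))
        else:                                # extended: protocol, source, destination
            src, i = _parse_addr(tokens, 4)
            dst, _ = _parse_addr(tokens, i)
            entries.append(AclEntry(action, tokens[3], src, dst))
    return entries


def acl_permits(entries, src, dst, proto="ip"):
    """First match wins; an unmatched packet hits the implicit 'deny any'."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for e in entries:
        if e.proto in ("ip", proto) and _wild_match(s, e.src) and _wild_match(d, e.dst):
            return e.action == "permit"
    return False


def route_map_matches(acls, src, dst):
    """'match ip address 1 103' is satisfied if ANY listed ACL permits the packet."""
    return any(acl_permits(a, src, dst) for a in acls)


def nat_eligible_before_and_after(src, dst="203.0.113.10"):
    """Return (original route-map result, fixed route-map result) for one source."""
    before = route_map_matches([parse_acl(ORIGINAL_ACL_1), parse_acl(ORIGINAL_ACL_103)], src, dst)
    after = route_map_matches([parse_acl(FIXED_ACL_103)], src, dst)
    return before, after


if __name__ == "__main__":
    for host in ("192.168.10.17", "192.168.9.4", "192.168.10.250", "10.0.0.5"):
        before, after = nat_eligible_before_and_after(host)
        print(f"{host:16} match ip address 1 103: {before!s:5}  match ip address 103: {after}")
```

Run as-is, it shows that with `access-list 1 permit any` in the OR, every inside-sourced address satisfied the NAT route-maps, including the router's own 192.168.10.250 and 10.0.0.5, which belongs to no subnet the posts list; the narrower ACL 103 never restricted anything. The corrected clause limits NAT to the listed subnets and hosts and explicitly excludes one address. The model only shows what the NAT rule classifies; the thread does not explain the mechanism that affected port 1723 on the outside interface, and the model does not try to.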

a.alekseev Thu, 07/24/2008 - 02:10

Hi, Aleksandar


Have you tried?

alkos Fri, 07/25/2008 - 02:42

Yes, right now, and it works!!!


Can you give some insight, for mortals?


Anyway, thanks a lot...
