
1841 configured as pptp server, but 1723 port are filtered

alkos
Level 1

IOS: c1841-advsecurityk9-mz.124-15.T4.bin

nmap reports port 1723 filtered.

ACL 101 doesn't deny port 1723. I have tried to remove ACL 101 from FastEthernet0/1, but the result was the same... With or without ACL 101 on FastEthernet0/1, nmap reports 1723 as filtered. On the LAN interface, FastEthernet0/0, 1723 is "visible" and I can connect the VPN client. I suspect that the route-map may cause this, because the same configuration worked fine without the second Cellular interface which we use as failover.

Interesting parts of conf:

vpdn enable
!
vpdn-group vpn-dialin
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 local name PPTP-Tunel
!
interface FastEthernet0/0
 description $FW_INSIDE$$ETH-LAN$
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 rate-limit input access-group 100 16000 8000 8000 conform-action transmit exceed-action drop
 speed auto
 full-duplex
 no mop enabled
!
interface FastEthernet0/1
 description $FW_OUTSIDE$$ETH-WAN$
 ip address xxx.xxx.xxx.xxx 255.255.255.248
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip ips sdm_ips_rule in
 ip nat outside
 ip virtual-reassembly
 rate-limit input access-group 100 16000 8000 8000 conform-action transmit exceed-action drop
 duplex auto
 speed auto
 no mop enabled
!
interface Cellular0/0/0
 description WAN MTS
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer in-band
 dialer string xxxxx
 dialer-group 1
 async mode interactive
 ppp chap hostname xxx
 ppp chap password 7 xxxxxxxxxx
 ppp ipcp dns request
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 peer default ip address pool vpn-pool
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
ip nat inside source route-map FR interface FastEthernet0/1 overload
ip nat inside source route-map 3G interface Cellular0/0/0 overload
route-map 3G permit 10
 match ip address 1 103
 match interface Cellular0/0/0
!
route-map FR permit 10
 match ip address 1 103
 match interface FastEthernet0/1

1 Accepted Solution: a.alekseev's reply below (route-maps matching only access-list 103, with the router's LAN address denied in that list).

10 Replies

a.alekseev
Level 7

show your access-lists

access-list 101 deny tcp any any eq 15000
access-list 101 deny tcp any any eq 8989
access-list 101 deny tcp any any eq 88
access-list 101 deny tcp any any eq www
access-list 101 deny tcp any any eq 16000
access-list 101 deny tcp any any eq 22
access-list 101 deny tcp any any eq 2222
access-list 101 remark Permit all
access-list 101 permit ip any any

The upper part of the ACL is huge, and defines the permitted IPs for the listed ports that are denied here.

show access-l 1 and 103

access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.11.0 0.0.0.255
access-list 1 permit any

access-list 103 permit ip 192.168.10.0 0.0.0.255 any
access-list 103 permit ip 192.168.11.0 0.0.0.255 any
access-list 103 permit ip host 192.168.9.4 any
access-list 103 permit ip host 192.168.9.5 any

What is the IP address of the LAN interface?

interface FastEthernet0/0
 description $FW_INSIDE$$ETH-LAN$
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx

192.168.10.250

Try the following:

route-map 3G permit 10
 match ip address 103
 match interface Cellular0/0/0
!
route-map FR permit 10
 match ip address 103
 match interface FastEthernet0/1

access-list 103 deny ip 192.168.10.250 any
access-list 103 permit ip 192.168.10.0 0.0.0.255 any
access-list 103 permit ip 192.168.11.0 0.0.0.255 any
access-list 103 permit ip host 192.168.9.4 any
access-list 103 permit ip host 192.168.9.5 any
end

clear ip nat tr *
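The thread never spells out why the revised route-map and access-list fix the symptom. The point is that `match ip address 1 103` in one route-map clause is satisfied when either ACL permits the source, and `access-list 1 permit any` permits every source, so the NAT route-map selected traffic from the router's own LAN address 192.168.10.250 (which Virtual-Template1 borrows via `ip unnumbered`) as well. The fix drops ACL 1 and adds an explicit deny for that address in ACL 103. The following added example (my code, not from the thread or from Cisco) is a small, simplified model of IOS ACL wildcard matching and route-map `match ip address` evaluation that runs the two configurations from this thread side by side; the host 192.168.10.20 and the address 10.99.0.1 are constructed sample sources, and a bare address without a wildcard is treated as a host, which is an assumption.

```python
"""Added example: model IOS ACL / route-map `match ip address` evaluation to show which
inside sources the NAT route-maps in this thread select before and after the fix.
This is a simplified reimplementation for illustration, not IOS code."""
import ipaddress
from dataclasses import dataclass

ANY_SRC = ("0.0.0.0", "255.255.255.255")   # IOS "any": every bit wildcarded


@dataclass
class AclEntry:
    action: str       # "permit" or "deny"
    src: str          # source network or host address
    wildcard: str     # IOS wildcard mask: 0-bits must match, 1-bits are ignored

    def matches(self, src_ip: str) -> bool:
        ip = int(ipaddress.IPv4Address(src_ip))
        base = int(ipaddress.IPv4Address(self.src))
        wc = int(ipaddress.IPv4Address(self.wildcard))
        return (ip & ~wc & 0xFFFFFFFF) == (base & ~wc & 0xFFFFFFFF)


def _is_ipv4(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ipaddress.AddressValueError:
        return False


def parse_acl_line(line: str):
    """Parse one `access-list N permit|deny ...` line into (acl_id, AclEntry).
    Only the source field is modelled: every entry in this thread uses protocol `ip`
    and destination `any`, so that is all the comparison needs."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    acl_id, action, rest = tok[1], tok[2], tok[3:]
    if rest[0] in ("ip", "tcp", "udp", "icmp"):   # extended ACL: protocol comes first
        rest = rest[1:]
    if rest[0] == "any":
        src, wc = ANY_SRC
    elif rest[0] == "host":
        src, wc = rest[1], "0.0.0.0"
    elif len(rest) > 1 and _is_ipv4(rest[1]):
        src, wc = rest[0], rest[1]              # address followed by wildcard mask
    else:
        src, wc = rest[0], "0.0.0.0"            # bare address: treated as a host (assumption)
    return acl_id, AclEntry(action, src, wc)


def load_acls(config_text: str) -> dict:
    """Collect access-list lines into {acl_id: [AclEntry, ...]} in configured order."""
    acls: dict = {}
    for line in config_text.strip().splitlines():
        line = line.strip()
        if not line.startswith("access-list") or " remark " in line:
            continue
        acl_id, entry = parse_acl_line(line)
        acls.setdefault(acl_id, []).append(entry)
    return acls


def acl_permits(entries, src_ip: str) -> bool:
    """First matching entry decides; an ACL ends with an implicit deny."""
    for e in entries:
        if e.matches(src_ip):
            return e.action == "permit"
    return False


def route_map_selects(match_acls, acls, src_ip: str) -> bool:
    """`match ip address A B ...` inside one clause is an OR: any listed ACL permitting
    the source satisfies the clause (and thus selects the packet for NAT)."""
    return any(acl_permits(acls.get(a, []), src_ip) for a in match_acls)


def nat_candidates(config_text: str, match_acls, sources) -> dict:
    """Map each candidate source address to True if the route-map would NAT it."""
    acls = load_acls(config_text)
    return {ip: route_map_selects(match_acls, acls, ip) for ip in sources}


# The ACLs as posted in the thread, before the fix (route-maps used `match ip address 1 103`).
BEFORE_ACLS = """
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.11.0 0.0.0.255
access-list 1 permit any
access-list 103 permit ip 192.168.10.0 0.0.0.255 any
access-list 103 permit ip 192.168.11.0 0.0.0.255 any
access-list 103 permit ip host 192.168.9.4 any
access-list 103 permit ip host 192.168.9.5 any
"""
# The accepted fix (route-maps use `match ip address 103` only).
AFTER_ACLS = """
access-list 103 deny ip 192.168.10.250 any
access-list 103 permit ip 192.168.10.0 0.0.0.255 any
access-list 103 permit ip 192.168.11.0 0.0.0.255 any
access-list 103 permit ip host 192.168.9.4 any
access-list 103 permit ip host 192.168.9.5 any
"""
ROUTER_LAN_IP = "192.168.10.250"                       # from the thread
SAMPLE_SOURCES = [ROUTER_LAN_IP, "192.168.10.20", "192.168.9.4", "10.99.0.1"]  # last three constructed

if __name__ == "__main__":
    print("before:", nat_candidates(BEFORE_ACLS, ["1", "103"], SAMPLE_SOURCES))
    print("after: ", nat_candidates(AFTER_ACLS, ["103"], SAMPLE_SOURCES))
```

Run as-is, the "before" line reports every source as selected for translation, including the router's own address and an address that appears in no ACL at all, because ACL 1 ends in `permit any`; the "after" line selects only the intended LAN subnets and hosts and excludes 192.168.10.250. The same helper can be pointed at any pair of `ip nat inside source route-map` ACLs to confirm that a NAT route-map does not catch the router's own interface addresses.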


Hi, Aleksandar

Have you tried?

Yes, right now, and it works!!!

Can you give some insight, for mortals?

Anyway, thanks a lot...
