Firewall IOS and PPTP

danletkeman
Level 1

Hello,

I have a simple VPN connection using PPTP working on multiple routers. I have a newer 2821 running the firewall IOS that I'm trying to do the same VPN connection to. It works on all of the other routers but not on the new one running the firewall IOS. Here is the relevant configuration that I use on all of the other routers:

! "username" is the IOS keyword (the post had "user", which is not a valid command)
username vpn password 0 vpn
!
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
interface Virtual-Template1
 ip address 10.8.8.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 peer default ip address pool vpn
 ppp authentication ms-chap-v2
!
ip local pool vpn 10.8.8.2 10.8.8.3
!
! Applied inbound on the interface facing the ISP (ip access-group 106 in)
access-list 106 permit tcp any host x.x.x.x eq 1723
access-list 106 permit gre any host x.x.x.x

I'm wondering what is different on the newer router that does not allow any GRE connections. I have tried disabling IPS and CBAC completely and just using the access list, and the access list still won't match any of the GRE traffic.

3 Replies

Giuseppe Larosa
Hall of Fame

Hello Dan,

Where is ACL 106 applied?

If, after removing IPS and CBAC, the ACL is not invoked by any feature, it cannot match anything.

Another point: if all routers are configured with accept-dialin, who is going to make the virtual call?

This can also be a problem of authentication on the VPDN.

See also the troubleshooting section of the following doc:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00801e51e2.shtml#maintask1

This can help you to understand what is wrong.

Hope to help

Giuseppe

See RFC 2637.
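Giuseppe's first question is the one to settle before chasing IOS bugs: an ACL that permits GRE but is not bound to the outside interface (or referenced by a feature) never sees a packet, so its counters stay at zero. The script below is an added example, not code from the original thread. It parses a constructed running-config excerpt (the interface names, the 203.0.113.10 address and the sample lines are assumptions) and reports whether a numbered ACL permits TCP/1723 and GRE and where it is applied inbound with `ip access-group <acl> in`.

```python
"""Check that a Cisco IOS running-config actually applies the PPTP/GRE ACL.

Added example, not from the original thread. It parses a constructed
running-config excerpt and reports whether an extended ACL that permits
TCP/1723 and GRE is bound inbound on some interface. ACL number 106,
the interface names and the address are assumptions, not the poster's.
"""
import re

# Constructed sample: the poster's ACL shape plus an outside interface that
# binds it. Not a real device config.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 description outside (ISP)
 ip address dhcp
 ip access-group 106 in
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
access-list 106 permit tcp any host 203.0.113.10 eq 1723
access-list 106 permit gre any host 203.0.113.10
access-list 106 deny ip any any
"""

ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (\S+)(.*)$")
IFACE_RE = re.compile(r"^interface (\S+)")
GROUP_RE = re.compile(r"^\s+ip access-group (\S+) (in|out)$")


def parse_acls(config):
    """Return {acl_number: [(action, protocol, rest), ...]} from numbered ACL lines."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(
                (m.group(2), m.group(3), m.group(4).strip()))
    return acls


def parse_bindings(config):
    """Return [(interface, acl, direction), ...] for every ip access-group line."""
    bindings, current = [], None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = GROUP_RE.match(line)
        if m and current:
            bindings.append((current, m.group(1), m.group(2)))
    return bindings


def pptp_acl_status(config, acl="106"):
    """Summarise whether ACL `acl` permits PPTP control + GRE and where it is applied."""
    entries = parse_acls(config).get(acl, [])
    permits_1723 = any(a == "permit" and p == "tcp" and "eq 1723" in r
                       for a, p, r in entries)
    permits_gre = any(a == "permit" and p == "gre" for a, p, r in entries)
    inbound = [i for i, a, d in parse_bindings(config) if a == acl and d == "in"]
    return {
        "permits_tcp_1723": permits_1723,
        "permits_gre": permits_gre,
        "applied_inbound_on": inbound,
        # Both permits present AND bound inbound somewhere; otherwise the ACL
        # exists but cannot match the GRE traffic, which is the symptom in the thread.
        "effective": permits_1723 and permits_gre and bool(inbound),
    }


if __name__ == "__main__":
    print(pptp_acl_status(SAMPLE_CONFIG))
    # Same config with the binding removed: the ACL is present but matches nothing.
    print(pptp_acl_status(SAMPLE_CONFIG.replace(" ip access-group 106 in\n", "")))
```

On the device itself the equivalent check is `show ip interface <outside>` (look for "Inbound access list is 106") and `show access-lists 106` to see whether the GRE entry's match counter moves while a client connects.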

ACL 106 is applied incoming on the outside interface facing my ISP.

The virtual call is coming from a Windows or Linux host. This part is all working because I have tested it from inside the LAN and I have tested it on other routers that are not running the IOS Firewall.

Even when I have IPS and CBAC enabled, it only matches TCP port 1723 and not GRE.

This 2821 is running: c2800nm-adventerprisek9-mz.124-20.T.bin

I have now configured a 2801 for testing with c2801-adventerprisek9-mz.124-13b.bin; it is running CBAC and the PPTP connection works!

So this is leading me to believe that either the ISP that the 2821 is connected to is now allowing GRE traffic or there is something wrong with this IOS version: c2800nm-adventerprisek9-mz.124-20.T.bin
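The symptom in the thread (TCP/1723 matches, GRE never does) is worth separating from what the GRE traffic actually looks like on the wire. PPTP does not use plain GRE: RFC 2637 defines an "enhanced" GRE with version 1, protocol type 0x880B and a Key field carrying the payload length and the Call ID negotiated over TCP/1723, which is what a PPTP-aware inspector (CBAC's PPTP inspection, or any stateful firewall) keys on to open the GRE pinhole. The parser below is an added example, not code from the original thread or from Cisco; the packets are constructed by hand, not captured from the poster's routers, and the Call ID 0x1234 and the PPP bytes are assumptions.

```python
"""Parse the GRE encapsulation PPTP uses for its data channel (RFC 2637, sec. 4.1).

Added example, not part of the original thread. The packets are constructed,
not captured. It shows the fields a PPTP-aware firewall checks before
admitting a GRE packet: version 1, protocol type 0x880B and the Call ID.
"""
import struct

PPTP_GRE_PROTO = 0x880B  # PPP carried in enhanced GRE (RFC 2637)


def _field(pkt, off, fmt):
    """Unpack `fmt` at offset `off`, raising ValueError instead of struct.error."""
    size = struct.calcsize(fmt)
    if len(pkt) < off + size:
        raise ValueError("truncated GRE header")
    return struct.unpack(fmt, pkt[off:off + size]), off + size


def build_pptp_gre(call_id, payload, seq=None, ack=None):
    """Build an enhanced-GRE header + payload as a PPTP peer would send it."""
    flags0 = 0x20                   # K=1 (key present); C, R, s, Recur = 0
    flags1 = 0x01                   # Ver = 1 (enhanced GRE)
    if seq is not None:
        flags0 |= 0x10              # S=1: sequence number present
    if ack is not None:
        flags1 |= 0x80              # A=1: acknowledgment number present
    hdr = struct.pack("!BBHHH", flags0, flags1, PPTP_GRE_PROTO, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def parse_gre(pkt):
    """Describe a GRE header (v0 plain or v1 enhanced); ValueError if malformed."""
    (flags0, flags1, proto), off = _field(pkt, 0, "!BBH")
    info = {
        "version": flags1 & 0x07,
        "proto": proto,
        "key_present": bool(flags0 & 0x20),
        "seq_present": bool(flags0 & 0x10),
        "ack_present": bool(flags1 & 0x80),
    }
    if info["version"] == 1:
        # RFC 2637: Key = payload length (16 bits) + Call ID (16 bits), mandatory
        if not info["key_present"]:
            raise ValueError("enhanced GRE without key field")
        (info["payload_len"], info["call_id"]), off = _field(pkt, off, "!HH")
        if info["seq_present"]:
            (info["seq"],), off = _field(pkt, off, "!I")
        if info["ack_present"]:
            (info["ack"],), off = _field(pkt, off, "!I")
    else:
        # Plain GRE (RFC 2784/2890): optional checksum, key, sequence number
        if flags0 & 0x80:
            _, off = _field(pkt, off, "!I")
        if info["key_present"]:
            (info["key"],), off = _field(pkt, off, "!I")
        if info["seq_present"]:
            _, off = _field(pkt, off, "!I")
    info["header_len"] = off
    return info


def is_pptp_data(pkt, expected_call_id):
    """The check a PPTP-aware inspector makes before admitting a GRE packet."""
    try:
        g = parse_gre(pkt)
    except ValueError:
        return False
    return (g["version"] == 1 and g["proto"] == PPTP_GRE_PROTO
            and g.get("call_id") == expected_call_id)


if __name__ == "__main__":
    ppp = b"\xff\x03\xc0\x21\x01\x01\x00\x04"   # constructed PPP LCP fragment
    pkt = build_pptp_gre(call_id=0x1234, payload=ppp, seq=7)
    print(parse_gre(pkt))
    plain = b"\x00\x00\x08\x00"                 # constructed plain GRE v0, IPv4 inside
    print(parse_gre(plain), is_pptp_data(plain, 0x1234))
```

A static `permit gre any host x.x.x.x` admits both header forms, since the ACL only looks at IP protocol 47; a stateful PPTP inspector additionally requires the version, protocol type and Call ID to match a control session it has already seen on TCP/1723, which is why a device that inspects PPTP can pass the control channel yet still drop the data channel.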

Hello Dan,

It is possible you have hit a software bug on the C2821 with 12.4(20)T.

Or you might also need to add or modify configuration for it to work.

Cisco Feature Navigator reports PPTP with MPPE as the only PPTP feature.

Here is the feature description:

http://www.cisco.com/en/US/docs/ios/12_1t/12_1t5/feature/guide/dt_pptp.html

But the configuration looks similar to yours.

Hope to help

Giuseppe
