Cisco 881W - How to set in-zone to out-zone open?


Hello,

How can I configure the firewall of the Cisco 881W router so that all LAN to WAN traffic is allowed?
Preferably, how do I do it with the Cisco Configuration Professional (CCP) tool?

So far I have configured the firewall with the CCP wizard and edited the Firewall Policy manually to allow TCP, UDP and ICMP in the in-zone to out-zone section.

However, all basic traffic like HTTP, HTTPS, Live Messenger ... passes through the router, but an MS VPN client installed on PCs on the LAN is unable to connect to the remote VPN server.

First a PPTP connection is made, but after that the logon screen never appears and a timeout popup shows up. When I remove all lines in the CCP Edit Firewall Policy (similar to disabling the firewall), the logon screen appears and a connection can be made.
What is used besides TCP, UDP and ICMP to transport MS VPN client packets? Or did I forget something else?

Any help appreciated,

Maxim

Jon Marshall Fri, 01/22/2010 - 02:39

Maxim

If it is a PPTP connection, then in addition to TCP port 1723, which you have already allowed, you need to allow GRE through your firewall. Note that GRE is not TCP, UDP or ICMP. It is its own protocol number at the IP layer.

GRE is protocol number 47

Edit - GRE is not stateful in the same way as TCP, for example, so you not only need to allow GRE out but also back in.

Jon
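The policy Jon describes, written out as an IOS zone-based firewall fragment for the CLI. This is an added example, not configuration from the original post or from Cisco: the zone names in-zone and out-zone match what CCP generates, but the class-map and policy-map names, the interface names (Vlan1 as LAN, FastEthernet4 as WAN on an 881W) and the VPN server address 203.0.113.10 are assumptions for illustration. TCP (including port 1723) and UDP/ICMP are handled by the stateful `inspect` action; GRE gets a stateless `pass` on both zone pairs, because the return GRE packets are not matched to a session:

```cisco
! Added example: PPTP client on the LAN (in-zone) to a VPN server on the WAN (out-zone).
! Assumptions: zone names as generated by CCP; interface names of an 881W;
! VPN server 203.0.113.10 (documentation address, replace with the real server).

! TCP, UDP and ICMP are stateful: inspect creates a session entry, and the
! return traffic is admitted automatically. TCP 1723 (PPTP control) is covered here.
class-map type inspect match-any CM-IN-OUT-STATEFUL
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Only GRE (IP protocol 47) to/from the VPN server.
! Restricting the peer address limits what the stateless pass rule exposes.
ip access-list extended ACL-GRE-PEER
 permit gre any host 203.0.113.10
ip access-list extended ACL-GRE-PEER-RETURN
 permit gre host 203.0.113.10 any
!
class-map type inspect match-all CM-GRE-OUT
 match access-group name ACL-GRE-PEER
class-map type inspect match-all CM-GRE-IN
 match access-group name ACL-GRE-PEER-RETURN
!
! in-zone -> out-zone: stateful inspection for TCP/UDP/ICMP, stateless pass for GRE.
policy-map type inspect PM-IN-OUT
 class type inspect CM-IN-OUT-STATEFUL
  inspect
 class type inspect CM-GRE-OUT
  pass
 class class-default
  drop log
!
! out-zone -> in-zone: GRE is not stateful, so the return direction needs its own pass.
! Nothing else is opened inbound; inspected TCP/UDP/ICMP returns via the session table.
policy-map type inspect PM-OUT-IN
 class type inspect CM-GRE-IN
  pass
 class class-default
  drop log
!
zone security in-zone
zone security out-zone
!
zone-pair security IN-OUT source in-zone destination out-zone
 service-policy type inspect PM-IN-OUT
zone-pair security OUT-IN source out-zone destination in-zone
 service-policy type inspect PM-OUT-IN
!
interface Vlan1
 zone-member security in-zone
interface FastEthernet4
 zone-member security out-zone
```

After applying it, `show policy-map type inspect zone-pair sessions` shows the TCP 1723 session while the tunnel is up, and the GRE classes' packet counters under `show policy-map type inspect zone-pair` should increment in both directions; a GRE counter that rises only on IN-OUT is the symptom of the missing return rule. If the VPN server address is not fixed, replace `host 203.0.113.10` with `any` in both ACLs, accepting that GRE from any Internet host is then passed to the LAN.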

Jon Marshall Fri, 01/22/2010 - 02:54


Jon,

Is there a way to allow all protocol numbers from the in to the out zone and not just GRE (47) ...? (and how can this be done in CCP)

Maxim

Maxim

You could allow all protocols, but you would manually have to add each of them. Other than that, the only way to do it would be to turn off the firewall, I'm afraid.

I think that apart from TCP/UDP/ICMP + GRE you probably wouldn't need anything else, as most apps that you would want to run use TCP or UDP, so you should be fine.

Sorry, but I have never used CCP; I am a CLI person myself.

Jon
