Cisco 881W - How to set in-zone to out-zone open?

mdw
Level 1

Hello,

How can I configure the firewall of the Cisco 881W router so all LAN to WAN traffic is allowed?
Preferably how to do it by use of the CP professional tool.

So far I have configured the firewall with the CPP wizard and edited the Firewall Policy manually to allow TCP, UDP and icmp in the in-zone to out-zone section.

However all basic traffic like HTTP, HTTPS, Live Messenger ... passes through the router but a MS-VPN client installed on PCs on the LAN is unable to connect to the remote VPN-server.

First a PPTP connection is made, but after that, the logon screen never appears and a timeout popup shows up. When I remove all lines in the CPP Edit Firewall Policy (similar to disable firewall) the logon screen appears and a connection can be made.
What is used next to TCP, UDP and icmp to transport MS-VPN-Client packets? Or did I forget something else?

Any help appreciated,

Maxim

5 Replies

Jon Marshall
Hall of Fame

Maxim

If it is a PPTP connection, in addition to TCP port 1723 which you have already allowed you need to allow GRE through your firewall. Note that GRE is not TCP/UDP or ICMP. It is its own protocol number at the IP layer.

GRE is protocol number 47

Edit - GRE is not stateful in the same way as TCP for example so you not only need to allow GRE out but also back in.

Jon

Jon,

Is there a way to allow all protocol numbers from the in to the out zone and not just GRE (47) ...? (and how can this be done in CCP)

Maxim

Maxim

You could allow all protocols but you would manually have to add each of them. Other than that the only way to do it would be to turn off the firewall I'm afraid.

I think apart from TCP/UDP/ICMP + GRE you probably wouldn't need anything else as most apps that you would want to run would use TCP or UDP so you should be fine.

Sorry but I have never used CCP, I am a CLI person myself.

Jon

Hi Jon,

Could you give the CLI command(s) I need to enter to add GRE?

Regards,

Maxim

access-list 101 permit gre any any

the above assumes that your existing acl is access-list 101

Jon
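Since the CCP wizard builds a zone-based firewall (in-zone / out-zone policies) rather than the classic ACL in Jon's one-liner, here is the same advice expressed as IOS zone-based firewall configuration. This is an added example, not configuration from the thread; it assumes the zone names in-zone and out-zone that the CCP wizard creates, and the ACL, class-map and policy-map names are ours. The out-to-in pass for GRE is the "allow it back in" step Jon mentions, because GRE has no TCP-style session state for the inspect engine to track.

```cisco
! Match GRE (IP protocol 47), which carries the PPTP tunnel after TCP/1723 sets it up.
! "any any" mirrors Jon's ACL; replacing the source with the remote VPN server's
! address (a value not given in the thread) keeps the return-direction hole narrower.
ip access-list extended ACL-GRE
 permit gre any any
!
class-map type inspect match-all CM-GRE
 match access-group name ACL-GRE
!
! TCP, UDP and ICMP can be inspected statefully, so replies come back automatically.
class-map type inspect match-any CM-TCP-UDP-ICMP
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! LAN -> WAN: inspect the stateful protocols, pass GRE (it cannot be inspected).
policy-map type inspect PM-IN-OUT
 class type inspect CM-TCP-UDP-ICMP
  inspect
 class type inspect CM-GRE
  pass
 class class-default
  drop
!
! WAN -> LAN: only GRE is passed; everything else unsolicited is still dropped.
policy-map type inspect PM-OUT-IN
 class type inspect CM-GRE
  pass
 class class-default
  drop
!
zone-pair security in-out source in-zone destination out-zone
 service-policy type inspect PM-IN-OUT
zone-pair security out-in source out-zone destination in-zone
 service-policy type inspect PM-OUT-IN
```

After applying it, "show policy-map type inspect zone-pair" lets you confirm the GRE class is matching packets in both zone pairs while the PPTP client connects.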
