Unable to get PPTP to server

Answered Question
May 18th, 2010

Hi,


I'm having some issues getting PPTP access to a Windows 2008 server behind a Cisco 877 ISR. I have forwarded port 1723 and opened the firewall to allow access to that server. I have also allowed GRE access, but when connecting from an external source I still time out, with an error saying that GRE is not allowed.



Current configuration : 9271 bytes
!
! Last configuration change at 15:14:23 London Sat Aug 8 2009 by sa_mprit
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DSL-RT01
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
!
no aaa new-model
!
!
!
clock timezone London 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1816409427
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1816409427
revocation-check none
rsakeypair TP-self-signed-1816409427
!
!
crypto pki certificate chain TP-self-signed-1816409427
certificate self-signed 01
  3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31383136 34303934 3237301E 170D3039 30373238 31333332
  35325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38313634
  30393432 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100E1C7 E42F3DE4 6933D627 D982F02B A85BF10E 1412C7A8 591869D3 715278DF
  58F2D9EB 43A32AB5 D43B48C5 4735E024 5D229CB3 36375B9A 3DC5E55D 55C69AD4
  877CFEF8 C54B34AD 5D73B7CC 6D2EB63F 7BA81664 4B59D619 48CB69BD 93142805
  2C4CCE00 D49E663D 54F36FA7 4D4592A8 545E592A 36D509F6 E1F8CE02 944B3433
  AD4B0203 010001A3 76307430 0F060355 1D130101 FF040530 030101FF 30210603
  551D1104 1A301882 1644534C 2D525430 312E7061 72656E74 612E636F 2E756B30
  1F060355 1D230418 30168014 462B7C7E E7EE730E 95F7CAEF CE974136 805E2F70
  301D0603 551D0E04 16041446 2B7C7EE7 EE730E95 F7CAEFCE 97413680 5E2F7030
  0D06092A 864886F7 0D010104 05000381 81003CEA 10D5184C F50B35B0 19DA715D
  22874030 09141D27 51BA0489 3FFFBE8B 0C0EDCE6 3ABEE3CF AAF83862 C178C55B
  BCF01226 5E32444C 7A21611F 08C75C70 F02E1C12 5A36EC54 C1FE5B39 F61787EF
  FF1CC867 B3224BDE ECCA809F DBA889FB 3C812B28 6ABEE177 074D9ABE 03E46590
  851B7A08 AC62034E 35A895C8 E3181FEB 8108
   quit
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip bootp server
ip domain name parenta.co.uk
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
ip port-map user-protocol--1 port tcp 3389
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username xxx privilege 15 password 0 xxxx
username xxx privilege 15 password 0 xxxx
!
!
!
class-map type inspect match-any TSRDP
match protocol user-protocol--1
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-2
match class-map TSRDP
match access-group name TSRDP
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 101
match protocol user-protocol--1
class-map type inspect match-any MPRDC
match protocol user-protocol--1
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-1
match class-map MPRDC
match access-group name MPRDC
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any VPN
match class-map SDM_GRE
match protocol pptp
class-map type inspect match-all sdm-nat-pptp-1
match access-group 104
match class-map VPN
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any sdm-service-sdm-pol-NATOutsideToInside-1
match protocol pptp
match protocol isakmp
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-protocol-http
match protocol http
class-map type inspect match-all sdm-nat-https-1
match access-group 102
match protocol https
class-map type inspect match-all sdm-nat-ftp-1
match access-group 103
match protocol ftp
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
  inspect
class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-user-protocol--1-1
  inspect
class type inspect sdm-nat-https-1
  inspect
class type inspect sdm-nat-ftp-1
  inspect
class type inspect sdm-nat-pptp-1
  inspect
class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-1
  inspect
class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-2
  inspect
class class-default
  drop log
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
  drop log
class type inspect sdm-insp-traffic
  inspect
class type inspect sdm-protocol-http
  inspect
class type inspect SDM-Voice-permit
  inspect
class class-default
  pass
policy-map type inspect sdm-permit
class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
!
interface ATM0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.0.100 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
!
interface Dialer0
description $FW_OUTSIDE$
ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxx
ppp chap password 0 PARENTA1
ppp pap sent-username xxx password 0 xxx
!
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat pool WORKSTATION xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.248
ip nat pool PARENTANAT xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.248
ip nat inside source list 1 pool WORKSTATION overload
ip nat inside source static tcp 192.168.0.8 3389 xxx.xxx.xxx.xxx 3389 extendable
ip nat inside source static tcp 192.168.0.4 3389 xxx.xxx.xxx.xxx 3389 extendable
ip nat inside source static tcp 192.168.0.77 21 xxx.xxx.xxx.xxx 21 extendable
ip nat inside source static tcp 192.168.0.77 443 xxx.xxx.xxx.xxx 443 extendable
ip nat inside source static tcp 192.168.0.4 1723 xxx.xxx.xxx.xxx 1723 extendable
ip nat inside source static tcp 192.168.0.3 3389 xxx.xxx.xxx.xxx 3389 extendable
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended MPRDC
remark SDM_ACL Category=128
permit ip any host 192.168.0.4
ip access-list extended SDM_GRE
remark CCP_ACL Category=0
permit gre any any
ip access-list extended TSRDP
remark SDM_ACL Category=128
permit ip any host 192.168.0.8
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 81.142.74.120 0.0.0.7 any
access-list 100 permit gre any any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.0.3
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.0.77
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.0.77
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 192.168.0.4
access-list 104 permit gre any any
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
!
control-plane
!
!
banner login ^CThis is a managed router if you are not the admin of this router please log off now^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end


Any help would be great


Many thanks

Tanveer Deewan Wed, 06/09/2010 - 12:31
Hi Alex,


In the configuration I see that you have inspected the GRE traffic coming into the network. ZBF cannot inspect non-IP traffic, so you need to define the 'pass' action for that while keeping the 'inspect' action for PPTP traffic. Once you do this, you will also need to 'pass' the return GRE traffic from in-zone to out-zone.


If that still does not resolve your issue, turn on the audit-trail using 'ip inspect audit-trail' and check the logs to see what traffic ZBF drops and proceed accordingly.


Tanveer Dewan

[email protected]
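One way to apply this to the posted configuration, as an added example that is not part of the original thread (the ACL and class-map names PPTP-SERVER, PPTP-CTRL-IN, GRE-TO-SERVER, GRE-FROM-SERVER, GRE-IN and GRE-OUT are my own; the server address 192.168.0.4, the policy-map names and the zone-pairs are taken from the config above). In the posted config the class sdm-nat-pptp-1 matches both pptp and GRE (via the VPN class-map and access-list 104) and applies 'inspect' to the lot, so the GRE packets go to the inspect engine, which keeps no session state for IP protocol 47. The change below keeps a stateful 'inspect' for the TCP/1723 control channel only and passes GRE statelessly in both directions. The posted in-to-out policy sdm-inspect already ends in 'class class-default / pass', so return GRE is not blocked today, but an explicit class keeps the VPN working if class-default is later tightened to drop.

```cisco
! GRE (IP protocol 47) carries the PPTP data channel and has no L4 state
! for the inspect engine, so inspect only the TCP/1723 control channel
! and pass GRE. Names below are assumptions for this example.
!
! 1. Control channel: TCP/1723 to the PPTP server, inspected (stateful)
ip access-list extended PPTP-SERVER
 remark PPTP control connections to the Windows 2008 server
 permit tcp any host 192.168.0.4 eq 1723
!
class-map type inspect match-all PPTP-CTRL-IN
 match access-group name PPTP-SERVER
 match protocol pptp
!
! 2. Data channel: GRE to and from the same server, passed (stateless)
ip access-list extended GRE-TO-SERVER
 permit gre any host 192.168.0.4
ip access-list extended GRE-FROM-SERVER
 permit gre host 192.168.0.4 any
!
class-map type inspect match-all GRE-IN
 match access-group name GRE-TO-SERVER
class-map type inspect match-all GRE-OUT
 match access-group name GRE-FROM-SERVER
!
! 3. Outside -> inside: remove the class that inspects GRE, then add the
!    split classes. class-default (drop log) stays last automatically.
policy-map type inspect sdm-pol-NATOutsideToInside-1
 no class type inspect sdm-nat-pptp-1
 class type inspect PPTP-CTRL-IN
  inspect
 class type inspect GRE-IN
  pass
!
! 4. Inside -> outside: pass the return GRE explicitly rather than
!    relying on the 'pass' in class-default
policy-map type inspect sdm-inspect
 class type inspect GRE-OUT
  pass
```

Verify with `show policy-map type inspect zone-pair sdm-zp-NATOutsideToInside-1` (the GRE-IN class counters should increase while a client connects) and, with `ip inspect audit-trail` and `ip inspect log drop-pkt` enabled, `show logging | include FW-` to see what the firewall is still dropping. One thing the firewall change does not cover: the static NAT entry for 192.168.0.4 on the outside address translates only TCP/1723, so whether inbound GRE is translated to the server at all depends on the IOS NAT PPTP ALG on this release. Check `show ip nat translations` during a connection attempt; if no GRE translation appears, replace the port-specific entry with a full one-to-one `ip nat inside source static 192.168.0.4 <public-ip>` for that server (the public address is assumed here, as it is redacted in the post).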
