Protocols for Win VPN pptp in ACL

Unanswered Question
Jun 25th, 2010


I made a configuration to connect computers using the Windows VPN client, with PPTP set up on the router and MPPE encryption.

Using this:

Now I have a problem with ACL.

Which protocols must be opened on the outside port?

I'm using a C871.

My configuration:

Current configuration : 9906 bytes
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname xxx
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 xxxx
aaa new-model
aaa authentication login local_authen local
aaa authorization exec local_author local
aaa session-id common
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
crypto pki trustpoint TP-self-signed-255774071
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-255774071
revocation-check none
rsakeypair TP-self-signed-255774071
crypto pki certificate chain TP-self-signed-255774071
certificate self-signed 01
dot11 syslog
no ip source-route
ip dhcp excluded-address
ip dhcp pool ccp-pool1
   import all
ip cef
no ip bootp server
ip domain name
ip name-server
ip name-server
no ipv6 cef
multilink bundle-name authenticated
vpdn enable
vpdn-group 1
! Default PPTP VPDN group
  protocol pptp
  virtual-template 1
username gwo privilege 15 secret 5 xxx
username testowe secret 5 xxxx
log config
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
class-map type inspect match-any VPN_laptop
match protocol l2tp
match protocol pptp
match protocol gtpv0
match protocol gtpv1
match protocol gdoi
match protocol ipsec-msft
match protocol isakmp
match protocol ssp
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any test
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-cls-ccp-permit-icmpreply-2
match class-map test
match access-group 150
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-all ccp-cls-ccp-permit-1
match class-map VPN_laptop
match access-group 110
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-cls-ccp-permit-icmpreply-2
class class-default
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
class type inspect ccp-insp-traffic
class type inspect ccp-sip-inspect
class type inspect ccp-h323-inspect
class type inspect ccp-h323annexe-inspect
class type inspect ccp-h225ras-inspect
class type inspect ccp-h323nxg-inspect
class type inspect ccp-skinny-inspect
policy-map type inspect ccp-permit
class type inspect ccp-cls-ccp-permit-1
class class-default
policy-map type inspect ccp-pol-outToIn
class type inspect CCP_PPTP
class class-default
  drop log
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
interface Virtual-Template1
description $FW_INSIDE$
ip unnumbered FastEthernet4
zone-member security in-zone
peer default ip address pool test
no keepalive
ppp encrypt mppe auto required
ppp authentication ms-chap
interface Vlan1
ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
ip local pool test
ip forward-protocol nd
ip route
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host any
access-list 100 permit ip any
access-list 100 permit ip any
access-list 110 remark CCP_ACL Category=128
access-list 110 permit ip any any
access-list 150 remark CCP_ACL Category=128
access-list 150 permit ip any any
no cdp run

banner exec ^C
% Password expiration warning.

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you
want to use.

banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
authorization exec local_author
login authentication local_authen
transport input telnet ssh
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
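On this router the firewall is zone-based, so what the outside interface admits is decided by the class-maps that the out-zone policies pull in, not by a single interface ACL. PPTP needs both its TCP/1723 control connection and the GRE (IP protocol 47) tunnel, which is why the posted policies reference both the pptp protocol match and the SDM_GRE access list. As an added example (not code from the original post or from Cisco), this Python helper parses the ZBF parts of the config above and expands each zone-pair's policy down to the protocols and ACL entries it classifies; the excerpt is constructed from the posted config, and only classification is resolved, not the inspect/pass/drop action.

```python
# Constructed excerpt of the zone-based firewall config posted above (the paste lost indentation).
CONFIG = """class-map type inspect match-any VPN_laptop
match protocol l2tp
match protocol pptp
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-all ccp-cls-ccp-permit-1
match class-map VPN_laptop
policy-map type inspect ccp-permit
class type inspect ccp-cls-ccp-permit-1
policy-map type inspect ccp-pol-outToIn
class type inspect CCP_PPTP
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
ip access-list extended SDM_GRE
permit gre any any"""

def parse(cfg):
    cm, pm, zp, acl, cur = {}, {}, {}, {}, None  # class-maps, policy-maps, zone-pairs, named ACLs
    for t in (l.split() for l in cfg.splitlines() if l.strip()):
        if t[0] == "class-map":                 # `cur` always points at the block being filled
            cur = cm[t[-1]] = {"mode": t[3], "matches": []}
        elif t[0] == "policy-map":
            cur = pm[t[-1]] = []
        elif t[0] == "zone-pair":
            cur = zp[t[2]] = {"pair": f"{t[4]}->{t[6]}", "policy": None}
        elif t[:2] == ["ip", "access-list"]:
            cur = acl[t[3]] = []
        elif t[0] == "match":  # protocol X | access-group name X | class-map X
            cur["matches"].append((t[1], t[2] if t[1] == "protocol" else t[-1]))
        elif t[0] == "service-policy":
            cur["policy"] = t[-1]
        elif t[0] in ("class", "permit", "deny"):  # policy class entry or ACL entry
            cur.append(t[-1] if t[0] == "class" else " ".join(t))
    return cm, pm, zp, acl

def resolve(name, cm, acl):  # -> (mode, criteria); match-all ANDs them, match-any ORs them
    crit = [f"protocol {v}" if k == "protocol"
            else f"acl {v}: " + "; ".join(acl.get(v, ["<undefined>"])) if k == "access-group"
            else resolve(v, cm, acl) for k, v in cm[name]["matches"]]
    return (cm[name]["mode"], crit)

def zone_pair_report(cfg):  # per zone-pair: the classes its policy acts on, fully expanded
    cm, pm, zp, acl = parse(cfg)
    return {z["pair"]: {c: resolve(c, cm, acl) for c in pm[z["policy"]]} for z in zp.values()}
```

Running `zone_pair_report(CONFIG)` shows that out-zone->self classifies on the pptp (and l2tp) protocol match while out-zone->in-zone classifies on the GRE ACL, so both zone-pairs have to be reviewed together when deciding what the outside port admits.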

pwolsza_wolfik1 Sat, 06/26/2010 - 12:34

This tutorial is very useful.

Unfortunately on my router there are a lot of already configured ACL rules.

I do not want to destroy something that works perfectly; I just want to add some rules to allow connecting through L2TP and to ping a server which is inside.

All the rules were made using the automatic creator in CCP.

