12-21-2006 12:12 PM - edited 02-21-2020 02:47 PM
I have Windows PPTP VPN access set up on an 1841 router. I need to be able to restrict access to internal hosts for VPN users. I have tried 'username access-class', but it does not seem to be working, unless I am just formatting my access list wrong or something.
!
username vpntest access-class 150 password test
access-list 150 permit ip 192.168.85.0 0.0.0.255 host 10.1.16.67
access-list 150 deny ip any any
The VPDN pool is 192.168.85.0/24, the main internal network is 192.168.80.0/24, with several others as well (10.1.16.0/24).
In the example above, I want the VPN user to only be able to access that particular host. However, when I log in, I can ping any host.
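One way to get the restriction the post is asking for, as an added example and not the poster's own config. The `access-class` option on a `username` entry only governs the EXEC (vty) line that user logs in to; it is never consulted for packets forwarded over the user's PPP session. Traffic from a PPTP client enters the router on a Virtual-Access interface cloned from the Virtual-Template, so an interface ACL applied there is what actually filters it. The ACL number, pool and target host are taken from the post; the `remark`, the `log` keyword and the verification commands are assumptions:

```cisco
! Added example, not the poster's running config.
! Reuses ACL 150, VPDN pool 192.168.85.0/24 and target host 10.1.16.67 from the post.
!
! Rebuild the ACL so only the one host is reachable from VPN clients.
no access-list 150
access-list 150 remark PPTP users may reach 10.1.16.67 only
access-list 150 permit ip 192.168.85.0 0.0.0.255 host 10.1.16.67
access-list 150 deny   ip any any log
!
! Apply it inbound on the template; every Virtual-Access interface cloned
! from it inherits the filter. Sessions already up keep the old clone,
! so reconnect the client after this change.
interface Virtual-Template1
 ip access-group 150 in
!
! Verification (assumed commands):
!   show ip interface virtual-access 1     -> "Inbound access list is 150"
!   show ip access-lists 150               -> per-line match counters
```

This filters per template, i.e. the same rule for every PPTP user. If different users need different reach, the ACL has to be pushed per session by AAA (for example a RADIUS `Filter-Id` or `ip:inacl` attribute) rather than by the local `username` line.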
12-21-2006 12:32 PM
Hi,
I also am trying to set up Windows PPTP VPN access on a Cisco 1841 router with IOS version 12.4. Could you please help me with the configs you used, as I am getting an error 619 message whenever I try connecting. I have a context-based access list firewall configured on the Internet interface. This is inspecting cuseeme, ftp, realaudio, tftp, udp, icmp and esmtp out. I have an extended access list configured on the LAN interface permitting protocol GRE and TCP port 1723, but it still gives me the same error. I can however connect when I am connected on the local LAN. This informs me it is an issue with the firewall configs. Any help please, asap.
Thanks
12-21-2006 03:55 PM
You say you have an access list on the LAN interface permitting GRE and 1723; do you also have one on the WAN interface, or was that a typo?
Here is what I have used to learn how to set up PPTP:
http://www.parkansky.com/tutorials/pptp.htm
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00801e51e2.shtml
I also change the setup of the Windows VPN client: set 'Type of VPN: PPTP' and under 'Security', select Custom, then check MS-CHAP and MS-CHAPv2.
Post your configs and I may be able to help more.
12-22-2006 03:27 AM
Thanks cmonks, I tried all the configs but am still getting the same error 619 message when establishing from the Internet. These are the configs:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname VPN Router
boot-start-marker
boot-end-marker
enable secret 5 $1$3GyN$7uNpSCfTKaEjFSktuzSba.
aaa new-model
aaa authentication login userauthen local
aaa authentication ppp default local-case
aaa authorization network default local
aaa authorization network groupauthor local
aaa session-id common
resource policy
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
ip inspect name myfw cuseeme
ip inspect name myfw ftp
ip inspect name myfw http
ip inspect name myfw rcmd
ip inspect name myfw realaudio
ip inspect name myfw tftp
ip inspect name myfw udp
ip inspect name myfw tcp
ip inspect name myfw icmp
ip inspect name myfw esmtp
ip ips notify SDEE
vpdn enable
no vpdn aaa untagged default
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
username xxxx password 7 113B1C084444520D07292E373B
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group CISCOVPNclient
key cisco
pool clients
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
no ip address
duplex auto
speed auto
interface FastEthernet0
description WAN interface
encapsulation dot1Q 230
ip address 192.168.10.4 255.255.255.240
ip access-group incontrol in
ip nat outside
ip inspect myfw out
ip virtual-reassembly
no snmp trap link-status
crypto map clientmap
interface FastEthernet0/1
ip address 172.16.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ntp broadcast
interface Virtual-Template1
ip unnumbered FastEthernet0
peer default ip address pool MSVPN
no keepalive
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2
ip local pool CISCOVPNclient 192.168.100.1 192.168.100.5
ip local pool MSVPN 172.16.1.240 172.16.1.249
ip classless
ip http server
no ip http secure-server
ip nat inside source route-map ISgtw interface FastEthernet0 overload
ip route 0.0.0.0 0.0.0.0 192.168.10.20
ip access-list extended mylan
permit tcp 172.16.1.0 0.0.0.255 any eq www
permit tcp 172.16.1.0 0.0.0.255 any eq 443
permit tcp 172.16.1.0 0.0.0.255 any eq ftp
permit icmp 172.16.1.0 0.0.0.255 any echo
permit tcp host 172.16.1.2 any eq smtp
permit tcp host 172.16.1.2 any eq pop3
permit tcp 172.16.1.0 0.0.0.255 any eq 1723
permit tcp 172.16.1.0 0.0.0.255 any eq smtp
permit tcp 172.16.1.0 0.0.0.255 any eq pop3
permit gre 172.16.1.0 0.0.0.255 any
ip access-list extended incontrol
permit tcp any host 192.168.10.4 eq smtp
permit tcp any host 192.168.10.4 eq 443
permit esp any host 192.168.10.4
permit udp any eq isakmp host 192.168.10.4
permit tcp any host 192.168.10.4 eq 1723
permit gre any host 192.168.10.4
permit udp any host 192.168.10.4 eq isakmp
permit udp any host 192.168.10.4 eq non500-isakmp
permit udp any host 192.168.10.4 eq 1000
permit tcp any host 192.168.10.4 eq 51
permit tcp any host 192.168.10.4 eq 1000
permit udp any host 192.168.10.4 eq 62515
deny ip any any
route-map ISgtw permit 50
match ip address mylan
control-plane
line con 0
line aux 0
line vty 0 4
password 7 104D000A0618
I also have the Cisco VPN client configured, which works fine, but I am only able to receive mail and cannot send mail in Outlook when connected.
01-23-2007 12:57 AM
Hi,
You should have `ip inspect myfw pptp` in order to allow PPTP return traffic.
You must also permit GRE and PPTP on your inside ACL.
Hope it helps.