Cisco Support Community
Community Member

892 Router PPTP VPN Help Please

Hello,

I've just been trying to configure my 892 router to accept PPTP connections (not passthrough, but it being the PPTP server), but I'm continuously getting 619 errors. I've tried multiple different configurations and I'm just hitting a brick wall. I was hoping someone could take a quick look for me, please.

I'm not the normal administrator of this appliance and have not set up anything other than setting up user2 & user3 along with the PPTP settings.

The part I've mainly been changing is the "ip unnumbered GigabitEthernet0" line; I've been changing between that and VLAN1 as the interface I'm tying it to.

User3 & User4 are the two users I want to connect with. It might also be good to add that I'm testing from a Windows 7 PC which can successfully make PPTP VPNs to other servers external to my current location, but they are all Windows-based; I have no Cisco devices to test from. Also, in the end configuration this router will be used for VoIP phones to make PPTP connections.

Here is the config (IP addresses and some information changed for anonymity purposes):

Current configuration : 9077 bytes
!
version 15.1
service timestamps debug datetime msec localtime
service timestamps log datetime localtime
service password-encryption
!
hostname Generic
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200
enable secret 4 jhfkdjgfdf87687f687g67yfdjhfjd
!
no aaa new-model
!
clock timezone ********
clock summer-time ****** recurring last Sun Sep 2:00 1 Sun Apr 3:
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
ip inspect udp idle-time 300
ip inspect tcp max-incomplete host 100 block-time 0
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall h323
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall streamworks
ip inspect name firewall vdolive
ip inspect name firewall sqlnet
ip inspect name firewall tftp
ip inspect name firewall ftp
ip inspect name firewall icmp
ip inspect name firewall sip
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall netshow
ip inspect name firewall rtsp
ip inspect name firewall pptp
ip inspect name firewall skinny
no ipv6 cef
!
!
!
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 l2tp tunnel timeout no-session 15
!
!
!
!
!
!
!
license udi pid CISCO892-K9 sn **************
!
!
username user1 privilege 15 secret 4 kjlghigyftuf867687ruygiygiyg
username user2 secret 4 fSpgIsbY.iggiyfiyyrtdd5768979yhjgjg
username user3 password 7 kgjggig876r5f6gi
username user4 password 7 khgvkhftuctcr577y9
!
!
!
!
!
track 100 ip sla 100 reachability
 delay down 15 up 30
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key generic address 111.111.111.111
!
!
crypto ipsec transform-set generic esp-aes esp-sha-hmac
!
crypto map Connection1 10 ipsec-isakmp
 set peer 111.111.111.111
 set transform-set generic
 match address 106
!
!
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
!
interface FastEthernet5
 no ip address
!
interface FastEthernet6
 no ip address
!
interface FastEthernet7
 no ip address
!
interface FastEthernet8
 description Net1
 no ip address
 duplex auto
 speed auto
 pppoe-client dial-pool-number 1
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0
 peer default ip address pool phonepptp
 no keepalive
 ppp encrypt mppe 128
 ppp authentication ms-chap ms-chap-v2
!
interface GigabitEthernet0
 description Net2
 ip address 192.168.200.2 255.255.255.252
 ip access-group 102 in
 ip nat outside
 ip inspect firewall out
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map Connection1
!
interface Vlan1
 description LAN
 ip address 172.16.4.3 255.255.255.0
 ip access-group 103 in
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map Connection2
!
interface Dialer1
 description WAN1 Net1
 mtu 1492
 ip address negotiated
 ip access-group 101 in
 ip nat outside
 ip inspect firewall out
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1440
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username generic password 7 ggkdfhdty6587676565
 no cdp enable
!
ip local pool phonepptp 172.16.4.160 172.16.4.169
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat translation tcp-timeout 30
ip nat translation udp-timeout 30
ip nat translation icmp-timeout 30
ip nat inside source route-map Net2 interface GigabitEthernet0 overload
ip nat inside source route-map Net1 interface Dialer1 overload
ip nat inside source static tcp 172.16.4.205 25 192.168.200.2 25 extendable
ip nat inside source static tcp 172.16.4.205 443 192.168.200.2 443 extendable
ip nat inside source static tcp 172.16.4.205 587 192.168.200.2 587 extendable
ip nat inside source static tcp 172.16.4.204 3389 192.168.200.2 3389 extendable
ip route 0.0.0.0 0.0.0.0 192.168.200.1 10 track 100
ip route 0.0.0.0 0.0.0.0 Dialer1 251
ip route 10.0.0.0 255.255.255.0 172.16.4.19
ip route 100.30.40.1 255.255.255.255 192.168.200.1 permanent
!
ip access-list extended NSServices
 permit tcp any any eq telnet
 deny   ip any any
!
ip sla 100
 icmp-echo 100.30.40.1 source-interface GigabitEthernet0
 threshold 500
 timeout 500
 frequency 5
ip sla schedule 100 life forever start-time now
access-list 2 remark Where management can be done from
access-list 2 permit 111.111.111.112
access-list 2 permit 172.16.4.0 0.0.0.255
access-list 101 remark Traffic allowed to enter the router from Net1 WAN
access-list 101 deny   ip 0.0.0.0 0.255.255.255 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 198.18.0.0 0.1.255.255 any
access-list 101 deny   ip 224.0.0.0 0.15.255.255 any
access-list 101 deny   ip any host 255.255.255.255
access-list 101 permit tcp host 111.111.111.112 any eq telnet
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 deny   icmp any any echo
access-list 101 deny   ip any any log
access-list 102 remark Traffic allowed to enter the router from Net2 WAN
access-list 102 deny   ip 0.0.0.0 0.255.255.255 any
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip 169.254.0.0 0.0.255.255 any
access-list 102 deny   ip 192.0.2.0 0.0.0.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 198.18.0.0 0.1.255.255 any
access-list 102 deny   ip 224.0.0.0 0.15.255.255 any
access-list 102 deny   ip any host 255.255.255.255
access-list 102 permit tcp host 111.111.111.112 any eq telnet
access-list 102 permit ip host 111.111.111.111 any
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq 587
access-list 102 permit tcp any any eq 443
access-list 102 permit tcp any any eq 3389
access-list 102 permit tcp any any eq 1723
access-list 102 permit tcp any any eq 500
access-list 102 permit udp any any eq isakmp
access-list 102 permit gre any any
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any packet-too-big
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any traceroute
access-list 102 permit icmp any any administratively-prohibited
access-list 102 permit icmp any any echo
access-list 102 deny   ip any any log
access-list 103 remark Traffic allowed to enter the router from the Ethernet
access-list 103 permit ip any host 172.16.4.3
access-list 103 permit ip any 192.168.50.0 0.0.0.255
access-list 103 permit ip any 10.0.0.0 0.0.0.255
access-list 103 deny   ip any host 172.16.4.255
access-list 103 deny   udp any any eq tftp log
access-list 103 deny   ip any 0.0.0.0 0.255.255.255 log
access-list 103 deny   ip any 10.0.0.0 0.255.255.255 log
access-list 103 deny   ip any 127.0.0.0 0.255.255.255 log
access-list 103 deny   ip any 169.254.0.0 0.0.255.255 log
access-list 103 deny   ip any 172.16.0.0 0.15.255.255 log
access-list 103 deny   ip any 192.0.2.0 0.0.0.255 log
access-list 103 deny   ip any 172.16.4 0.0.255.255 log
access-list 103 deny   ip any 198.18.0.0 0.1.255.255 log
access-list 103 deny   udp any any eq 135 log
access-list 103 deny   tcp any any eq 135 log
access-list 103 deny   udp any any eq netbios-ns log
access-list 103 deny   udp any any eq netbios-dgm log
access-list 103 deny   tcp any any eq 445 log
access-list 103 permit ip 172.16.4.0 0.0.0.255 any
access-list 103 permit ip any host 255.255.255.255
access-list 103 deny   ip any any log
access-list 105 deny   ip 172.16.4.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 105 permit ip 172.16.4.0 0.0.0.255 any
access-list 106 permit ip 172.16.4.0 0.0.0.255 192.168.50.0 0.0.0.255
!
!
!
!
route-map Net1 permit 10
 match interface Dialer1
!
route-map Connection2 permit 10
 match ip address NSServices
 set interface Dialer1
!
route-map Net2 permit 10
 match ip address 105
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
line con 0
 exec-timeout 120 0
 password 7 ,jhgghdtye655687687
 login local
line aux 0
line vty 0 4
 access-class 2 in
 exec-timeout 120 0
 password 7 jhhjftydrye534547656
 login local
 transport input telnet ssh
!
end
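A PPTP session has two halves: a TCP/1723 control connection and a GRE (IP protocol 47) tunnel carrying the PPP frames. Error 619 on a Windows client is what you get when the session cannot be completed, and a common cause is that the control connection works but GRE never reaches the server, for example because an upstream NAT device lacks a PPTP ALG. In the posted config both inbound WAN ACLs (101 and 102) already permit `tcp ... eq 1723` and `gre`; note that GigabitEthernet0 carries a private address as posted, so if it really sits behind another device that device must forward both 1723 and GRE too. The probe below is an added example, not part of the original post: it speaks only the control channel (RFC 2637 Start-Control-Connection-Request/Reply), so it separates "TCP/1723 is not answered or the router rejects the request" from "the control channel is fine, look at GRE and PPP authentication". Host name, vendor string and the sample reply bytes are constructed; the live `probe()` path needs a reachable router and is not exercised offline.

```python
"""PPTP control-channel probe (RFC 2637 SCCRQ/SCCRP), added example.

The constructed SAMPLE_SCCRP and the hostname/vendor strings are assumptions
for illustration, not captured from the poster's router.
"""
import socket
import struct

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
CTRL_MESSAGE = 1            # PPTP message type: control message
SCCRQ = 1                   # Start-Control-Connection-Request
SCCRP = 2                   # Start-Control-Connection-Reply
PROTOCOL_VERSION = 0x0100

# Fixed 156-byte layout shared by SCCRQ and SCCRP: 12-byte header, then
# version, result, error, framing caps, bearer caps, max channels,
# firmware revision, 64-byte host name, 64-byte vendor string. In the request
# the result/error bytes are a reserved field and must be zero.
_HDR = "!HHIHH"
_BODY = "!HBBIIHH64s64s"
MSG_LEN = struct.calcsize(_HDR) + struct.calcsize(_BODY)   # 156

RESULT_TEXT = {                      # SCCRP result codes, RFC 2637 2.2
    1: "OK: control channel established",
    2: "General error",
    3: "Command channel already exists",
    4: "Requester is not authorized",
    5: "Unsupported protocol version",
}


def build_sccrq(hostname: bytes = b"pptp-probe", vendor: bytes = b"example") -> bytes:
    """Serialize a Start-Control-Connection-Request (always 156 bytes)."""
    body = struct.pack(_BODY, PROTOCOL_VERSION, 0, 0,
                       1 | 2,      # framing: async + sync
                       1 | 2,      # bearer: analog + digital
                       1,          # max channels (informational)
                       1,          # firmware revision
                       hostname.ljust(64, b"\x00"), vendor.ljust(64, b"\x00"))
    hdr = struct.pack(_HDR, MSG_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRQ, 0)
    return hdr + body


def parse_sccrp(data: bytes) -> dict:
    """Validate and decode a Start-Control-Connection-Reply; ValueError otherwise."""
    if len(data) < MSG_LEN:
        raise ValueError(f"short message: {len(data)} bytes")
    _length, mtype, cookie, ctype, _reserved = struct.unpack(_HDR, data[:12])
    if cookie != MAGIC_COOKIE or mtype != CTRL_MESSAGE:
        raise ValueError("not a PPTP control message")
    if ctype != SCCRP:
        raise ValueError(f"unexpected control message type {ctype}")
    ver, result, err, _framing, _bearer, maxchan, _fw, host, vendor = struct.unpack(
        _BODY, data[12:MSG_LEN])
    return {
        "version": ver,
        "result": result,
        "error": err,
        "result_text": RESULT_TEXT.get(result, f"unknown result {result}"),
        "hostname": host.rstrip(b"\x00").decode("ascii", errors="replace"),
        "vendor": vendor.rstrip(b"\x00").decode("ascii", errors="replace"),
        "max_channels": maxchan,
    }


def probe(host: str, timeout: float = 5.0) -> dict:
    """Live check: open TCP/1723, send SCCRQ, return the decoded SCCRP.

    A connection timeout/refusal means the control port is not reachable
    (ACL, CBAC, upstream forwarding); a reply with result != 1 means the
    router answered but declined; a clean result 1 followed by client error
    619 points at GRE or at PPP authentication instead.
    """
    with socket.create_connection((host, PPTP_PORT), timeout=timeout) as s:
        s.sendall(build_sccrq())
        buf = b""
        while len(buf) < MSG_LEN:
            chunk = s.recv(MSG_LEN - len(buf))
            if not chunk:
                raise ConnectionError("server closed the connection before SCCRP")
            buf += chunk
    return parse_sccrp(buf)


# Constructed reply as a server would send on success (field values invented).
SAMPLE_SCCRP = (
    struct.pack(_HDR, MSG_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRP, 0)
    + struct.pack(_BODY, PROTOCOL_VERSION, 1, 0, 3, 3, 1, 1,
                  b"Generic".ljust(64, b"\x00"), b"Cisco Systems".ljust(64, b"\x00"))
)

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else parse_sccrp(SAMPLE_SCCRP))
```

Run it with the router's WAN address as the only argument to exercise the live path; with no argument it decodes the constructed sample reply. Because the probe never sends GRE, a successful reply is evidence about TCP/1723 only, which is exactly the split you want before blaming the ACLs.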

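The PPTP users in the config (`username user3 password 7 ...`, `username user4 password 7 ...`) are stored with `service password-encryption`, and that is forced by the design rather than an oversight: CHAP-family authentication (`ppp authentication ms-chap ms-chap-v2`) needs the clear-text password on the server side, so these accounts cannot use `username ... secret` the way user1 and user2 do. Type 7 is a fixed-key XOR (Vigenère) scheme that anyone holding a copy of the running config can reverse, so a config like this should be handled as if it contained plaintext VPN credentials; the strings in the post are scrubbed and do not decode. The decoder below is an added example, not part of the original post; the sample config lines are constructed (one value built to decode to "cisco", one scrubbed value like the poster's, one generated from an invented plaintext). Separately from credential storage, MS-CHAPv2 itself and MPPE keyed from it are considered cryptographically broken, which is the stronger reason to avoid PPTP for anything new.

```python
"""Cisco IOS type-7 (service password-encryption) decoder, added example.

SAMPLE_CONFIG is constructed; nothing here comes from the poster's router.
"""
import re

# Fixed key table used by IOS for type 7; widely published.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Recover the clear text: two decimal digits give the key offset, the rest
    is the password as hex, each byte XORed with XLAT starting at that offset."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a well-formed type 7 string")
    try:
        body = bytes.fromhex(encoded[2:])
    except ValueError:
        raise ValueError("type 7 body is not hex") from None
    seed = int(encoded[:2])
    clear = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body))
    return clear.decode("ascii", errors="replace")


def encode_type7(plain: str, seed: int = 7) -> str:
    """Inverse of decode_type7; used here only to build a realistic sample."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0..15")
    body = bytes(b ^ XLAT[(seed + i) % len(XLAT)]
                 for i, b in enumerate(plain.encode("ascii")))
    return f"{seed:02d}{body.hex().upper()}"


def find_type7(config: str):
    """Return (config line, recovered text or diagnostic) for every
    'password 7 <value>' occurrence, including ppp pap sent-username lines."""
    hits = []
    for line in config.splitlines():
        m = re.search(r"\bpassword 7 (\S+)", line)
        if not m:
            continue
        try:
            hits.append((line.strip(), decode_type7(m.group(1))))
        except ValueError as exc:
            hits.append((line.strip(), f"<not decodable: {exc}>"))
    return hits


# Constructed sample config (see lead-in); the second value mimics a scrubbed
# string such as those in the post and is deliberately not valid hex.
SAMPLE_CONFIG = f"""\
username user3 password 7 070C285F4D06
username user4 password 7 kgjggig876r5f6gi
line vty 0 4
 password 7 {encode_type7("Vpn-Ph0ne!", seed=12)}
"""

if __name__ == "__main__":
    for line, recovered in find_type7(SAMPLE_CONFIG):
        print(f"{line:<45} -> {recovered}")
```

Feed `find_type7()` a real `show running-config` and every `password 7` value, including the PPPoE `ppp pap sent-username` and the line passwords, comes back in clear text; that is why shared configs need the same handling as a credential dump even when the privileged accounts use `secret`.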