
Allowing PPTP connection through a Cisco 877 ADSL Router

davidmitchell1
Level 1

I have just set up my first Cisco ADSL router, and I have decided to set up the firewall with the Zone wizard. This is for a guest network and everything works fine, except that guest users are unable to connect out to their remote sites via a Microsoft PPTP VPN.

Cisco AnyConnect works fine, but that uses different ports. I have added both of these commands but it still doesn't work.

access-list 100 permit gre any any

access-list 100 permit tcp any any eq 1723

I think there may be an issue with GRE inbound, but I am not sure. I was wondering if anybody could have a look at the config (external IPs and passwords removed) and see if I am doing anything daft?

If you need any more information let me know, thanks in advance for any assistance on this!

David

Building configuration...

Current configuration : 8342 bytes

!

! Last configuration change at 09:18:02 UTC Fri Sep 13 2013 by *

version 15.1

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname EDI-ADSL

!

boot-start-marker

boot-end-marker

!

!

no logging buffered

enable secret 4 63Lst2Pnk31pT7MbMMfjPdBjH38eoq7hvuC.FrOsSvI

!

no aaa new-model

memory-size iomem 10

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-1182812878

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1182812878

revocation-check none

rsakeypair TP-self-signed-1182812878

!

!

crypto pki certificate chain TP-self-signed-1182812878

certificate self-signed 01

  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 31313832 38313238 3738301E 170D3133 30393131 31343337

  33315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31383238

  31323837 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100DA35 CC5DFFB8 91390002 86C033E7 811D4FE3 E3DF9020 50A41D7F 7DE64395

  5F627432 683D4D9E 1625C4EC 1EE90A24 E166A011 837CE613 4ED092B6 B2FA9F71

  543009A5 E5DCE7D6 ACB0DDD8 E49CDFA3 21E127A8 0ED961EC F1279C08 0635D0DF

  3FDC73D7 1A5F1704 EE9250C2 B66747EF 86CEB3AE 28669F1B 6E80B8FB 4155AABC

  8CEF0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603

  551D2304 18301680 14A371E0 4CF9EE5E ABA8466F DFEBC167 725B6F42 0C301D06

  03551D0E 04160414 A371E04C F9EE5EAB A8466FDF EBC16772 5B6F420C 300D0609

  2A864886 F70D0101 05050003 81810082 D8940AF2 10AEA426 96789F16 746B63AB

  C1D4B3AF 2743E3A9 52C4CD9A 736755E9 F66B3E47 A5DCB92E 8137D59D 6B3168E1

  46B671FA CDBCF1C9 A7D0A78D C09C038C 8A048938 6F8A9A30 1B4C488E 5496F714

  F5FB6D88 79A4AE2C 89EE86AE 399A2CC6 A1980BBC 5F86375B 98A7C61B 5690F0A2

  B05906CB 00C3CDF5 EE37CD7B 90EFA1

       quit

ip source-route

!

!

!

ip dhcp excluded-address 192.168.99.1 192.168.99.20

!

ip dhcp pool edi-client-dhcp

network 192.168.99.0 255.255.255.0

default-router 192.168.99.1

dns-server *.*.69.2 *.*.63.2

domain-name EDI-CLIENT.ADSL

lease 8

!

!

ip cef

ip name-server *.*.69.2

ip name-server *.*.63.2

no ipv6 cef

!

!

password encryption aes

license udi pid CISCO887VA-K9 sn FCZ1648C23R

!

!

username * privilege 15 password *

!

!

!

!

controller VDSL 0

!

!

class-map type inspect match-all SDM_GRE

match access-group name SDM_GRE

class-map type inspect match-any CCP_PPTP

match class-map SDM_GRE

class-map type inspect match-any ccp-skinny-inspect

match protocol skinny

class-map type inspect match-any ccp-cls-insp-traffic

match protocol pptp

match protocol dns

match protocol ftp

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-any ccp-h323nxg-inspect

match protocol h323-nxg

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-any ccp-h225ras-inspect

match protocol h225ras

class-map type inspect match-any ccp-h323annexe-inspect

match protocol h323-annexe

class-map type inspect match-any ccp-h323-inspect

match protocol h323

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-any ccp-sip-inspect

match protocol sip

class-map type inspect match-all ccp-protocol-http

match protocol http

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-protocol-http

  inspect

class type inspect ccp-insp-traffic

  inspect

class type inspect ccp-sip-inspect

  inspect

class type inspect ccp-h323-inspect

  inspect

class type inspect ccp-h323annexe-inspect

  inspect

class type inspect ccp-h225ras-inspect

  inspect

class type inspect ccp-h323nxg-inspect

  inspect

class type inspect ccp-skinny-inspect

  inspect

class class-default

  drop

policy-map type inspect ccp-permit

class class-default

  drop

policy-map type inspect ccp-pol-outToIn

class type inspect CCP_PPTP

  pass

class class-default

  drop log

!

zone security in-zone

zone security out-zone

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone

service-policy type inspect ccp-pol-outToIn

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

!

!

!

!

!

!

!

interface Ethernet0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip virtual-reassembly in

hold-queue 100 out

!

interface ATM0

ip address *.*.99.30 255.255.255.248

no ip redirects

no ip unreachables

no ip proxy-arp

no atm ilmi-keepalive

pvc 0/38

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

!

interface FastEthernet0

no ip address

!

interface FastEthernet1

no ip address

!

interface FastEthernet2

no ip address

!

interface FastEthernet3

no ip address

!

interface Vlan1

description $FW_INSIDE$

ip address 192.168.99.1 255.255.255.0

ip access-group 101 in

ip nat inside

ip virtual-reassembly in

zone-member security in-zone

!

interface Dialer0

description $FW_OUTSIDE$

ip address negotiated

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly in

zone-member security out-zone

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap callin

ppp chap hostname *@hg43.btclick.com

ppp chap password *

ppp pap sent-username *@hg43.btclick.com password *

ppp ipcp dns request

ppp ipcp wins accept

ppp ipcp mask request

ppp ipcp route default

ppp ipcp address accept

no cdp enable

!

ip forward-protocol nd

ip http server

ip http access-class 2

ip http authentication local

ip http secure-server

!

ip nat inside source list 1 interface Dialer0 overload

ip route profile

ip route 0.0.0.0 0.0.0.0 Dialer0

!

ip access-list extended SDM_GRE

remark CCP_ACL Category=1

permit gre any any

!

access-list 1 permit 192.168.99.0 0.0.0.255

access-list 2 remark Auto generated by SDM Management Access feature

access-list 2 remark CCP_ACL Category=1

access-list 2 permit 192.168.99.0 0.0.0.255

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 100 permit gre any any

access-list 100 permit tcp any any eq 1723

access-list 101 remark Auto generated by SDM Management Access feature

access-list 101 remark CCP_ACL Category=1

access-list 101 permit tcp 192.168.99.0 0.0.0.255 host 192.168.99.1 eq 22

access-list 101 permit tcp 192.168.99.0 0.0.0.255 host 192.168.99.1 eq 443

access-list 101 permit tcp 192.168.99.0 0.0.0.255 host 192.168.99.1 eq cmd

access-list 101 deny   tcp any host 192.168.99.1 eq telnet

access-list 101 deny   tcp any host 192.168.99.1 eq 22

access-list 101 deny   tcp any host 192.168.99.1 eq www

access-list 101 deny   tcp any host 192.168.99.1 eq 443

access-list 101 deny   tcp any host 192.168.99.1 eq cmd

access-list 101 deny   udp any host 192.168.99.1 eq snmp

access-list 101 permit ip any any

access-list 102 remark Auto generated by SDM Management Access feature

access-list 102 remark CCP_ACL Category=1

access-list 102 permit ip 192.168.99.0 0.0.0.255 any

!

!

!

!

!

line con 0

line aux 0

line vty 0 4

access-class 102 in

exec-timeout 120 0

password 7 11282A0A191B083F07382E332C213C341615300A19775554

login local

length 0

transport input ssh

!

end

Accepted Solution

Peter Koltl
Level 7

You have added the CCP_PPTP class to ccp-pol-outToIn, i.e. the out-to-in direction, but I guess the guests initiate this traffic from inside to outside.

In addition, you've added the two ACL lines to ACL 100, which is used for the invalid-src drop traffic. They should be added to the SDM_GRE ACL instead.


5 Replies


Thanks Peter,

I will give that a go. Just to confirm, what you are suggesting is that the ACL should look like this? I think the SDM_GRE ACL was created by the firewall wizard. Does the IP access-group SDM_GRE then need to be listed under the Dialer0 group out?

ip access-list extended SDM_GRE

remark CCP_ACL Category=1

permit gre any any

permit tcp any any eq 1723

!

access-list 1 permit 192.168.99.0 0.0.0.255

access-list 2 remark Auto generated by SDM Management Access feature

access-list 2 remark CCP_ACL Category=1

access-list 2 permit 192.168.99.0 0.0.0.255

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 101 remark Auto generated by SDM Management Access feature

access-list 101 remark CCP_ACL Category=1

access-list 101 permit tcp 192.168.99.0 0.0.0.255 host 192.168.99.1 eq 22

access-list 101 permit tcp 192.168.99.0 0.0.0.255 host 192.168.99.1 eq 443

access-list 101 permit tcp 192.168.99.0 0.0.0.255 host 192.168.99.1 eq cmd

access-list 101 deny   tcp any host 192.168.99.1 eq telnet

access-list 101 deny   tcp any host 192.168.99.1 eq 22

access-list 101 deny   tcp any host 192.168.99.1 eq www

access-list 101 deny   tcp any host 192.168.99.1 eq 443

access-list 101 deny   tcp any host 192.168.99.1 eq cmd

access-list 101 deny   udp any host 192.168.99.1 eq snmp

access-list 101 permit ip any any

access-list 102 remark Auto generated by SDM Management Access feature

access-list 102 remark CCP_ACL Category=1

access-list 102 permit ip 192.168.99.0 0.0.0.255 any

No, SDM_GRE is referenced in a class-map which is referenced by the zone-pair security policy. I guess it's not easy to find in the CCP GUI; I'm just referring to the object names in the CLI config.

OK, I think I get that... so I have taken out the two entries in access-list 100, so this is all I have now.

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

Also got slightly confused about what you mentioned in regard to the CCP_PPTP class, but you are right, the guests will be going in to out, so I think what you are trying to tell me is that I will need to create a new service policy and associate this class with the ccp-zp-in-out (source in-zone) pair. Is that right? Sorry about this, I'm really trying to get my head round the firewall on this; I only just got it properly connecting to the net after about 4 weeks of trying.

I've got it working now. I made sure the GRE and PPTP classes were on the in-to-out zone and it worked.

Thanks for pointing me in the right direction.

class-map type inspect match-all SDM_GRE

match access-group name SDM_GRE

class-map type inspect match-any CCP_PPTP

match class-map SDM_GRE

class-map type inspect match-any ccp-skinny-inspect

match protocol skinny

class-map type inspect match-any ccp-cls-insp-traffic

match protocol pptp

match protocol dns

match protocol ftp

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-any ccp-h323nxg-inspect

match protocol h323-nxg

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-any ccp-h225ras-inspect

match protocol h225ras

class-map type inspect match-any ccp-h323annexe-inspect

match protocol h323-annexe

class-map type inspect match-any ccp-h323-inspect

match protocol h323

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-any ccp-sip-inspect

match protocol sip

class-map type inspect match-all ccp-protocol-http

match protocol http

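The object chain Peter is pointing at (zone-pair, then its service-policy, then the class-maps and the access-groups they reference) is easier to see when it is resolved mechanically. The Python below is an added example for this thread, not code from the original posts or from Cisco: it parses a constructed, trimmed copy of the posted zone-based firewall config (BEFORE), derives AFTER by applying the fix from the accepted answer, and reports which class and action a guest's GRE and TCP/1723 flows hit on each zone-pair. It understands only the IOS statements that appear in that sample (the three match kinds, extended ACLs with numeric ports) and does not model source or destination addresses, which is why the wizard's anti-spoofing entries of ACL 100 are left out of the sample; the class-default entries are left out as well and handled as the implicit default.

```python
"""Walk a Cisco IOS zone-based firewall config (zone-pair -> service-policy -> class-map
-> access-group -> ACL) and report what a flow hits.  Added example, not from the thread or
from Cisco.  BEFORE is a constructed, trimmed copy of the posted config; AFTER applies Peter
Koltl's fix.  Flows are (protocol, destination port); addresses are not modelled, so the
wizard's anti-spoofing entries of ACL 100 (127/8 and 255.255.255.255 sources) are left out."""

BEFORE = """\
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-any ccp-insp-traffic
 match protocol pptp
 match protocol tcp
class-map type inspect match-all ccp-invalid-src
 match access-group 100
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-insp-traffic
  inspect
policy-map type inspect ccp-pol-outToIn
 class type inspect CCP_PPTP
  pass
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-pol-outToIn
ip access-list extended SDM_GRE
 permit gre any any
access-list 100 permit gre any any
access-list 100 permit tcp any any eq 1723
"""

# Peter's fix: move the two ACEs out of ACL 100 (it only feeds the anti-spoofing drop class)
# into SDM_GRE, and pass CCP_PPTP on the in-to-out policy, not only on out-to-in.
AFTER = (BEFORE
    .replace("access-list 100 permit gre any any\naccess-list 100 permit tcp any any eq 1723\n", "")
    .replace("ip access-list extended SDM_GRE\n permit gre any any\n",
             "ip access-list extended SDM_GRE\n permit gre any any\n permit tcp any any eq 1723\n")
    .replace("policy-map type inspect ccp-inspect\n",
             "policy-map type inspect ccp-inspect\n class type inspect CCP_PPTP\n  pass\n"))

def parse_ace(tok):                                     # permit|deny PROTO SRC DST [eq PORT]
    return tok[0], tok[1], (int(tok[-1]) if tok[-2:-1] == ["eq"] else None)

def acl_permits(aces, proto, dport):                    # first matching ACE decides; none = implicit deny
    for action, aproto, aport in aces:
        if aproto in ("ip", proto) and aport in (None, dport):
            return action == "permit"
    return False

def parse(text):
    cfg, sect = {"class": {}, "policy": {}, "zp": {}, "acl": {}}, None
    for line in filter(str.strip, text.splitlines()):
        t = line.split()
        if line.startswith(" "):                        # body line of the open section
            kind, name = sect
            if kind == "class":                         # match protocol X | access-group [name] X | class-map X
                cfg["class"][name][1].append((t[1], t[-1]))
            elif kind == "policy" and t[0] == "class":  # class type inspect X | class class-default
                cfg["policy"][name].append([t[-1], None])
            elif kind == "policy":                      # inspect | pass | drop [log]
                cfg["policy"][name][-1][1] = t[0]
            elif kind == "zp":                          # service-policy type inspect X
                cfg["zp"][name] = t[-1]
            else:
                cfg["acl"][name].append(parse_ace(t))
        elif t[0] in ("class-map", "policy-map"):       # class-map type inspect match-all NAME
            sect = (t[0][:-4], t[-1])
            cfg[sect[0]][t[-1]] = (t[3], []) if t[0] == "class-map" else []
        elif t[0] == "zone-pair":                       # zone-pair security NAME source S destination D
            sect = ("zp", t[2])
        elif t[:3] == ["ip", "access-list", "extended"]:
            sect = ("acl", t[3]); cfg["acl"].setdefault(t[3], [])
        elif t[0] == "access-list" and t[2] != "remark":  # numbered ACL, one ACE per line
            cfg["acl"].setdefault(t[1], []).append(parse_ace(t[2:]))
    return cfg

PROTO = {"pptp": lambda p, d: p == "tcp" and d == 1723,   # the 'match protocol' names modelled;
         "tcp": lambda p, d: p == "tcp", "udp": lambda p, d: p == "udp"}  # others never match

def class_matches(cfg, name, proto, dport):
    op, matches = cfg["class"][name]
    hits = [PROTO.get(ref, lambda p, d: False)(proto, dport) if kind == "protocol"
            else acl_permits(cfg["acl"].get(ref, []), proto, dport) if kind == "access-group"
            else class_matches(cfg, ref, proto, dport)   # match class-map X (nested class)
            for kind, ref in matches]
    return bool(hits) and (all(hits) if op == "match-all" else any(hits))

def verdict(cfg, zone_pair, proto, dport=None):
    """(class, action) of the first class in the zone-pair's policy that the flow hits."""
    for cls, action in cfg["policy"][cfg["zp"][zone_pair]]:
        if cls == "class-default" or class_matches(cfg, cls, proto, dport):
            return cls, action
    return "class-default", "drop"                      # implicit default

if __name__ == "__main__":
    for label, cfg in (("BEFORE", parse(BEFORE)), ("AFTER", parse(AFTER))):
        for proto, dport in (("gre", None), ("tcp", 1723), ("tcp", 443)):   # guest -> remote site
            print(label, proto, dport, "in->out:", verdict(cfg, "ccp-zp-in-out", proto, dport))
```

With BEFORE, both the GRE tunnel and the TCP/1723 control connection going in-to-out land in ccp-invalid-src and are dropped and logged: ACL 100 exists only to feed that drop class, so a permit added there selects traffic to drop, and it even breaks the control connection that `match protocol pptp` would otherwise have inspected. Ordinary TCP from the guest is still inspected, which matches the "everything else works" symptom. With AFTER, both flows hit CCP_PPTP and are passed on ccp-zp-in-out, while ccp-zp-out-zone-To-in-zone already passed them. Two things to keep in mind: `pass` is stateless, so GRE has to be passed on both zone-pairs (it has no ports for a session entry), and putting TCP 1723 in SDM_GRE means the PPTP control channel also bypasses inspection even though `match protocol pptp` in the posted ccp-cls-insp-traffic class (ccp-insp-traffic in the trimmed sample) already inspects it statefully; leaving only `permit gre any any` in SDM_GRE is the tighter arrangement.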
