mdw
New Member

Cisco 881W - How to set in-zone to out-zone open?

Hello,

How can I configure the firewall of the Cisco 881W router so all LAN to WAN traffic is allowed?
Preferably how to do it by use of the CP professional tool.

So far I have configured the firewall with the CCP wizard and edited the Firewall Policy manually to allow TCP, UDP and ICMP in the in-zone to out-zone section.

However, all basic traffic like HTTP, HTTPS, Live Messenger ... passes through the router, but an MS-VPN client installed on PCs on the LAN is unable to connect to the remote VPN server.

First a PPTP connection is made, but after that, the logon screen never appears and a timeout popup shows up. When I remove all lines in the CCP Edit Firewall Policy (similar to disabling the firewall) the logon screen appears and a connection can be made.
What is used besides TCP, UDP and ICMP to transport MS-VPN-Client packets? Or did I forget something else?

Any help appreciated,

Maxim

5 REPLIES
Hall of Fame Super Blue

Re: Cisco 881W - How to set in-zone to out-zone open?

Maxim

If it is a PPTP connection, then in addition to TCP port 1723, which you have already allowed, you need to allow GRE through your firewall. Note that GRE is not TCP/UDP or ICMP. It is its own protocol number at the IP layer.

GRE is protocol number 47

Edit - GRE is not stateful in the same way as TCP for example so you not only need to allow GRE out but also back in.

Jon

mdw
New Member

Re: Cisco 881W - How to set in-zone to out-zone open?

Jon,

Is there a way to allow all protocol numbers from the in to the out zone and not just GRE (47) ...? (and how can this be done in CCP)

Maxim

Hall of Fame Super Blue

Re: Cisco 881W - How to set in-zone to out-zone open?

Maxim

You could allow all protocols but you would manually have to add each of them. Other than that, the only way to do it would be to turn off the firewall, I'm afraid.

I think apart from TCP/UDP/ICMP + GRE you probably wouldn't need anything else, as most apps that you would want to run would use TCP or UDP, so you should be fine.

Sorry, but I have never used CCP, I am a CLI person myself.

Jon

mdw
New Member

Re: Cisco 881W - How to set in-zone to out-zone open?

Hi Jon,

Could you give the CLI command(s) I need to enter to add GRE?

Regards,

Maxim

Hall of Fame Super Blue

Re: Cisco 881W - How to set in-zone to out-zone open?

access-list 101 permit gre any any

The above assumes that your existing ACL is access-list 101.

Jon
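
Added example, not part of any post in this thread: an IOS zone-based firewall configuration that applies the advice above, inspecting TCP/UDP/ICMP outbound and passing GRE (IP protocol 47) in both directions because GRE is not tracked statefully. All object names (GRE-PPTP, CM-INSPECT, CM-GRE, PM-IN-OUT, PM-OUT-IN, ZP-IN-OUT, ZP-OUT-IN) and the VPN server address 192.0.2.10 are assumptions. A CCP-generated configuration already has zone-pairs for these zones, so there the GRE class would be added to the existing policy-maps instead of creating new zone-pairs.

```cisco
! GRE limited to one known VPN server (192.0.2.10 is a placeholder address)
! rather than "permit gre any any", so the return path from the WAN stays narrow.
ip access-list extended GRE-PPTP
 permit gre any host 192.0.2.10
 permit gre host 192.0.2.10 any
!
! Protocols the firewall can inspect statefully (includes PPTP control, TCP 1723)
class-map type inspect match-any CM-INSPECT
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! GRE is matched by ACL because it is neither TCP, UDP nor ICMP
class-map type inspect match-all CM-GRE
 match access-group name GRE-PPTP
!
! LAN to WAN: inspect the stateful protocols, pass GRE without state
policy-map type inspect PM-IN-OUT
 class type inspect CM-INSPECT
  inspect
 class type inspect CM-GRE
  pass
 class class-default
  drop
!
! WAN to LAN: "pass" is one-way, so returning GRE needs its own rule
policy-map type inspect PM-OUT-IN
 class type inspect CM-GRE
  pass
 class class-default
  drop
!
zone-pair security ZP-IN-OUT source in-zone destination out-zone
 service-policy type inspect PM-IN-OUT
zone-pair security ZP-OUT-IN source out-zone destination in-zone
 service-policy type inspect PM-OUT-IN
```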
