Cisco Support Community
New Member

1841 configured as PPTP server, but port 1723 is filtered

IOS: c1841-advsecurityk9-mz.124-15.T4.bin

nmap reports port 1723 filtered.

ACL 101 doesn't deny port 1723. I have tried to remove ACL 101 from FastEthernet0/1, but the result was the same... With or without ACL 101 on FastEthernet0/1, nmap reports 1723 as filtered. On the LAN interface, FastEthernet0/0, 1723 is "visible" and I can connect the VPN client. I suspect that the route-map may cause this, because the same configuration worked fine without the second Cellular interface, which we use as failover.

Interesting parts of the config:

vpdn enable
!
vpdn-group vpn-dialin
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 local name PPTP-Tunel
!
interface FastEthernet0/0
 description $FW_INSIDE$$ETH-LAN$
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 rate-limit input access-group 100 16000 8000 8000 conform-action transmit exceed-action drop
 speed auto
 full-duplex
 no mop enabled
!
interface FastEthernet0/1
 description $FW_OUTSIDE$$ETH-WAN$
 ip address xxx.xxx.xxx.xxx 255.255.255.248
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip ips sdm_ips_rule in
 ip nat outside
 ip virtual-reassembly
 rate-limit input access-group 100 16000 8000 8000 conform-action transmit exceed-action drop
 duplex auto
 speed auto
 no mop enabled
!
interface Cellular0/0/0
 description WAN MTS
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer in-band
 dialer string xxxxx
 dialer-group 1
 async mode interactive
 ppp chap hostname xxx
 ppp chap password 7 xxxxxxxxxx
 ppp ipcp dns request
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 peer default ip address pool vpn-pool
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
ip nat inside source route-map FR interface FastEthernet0/1 overload
ip nat inside source route-map 3G interface Cellular0/0/0 overload
!
route-map 3G permit 10
 match ip address 1 103
 match interface Cellular0/0/0
!
route-map FR permit 10
 match ip address 1 103
 match interface FastEthernet0/1

Accepted Solution

Re: 1841 configured as PPTP server, but port 1723 is filtered

Try the following:

route-map 3G permit 10
 match ip address 103
 match interface Cellular0/0/0
!
route-map FR permit 10
 match ip address 103
 match interface FastEthernet0/1
!
access-list 103 deny ip host 192.168.10.250 any
access-list 103 permit ip 192.168.10.0 0.0.0.255 any
access-list 103 permit ip 192.168.11.0 0.0.0.255 any
access-list 103 permit ip host 192.168.9.4 any
access-list 103 permit ip host 192.168.9.5 any
end

clear ip nat tr *
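To see which source addresses the two NAT route-maps would translate before and after the accepted answer, here is an added Python example (not from the thread or from Cisco) that evaluates the thread's ACLs with IOS semantics: first matching entry wins, implicit deny at the end, wildcard bits set to 1 are ignored, and a route-map `match ip address 1 103` matches when any of the listed ACLs permits the source. The addresses are the ones posted in the thread; the "before"/"after" decisions are computed by this example, not captured router output.

```python
import ipaddress

# Constructed from the thread: each entry is (action, address, wildcard mask).
# 'permit any' is written as 0.0.0.0 255.255.255.255, 'host X' as X 0.0.0.0.
ACL_1 = [("permit", "192.168.10.0", "0.0.0.255"),
         ("permit", "192.168.11.0", "0.0.0.255"),
         ("permit", "0.0.0.0", "255.255.255.255")]        # access-list 1 permit any

ACL_103_BEFORE = [("permit", "192.168.10.0", "0.0.0.255"),
                  ("permit", "192.168.11.0", "0.0.0.255"),
                  ("permit", "192.168.9.4", "0.0.0.0"),    # host 192.168.9.4
                  ("permit", "192.168.9.5", "0.0.0.0")]    # host 192.168.9.5

# Accepted answer: deny the router's own LAN address (192.168.10.250) first.
ACL_103_AFTER = [("deny", "192.168.10.250", "0.0.0.0")] + ACL_103_BEFORE


def acl_permits(acl, src):
    """IOS ACL evaluation for a source address: first match wins, implicit deny."""
    s = int(ipaddress.IPv4Address(src))
    for action, net, wildcard in acl:
        n = int(ipaddress.IPv4Address(net))
        w = int(ipaddress.IPv4Address(wildcard))
        # Bits where the wildcard is 1 are "don't care"; all other bits must agree.
        if ((s ^ n) & ~w) == 0:
            return action == "permit"
    return False            # implicit 'deny any' at the end of every IOS ACL


def route_map_matches(acls, src):
    """'match ip address A B ...' is true when ANY listed ACL permits the packet."""
    return any(acl_permits(acl, src) for acl in acls)


BEFORE = [ACL_1, ACL_103_BEFORE]   # original: match ip address 1 103
AFTER = [ACL_103_AFTER]            # accepted answer: match ip address 103


def nat_decision(src):
    """Would the NAT route-map (FR or 3G) select a packet from this source?"""
    return {"before": route_map_matches(BEFORE, src),
            "after": route_map_matches(AFTER, src)}


if __name__ == "__main__":
    for host in ("192.168.10.250", "192.168.10.20", "192.168.9.4", "10.0.0.1"):
        print(host, nat_decision(host))
```

With ACL 1 in the route-map, every source (including the router's own LAN address and anything outside the listed subnets) was selected for translation; after the change only the listed LAN hosts are, and 192.168.10.250 is excluded.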

10 REPLIES

Re: 1841 configured as PPTP server, but port 1723 is filtered

show your access-lists

New Member

Re: 1841 configured as PPTP server, but port 1723 is filtered

access-list 101 deny tcp any any eq 15000
access-list 101 deny tcp any any eq 8989
access-list 101 deny tcp any any eq 88
access-list 101 deny tcp any any eq www
access-list 101 deny tcp any any eq 16000
access-list 101 deny tcp any any eq 22
access-list 101 deny tcp any any eq 2222
access-list 101 remark Permit all
access-list 101 permit ip any any

The upper part of the ACL is huge, and defines the permitted IPs for the listed ports that are denied.

Re: 1841 configured as PPTP server, but port 1723 is filtered

show access-l 1 and 103

New Member

Re: 1841 configured as PPTP server, but port 1723 is filtered

access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.11.0 0.0.0.255
access-list 1 permit any
access-list 103 permit ip 192.168.10.0 0.0.0.255 any
access-list 103 permit ip 192.168.11.0 0.0.0.255 any
access-list 103 permit ip host 192.168.9.4 any
access-list 103 permit ip host 192.168.9.5 any

Re: 1841 configured as PPTP server, but port 1723 is filtered

What is the IP address of the LAN interface?

interface FastEthernet0/0
 description $FW_INSIDE$$ETH-LAN$
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx

New Member

Re: 1841 configured as PPTP server, but port 1723 is filtered

192.168.10.250

Re: 1841 configured as PPTP server, but port 1723 is filtered

Hi, Aleksandar

Have you tried?

New Member

Re: 1841 configured as PPTP server, but port 1723 is filtered

Yes, right now, and it works!!!

Can you give some insight, for mortals?

Anyway, thanks a lot...
