
Cisco 881 GRE PPTP passthrough issue CCP

Hi All, I'm just having some issues with my VPN passing through an 881 configured with CCP.

I have a PPTP VPN server at 192.168.3.241, so I need the router to allow it to pass through (by the looks of it, it handles the initial connection over TCP just fine, but the second stage uses the GRE protocol, which is where I think the VPN connection fails).

Any help would be much appreciated.

Current configuration : 13550 bytes
!
! Last configuration change at 14:51:08 Sydney Tue Dec 17 2013 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PIPEEOC
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200
!
no aaa new-model
memory-size iomem 10
clock timezone Sydney 10 0
clock summer-time Sydney date Mar 30 2003 3:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3742516339
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3742516339
revocation-check none
rsakeypair TP-self-signed-3742516339
!
!
crypto pki certificate chain TP-self-signed-3742516339
certificate self-signed 01
   quit
!
!
ip port-map user-protocol--2 port tcp 8080
ip port-map user-protocol--3 port tcp 3389
ip port-map user-protocol--6 port tcp 8083
ip port-map user-protocol--4 port tcp 8081
ip port-map user-protocol--5 port tcp 8082
!
ip dhcp excluded-address 10.10.10.1
!
!
!
ip domain name xxxxxx.local
ip name-server 203.12.160.35
ip name-server 203.12.160.36
ip cef
no ipv6 cef
!
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com

parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com

parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com

!
license udi pid CISCO881-K9 sn FGL173420QP
!
!
username admin privilege 15 secret 4 LcV6aBcc/53FoCJjXQMd7rBUDEpeevrK8V5jQVoJEhU
!
!
!
!
!
no ip ftp passive
!
class-map type inspect match-all sdm-nat-user-protocol--4-2
match access-group 105
class-map type inspect match-all sdm-nat-user-protocol--3-5
match access-group 108
match protocol user-protocol--3
class-map type inspect match-all sdm-nat-user-protocol--3-4
match access-group 107
match protocol user-protocol--3
class-map type inspect match-all sdm-nat-user-protocol--4-3
match access-group 108
match protocol user-protocol--4
class-map type inspect match-all sdm-nat-user-protocol--6-1
match access-group 108
match protocol user-protocol--6
class-map type inspect match-all sdm-nat-user-protocol--5-1
match access-group 108
match protocol user-protocol--5
class-map type inspect match-all sdm-nat-user-protocol--4-1
match access-group 104
match access-group 108
match protocol user-protocol--4
class-map type inspect match-all sdm-nat-user-protocol--3-6
match access-group 104
match protocol user-protocol--3
class-map type inspect match-all sdm-nat-user-protocol--3-1
match access-group 103
match access-group 104
match protocol user-protocol--3
class-map type inspect match-all sdm-nat-user-protocol--1-2
match access-group 102
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 103
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-http-1
match access-group 101
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 101
class-map type inspect match-all sdm-nat-user-protocol--3-3
match access-group 106
match protocol user-protocol--3
class-map type inspect match-all sdm-nat-user-protocol--2-2
match access-group 108
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-http-2
match access-group 102
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--3-2
match access-group 105
match protocol user-protocol--3
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any sdm-service-sdm-pol-NATOutsideToInside-1
match protocol pptp
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-all sdm-nat-pptp-1
match access-group 103
match class-map sdm-service-sdm-pol-NATOutsideToInside-1
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
match class-map SDM_GRE
match protocol pptp
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
!
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-http-1
  inspect
class type inspect sdm-nat-http-2
  inspect
class type inspect sdm-nat-user-protocol--2-1
  inspect
class type inspect sdm-nat-user-protocol--3-6
  inspect
class type inspect sdm-nat-user-protocol--3-2
  inspect
class type inspect sdm-nat-user-protocol--3-3
  inspect
class type inspect sdm-nat-user-protocol--3-4
  inspect
class type inspect sdm-nat-user-protocol--3-5
  inspect
class type inspect sdm-nat-user-protocol--2-2
  inspect
class type inspect sdm-nat-user-protocol--4-3
  inspect
class type inspect sdm-nat-user-protocol--5-1
  inspect
class type inspect sdm-nat-user-protocol--6-1
  inspect
class type inspect sdm-nat-pptp-1
  pass log
class type inspect CCP_PPTP
  pass
class class-default
  drop log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
class class-default
  drop log
policy-map type inspect ccp-permit
class class-default
  drop
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description $ETH-WAN$
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Vlan1
description $ETH_LAN$$FW_INSIDE$
ip address 192.168.3.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1412
!
interface Dialer1
description $FW_OUTSIDE$
ip address 14.203.xxx.xxx 255.255.255.252
ip mtu 1452
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxxxxxxx
ppp chap password 0 xxxxxx
ppp pap sent-username xxxxxxxxx password 0 xxxxxxx
no cdp enable
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.3.242 80 interface Dialer1 80
ip nat inside source static tcp 192.168.3.4 80 interface Dialer1 85
ip nat inside source static tcp 192.168.3.241 8080 interface Dialer1 81
ip nat inside source static tcp 192.168.3.2 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.3.76 3389 interface Dialer1 3390
ip nat inside source static tcp 192.168.3.100 3389 interface Dialer1 3391
ip nat inside source static tcp 192.168.3.21 3389 interface Dialer1 3393
ip nat inside source static tcp 192.168.3.7 3389 interface Dialer1 3394
ip nat inside source static tcp 192.168.3.7 8080 interface Dialer1 8080
ip nat inside source static tcp 192.168.3.7 8081 interface Dialer1 8081
ip nat inside source static tcp 192.168.3.7 8082 interface Dialer1 8082
ip nat inside source static tcp 192.168.3.7 8083 interface Dialer1 8083
ip nat inside source static tcp 192.168.3.241 1723 interface Dialer1 1723
ip nat inside source list 110 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 14.203.117.61
!
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any log
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 14.203.117.60 0.0.0.3 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.3.242
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.3.4
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.3.241
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 192.168.3.2
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip any host 192.168.3.76
access-list 106 remark CCP_ACL Category=0
access-list 106 permit ip any host 192.168.3.100
access-list 107 remark CCP_ACL Category=0
access-list 107 permit ip any host 192.168.3.21
access-list 108 remark CCP_ACL Category=0
access-list 108 permit ip any host 192.168.3.7
access-list 109 remark CCP_ACL Category=0
access-list 109 permit ip any host 192.168.3.82
access-list 110 remark CCP_ACL Category=18
access-list 110 permit gre any any log
access-list 110 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
!
end
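
A check worth running on a configuration like the one above, as an added example that is not part of the original post: it reports which class and action GRE hits in each zone-pair direction and flags directions where GRE is passed but the reverse zone-pair does not pass it (in the zone-based firewall, `pass` is one-way and keeps no session state). `CONFIG` is a constructed excerpt of the GRE-related lines of the posted configuration, the function names are hypothetical, only named ACLs are followed, and match-all is treated like match-any.

```python
import re
# Added example (hypothetical helper names); CONFIG is a constructed excerpt of the posted config.
CONFIG = """\
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-any ccp-cls-insp-traffic
 match class-map SDM_GRE
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect CCP_PPTP
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-insp-traffic
  inspect
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
ip access-list extended SDM_GRE
 permit gre any any log
"""

def gre_actions(cfg):
    """Map (source zone, destination zone) -> (class, action) of the first class matching GRE."""
    acls = set(re.findall(r"ip access-list extended (\S+)\n\s*(?:remark.*\n\s*)*permit gre", cfg))
    pairs = re.findall(r"zone-pair security \S+ source (\S+) destination (\S+)\n"
                       r"\s*service-policy type inspect (\S+)", cfg)
    cmaps, pmaps, kind, name = {}, {}, None, None
    for w in (l.split() for l in cfg.splitlines() if l.strip()):
        if w[0] in ("class-map", "policy-map", "zone-pair", "ip"):
            kind, name = w[0], w[-1]          # new top-level block
        elif kind == "class-map" and w[0] == "match":
            cmaps.setdefault(name, []).append(w[1:])
        elif kind == "policy-map" and w[0] == "class":
            pmaps.setdefault(name, []).append([w[-1], None])
        elif kind == "policy-map" and pmaps.get(name) and pmaps[name][-1][1] is None:
            pmaps[name][-1][1] = w[0]         # first line after "class" is its action
    def gre(c):  # class references a GRE-permitting named ACL, directly or via nested class-maps
        return any(m[:2] == ["access-group", "name"] and m[2] in acls
                   or m[0] == "class-map" and gre(m[1]) for m in cmaps.get(c, []))
    return {(s, d): next(((c, a) for c, a in pmaps.get(p, []) if gre(c)), None) for s, d, p in pairs}

def one_way_pass(actions):
    """Directions where GRE is passed while the reverse zone-pair does not pass it."""
    return [z for z, hit in actions.items() if hit and hit[1] == "pass"
            and (actions.get(z[::-1]) or (None, None))[1] != "pass"]
```

On the excerpt, `one_way_pass(gre_actions(CONFIG))` returns the out-zone to in-zone direction: GRE is passed inbound by `CCP_PPTP`, while outbound it falls into `ccp-insp-traffic` with `inspect`.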
