02-16-2014 05:13 PM
I am trying to connect to my workplace PPTP server from my home that has a Cisco 877w ADSL/Wireless router. I configured the majority of the setup via CLI and just started playing with CCP. I've used version 2.5 and 2.7 on a virtual Windows station that resides on my primary Linux box.
Background on trying things out: PPTP works fine without the CCP firewall wizard having been run, i.e. with just a vanilla "interfaces configured" kind of setting.
I ran the CCP Advanced Firewall task, specified that I had PPTP clients on the LAN and went with it. The proposed changes included GRE and PPTP stuff, but being green in the IOS Firewall, I have no idea what I was looking at.
My configuration, as CCP gave it to me, is as follows:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname HomeRouter
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
enable secret 5 MyPass
!
no aaa new-model
clock timezone Chicago -6
clock summer-time Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-904815991
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-904815991
revocation-check none
rsakeypair TP-self-signed-904815991
!
!
crypto pki certificate chain TP-self-signed-904815991
certificate self-signed 01
quit
dot11 syslog
!
dot11 ssid Wireless1
vlan 1
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 097F46080E0B57310A1E1D6A0F3D24323B623006130F1858
!
dot11 ssid Wireless2
vlan 2
authentication open
mbssid guest-mode
!
ip source-route
!
!
ip dhcp excluded-address 10.0.0.1 10.0.0.99
ip dhcp excluded-address 10.0.1.1 10.0.1.99
!
ip dhcp pool Local-Network
network 10.0.0.0 255.255.255.0
default-router 10.0.0.1
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool Guest-Network
network 10.0.1.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 10.0.1.1
!
!
ip cef
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 4.2.2.2
ip name-server 4.2.2.1
ip ddns update method NO-IP
HTTP
add http://MyUser:MyPass@dynupdate.noip.com/nic/update?hostname=<h>&myip=<a>
interval maximum 1 0 0 0
interval minimum 0 0 5 0
!
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
!
!
username MyLocalUser privilege 15 password 7 01010101011010101
!
!
!
archive
log config
hidekeys
!
!
no ip ftp passive
!
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
match protocol pptp
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all sdm-nat-ssh-1
match access-group 101
match protocol ssh
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-ssh-1
inspect
class type inspect CCP_PPTP
pass
class class-default
drop log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
policy-map QoS_Out_BVI2
class class-default
police rate 500000
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
!
bridge irb
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
switchport access vlan 2
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers aes-ccm
!
ssid Wireless1
!
ssid Wireless2
!
mbssid
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
world-mode dot11d country US outdoor
no cdp enable
!
interface Dot11Radio0.1
encapsulation dot1Q 1
ip virtual-reassembly
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
encapsulation dot1Q 2 native
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
!
interface Vlan1
no ip address
ip virtual-reassembly
bridge-group 1
!
interface Vlan2
no ip address
bridge-group 2
!
interface Dialer0
description $FW_OUTSIDE$
ip ddns update hostname me.domain.com
ip ddns update NO-IP
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
no ip route-cache cef
no ip route-cache
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username MyUsername password 7 MyPassword
!
interface BVI1
description $FW_INSIDE$
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
interface BVI2
description $FW_INSIDE$
ip address 10.0.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
service-policy output QoS_Out_BVI2
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.1.1.10 22 interface Dialer0 xxxxx
!
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
!
no logging trap
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 10.1.1.10
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
banner login ^CUnauthorized access is STRICTLY PROHIBITED! ^C
!
line con 0
exec-timeout 15 0
password 7 01010101010101010101
no modem enable
line aux 0
line vty 0 4
exec-timeout 5 0
privilege level 15
login local
transport preferred none
transport input ssh
!
scheduler max-task-time 5000
ntp server 199.102.46.73
end
Any clues as to what I would have to do to allow the PPTP connection to complete? It appears as though GRE may not be getting through? I haven't found much in the way of fixing this. My Google-fu might be lacking.
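The following is an added example, not part of the original post, showing how the posted zone-based firewall policy would need to change for a LAN-side PPTP client; it reuses the SDM_GRE class-map, ccp-inspect policy-map and ccp-zp-in-out zone-pair names exactly as they appear in the config above, and <WORKPLACE_PPTP_SERVER> is a placeholder for the server's public IP, not a value from the post.

```text
! Added example (not the poster's or CCP's config). GRE has no port numbers,
! so the zone-based firewall cannot track it as a session: the only action
! that lets it through is "pass", and pass is one-directional. CCP added a
! pass for GRE only on the out-zone -> in-zone pair (sdm-pol-NATOutsideToInside-1).
! On the in-zone -> out-zone pair, ccp-inspect has no GRE class, and the
! "match protocol tcp/udp" entries in ccp-cls-insp-traffic never match GRE,
! so the client's outbound GRE falls into class-default and is dropped.
policy-map type inspect ccp-inspect
 class type inspect SDM_GRE
  pass
 class class-default
  drop log
!
! Hardening: "permit gre any any" passes GRE statelessly in both directions,
! and the out-to-in pass also admits any GRE or TCP/1723 that NAT can deliver
! to the inside. Narrow the ACL to the workplace server in both directions,
! since SDM_GRE is shared by the in-to-out and out-to-in policies.
ip access-list extended SDM_GRE
 no permit gre any any
 permit gre any host <WORKPLACE_PPTP_SERVER>
 permit gre host <WORKPLACE_PPTP_SERVER> any
!
! Verification while bringing the tunnel up: the GRE pass counter on the
! in-to-out pair should increase, and the log should show no further drops.
! show policy-map type inspect zone-pair ccp-zp-in-out
! show logging | include FW
```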