Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

PPTP VPN - Clients inside Cisco877w - server at workplace

I am trying to connect to my workplace PPTP server from my home that has a Cisco 877w ADSL/Wireless router.  I configured the majority of the setup via CLI and just started playing with CCP.  I've used version 2.5 and 2.7 on a virtual Windows station that resides on my primary Linux box.

Background in  trying things out.  PPTP works fine without CCP firewall wizard having been run - with just a vanilla interfaces configured kind of setting. 

I ran the CCP Advanced Firewall task, specified that I had PPTP clients on the LAN and went with it.  The proposed changes included GRE and PPTP stuff, but being green in the IOS Firewall, I have no idea what  I was looking at. 

My configuration as it gave me is as follows:

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname HomeRouter

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

no logging buffered

enable secret 5 MyPass

!

no aaa new-model

clock timezone Chicago -6

clock summer-time Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00

!

crypto pki trustpoint TP-self-signed-904815991

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-904815991

revocation-check none

rsakeypair TP-self-signed-904815991

!

!

crypto pki certificate chain TP-self-signed-904815991

certificate self-signed 01

  30820240 308201A9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 39303438 31353939 31301E17 0D313430 32313632 33323035

  315A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F

  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3930 34383135

  39393130 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100

  B192CA33 08917B1D 8237C7BB 00E38CA6 4BE8B394 4A3C9A40 F7087B15 F5C9D7CB

  50F15F43 1084859D CB14F438 5352A1BC BF38C005 15FD518D 362D5769 EFB2528D

  1DCF2239 1F2F66CD 5B67B1FF 40108483 740EEB0F D9098DCA 82616014 884E4630

  96391ED4 A6B5575B E46BA5FB 2F4FFC32 A7855C59 86B2EBFA FAE485D3 56AF5D5B

  02030100 01A36A30 68300F06 03551D13 0101FF04 05300301 01FF3015 0603551D

  11040E30 0C820A48 6F6D6552 6F757465 72301F06 03551D23 04183016 8014F385

  49957AD6 804D76D9 AD5DADF7 C1BAF9E6 12C6301D 0603551D 0E041604 14F38549

  957AD680 4D76D9AD 5DADF7C1 BAF9E612 C6300D06 092A8648 86F70D01 01040500

  03818100 387142CF 1B60955E D7D63134 E07E381F BF5491CD 571D718D A8B73E2E

  327C81C8 35E33754 67662C59 0FDD3F8E 9B0F8B69 4BF95AD8 E8484EC6 C00A7BE2

  5D168C98 818812AF B9490F55 C19257B4 8FE70B49 1D5F0772 5F0550E1 DE7C17DB

  02DBA7DB 233AFF65 B381970E 3DEAFF79 482D2914 788665BF 0ED9117F 8ADB6844 2A1854E0

            quit

dot11 syslog

!

dot11 ssid Wireless1

vlan 1

authentication open

authentication key-management wpa

mbssid guest-mode

wpa-psk ascii 7 097F46080E0B57310A1E1D6A0F3D24323B623006130F1858

!

dot11 ssid Wireless2

vlan 2

authentication open

mbssid guest-mode

!

ip source-route

!

!

ip dhcp excluded-address 10.0.0.1 10.0.0.99

ip dhcp excluded-address 10.0.1.1 10.0.1.99

!

ip dhcp pool Local-Network

   network 10.0.0.0 255.255.255.0

   default-router 10.0.0.1

   dns-server 8.8.8.8 8.8.4.4

!

ip dhcp pool Guest-Network

   network 10.0.1.0 255.255.255.0

   dns-server 8.8.8.8 8.8.4.4

   default-router 10.0.1.1

!

!

ip cef

ip name-server 8.8.8.8

ip name-server 8.8.4.4

ip name-server 4.2.2.2

ip name-server 4.2.2.1

ip ddns update method NO-IP

HTTP

  add http://MyUser:MyPass@dynupdate.noip.com/nic/update?hostname=MyPass@dynupdate.noip.com/nic/update?hostname=<h>&myip=<a>

interval maximum 1 0 0 0

interval minimum 0 0 5 0

!

no ipv6 cef

!

multilink bundle-name authenticated

!

vpdn enable

!

vpdn-group pppoe

request-dialin

  protocol pppoe

!

!

!

username MyLocalUser privilege 15 password 7 01010101011010101

!

!

!

archive

log config

  hidekeys

!

!

no ip ftp passive

!

class-map type inspect match-all SDM_GRE

match access-group name SDM_GRE

class-map type inspect match-any CCP_PPTP

match class-map SDM_GRE

match protocol pptp

class-map type inspect match-any ccp-skinny-inspect

match protocol skinny

class-map type inspect match-any ccp-cls-insp-traffic

match protocol pptp

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp extended

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-any ccp-h323nxg-inspect

match protocol h323-nxg

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-any ccp-h225ras-inspect

match protocol h225ras

class-map type inspect match-any ccp-h323annexe-inspect

match protocol h323-annexe

class-map type inspect match-any ccp-h323-inspect

match protocol h323

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-any ccp-sip-inspect

match protocol sip

class-map type inspect match-all sdm-nat-ssh-1

match access-group 101

match protocol ssh

class-map type inspect match-all ccp-protocol-http

match protocol http

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

policy-map type inspect sdm-pol-NATOutsideToInside-1

class type inspect sdm-nat-ssh-1

  inspect

class type inspect CCP_PPTP

  pass

class class-default

  drop log

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-protocol-http

  inspect

class type inspect ccp-insp-traffic

  inspect

class type inspect ccp-sip-inspect

  inspect

class type inspect ccp-h323-inspect

  inspect

class type inspect ccp-h323annexe-inspect

  inspect

class type inspect ccp-h225ras-inspect

  inspect

class type inspect ccp-h323nxg-inspect

  inspect

class type inspect ccp-skinny-inspect

  inspect

class class-default

  drop

policy-map type inspect ccp-permit

class class-default

  drop

policy-map QoS_Out_BVI2

class class-default

   police rate 500000

!

zone security in-zone

zone security out-zone

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone

service-policy type inspect sdm-pol-NATOutsideToInside-1

!

bridge irb

!

!

interface ATM0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

no atm ilmi-keepalive

!

interface ATM0.1 point-to-point

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

pvc 8/35

  pppoe-client dial-pool-number 1

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

switchport access vlan 2

!

interface Dot11Radio0

no ip address

!

encryption vlan 1 mode ciphers aes-ccm

!

ssid Wireless1

!

ssid Wireless2

!

mbssid

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

station-role root

world-mode dot11d country US outdoor

no cdp enable

!

interface Dot11Radio0.1

encapsulation dot1Q 1

ip virtual-reassembly

no cdp enable

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 spanning-disabled

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

!

interface Dot11Radio0.2

encapsulation dot1Q 2 native

bridge-group 2

bridge-group 2 subscriber-loop-control

bridge-group 2 spanning-disabled

bridge-group 2 block-unknown-source

no bridge-group 2 source-learning

no bridge-group 2 unicast-flooding

!

interface Vlan1

no ip address

ip virtual-reassembly

bridge-group 1

!

interface Vlan2

no ip address

bridge-group 2

!

interface Dialer0

description $FW_OUTSIDE$

ip ddns update hostname me.domain.com

ip ddns update NO-IP

ip address negotiated

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1492

ip nat outside

ip virtual-reassembly

zone-member security out-zone

encapsulation ppp

no ip route-cache cef

no ip route-cache

ip tcp adjust-mss 1452

dialer pool 1

dialer-group 1

no cdp enable

ppp authentication pap callin

ppp pap sent-username MyUsername password 7 MyPassword

!

interface BVI1

description $FW_INSIDE$

ip address 10.0.0.1 255.255.255.0

ip nat inside

ip virtual-reassembly

zone-member security in-zone

!

interface BVI2

description $FW_INSIDE$

ip address 10.0.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly

zone-member security in-zone

service-policy output QoS_Out_BVI2

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer0

ip http server

ip http authentication local

ip http secure-server

!

!

ip dns server

ip nat inside source list 1 interface Dialer0 overload

ip nat inside source static tcp 10.1.1.10 22 interface Dialer0 xxxxx

!

ip access-list extended SDM_GRE

remark CCP_ACL Category=1

permit gre any any

!

no logging trap

access-list 1 permit 10.0.0.0 0.0.0.255

access-list 1 permit 10.0.1.0 0.0.0.255

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 101 remark CCP_ACL Category=0

access-list 101 permit ip any host 10.1.1.10

!

!

!

!

!

control-plane

!

bridge 1 protocol ieee

bridge 1 route ip

bridge 2 protocol ieee

bridge 2 route ip

banner login ^CUnauthorized access is STRICTLY PROHIBITED!  ^C

!

line con 0

exec-timeout 15 0

password 7 01010101010101010101

no modem enable

line aux 0

line vty 0 4

exec-timeout 5 0

privilege level 15

login local

transport preferred none

transport input ssh

!

scheduler max-task-time 5000

ntp server 199.102.46.73

end

Any clues as to what I would have to do to allow the PPTP connection to complete?  It appears as though GRE may not be getting through?  I haven't found much in the way of fixing this.  My Google-fu might be lacking.

Everyone's tags (6)
336
Views
0
Helpful
0
Replies
CreatePlease to create content