Cisco Support Community
Community Member

Firewall IOS and PPTP


I have a simple VPN connection using PPTP working on multiple routers. I have a newer 2821 running the firewall IOS that I'm trying to do the same VPN connection to. It works on all of the other routers but not to the new one running the firewall IOS. Here is the relevant configuration that I use on all of the other routers:

user vpn password 0 vpn

vpdn enable

vpdn-group 1
 ! Default PPTP VPDN group
 protocol pptp
 virtual-template 1

interface Virtual-Template1
 ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 peer default ip address pool vpn
 ppp authentication ms-chap-v2

ip local pool vpn

access-list 106 permit tcp any host x.x.x.x eq 1723
access-list 106 permit gre any host x.x.x.x

I'm wondering what is different on the newer router that does not allow any GRE connections. I have tried disabling IPS and CBAC completely and just using the access list, and the access list still won't match any of the GRE traffic.

Hall of Fame Super Silver

Re: Firewall IOS and PPTP

Hello Dan,

Where is ACL 106 applied?

If, after removing IPS and CBAC, the ACL is not invoked by any feature, it cannot match anything.

Another point is that if all routers are configured with accept-dialin, who's going to make the virtual call?

This can also be a problem of authentication on the VPDN.

See also the troubleshooting section of the following doc:

This can help you to understand what is wrong.

Hope to help



RFC 2637

Community Member

Re: Firewall IOS and PPTP

ACL 106 is applied incoming on the outside interface facing my ISP.

The virtual call is coming from a Windows or Linux host. This part is all working because I have tested it from inside the LAN and I have tested it on other routers that are not running the IOS Firewall.

Even if I have IPS and CBAC enabled it only matches TCP port 1723 and not GRE.

This 2821 is running: c2800nm-adventerprisek9-mz.124-20.T.bin

I have now configured a 2801 for testing with: c2801-adventerprisek9-mz.124-13b.bin and it is running CBAC and the PPTP connection works!

So this is leading me to believe that either the ISP that the 2821 is connected to is now allowing GRE traffic or there is something wrong with this IOS version: c2800nm-adventerprisek9-mz.124-20.T.bin
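
Added example, not part of the original thread or any poster's code: a small Python check that reads the hit counters from `show access-lists 106` output and flags the symptom described above, where the TCP 1723 entry counts matches but the GRE entry does not. The sample output, the 192.0.2.1 address, the counts and the function names are constructed for illustration.

```python
import re

# Constructed sample of `show access-lists 106` output. The address is a
# documentation placeholder and the match count is invented.
SAMPLE = """\
Extended IP access list 106
    10 permit tcp any host 192.0.2.1 eq 1723 (14 matches)
    20 permit gre any host 192.0.2.1
"""

# One ACE per line: sequence, action, protocol, remainder, optional counter.
ACE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.*?)"
    r"(?:\s+\((?P<hits>\d+) match(?:es)?\))?\s*$"
)

def parse_aces(text):
    """Return one dict per ACE; IOS prints no counter when it is zero."""
    aces = []
    for line in text.splitlines():
        m = ACE.match(line)
        if m:
            aces.append({"action": m["action"], "proto": m["proto"].lower(),
                         "rest": m["rest"], "hits": int(m["hits"] or 0)})
    return aces

def pptp_report(text):
    """Compare hits on the PPTP control (TCP 1723) and data (GRE) permits."""
    permits = [a for a in parse_aces(text) if a["action"] == "permit"]
    ctrl = [a for a in permits
            if a["proto"] == "tcp" and re.search(r"\beq 1723\b", a["rest"])]
    gre = [a for a in permits if a["proto"] in ("gre", "47")]
    ctrl_hits = sum(a["hits"] for a in ctrl)
    gre_hits = sum(a["hits"] for a in gre)
    if not gre:
        verdict = "no-gre-ace"      # ACL has no GRE permit at all
    elif ctrl_hits and not gre_hits:
        verdict = "control-only"    # TCP 1723 seen, no GRE counted by this ACL
    elif ctrl_hits and gre_hits:
        verdict = "both-seen"       # both PPTP flows reach this ACL
    else:
        verdict = "no-pptp-seen"
    return {"control_hits": ctrl_hits, "gre_hits": gre_hits, "verdict": verdict}

if __name__ == "__main__":
    print(pptp_report(SAMPLE))
```

A "control-only" result only says that no GRE packet has been counted by this ACL; it does not by itself distinguish between GRE being dropped upstream and GRE being handled before the ACL on the router.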

Hall of Fame Super Silver

Re: Firewall IOS and PPTP

Hello Dan,

It is possible you have hit a software bug on the C2821 with 12.4(20)T.

Or you might also need to add/modify configuration for it to work.

Cisco Feature Navigator reports PPTP with MPPE as the only PPTP feature.

Here is the feature description

But the configuration looks similar to yours.

Hope to help

