Cisco Support Community

Windows XP PPTP VPN client connection behind 1811 with NAT

I have an existing network, connected to the internet through a cable internet company.

I had been using a Cisco 4400N as the 'router/firewall'.

I have a client machine inside (behind) that firewall that connects to a VPN somewhere else, using just the Windows XP native VPN client (using PPTP).

It connects fine when just using the 4400N.

I have since replaced the 4400N with a Cisco 1811.

I set up the 1811 using Cisco Configuration Professional.

Now the computer with the VPN client cannot connect.

I have searched, and fiddled until I am now ready to scream.

Please, someone help me?

Relevant config follows:

Using 8589 out of 196600 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname TheHostname
!
boot-start-marker
boot-end-marker
!
no aaa new-model
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1215066690
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1215066690
 revocation-check none
 rsakeypair TP-self-signed-1215066690
!
!
crypto pki certificate chain TP-self-signed-1215066690
 certificate self-signed 01 nvram:IOS-Self-Sig#2.cer
dot11 syslog
no ip source-route
!
!
no ip bootp server
!
multilink bundle-name authenticated
!
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any SDM_BOOTPC
 match access-group name SDM_BOOTPC
class-map type inspect match-any SDM_DHCP_CLIENT_PT
 match class-map SDM_BOOTPC
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any sdm-cls-bootps
 match protocol bootps
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol pptp
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ipsec-msft
 match protocol ipsec-msft
 match protocol isakmp
 match protocol gdoi
 match protocol ssp
 match protocol pptp
 match protocol l2tp
 match protocol gtpv1
 match protocol gtpv0
 match protocol ssh
 match protocol x11
 match protocol sunrpc
 match protocol sshell
 match protocol shell
 match protocol telnets
 match protocol telnet
 match protocol rtelnet
 match protocol xdmcp
 match protocol exec
 match protocol msrpc
 match protocol pcanywherestat
 match protocol pcanywheredata
 match protocol login
class-map type inspect match-all ccp-cls-ccp-inspect-1
 match class-map ipsec-msft
 match access-group name ipsec-msft
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect sdm-cls-bootps
  pass
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class class-default
policy-map type inspect ccp-permit
 class type inspect SDM_DHCP_CLIENT_PT
  pass
 class class-default
policy-map type inspect ccp-pol-outToIn
 class type inspect CCP_PPTP
  pass
 class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
!

!
interface FastEthernet0
 description $ETH-WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet1
 description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 192.168.2.250 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
ip forward-protocol nd
ip route 10.0.0.0 255.0.0.0 192.168.2.3 2 permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet1 overload
!
ip access-list extended SDM_BOOTPC
 remark CCP_ACL Category=0
 permit udp any any eq bootpc
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
ip access-list extended ipsec-msft
 remark CCP_ACL Category=128
 permit ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
no cdp run
!
!
