Velocity Reviews - Computer Hardware Reviews

2620 Router Problem - VPN passthrough

 
 
Cowboy
Guest
Posts: n/a
 
      04-03-2006
I am having a problem establishing a VPN (PPTP) session from a WinXP client
through a Cisco 2620 router to a Watchguard Firebox 1000 firewall end-point.
My Cisco configuration is included below. Would some kind soul take a look
and let me know where I went wrong?

Thanks
Jim

hostname DRIrouter01
!
clock timezone CST -6
!
logging buffered 16384 debugging
!
aaa new-model
aaa authentication login default local
!
username admin password xxxxxxxxxxxxxxxx
no logging console
enable secret xxxxxxxxxxxxxxxx
!
service nagle
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
!
no service pad
no cdp run
no ip source-route
no ip http server
no service udp-small-servers
no service tcp-small-servers
no service finger
!
ip tcp selective-ack
ip tcp path-mtu-discovery
ip name-server 207.191.1.10
ip name-server 207.191.50.10
ip route 0.0.0.0 0.0.0.0 207.201.246.237
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
access-list 101 permit ip any any
!
interface Serial0/0
no ip unreachables
encaps ppp
ip address 207.201.246.238 255.255.255.252
no ip proxy-arp
no ip redirects
no ip directed-broadcast
no ip mroute-cache
no fair-queue
no shutdown
!
interface Serial0/1
no ip unreachables
encaps ppp
no ip address
no ip proxy-arp
no ip redirects
no ip directed-broadcast
no ip mroute-cache
no fair-queue
shutdown
!
interface FastEthernet0/0
ip address 199.227.88.1 255.255.255.192
ip access-group 101 in
no ip proxy-arp
no ip directed-broadcast
no ip redirects
no ip unreachables
no shutdown
duplex auto
speed auto

Merv
Guest
Posts: n/a
 
      04-03-2006
> I am having a problem establishing a VPN (pptp) sessions

> access-list 101 permit ip any any
PPTP uses GRE (protocol 47) and TCP port 1723

The TCP session is used as a control channel and data is transferred
via the GRE tunnel


RFC 2637 - Point-to-Point Tunneling Protocol

RFC 2784 - Generic Routing Encapsulation (GRE)


so try:

no access-list 101

access-list 101 permit ip any any
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any

Cowboy
Guest
Posts: n/a
 
      04-03-2006
Ahh.. I forgot about GRE. So the statements of:

access-list 101 permit ip any any
access-list 101 permit gre any any

Should suffice. The IP keyword in the first statement should take care of
all TCP, UDP, ICMP, and any other internet protocol. The second statement's GRE
keyword will take care of the Generic Routing Encapsulation.

I'll give it a go. Thanks.




"Merv" <> wrote in message
news: oups.com...
>> I am having a problem establishing a VPN (pptp) sessions

>
>> access-list 101 permit ip any any

>
>
> PPTP uses GRE (protocol 47) and TCP port 1723
>
> The TCP session is used as a control channel and data is transferred
> via the GRE tunnel
>
>
> RFC 2637 - Point-to-Point Tunneling Protocol
>
> RFC 2784 - Generic Routing Encapsulation (GRE)
>
>
> so try:
>
> no access-list 101
>
> access-list 101 permit ip any any
> access-list 101 permit tcp any any eq 1723
> access-list 101 permit gre any any
>

Walter Roberson
Guest
Posts: n/a
 
      04-03-2006
In article < .com>,
Merv <> wrote:
>> I am having a problem establishing a VPN (pptp) sessions


>> access-list 101 permit ip any any



>PPTP uses GRE (protocol 47) and TCP port 1723


>so try:



> access-list 101 permit ip any any
> access-list 101 permit tcp any any eq 1723
> access-list 101 permit gre any any


tcp and gre are subsets of ip.

http://www.cisco.com/en/US/products/...html#wp1017448

"To match any Internet protocol (including ICMP, TCP, and UDP) use the
keyword ip."

That "including" should not be read as an exclusive list: the important
part there is "any Internet protocol". GRE, AH and ESP are all examples
of Internet Protocols, so they are included when you specify "ip".
Merv
Guest
Posts: n/a
 
      04-04-2006
> tcp and gre are subsets of ip.

Walter is correct that gre is a subset of IP so your original
access-list should have worked.

I would configure the access-list so that you can see the access-list
match counters at a finer granularity using the "show access-list"
command:

access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit ip any any

I would also configure this access list on the outside serial interface
to see if any PPTP packets are arriving at the router.

You might also want to enable netflow on the router.

Merv
Guest
Posts: n/a
 
      04-04-2006
Actually, having two access lists, one for the serial and one for the
Ethernet interface, might be better to be able to see match counters:

access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit ip any any

access-list 102 permit tcp any any eq 1723
access-list 102 permit gre any any
access-list 102 permit ip any any

int s 0/0
ip access-group 102 in
exit
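Added example, not part of the thread: a minimal model of Cisco IOS extended-ACL first-match evaluation that illustrates two points made above. It shows that `permit ip any any` already admits GRE (protocol 47) and TCP/1723, and that putting the specific entries before the catch-all is what makes their match counters increment. The model ignores addresses and wildcard masks; the sample packets are constructed.

```python
# Simplified model of IOS extended-ACL evaluation (added example, not IOS code).
# Entries are checked top to bottom; the first match wins, its counter
# increments, and an implicit "deny any" drops anything that matched nothing.
from dataclasses import dataclass
from typing import List, Optional, Tuple

IP_PROTO = {"tcp": 6, "udp": 17, "icmp": 1, "gre": 47, "esp": 50, "ah": 51}


@dataclass
class Packet:
    proto: int                  # IP protocol number
    dport: Optional[int] = None  # TCP/UDP destination port, if any


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every IP protocol, else a key of IP_PROTO
    eq: Optional[int] = None    # destination port ("eq N"), tcp/udp only
    hits: int = 0               # what "show access-list" reports as "(N matches)"

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and IP_PROTO[self.proto] != pkt.proto:
            return False
        return self.eq is None or self.eq == pkt.dport


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    for e in acl:
        if e.matches(pkt):
            e.hits += 1
            return e.action
    return "deny"  # implicit deny at the end of every IOS ACL


def run(acl: List[Entry], pkts: List[Packet]) -> Tuple[List[str], List[int]]:
    return [evaluate(acl, p) for p in pkts], [e.hits for e in acl]


# Constructed traffic: PPTP control (TCP/1723), PPTP data (GRE), IPsec ESP, DNS.
SAMPLE = [Packet(6, 1723), Packet(47), Packet(50), Packet(17, 53)]

def original_acl():   # Cowboy's single "permit ip any any"
    return [Entry("permit", "ip")]

def catchall_first():  # ip first: specific entries never see a packet
    return [Entry("permit", "ip"), Entry("permit", "tcp", 1723), Entry("permit", "gre")]

def specific_first():  # Merv's reordering: per-protocol counters become visible
    return [Entry("permit", "tcp", 1723), Entry("permit", "gre"), Entry("permit", "ip")]
```

All three lists permit every sample packet; only the counters differ, which is why the ACL alone could not have been dropping the PPTP traffic and why the reordered list is the one worth inspecting with `show access-list`.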
