1751 12.2(8) to pass PPTP Traffic for VPN?

Discussion in 'Cisco' started by Deborah Roach, Sep 17, 2004.

  1. Hi there,

    I have 2 small things I'm begging for a little help on.

    My client has a Windows PPTP vpn. We have a 1751 for a new FR service for
    them, I have been given the task of putting on a lengthy packet filter, and
    making it allow their VPN traffic.

    I have another client with an 839 running 12.2(15)T8 and the following
    config:

    vpdn-group PPTP_WIN2KClient
    ! Default PPTP VPDN group
    accept-dialin
    protocol pptp
    virtual-template 1

    !
    interface Virtual-Template1
    ip unnumbered Ethernet0
    ip mroute-cache
    peer default ip address pool default
    no keepalive
    ppp encrypt mppe auto required
    ppp authentication ms-chap callin
    ppp ipcp dns 10.0.0.2
    ppp ipcp wins 10.0.0.2
    !

    Essentially I want to be able to copy this config over to the 1751 running
    12.2(8) but cannot. I see that 12.1(5) will do what I want but I doubt it is
    wise to go back so many releases.

    Is there a more recent release you can think of that will let me "vpdn"?

    And the blonde question: Will I need to set up usernames and passwords on
    the router as well?!

    Secondly, I am having trouble translating 3 lines of the client's requested
    packet filter into ACLs.

    TCP Any host ports=4662 => 203.26.X.X port=4662

    TCP Any host port in (5900,5999) => 203.26.X.X port=all ports

    TCP 203.134.Y.Y all ports => 203.26.X.X port=2121

    I suppose they will start access-list 101 permit TCP but after that I'm a
    wee bit confuddled.

    Any assistance you can offer would be greatly appreciated.

    Cheers,

    Deb Roach.
    deb @ advancenetit.com
     
    Deborah Roach, Sep 17, 2004
    #1

  2. Deborah Roach

    PES Guest

    "Deborah Roach" <> wrote in message
    news:414a3b03$...
    > Hi there,
    >
    > I have 2 small things I'm begging for a little help on.
    >
    > My client has a Windows PPTP vpn. We have a 1751 for a new FR service for
    > them, I have been given the task of putting on a lengthy packet filter, and
    > making it allow their VPN traffic.
    >
    > I have another client with an 839 running 12.2(15)T8 and the following
    > config:
    >
    > vpdn-group PPTP_WIN2KClient
    > ! Default PPTP VPDN group
    > accept-dialin
    > protocol pptp
    > virtual-template 1
    >
    > !
    > interface Virtual-Template1
    > ip unnumbered Ethernet0
    > ip mroute-cache
    > peer default ip address pool default
    > no keepalive
    > ppp encrypt mppe auto required
    > ppp authentication ms-chap callin
    > ppp ipcp dns 10.0.0.2
    > ppp ipcp wins 10.0.0.2
    > !
    >
    > Essentially I want to be able to copy this config over to the 1751 running
    > 12.2(8) but cannot. I see that 12.1(5) will do what I want but I doubt it is
    > wise to go back so many releases.
    >


    I don't think you can get anything in 12.1 train for the 1751. You will
    probably need to purchase an ios version that is a 3des to utilize this on
    the 1751. Just a quick search turned up that vpdn has been supported since
    12.2T on the 1751.

    > Is there a more recent release you can think of that will let me "vpdn"?


    This can be found using the Cisco Software advisor from the web site.

    >
    > And the blonde question: Will I need to set up usernames and passwords on
    > the router as well?!


    Depends on where you configure the aaa authentication to come from. I
    typically pull it from radius, but you may be able to put the info directly
    on the router. If so, it will likely be a later release than 12.2T.

    >
    > Secondly, I am having trouble translating 3 lines of the client's requested
    > packet filter into ACLs.
    >
    > TCP Any host ports=4662 => 203.26.X.X port=4662


    In simplest form (without getting into direction, ack bit etc)

    access-list ### permit|deny tcp any eq 4662 203.26.0.0 0.0.255.255 eq 4662
    >
    > TCP Any host port in (5900,5999) => 203.26.X.X port=all ports


    assuming any host port in 5900 is a range

    access-list ### permit|deny tcp any range 5900 5999 203.26.0.0 0.0.255.255
    >
    > TCP 203.134.Y.Y all ports => 203.26.X.X port=2121


    access-list ### permit|deny tcp 203.134.0.0 0.0.255.255 203.26.0.0 0.0.255.255 eq 2121

    >
    > I suppose they will start access-list 101 permit TCP but after that I'm a
    > wee bit confuddled.
    >


    I would also strongly suggest the ios fw feature pack, unless you have
    another firewall.

    > Any assistance you can offer would be greatly appreciated.
    >
    > Cheers,
    >
    > Deb Roach.
    > deb @ advancenetit.com
     
    PES, Sep 17, 2004
    #2
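An added example, not part of either post above: one inbound extended ACL that lets PPTP through the filter (TCP 1723 for control plus GRE, IP protocol 47, for the tunnel) and carries the three requested rules as host-specific entries. It assumes the Windows server terminates PPTP behind the router; the addresses are documentation placeholders for the elided 203.26.X.X and 203.134.Y.Y hosts, and the interface name is hypothetical.

```cisco
! Added example. Placeholder values, not taken from the thread:
!   192.0.2.10     stands in for the client's 203.26.X.X host
!                  (assumed here to also be the Windows PPTP server)
!   198.51.100.20  stands in for the 203.134.Y.Y host
!   Serial0/0.1    assumed name of the frame-relay subinterface
!
! PPTP needs two entries:
!   control channel: TCP destination port 1723
!   data channel:    GRE (IP protocol 47), which has no port numbers
access-list 101 remark PPTP control and GRE tunnel to the VPN server
access-list 101 permit tcp any host 192.0.2.10 eq 1723
access-list 101 permit gre any host 192.0.2.10
!
! Extended ACL order is: protocol, source [src-port], destination [dst-port]
access-list 101 remark rule 1: source port 4662 to destination port 4662
access-list 101 permit tcp any eq 4662 host 192.0.2.10 eq 4662
access-list 101 remark rule 2: source ports 5900-5999 to any destination port
access-list 101 permit tcp any range 5900 5999 host 192.0.2.10
access-list 101 remark rule 3: single source host to destination port 2121
access-list 101 permit tcp host 198.51.100.20 host 192.0.2.10 eq 2121
!
! Everything else hits the implicit deny; an explicit entry makes drops visible in the log
access-list 101 deny ip any any log
!
interface Serial0/0.1
 ip access-group 101 in
```

Omitting the `gre` entry is the usual reason a PPTP client authenticates on port 1723 and then passes no traffic. `show access-lists 101` gives per-entry hit counts for checking which line a session matches.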