pptp pass thru cisco 857

Discussion in 'Cisco' started by mbanyon@hotmail.com, Jul 26, 2006.

  1. Guest

    Hi, i need to let pptp pass thru my cisco 857 so that a remote user can
    vpn to a win2003 rras server.
    I think there is a problem with GRE, as the software vpn tries to
    connect but times out verifying password. I configured the cisco
    through sdm, see below for my config.
    Any help appreciated


    Building configuration...

    Current configuration : 10457 bytes
    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname yourname
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 debugging
    logging console critical
    enable secret 5 $1$S4TK$CJHdWoE/dSaDJH5q7Ik3w/
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login sdm_vpn_xauth_ml_1 local
    aaa authorization exec default local
    aaa authorization network sdm_vpn_group_ml_1 local
    !
    aaa session-id common
    !
    resource policy
    !
    clock timezone PCTime 12
    clock summer-time PCTime date Mar 16 2003 3:00 Oct 5 2003 2:00
    ip subnet-zero
    no ip source-route
    !
    !
    ip cef
    ip inspect name SDM_LOW cuseeme
    ip inspect name SDM_LOW dns
    ip inspect name SDM_LOW ftp
    ip inspect name SDM_LOW h323
    ip inspect name SDM_LOW https
    ip inspect name SDM_LOW icmp
    ip inspect name SDM_LOW imap
    ip inspect name SDM_LOW pop3
    ip inspect name SDM_LOW rcmd
    ip inspect name SDM_LOW realaudio
    ip inspect name SDM_LOW rtsp
    ip inspect name SDM_LOW esmtp
    ip inspect name SDM_LOW sqlnet
    ip inspect name SDM_LOW streamworks
    ip inspect name SDM_LOW tftp
    ip inspect name SDM_LOW tcp
    ip inspect name SDM_LOW udp
    ip inspect name SDM_LOW vdolive
    ip tcp synwait-time 10
    no ip bootp server
    ip domain name yourdomain.com
    ip name-server 192.168.0.10
    ip name-server 202.27.158.40
    ip ssh time-out 60
    ip ssh authentication-retries 2
    !
    !
    crypto pki trustpoint TP-self-signed-737607701
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-737607701
    revocation-check none
    rsakeypair TP-self-signed-737607701
    !
    !
    crypto pki certificate chain TP-self-signed-737607701
    certificate self-signed 01
    3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101
    04050030
    30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D
    43657274
    69666963 6174652D 37333736 30373730 31301E17 0D303230 33303130
    30303733
    395A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403
    1325494F
    532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3733
    37363037
    37303130 819F300D 06092A86 4886F70D 01010105 0003818D 00308189
    02818100
    C32CD2E1 74F4AC03 32422F7C 627E743B F5BB623F E10AE4AA AD406F72
    FBE7D014
    A30B3274 F7380AB4 3319455F 7B4C5F44 E5A19D93 C4D44723 9BED0B8E
    4C038A8F
    1942BA3C 4AC04AE6 184239B5 B9FB8F8E 0E61AF40 34E8DB2F 640B05B1
    43ED0913
    6EC05300 A53AD8D3 FBF8FFA1 CBB32F6D 8191851D B7E97296 C1E3B6CC
    075AB3EF
    02030100 01A37730 75300F06 03551D13 0101FF04 05300301 01FF3022
    0603551D
    11041B30 19821779 6F75726E 616D652E 796F7572 646F6D61 696E2E63
    6F6D301F
    0603551D 23041830 16801490 0E7E2463 ED1C33DF F893219C 6DA77B8B
    84A53630
    1D060355 1D0E0416 0414900E 7E2463ED 1C33DFF8 93219C6D A77B8B84
    A536300D
    06092A86 4886F70D 01010405 00038181 009C0A3C 5FF4CC14 6E5F9985
    8BAAC6CD
    1C0B2E07 745758BA 95F2E0AD C2527F14 D2487329 828D0FC7 D87020B9
    91B8FA79
    31834A88 9BE225FC 8744EAF4 1D67F03A ECAAB074 0A4D1753 1FF9D51A
    9EF10464
    1BD31EC6 F9D7090C 97BF58FD 3E60DBC0 739E9421 BA1C30B6 B74F7786
    BAD855A7
    55643C51 5990BD8C FC257018 328FF4CE DC
    quit
    username admin privilege 15 secret 5 $1$81IM$ppdgknZs/gzklUyPPg61
    username simon secret 5 $1$7P1F$4HUTD59PkxWdO5Zdxw/0
    !
    !
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    !
    crypto isakmp client configuration group remoteusers
    key sultan
    dns 192.168.0.10 202.27.158.40
    domain xxxx.local
    pool SDM_POOL_2
    acl 106
    save-password
    include-local-lan
    max-users 1
    netmask 255.255.255.0
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    !
    interface ATM0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    no atm ilmi-keepalive
    dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
    description $FW_OUTSIDE$$ES_WAN$
    pvc 0/100
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
    ip address 192.168.0.1 255.255.255.0
    ip access-group 100 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    ip tcp adjust-mss 1452
    !
    interface Dialer0
    description $FW_OUTSIDE$
    ip address negotiated
    ip access-group 107 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip inspect SDM_LOW out
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    ip route-cache flow
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap pap callin
    ppp chap hostname
    ppp chap password 7 0518130xxx354xx
    ppp pap sent-username password 7 08xxx21D180B4540
    !
    ip local pool SDM_POOL_1 192.168.0.180 192.168.0.185
    ip local pool SDM_POOL_2 192.168.0.186
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source static tcp 192.168.0.10 1723 interface Dialer0
    1723
    ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
    ip nat inside source static tcp 192.168.0.10 80 interface Dialer0 80
    ip nat inside source static tcp 192.168.0.10 443 interface Dialer0 443
    !
    logging trap debugging
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.0.0 0.0.0.255
    access-list 100 remark auto generated by Cisco SDM Express firewall
    configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 101 remark auto generated by Cisco SDM Express firewall
    configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 remark gre
    access-list 101 permit gre any any log
    access-list 101 permit tcp any any eq 443
    access-list 101 remark pptp 1723
    access-list 101 permit tcp any eq 1723 any eq 1723 log
    access-list 101 permit tcp any any eq www
    access-list 101 permit ip host 192.168.0.186 host 192.168.0.10
    access-list 101 remark icmp 180
    access-list 101 permit icmp host 192.168.0.186 host 192.168.0.10
    access-list 101 remark udp 180
    access-list 101 permit udp host 192.168.0.186 host 192.168.0.10
    access-list 101 remark tcp 180
    access-list 101 permit tcp host 192.168.0.186 host 192.168.0.10
    access-list 101 permit ip host 192.168.0.180 any
    access-list 101 permit ip host 192.168.0.181 any
    access-list 101 permit ip host 192.168.0.182 any
    access-list 101 permit ip host 192.168.0.183 any
    access-list 101 permit ip host 192.168.0.184 any
    access-list 101 permit ip host 192.168.0.185 any
    access-list 101 permit ip host 192.168.0.180 192.168.0.0 0.0.0.255
    access-list 101 permit ip host 192.168.0.181 192.168.0.0 0.0.0.255
    access-list 101 permit ip host 192.168.0.182 192.168.0.0 0.0.0.255
    access-list 101 permit ip host 192.168.0.183 192.168.0.0 0.0.0.255
    access-list 101 permit ip host 192.168.0.184 192.168.0.0 0.0.0.255
    access-list 101 permit ip host 192.168.0.185 192.168.0.0 0.0.0.255
    access-list 101 permit udp any any eq non500-isakmp
    access-list 101 permit udp any any eq isakmp
    access-list 101 permit esp any any
    access-list 101 permit ahp any any
    access-list 101 deny ip 192.168.0.0 0.0.0.255 any
    access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any time-exceeded
    access-list 101 permit icmp any any unreachable
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any
    access-list 102 remark SDM_ACL Category=4
    access-list 102 permit ip 192.168.0.0 0.0.0.255 any
    access-list 103 remark SDM_ACL Category=2
    access-list 103 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.186
    access-list 103 deny ip any host 192.168.0.180
    access-list 103 deny ip any host 192.168.0.181
    access-list 103 deny ip any host 192.168.0.182
    access-list 103 deny ip any host 192.168.0.183
    access-list 103 deny ip any host 192.168.0.184
    access-list 103 deny ip any host 192.168.0.185
    access-list 103 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.180
    access-list 103 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.181
    access-list 103 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.182
    access-list 103 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.183
    access-list 103 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.184
    access-list 103 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.185
    access-list 103 permit ip 192.168.0.0 0.0.0.255 any
    access-list 104 remark SDM_ACL Category=4
    access-list 104 permit ip 192.168.0.0 0.0.0.255 any
    access-list 105 remark SDM_ACL Category=4
    access-list 105 permit ip 192.168.0.0 0.0.0.255 any
    access-list 106 remark SDM_ACL Category=4
    access-list 106 permit ip 192.168.0.0 0.0.0.255 any
    access-list 107 remark auto generated by SDM firewall configuration
    access-list 107 remark SDM_ACL Category=1
    access-list 107 remark gre
    access-list 107 permit gre any any
    access-list 107 permit tcp any any eq 1723
    access-list 107 permit tcp any any eq 443
    access-list 107 permit tcp any any eq www
    access-list 107 permit udp host 202.27.158.40 eq domain any
    access-list 107 permit icmp any any echo-reply
    access-list 107 permit icmp any any time-exceeded
    access-list 107 permit icmp any any unreachable
    access-list 107 deny ip 10.0.0.0 0.255.255.255 any
    access-list 107 deny ip 172.16.0.0 0.15.255.255 any
    access-list 107 deny ip 192.168.0.0 0.0.255.255 any
    access-list 107 deny ip 127.0.0.0 0.255.255.255 any
    access-list 107 deny ip host 255.255.255.255 any
    access-list 107 deny ip host 0.0.0.0 any
    access-list 107 deny ip any any log
    dialer-list 1 protocol ip permit
    no cdp run
    route-map SDM_RMAP_1 permit 1
    match ip address 103
    !
    !
    control-plane
    !
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
    no modem enable
    transport output telnet
    line aux 0
    transport output telnet
    line vty 0 4
    transport input telnet ssh
    !
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    end
     
    , Jul 26, 2006
    #1
    1. Advertising

  2. Merv Guest

    Allow GRE in access-list 100
     
    Merv, Aug 5, 2006
    #2
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Replies:
    7
    Views:
    4,677
  2. Rob
    Replies:
    1
    Views:
    5,398
    Igor Mamuzic
    Aug 31, 2006
  3. Steven
    Replies:
    0
    Views:
    995
    Steven
    Jan 17, 2008
  4. Replies:
    1
    Views:
    6,759
    flamer
    Apr 29, 2008
  5. Replies:
    21
    Views:
    1,531
    Shauna
    Aug 26, 2008
Loading...

Share This Page