VPN Pass-Through Cisco 871

Tags:
Cisco 871
Cisco Routers
Router configuration
VPN
VPN issue
VPN Passthrough
Hi All, I'm trying to set up VPN pass-through on a Cisco 871 router. I have to admit, I'm not very knowledgeable on VPN, let alone doing it on a Cisco router. I referenced a Cisco document building this config, but can't seem to get it to work. Here's where I am currently at: I can access the Internet from the internal network. Before setting up the policy-maps, I was able to ping the Internet-facing address. Now I can't ping it at all, so I'm assuming there's something wrong there. I ran a debug statement on the policy-map and it is passing traffic. I just think I'm missing one or two commands but don't know for sure. Below is the config. Thanks in advance for the help!

Nick
show run
Building configuration...

Current configuration : 3529 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Greco871
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.35
ip dhcp excluded-address 192.168.1.200 192.168.1.250
!
ip dhcp pool Internal
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1 
   domain-name greco.local
   dns-server 68.9.16.30 68.9.16.245 
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name nlr.corp
ip host mattsrv 192.168.1.5
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
!
! 
!
archive
 log config
  hidekeys
!
!
!
class-map type inspect match-all PPTP-Pass-Through-Traffic
 match access-group name PPTP-PASS-THROUGH
class-map type inspect match-any All-Traffic
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all Router-Access-Traffic
 match access-group name Router-Access
class-map type inspect match-all PPTP-Terminated-Traffic
 match access-group name PPTP-Terminated
!
!
policy-map type inspect PPTP-In-Policy
 class type inspect All-Traffic
  inspect
 class class-default
  drop
policy-map type inspect In-Out-Policy
 class type inspect PPTP-Pass-Through-Traffic
  pass
 class type inspect All-Traffic
  inspect
 class class-default
  drop
policy-map type inspect Out-In-Policy
 class type inspect PPTP-Pass-Through-Traffic
  pass
 class class-default
  drop
policy-map type inspect Out-Self-Policy
 class type inspect Router-Access-Traffic
  pass
 class type inspect PPTP-Terminated-Traffic
  pass
 class class-default
  drop
!
zone security outside
zone security inside
zone security pptp
zone-pair security outside-self source outside destination self
 service-policy type inspect Out-Self-Policy
zone-pair security pptp-in source pptp destination inside
 service-policy type inspect PPTP-In-Policy
zone-pair security inside-outside source inside destination outside
 service-policy type inspect In-Out-Policy
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 68.109.233.18 255.255.255.224
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security outside
 ip route-cache flow
 duplex auto
 speed auto
!
interface Virtual-Template1 
 ip unnumbered FastEthernet4
 zone-member security pptp
 peer default ip address dhcp-pool 
 ppp authentication chap ms-chap
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security inside
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 68.109.233.1
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 192.168.1.100 1723 interface FastEthernet4 1723
ip nat inside source list AllowNAT interface FastEthernet4 overload
!
ip access-list standard AllowNAT
 permit 192.168.1.0 0.0.0.255
!
ip access-list extended PPTP-PASS-THROUGH
 permit gre any any
ip access-list extended PPTP-TERMINATED
 permit gre any any
 permit tcp any any eq 1723
ip access-list extended Router-Access
 permit tcp any any eq 22
 permit tcp any any eq telnet
 permit tcp any any eq 443
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
 speed 115200
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end


Software/Hardware used:
Cisco 871
ASKED: August 14, 2009  7:44 PM
UPDATED: August 26, 2009  3:30 PM

Answer Wiki


The first thing to identify is the type of VPN you want to use (from the config I presume this is PPTP?). In the question you said pass-through, so this would mean that whatever terminates the VPN is on the inside network, and the terminator is not the router itself. Is this correct? It would seem to be confirmed by the NAT statement, so I presume that the terminator is the internal system with the IP address 192.168.1.100, so again can you confirm this?

Finally, I presume the router is used just for Internet access from the inside, and to access the PPTP server from the outside?

If we can clarify this, then we can write a cleaner config that will do exactly what you need.

Discuss This Question: 9  Replies

 
  • Nfantis
    Hi BlankReg, Thanks for the prompt response! Yes, I do want to use PPTP. The VPN is terminated on the inside network to a Windows server with a 192.168.1.100 IP address. The router is also used for Internet access from the inside and to access the PPTP server from the outside. So essentially, yes to all of your questions :)
  • Nfantis
    Would using access-lists rather than policy maps be an acceptable way to handle this?
  • BlankReg
    I think you are correct. I would configure the NAT and just use access-lists to allow the PPTP traffic to the server. So you are looking at something like the following:

    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    no ip domain-lookup
    !
    hostname Greco871
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    !
    ip dhcp excluded-address 192.168.1.1 192.168.1.35
    ip dhcp excluded-address 192.168.1.200 192.168.1.250
    !
    ip dhcp pool Internal
     import all
     network 192.168.1.0 255.255.255.0
     default-router 192.168.1.1
     domain-name greco.local
     dns-server 68.9.16.30 68.9.16.245
    !
    ip domain name nlr.corp
    !
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
     ip address 68.109.233.18 255.255.255.224
     ip verify unicast reverse-path
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip virtual-reassembly
     zone-member security outside
     ip route-cache flow
     duplex auto
     speed auto
    !
    interface Vlan1
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     zone-member security inside
    !
    ip route 0.0.0.0 0.0.0.0 68.109.233.1
    !
    no ip http server
    no ip http secure-server
    ip nat inside source static tcp 192.168.1.100 1723 interface FastEthernet4 1723
    ip nat inside source list AllowNAT interface FastEthernet4 overload
    !
    ip access-list standard AllowNAT
     permit 192.168.1.0 0.0.0.255
    !
    ip access-list extended Outside-In
     permit tcp any host 68.109.233.18 eq 1723
     {add any other things you need to permit}
    !
    !
    line con 0
     no modem enable
     speed 115200
    line aux 0
    line vty 0 4
    !
    end

    You also need to exclude the IP address of the PPTP server from the DHCP scope you have configured, so add the line

    ip dhcp excluded-address 192.168.1.100

    as well. Otherwise you will have some horrible problems if this address is given out to a PC as well! I am not clear if you have the firewall version of the IOS software? If you do then include all the 'inspect' commands, and don't forget to include the 'ip inspect name standard pptp'; if you don't, then you need to include lines in the access-list to allow the Internet access replies for the LAN users. I would recommend that you use the firewall IOS, or get a small ASA5505 to protect your network. Hope this helps.
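An added example, not from the question or from BlankReg's reply: a small Python audit of the two configurations discussed above. It parses the IOS constructs that matter for PPTP pass-through (extended ACLs, class-map ACL references, policy-maps and zone-pairs) and then checks two things visible in the thread. For the original zone-based firewall config it reports that Out-In-Policy is defined but attached to no zone-pair, that there is no outside-to-inside zone-pair at all (the zone-based firewall drops traffic between zones that have no pair), and that class-map PPTP-Terminated-Traffic references the ACL name PPTP-Terminated while the ACL is defined as PPTP-TERMINATED (IOS ACL names are case-sensitive). For the ACL-only variant it evaluates BlankReg's Outside-In list against the two flows PPTP needs, the TCP 1723 control connection and the GRE tunnel, and shows that GRE falls through to the implicit deny. The config excerpts are constructed from the page, the client address 203.0.113.5 is a made-up documentation address, and the parser only understands the constructs shown here.

```python
import ipaddress
import re

# Constructed excerpt of the zone-based firewall config posted in the question
# (object names are the page's own; lines the checks do not need are left out).
ORIGINAL_CFG = """\
class-map type inspect match-all PPTP-Pass-Through-Traffic
 match access-group name PPTP-PASS-THROUGH
class-map type inspect match-all PPTP-Terminated-Traffic
 match access-group name PPTP-Terminated
policy-map type inspect In-Out-Policy
policy-map type inspect Out-In-Policy
policy-map type inspect Out-Self-Policy
zone-pair security outside-self source outside destination self
 service-policy type inspect Out-Self-Policy
zone-pair security inside-outside source inside destination outside
 service-policy type inspect In-Out-Policy
ip access-list extended PPTP-PASS-THROUGH
 permit gre any any
ip access-list extended PPTP-TERMINATED
 permit gre any any
 permit tcp any any eq 1723
"""
# The access list BlankReg proposed for the ACL-only variant of the config.
PROPOSED_CFG = """\
ip access-list extended Outside-In
 permit tcp any host 68.109.233.18 eq 1723
"""

def parse_ios(text):
    """Collect extended ACLs, class-map ACL references, policy-maps and zone-pairs."""
    cfg = {"acls": {}, "classmap_acl": {}, "policymaps": set(), "zone_pairs": {}}
    block = None  # (kind, name) of the indented block currently being read
    for line in text.splitlines():
        if not line.startswith(" "):  # a top-level command opens a new block
            block = None
            if m := re.match(r"ip access-list extended (\S+)", line):
                block, cfg["acls"][m[1]] = ("acl", m[1]), []
            elif m := re.match(r"class-map type inspect match-\w+ (\S+)", line):
                block = ("class", m[1])
            elif m := re.match(r"policy-map type inspect (\S+)", line):
                cfg["policymaps"].add(m[1])
            elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
                block = ("pair", m[1])
                cfg["zone_pairs"][m[1]] = {"src": m[2], "dst": m[3], "policy": None}
            continue
        tok = line.split()
        kind, name = block or (None, None)
        if kind == "acl":
            cfg["acls"][name].append(tok)
        elif kind == "class" and tok[:3] == ["match", "access-group", "name"]:
            cfg["classmap_acl"][name] = tok[3]
        elif kind == "pair" and tok[:3] == ["service-policy", "type", "inspect"]:
            cfg["zone_pairs"][name]["policy"] = tok[3]
    return cfg

def audit(cfg):
    """Return (finding, subject) pairs for gaps that break outside->inside PPTP."""
    findings = []
    pairs = cfg["zone_pairs"].values()
    for pm in sorted(cfg["policymaps"] - {zp["policy"] for zp in pairs}):
        findings.append(("unapplied-policy", pm))  # defined but attached to no zone-pair
    # ZBF drops traffic between two zones that have no zone-pair between them.
    if ("outside", "inside") not in {(zp["src"], zp["dst"]) for zp in pairs}:
        findings.append(("missing-zone-pair", "outside->inside"))
    for acl in cfg["classmap_acl"].values():
        if acl not in cfg["acls"]:  # IOS ACL names are case-sensitive
            findings.append(("undefined-acl", acl))
    return findings

def _addr(tok, i):
    """Match 'any', 'host X' or 'net wildcard' at tok[i]; return (test, next index)."""
    if tok[i] == "any":
        return (lambda ip: True), i + 1
    if tok[i] == "host":
        return (lambda ip, h=tok[i + 1]: ip == h), i + 2
    net = ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")  # IOS wildcard == hostmask
    return (lambda ip: ipaddress.ip_address(ip) in net), i + 2

def acl_permits(aces, proto, src, dst, dport=None):
    """Evaluate an extended ACL top-down; no matching entry means the implicit deny."""
    for ace in aces:
        if ace[1] != proto:
            continue
        src_ok, i = _addr(ace, 2)
        dst_ok, i = _addr(ace, i)
        port_ok = i >= len(ace) or (ace[i] == "eq" and ace[i + 1] == str(dport))
        if src_ok(src) and dst_ok(dst) and port_ok:
            return ace[0] == "permit"
    return False

def pptp_check(cfg_text, acl_name, client="203.0.113.5", server="68.109.233.18"):
    """PPTP needs TCP 1723 (control) plus GRE (data); the client IP is constructed."""
    aces = parse_ios(cfg_text)["acls"][acl_name]
    return {"tcp1723": acl_permits(aces, "tcp", client, server, 1723),
            "gre": acl_permits(aces, "gre", client, server)}

if __name__ == "__main__":
    print(audit(parse_ios(ORIGINAL_CFG)))
    print(pptp_check(ORIGINAL_CFG, "PPTP-TERMINATED"), pptp_check(PROPOSED_CFG, "Outside-In"))
```

The ACL in the proposed config matches on the router's public address rather than 192.168.1.100 because an inbound ACL on the `ip nat outside` interface is evaluated before the outside-to-inside translation; the same ordering is why GRE from the client needs its own permit entry, since the static NAT line and the ACL as written both cover only TCP 1723.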
  • BlankReg
    Ooops, forgot to apply the access list to the interface - silly me!

    interface FastEthernet4
     ip access-group Internet-In in

    And if you do have the firewall IOS you also need to include the command ip inspect standard in on that same interface.
  • BlankReg
    The old Reg is having a bad one today! The line should, of course, be

    interface FastEthernet4
     ip access-group Outside-In in

    to match the access list we created. I am now going to lie down in a darkened room and have a little rest ;-)
  • Nfantis
    Thanks for the very detailed feedback BlankReg. I'm going to give this a shot this evening and I'll let you know how it works.
  • Nfantis
    Okay sorry for the delay but no luck yet. However, it does seem that connection requests are being forwarded to the server. I tailed the PPTP log and it receives a request and sends an acknowledgement, but that just repeats 4 times or so then quits. Possibly an addressing issue on the outbound packet? Is there a good debug command to try out to see what's happening at the router? I'll post the config later this evening, I forgot to copy the updated over before I left last week. Thanks
  • Nfantis
    Just wanted to provide an update... Interestingly enough, VPN is now working! I have no idea what changed since I last tested it, but I've verified from multiple PCs and outside Internet connections that I can get in. Thanks for all your help BlankReg, I certainly appreciate it!
  • BlankReg
    Glad to help, and glad it is now working :-) You may need to add the keyword 'extendable' at the end of the NAT for the PPTP server; that should make it definitely trigger in both directions (I think that's what it does, the Cisco description is not too clear). So maybe what happened is that it worked in one direction, then when that was in the table it can work in the other, but not the other way round (if you can follow that?).
