Register

Forgot Password

Site FAQ

Home > IT Answers > Networking > VPN Pass-Through Cisco 871

Nfantis

55 pts.

VPN Pass-Through Cisco 871

Cisco 871, VPN, VPN issue, VPN Passthrough, Cisco Routers, Router configuration

Hi All,

I'm trying to setup VPN pass-through on a Cisco 871 router. I have to admit, I'm not very knowledgeable on VPN, let alone doing it on a Cisco router. I referenced a Cisco document building this config, but can't seem to get it to work.

Here's where I am currently at: I can access the Internet from the internal network. Before setting up the policy-maps, I was able to ping the Internet facing address. Now I can't ping it at all, so I'm assuming there's something wrong there. I ran a debug statement on the policy-map and it is passing traffic. I just think I'm missing one or two commands but don't know for sure.

Below is the config. Thanks in advance for the help! Nick

show run
 Building configuration...
 
 Current configuration : 3529 bytes
 !
 version 12.4
 no service pad
 service timestamps debug datetime msec
 service timestamps log datetime msec
 no service password-encryption
 !
 hostname Greco871
 !
 boot-start-marker
 boot-end-marker
 !
 !
 no aaa new-model
 !
 !
 ip cef
 no ip dhcp use vrf connected
 ip dhcp excluded-address 192.168.1.1 192.168.1.35
 ip dhcp excluded-address 192.168.1.200 192.168.1.250
 !
 ip dhcp pool Internal
    import all
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.1 
    domain-name greco.local
    dns-server 68.9.16.30 68.9.16.245 
 !
 !
 ip auth-proxy max-nodata-conns 3
 ip admission max-nodata-conns 3
 ip domain name nlr.corp
 ip host mattsrv 192.168.1.5
 !
 vpdn enable
 !
 vpdn-group 1
 ! Default PPTP VPDN group
  accept-dialin
   protocol pptp
   virtual-template 1
 !
 !
 !
 ! 
 !
 archive
  log config
   hidekeys
 !
 !
 !
 class-map type inspect match-all PPTP-Pass-Through-Traffic
  match access-group name PPTP-PASS-THROUGH
 class-map type inspect match-any All-Traffic
  match protocol tcp
  match protocol udp
  match protocol icmp
 class-map type inspect match-all Router-Access-Traffic
  match access-group name Router-Access
 class-map type inspect match-all PPTP-Terminated-Traffic
  match access-group name PPTP-Terminated
 !
 !
 policy-map type inspect PPTP-In-Policy
  class type inspect All-Traffic
   inspect
  class class-default
   drop
 policy-map type inspect In-Out-Policy
  class type inspect PPTP-Pass-Through-Traffic
   pass
  class type inspect All-Traffic
   inspect
  class class-default
   drop
 policy-map type inspect Out-In-Policy
  class type inspect PPTP-Pass-Through-Traffic
   pass
  class class-default
   drop
 policy-map type inspect Out-Self-Policy
  class type inspect Router-Access-Traffic
   pass
  class type inspect PPTP-Terminated-Traffic
   pass
  class class-default
   drop
 !
 zone security outside
 zone security inside
 zone security pptp
 zone-pair security outside-self source outside destination self
  service-policy type inspect Out-Self-Policy
 zone-pair security pptp-in source pptp destination inside
  service-policy type inspect PPTP-In-Policy
 zone-pair security inside-outside source inside destination outside
  service-policy type inspect In-Out-Policy
 !
 !
 !
 interface FastEthernet0
 !
 interface FastEthernet1
 !
 interface FastEthernet2
 !
 interface FastEthernet3
 !
 interface FastEthernet4
  ip address 68.109.233.18 255.255.255.224
  ip verify unicast reverse-path
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat outside
  ip virtual-reassembly
  zone-member security outside
  ip route-cache flow
  duplex auto
  speed auto
 !
 interface Virtual-Template1 
  ip unnumbered FastEthernet4
  zone-member security pptp
  peer default ip address dhcp-pool 
  ppp authentication chap ms-chap
 !
 interface Vlan1
  ip address 192.168.1.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  zone-member security inside
 !
 ip forward-protocol nd
 ip route 0.0.0.0 0.0.0.0 68.109.233.1
 !
 no ip http server
 no ip http secure-server
 ip nat inside source static tcp 192.168.1.100 1723 interface FastEthernet4 1723
 ip nat inside source list AllowNAT interface FastEthernet4 overload
 !
 ip access-list standard AllowNAT
  permit 192.168.1.0 0.0.0.255
 !
 ip access-list extended PPTP-PASS-THROUGH
  permit gre any any
 ip access-list extended PPTP-TERMINATED
  permit gre any any
  permit tcp any any eq 1723
 ip access-list extended Router-Access
  permit tcp any any eq 22
  permit tcp any any eq telnet
  permit tcp any any eq 443
 !
 !
 !
 !
 control-plane
 !
 !
 line con 0
  no modem enable
  speed 115200
 line aux 0
 line vty 0 4
 !
 scheduler max-task-time 5000
 end

Software/Hardware used:
Cisco 871

ASKED: Aug 14 2009 7:44 PM GMT

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

RELATED QUESTIONS

BlankReg

11280 pts.

RATE THIS ANSWER

0
Click to Vote:

The first thing to identify is the type of VPN you want to use (from the config I presume this is PPTP ?). In the question you said pass-through, so this would mean that whatever terminates the VPN is on the inside network, and the terminator is not the router itself. Is this correct ? It would seem to be confirmed by the nat statement, so I presume that the terminator is the internal system with the IP address 192.168.1.100 , so again can you confirm this ?

Finally, I presume the router is used just for Internet access from the inside, and to access the PPTP server from the outside ?

If we can clarify this, then we can write a cleaner config that will do exactly what you need.

Last Answered: Aug 14 2009 9:08 PM GMT by BlankReg

11280 pts.

View History

RSS - Discussions Help

Discuss This Answer:

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Nfantis 55 pts. | Aug 17 2009 1:19PM GMT

Hi BlankReg,

Thanks for the prompt resonse! Yes, I do want to use PPTP. The VPN is terminated on the inside network to a Window server with a 192.168.1.100 IP address. The router is also used for Internet access from the inside and to access the PPTP server from the outside.

So essentially, yes to all of your questions

Nfantis 55 pts. | Aug 18 2009 3:30PM GMT

Would using access-lists rather than policy maps be an acceptable way to handle this?

BlankReg 11280 pts. | Aug 19 2009 7:36AM GMT

I think you are correct. I would configure the NAT and just use access-lists to allow the PPTP traffic to the server. So you are looking at sometihng like the following

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no ip domain-lookup
!
hostname Greco871
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
ip dhcp excluded-address 192.168.1.1 192.168.1.35
ip dhcp excluded-address 192.168.1.200 192.168.1.250
!
ip dhcp pool Internal
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
domain-name greco.local
dns-server 68.9.16.30 68.9.16.245
!
ip domain name nlr.corp
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 68.109.233.18 255.255.255.224
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
zone-member security outside
ip route-cache flow
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security inside
!
ip route 0.0.0.0 0.0.0.0 68.109.233.1
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 192.168.1.100 1723 interface FastEthernet4 1723
ip nat inside source list AllowNAT interface FastEthernet4 overload
!
ip access-list standard AllowNAT
permit 192.168.1.0 0.0.0.255
!
ip access-list extended Outside-In
permit tcp any host 68.109.233.18 eq 1723
{add any other things you need to permit}
!
!
line con 0
no modem enable
speed 115200
line aux 0
line vty 0 4
!
end

You also need to exclude the IP address of the PPTP server from the DHCP scope you have configured, so add the line

ip dhcp excluded-address 192.168.1.100

as well. Oterwise you will have some horrible problems if this address is given out to a PC as well !

I am not clear if you have the firewall version of the IOS software ? If you do then include all the ‘inspect’ commands, and don’t forget to include the ‘ip inspect name standard pptp’, if you don’t then you need to include lines in the access-list to allow the Internet access replies for the lan users. I would recommend that you use the firewall IOS, or get a small ASA5505 to protect your network.

Hope this helps.

BlankReg 11280 pts. | Aug 19 2009 7:39AM GMT

Ooops, forgot to apply the access list to the interface - silly me !

interface FastEthernet4
ip access-group Internet-In in

And if you do have the firewall IOS you also need to include the command

ip inspect standard in

on that same interface.

BlankReg 11280 pts. | Aug 19 2009 7:41AM GMT

The old Reg is having a bad one today !

The line should, of course, be

interface FastEthernet4
ip access-group Outside-In in

to match the access list we created.

I am now going to lie down in a darkened room and have a little rest

Nfantis 55 pts. | Aug 19 2009 12:26PM GMT

Thanks for the very detailed feedback BlankReg. I’m going to give this a shot this evening and I’ll let you know how it works.

Nfantis 55 pts. | Aug 25 2009 8:17PM GMT

Okay sorry for the delay but no luck yet.

However, it does seem that connection requests are being forwarded to the server. I tailed the PPTP log and it receives a request and sends an acknowledgement, but that just repeats 4 times or so then quits. Possibly an addressing issue on the outbound packet?

Is there a good debug command to try out to see what’s happening at the router?

I’ll post the config later this evening, I forgot to copy the updated over before I left last week.

Thanks

Nfantis 55 pts. | Aug 26 2009 2:35PM GMT

Just wanted to provide an update…

Interestingly enough, VPN is now working! I have no idea what changed since I last tested it, but I’ve verified from multiple PCs and outside Internet connections that I can get in.

Thanks for all your help BlankReg, I certainly appreciate it!

BlankReg 11280 pts. | Aug 26 2009 3:30PM GMT

Glad to help, and glad it is now working

You may need to add the keyword ‘extendable’ at the end of the nat for the pptp server, that should make it definately trigger in both directions (I think that’s what it does, the Cisco description is not too clear). So maybe what happened is that it workied in one direction, then when that was in the table it can work in the other, but not the other way round (if you can follow that ?).

Ask a Question

Browse IT Answers by Topic

Community Blog | About Us | Contact Us | FAQ | Terms of Use | DMCA Policy

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organization's IT projects - with its network of technology-specific Web sites, events and magazines.

All Rights Reserved, Copyright 1999-2009, TechTarget | Read our Privacy Policy | Site Map