 VPN Pass-Through Cisco 871
Hi All, I'm trying to set up VPN pass-through on a Cisco 871 router.  I have to admit, I'm not very knowledgeable on VPN, let alone doing it on a Cisco router.  I referenced a Cisco document when building this config, but can't seem to get it to work. Here's where I am currently at:  I can access the Internet from the internal network.  Before setting up the policy-maps, I was able to ping the Internet-facing address.  Now I can't ping it at all, so I'm assuming there's something wrong there.  I ran a debug statement on the policy-map and it is passing traffic.  I just think I'm missing one or two commands but don't know for sure. Below is the config. Thanks in advance for the help!   Nick
show run
Building configuration...

Current configuration : 3529 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Greco871
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.35
ip dhcp excluded-address 192.168.1.200 192.168.1.250
!
ip dhcp pool Internal
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1 
   domain-name greco.local
   dns-server 68.9.16.30 68.9.16.245 
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name nlr.corp
ip host mattsrv 192.168.1.5
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
!
! 
!
archive
 log config
  hidekeys
!
!
!
class-map type inspect match-all PPTP-Pass-Through-Traffic
 match access-group name PPTP-PASS-THROUGH
class-map type inspect match-any All-Traffic
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all Router-Access-Traffic
 match access-group name Router-Access
class-map type inspect match-all PPTP-Terminated-Traffic
 match access-group name PPTP-Terminated
!
!
policy-map type inspect PPTP-In-Policy
 class type inspect All-Traffic
  inspect
 class class-default
  drop
policy-map type inspect In-Out-Policy
 class type inspect PPTP-Pass-Through-Traffic
  pass
 class type inspect All-Traffic
  inspect
 class class-default
  drop
policy-map type inspect Out-In-Policy
 class type inspect PPTP-Pass-Through-Traffic
  pass
 class class-default
  drop
policy-map type inspect Out-Self-Policy
 class type inspect Router-Access-Traffic
  pass
 class type inspect PPTP-Terminated-Traffic
  pass
 class class-default
  drop
!
zone security outside
zone security inside
zone security pptp
zone-pair security outside-self source outside destination self
 service-policy type inspect Out-Self-Policy
zone-pair security pptp-in source pptp destination inside
 service-policy type inspect PPTP-In-Policy
zone-pair security inside-outside source inside destination outside
 service-policy type inspect In-Out-Policy
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 68.109.233.18 255.255.255.224
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security outside
 ip route-cache flow
 duplex auto
 speed auto
!
interface Virtual-Template1 
 ip unnumbered FastEthernet4
 zone-member security pptp
 peer default ip address dhcp-pool 
 ppp authentication chap ms-chap
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security inside
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 68.109.233.1
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 192.168.1.100 1723 interface FastEthernet4 1723
ip nat inside source list AllowNAT interface FastEthernet4 overload
!
ip access-list standard AllowNAT
 permit 192.168.1.0 0.0.0.255
!
ip access-list extended PPTP-PASS-THROUGH
 permit gre any any
ip access-list extended PPTP-TERMINATED
 permit gre any any
 permit tcp any any eq 1723
ip access-list extended Router-Access
 permit tcp any any eq 22
 permit tcp any any eq telnet
 permit tcp any any eq 443
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
 speed 115200
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end


Software/Hardware used:
Cisco 871
ASKED: August 14, 2009  7:44 PM
UPDATED: August 26, 2009  3:30 PM

Answer Wiki:
The first thing to identify is the type of VPN you want to use (from the config I presume this is PPTP ?). In the question you said pass-through, so this would mean that whatever terminates the VPN is on the inside network, and the terminator is not the router itself. Is this correct ? It would seem to be confirmed by the nat statement, so I presume that the terminator is the internal system with the IP address 192.168.1.100 , so again can you confirm this ? Finally, I presume the router is used just for Internet access from the inside, and to access the PPTP server from the outside ? If we can clarify this, then we can write a cleaner config that will do exactly what you need.
Last Wiki Answer Submitted:  August 14, 2009  9:08 pm  by  BlankReg   12,265 pts.
All Answer Wiki Contributors:  BlankReg   12,265 pts.


Discuss This Question:


 

Hi BlankReg,

Thanks for the prompt response! Yes, I do want to use PPTP. The VPN is terminated on the inside network to a Windows server with a 192.168.1.100 IP address. The router is also used for Internet access from the inside and to access the PPTP server from the outside.

So essentially, yes to all of your questions :)

 55 pts.

 

Would using access-lists rather than policy maps be an acceptable way to handle this?

 55 pts.

 

I think you are correct. I would configure the NAT and just use access-lists to allow the PPTP traffic to the server. So you are looking at something like the following.

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no ip domain-lookup
!
hostname Greco871
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
ip dhcp excluded-address 192.168.1.1 192.168.1.35
ip dhcp excluded-address 192.168.1.200 192.168.1.250
!
ip dhcp pool Internal
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   domain-name greco.local
   dns-server 68.9.16.30 68.9.16.245
!
ip domain name nlr.corp
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
! The zone-member lines from the original config are left out: this config
! defines no security zones, so IOS would reject them and the ACL does the job.
interface FastEthernet4
 ip address 68.109.233.18 255.255.255.224
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 68.109.233.1
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 192.168.1.100 1723 interface FastEthernet4 1723
ip nat inside source list AllowNAT interface FastEthernet4 overload
!
ip access-list standard AllowNAT
 permit 192.168.1.0 0.0.0.255
!
! PPTP needs both the TCP/1723 control channel and the GRE (IP protocol 47) data channel
ip access-list extended Outside-In
 permit tcp any host 68.109.233.18 eq 1723
 permit gre any host 68.109.233.18
 {add any other things you need to permit}
!
!
line con 0
 no modem enable
 speed 115200
line aux 0
line vty 0 4
!
end

You also need to exclude the IP address of the PPTP server from the DHCP scope you have configured, so add the line

ip dhcp excluded-address 192.168.1.100

as well. Otherwise you will have some horrible problems if this address is given out to a PC as well!

I am not clear if you have the firewall version of the IOS software? If you do, then include all the ‘inspect’ commands, and don’t forget to include the ‘ip inspect name standard pptp’; if you don’t, then you need to include lines in the access-list to allow the Internet access replies for the LAN users. I would recommend that you use the firewall IOS, or get a small ASA5505 to protect your network.

Hope this helps.

 12,265 pts.
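As an added example (not code from the thread), a small Python lint that checks an IOS config for the things discussed above: every ACL that a class-map or `ip access-group` references must exist under exactly that name (IOS ACL names are case-sensitive), the PPTP server must be excluded from DHCP, a static NAT for TCP/1723 must exist, and some ACL must permit GRE. The config excerpt is constructed; it reproduces the `PPTP-Terminated` vs `PPTP-TERMINATED` mismatch from the question's own config.

```python
import re

# Constructed excerpt of an IOS config. The two ACL names differ only in case,
# which IOS treats as two different names, so the class-map points at nothing.
SAMPLE_CONFIG = """\
ip dhcp excluded-address 192.168.1.1 192.168.1.35
class-map type inspect match-all PPTP-Terminated-Traffic
 match access-group name PPTP-Terminated
ip nat inside source static tcp 192.168.1.100 1723 interface FastEthernet4 1723
ip access-list extended PPTP-TERMINATED
 permit gre any any
 permit tcp any any eq 1723
interface FastEthernet4
 ip access-group Outside-In in
"""

def parse_acls(config):
    """Return {acl_name: [entry lines]} for named IP access lists, case preserved."""
    acls, current = {}, None
    for line in config.splitlines():
        m = re.match(r"ip access-list (?:standard|extended) (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif line.startswith(" ") and current is not None:
            acls[current].append(line.strip())
        else:
            current = None  # any other top-level command ends the ACL block
    return acls

def lint_pptp_passthrough(config, server_ip):
    """Return a list of findings; an empty list means all checks passed."""
    acls = parse_acls(config)
    findings = []
    refs = re.findall(r"match access-group name (\S+)|ip access-group (\S+) in", config)
    for a, b in refs:
        name = a or b
        if name not in acls:
            hint = [n for n in acls if n.lower() == name.lower()]
            findings.append(f"ACL {name!r} referenced but not defined"
                            + (f" (case mismatch with {hint[0]!r})" if hint else ""))
    if not re.search(rf"^ip dhcp excluded-address {re.escape(server_ip)}\s*$", config, re.M):
        findings.append(f"PPTP server {server_ip} not excluded from DHCP pool")
    if not re.search(rf"^ip nat inside source static tcp {re.escape(server_ip)} 1723 ", config, re.M):
        findings.append("no static NAT for TCP/1723 to the PPTP server")
    if not any(e.startswith("permit gre") for entries in acls.values() for e in entries):
        findings.append("no ACL entry permits GRE (IP protocol 47), which PPTP data needs")
    return findings
```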

 

Ooops, forgot to apply the access list to the interface – silly me!

interface FastEthernet4
ip access-group Internet-In in

And if you do have the firewall IOS you also need to include the command

ip inspect standard in

on that same interface.

 12,265 pts.

 

The old Reg is having a bad one today!

The line should, of course, be

interface FastEthernet4
ip access-group Outside-In in

to match the access list we created.

I am now going to lie down in a darkened room and have a little rest ;-)

 12,265 pts.

 

Thanks for the very detailed feedback BlankReg. I’m going to give this a shot this evening and I’ll let you know how it works.

 55 pts.

 

Okay sorry for the delay but no luck yet.

However, it does seem that connection requests are being forwarded to the server. I tailed the PPTP log and it receives a request and sends an acknowledgement, but that just repeats 4 times or so then quits. Possibly an addressing issue on the outbound packet?

Is there a good debug command to try out to see what’s happening at the router?

I’ll post the config later this evening, I forgot to copy the updated over before I left last week.

Thanks

 55 pts.

 

Just wanted to provide an update…

Interestingly enough, VPN is now working! I have no idea what changed since I last tested it, but I’ve verified from multiple PCs and outside Internet connections that I can get in.

Thanks for all your help BlankReg, I certainly appreciate it!

 55 pts.

 

Glad to help, and glad it is now working :-)

You may need to add the keyword ‘extendable’ at the end of the nat for the pptp server, that should make it definitely trigger in both directions (I think that’s what it does, the Cisco description is not too clear). So maybe what happened is that it worked in one direction, then when that was in the table it can work in the other, but not the other way round (if you can follow that?).

 12,265 pts.