pptp pass thru cisco 857

Hi, I need to let PPTP pass thru my Cisco 857 so that a remote user can VPN to a Win2003 RRAS server. I think there is a problem with GRE, as the software VPN tries to connect but times out verifying the password. I configured the Cisco through SDM; see below for my config. Any help appreciated.

Building configuration...

Current configuration : 10457 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$S4TK$CJHdWoE/dSaDJH5q7Ik3w/
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 12
clock summer-time PCTime date Mar 16 2003 3:00 Oct 5 2003 2:00
ip subnet-zero
no ip source-route
!
!
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 192.168.0.10
ip name-server 202.27.158.40
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-737607701
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-737607701
 revocation-check none
 rsakeypair TP-self-signed-737607701
!
!
crypto pki certificate chain TP-self-signed-737607701
 certificate self-signed 01
  3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101
  04050030 30312E30 2C060355 04031325 494F532D 53656C66 2D536967
  6E65642D 43657274 69666963 6174652D 37333736 30373730 31301E17
  0D303230 33303130 30303733 395A170D 32303031 30313030 30303030
  5A303031 2E302C06 03550403 1325494F 532D5365 6C662D53 69676E65
  642D4365 72746966 69636174 652D3733 37363037 37303130 819F300D
  06092A86 4886F70D 01010105 0003818D 00308189 02818100 C32CD2E1
  74F4AC03 32422F7C 627E743B F5BB623F E10AE4AA AD406F72 FBE7D014
  A30B3274 F7380AB4 3319455F 7B4C5F44 E5A19D93 C4D44723 9BED0B8E
  4C038A8F 1942BA3C 4AC04AE6 184239B5 B9FB8F8E 0E61AF40 34E8DB2F
  640B05B1 43ED0913 6EC05300 A53AD8D3 FBF8FFA1 CBB32F6D 8191851D
  B7E97296 C1E3B6CC 075AB3EF 02030100 01A37730 75300F06 03551D13
  0101FF04 05300301 01FF3022 0603551D 11041B30 19821779 6F75726E
  616D652E 796F7572 646F6D61 696E2E63 6F6D301F 0603551D 23041830
  16801490 0E7E2463 ED1C33DF F893219C 6DA77B8B 84A53630 1D060355
  1D0E0416 0414900E 7E2463ED 1C33DFF8 93219C6D A77B8B84 A536300D
  06092A86 4886F70D 01010405 00038181 009C0A3C 5FF4CC14 6E5F9985
  8BAAC6CD 1C0B2E07 745758BA 95F2E0AD C2527F14 D2487329 828D0FC7
  D87020B9 91B8FA79 31834A88 9BE225FC 8744EAF4 1D67F03A ECAAB074
  0A4D1753 1FF9D51A 9EF10464 1BD31EC6 F9D7090C 97BF58FD 3E60DBC0
  739E9421 BA1C30B6 B74F7786 BAD855A7 55643C51 5990BD8C FC257018
  328FF4CE DC
  quit
username admin privilege 15 secret 5 $1$81IM$ppdgknZs/gzklUyPPg61
username simon secret 5 $1$7P1F$4HUTD59PkxWdO5Zdxw/0
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group remoteusers
 key sultan
 dns 192.168.0.10 202.27.158.40
 domain xxxx.local
 pool SDM_POOL_2
 acl 106
 save-password
 include-local-lan
 max-users 1
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $FW_OUTSIDE$$ES_WAN$
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 107 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname snipped-for-privacy@xtra.co.nz
 ppp chap password 7 0518130xxx354xx
 ppp pap sent-username snipped-for-privacy@xtra.co.nz password 7 08xxx21D180B4540
!
ip local pool SDM_POOL_1 192.168.0.180 192.168.0.185
ip local pool SDM_POOL_2 192.168.0.186
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.0.10 1723 interface Dialer0 1723
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.10 80 interface Dialer0 80
ip nat inside source static tcp 192.168.0.10 443 interface Dialer0 443
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark gre
access-list 101 permit gre any any log
access-list 101 permit tcp any any eq 443
access-list 101 remark pptp 1723
access-list 101 permit tcp any eq 1723 any eq 1723 log
access-list 101 permit tcp any any eq www
access-list 101 permit ip host 192.168.0.186 host 192.168.0.10
access-list 101 remark icmp 180
access-list 101 permit icmp host 192.168.0.186 host 192.168.0.10
access-list 101 remark udp 180
access-list 101 permit udp host 192.168.0.186 host 192.168.0.10
access-list 101 remark tcp 180
access-list 101 permit tcp host 192.168.0.186 host 192.168.0.10
access-list 101 permit ip host 192.168.0.180 any
access-list 101 permit ip host 192.168.0.181 any
access-list 101 permit ip host 192.168.0.182 any
access-list 101 permit ip host 192.168.0.183 any
access-list 101 permit ip host 192.168.0.184 any
access-list 101 permit ip host 192.168.0.185 any
access-list 101 permit ip host 192.168.0.180 192.168.0.0 0.0.0.255
access-list 101 permit ip host 192.168.0.181 192.168.0.0 0.0.0.255
access-list 101 permit ip host 192.168.0.182 192.168.0.0 0.0.0.255
access-list 101 permit ip host 192.168.0.183 192.168.0.0 0.0.0.255
access-list 101 permit ip host 192.168.0.184 192.168.0.0 0.0.0.255
access-list 101 permit ip host 192.168.0.185 192.168.0.0 0.0.0.255
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 deny ip 192.168.0.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=2
access-list 103 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.186
access-list 103 deny ip any host 192.168.0.180
access-list 103 deny ip any host 192.168.0.181
access-list 103 deny ip any host 192.168.0.182
access-list 103 deny ip any host 192.168.0.183
access-list 103 deny ip any host 192.168.0.184
access-list 103 deny ip any host 192.168.0.185
access-list 103 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.180
access-list 103 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.181
access-list 103 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.182
access-list 103 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.183
access-list 103 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.184
access-list 103 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.185
access-list 103 permit ip 192.168.0.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=4
access-list 104 permit ip 192.168.0.0 0.0.0.255 any
access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 192.168.0.0 0.0.0.255 any
access-list 106 remark SDM_ACL Category=4
access-list 106 permit ip 192.168.0.0 0.0.0.255 any
access-list 107 remark auto generated by SDM firewall configuration
access-list 107 remark SDM_ACL Category=1
access-list 107 remark gre
access-list 107 permit gre any any
access-list 107 permit tcp any any eq 1723
access-list 107 permit tcp any any eq 443
access-list 107 permit tcp any any eq www
access-list 107 permit udp host 202.27.158.40 eq domain any
access-list 107 permit icmp any any echo-reply
access-list 107 permit icmp any any time-exceeded
access-list 107 permit icmp any any unreachable
access-list 107 deny ip 10.0.0.0 0.255.255.255 any
access-list 107 deny ip 172.16.0.0 0.15.255.255 any
access-list 107 deny ip 192.168.0.0 0.0.255.255 any
access-list 107 deny ip 127.0.0.0 0.255.255.255 any
access-list 107 deny ip host 255.255.255.255 any
access-list 107 deny ip host 0.0.0.0 any
access-list 107 deny ip any any log
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
control-plane
!
banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
mbanyon
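A PPTP pass-through problem on a NAT router usually comes down to a short list of questions: is the outside interface marked `ip nat outside`, does the ACL applied inbound on it permit TCP/1723 and GRE, is there a static mapping for TCP/1723 to the RRAS host, and is there any static entry that covers GRE at all (GRE is IP protocol 47 and has no port, so a tcp/udp port mapping cannot carry it). The script below is an added example, not code from the post or from Cisco: it parses an IOS config fragment and answers those questions from the configuration text alone. `SAMPLE_CONFIG` is a constructed fragment modelled on the config in the post, keeping the 192.168.0.10 server, Dialer0 and ACLs 100/107 from it. It does not model the IOS PPTP NAT ALG, whose behaviour depends on the IOS version; it reports only what the configuration explicitly states.

```python
"""Audit a Cisco IOS config for the pieces a PPTP server behind NAT needs.

Added example, not code from the post or from Cisco. It checks what the
configuration explicitly states; it does not model the IOS PPTP NAT ALG.
"""
import re

# Constructed fragment modelled on the config in the post (not the full config).
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
!
interface Dialer0
 ip address negotiated
 ip access-group 107 in
 ip nat outside
!
ip nat inside source static tcp 192.168.0.10 1723 interface Dialer0 1723
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.10 80 interface Dialer0 80
access-list 100 deny ip host 255.255.255.255 any
access-list 100 permit ip any any
access-list 107 remark gre
access-list 107 permit gre any any
access-list 107 permit tcp any any eq 1723
access-list 107 permit tcp any any eq 443
access-list 107 deny ip any any log
"""


def parse_interfaces(config):
    """Map interface name -> {'acl_in': ACL id or None, 'nat': 'inside'/'outside'/None}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = {"acl_in": None, "nat": None}
        elif current and line.startswith(" "):
            cmd = line.strip()
            m = re.fullmatch(r"ip access-group (\S+) in", cmd)
            if m:
                interfaces[current]["acl_in"] = m.group(1)
            m = re.fullmatch(r"ip nat (inside|outside)", cmd)
            if m:
                interfaces[current]["nat"] = m.group(1)
        else:
            current = None  # '!' or any top-level line ends the interface block
    return interfaces


def parse_acl(config, number):
    """Return the ACEs of a numbered ACL in order, with remarks dropped."""
    prefix = f"access-list {number} "
    return [line[len(prefix):].strip() for line in config.splitlines()
            if line.startswith(prefix) and not line[len(prefix):].startswith("remark")]


def strip_log(body):
    return re.sub(r"\s+log$", "", body)


def matches_gre(body):
    # 'gre any any' or the catch-all 'ip any any' both cover IP protocol 47
    return re.fullmatch(r"(gre|ip) any any", strip_log(body)) is not None


def matches_pptp(body):
    # PPTP control channel: TCP/1723 to any destination
    return re.fullmatch(r"ip any any|tcp any any( eq 1723)?", strip_log(body)) is not None


def acl_permits(entries, predicate):
    """First-match semantics: the first ACE whose body matches decides the verdict."""
    for ace in entries:
        action, body = ace.split(None, 1)
        if predicate(body):
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL


def find_static_nat(config, inside_host):
    """(proto, port) tuples for static NAT entries of inside_host; proto None = whole host."""
    found = []
    for line in config.splitlines():
        m = re.match(r"ip nat inside source static (?:(tcp|udp) )?(\S+)(?: (\d+))?(?: |$)", line)
        if m and m.group(2) == inside_host:
            found.append((m.group(1), int(m.group(3)) if m.group(3) else None))
    return found


def audit_pptp_passthrough(config, rras_host, outside_if):
    """Named checks for PPTP reaching rras_host through outside_if."""
    outside = parse_interfaces(config).get(outside_if, {"acl_in": None, "nat": None})
    if outside["acl_in"] is None:
        permits_pptp = permits_gre = True  # no inbound ACL, so nothing is filtered
    else:
        entries = parse_acl(config, outside["acl_in"])
        permits_pptp = acl_permits(entries, matches_pptp)
        permits_gre = acl_permits(entries, matches_gre)
    nat = find_static_nat(config, rras_host)
    return {
        "outside_is_nat_outside": outside["nat"] == "outside",
        "inbound_acl_permits_tcp_1723": permits_pptp,
        "inbound_acl_permits_gre": permits_gre,
        "static_nat_tcp_1723": ("tcp", 1723) in nat,
        # GRE has no port, so only a whole-host static entry states that it is
        # translated; tcp/udp port entries cannot carry protocol 47.
        "static_nat_covers_gre": any(proto is None for proto, _ in nat),
    }


if __name__ == "__main__":
    for check, ok in audit_pptp_passthrough(SAMPLE_CONFIG, "192.168.0.10", "Dialer0").items():
        print(f"{'OK  ' if ok else 'FAIL'} {check}")
```

Run against the fragment, every check passes except `static_nat_covers_gre`: the ACLs and the TCP/1723 mapping are in place, and the one thing the configuration never states is how GRE to 192.168.0.10 is translated. That is the gap to look at first when the client authenticates over TCP/1723 and then stalls, because the password exchange is the point where the GRE data channel starts being used.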

Allow GRE in access-list 100

Merv

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.