2620 Router Problem - VPN passthrough

I am having a problem establishing a VPN (PPTP) session from a WinXP client through a Cisco 2620 router to a Watchguard Firebox 1000 firewall end-point. My Cisco configuration is included below. Would some kind soul take a look and let me know where I went wrong?

Thanks Jim

hostname DRIrouter01
!
clock timezone CST -6
!
logging buffered 16384 debugging
!
aaa new-model
aaa authentication login default local
!
username admin password xxxxxxxxxxxxxxxx
no logging console
enable secret xxxxxxxxxxxxxxxx
!
service nagle
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
!
no service pad
no cdp run
no ip source-route
no ip http server
no service udp-small-servers
no service tcp-small-servers
no service finger
!
ip tcp selective-ack
ip tcp path-mtu-discovery
ip name-server 207.191.1.10
ip name-server 207.191.50.10
ip route 0.0.0.0 0.0.0.0 207.201.246.237
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
access-list 101 permit ip any any
!
interface Serial0/0
 no ip unreachables
 encaps ppp
 ip address 207.201.246.238 255.255.255.252
 no ip proxy-arp
 no ip redirects
 no ip directed-broadcast
 no ip mroute-cache
 no fair-queue
 no shutdown
!
interface Serial0/1
 no ip unreachables
 encaps ppp
 no ip address
 no ip proxy-arp
 no ip redirects
 no ip directed-broadcast
 no ip mroute-cache
 no fair-queue
 shutdown
!
interface FastEthernet0/0
 ip address 199.227.88.1 255.255.255.192
 ip access-group 101 in
 no ip proxy-arp
 no ip directed-broadcast
 no ip redirects
 no ip unreachables
 no shutdown
 duplex auto
 speed auto

Reply to
Cowboy

PPTP uses GRE (IP protocol 47) and TCP port 1723.

The TCP session is used as a control channel, and data is transferred via the GRE tunnel.

RFC 2637 - Point-to-Point Tunneling Protocol

RFC 2784 - Generic Routing Encapsulation (GRE)

so try:

no access-list 101

access-list 101 permit ip any any
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any

Reply to
Merv

Ahh.. I forgot about GRE. So the statements of:

access-list 101 permit ip any any
access-list 101 permit gre any any

Should suffice. The IP keyword in the first statement should take care of all TCP, UDP, ICMP and any other Internet protocol. The second statement's GRE keyword will take care of the Generic Routing Encapsulation.

I'll give it a go. Thanks.

Reply to
Cowboy

TCP and GRE are subsets of IP.

"To match any Internet protocol (including ICMP, TCP, and UDP) use the keyword ip."

That "including" should not be read as an exclusive list: the important part there is "any Internet protocol". GRE, AH and ESP are all examples of Internet Protocols, so they are included when you specify "ip".

Reply to
Walter Roberson

Walter is correct that GRE is a subset of IP, so your original access-list should have worked.

I would configure the access-list so that you can see the access-list match counters at a finer granularity using the "show access-list" command:

access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit ip any any

I would also configure this access list on the outside serial interface to see if any PPTP packets are arriving at the router.

You might also want to enable NetFlow on the router.

Reply to
Merv

Actually, having two access lists, one for the serial and one for the Ethernet interface, might be better to be able to see match counters:

access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit ip any any

access-list 102 permit tcp any any eq 1723
access-list 102 permit gre any any
access-list 102 permit ip any any

int s 0/0
 ip access-group 102 in
 exit

Reply to
Merv
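As an added example (not from the thread or from Cisco), a small Python model of first-match extended ACL evaluation, covering the two points made in the replies above: "permit ip any any" already matches both the PPTP control channel (TCP 1723) and the GRE data channel, and putting the specific entries before the catch-all is what makes the per-entry match counters useful for seeing whether PPTP packets arrive. The sample traffic and the simplified ACE matching (protocol plus destination port only) are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    """One entry of an IOS-style extended ACL: <action> <proto> any any [eq <dport>]."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", "gre", "icmp"
    eq_dport: Optional[int] = None
    matches: int = 0             # what "show access-list" would display for this entry

    def matches_packet(self, proto: str, dport: Optional[int]) -> bool:
        # "ip" matches every IP protocol, GRE included; anything else must match exactly.
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.eq_dport is not None and dport != self.eq_dport:
            return False
        return True

def evaluate(acl: list, proto: str, dport: Optional[int] = None) -> str:
    """First matching entry wins and its counter increments; an IOS ACL ends with an
    implicit 'deny ip any any'."""
    for ace in acl:
        if ace.matches_packet(proto, dport):
            ace.matches += 1
            return ace.action
    return "deny"

def run_traffic(acl: list) -> list:
    # Constructed sample: one PPTP control connect (TCP 1723), two GRE data
    # packets, and an unrelated DNS query.
    sample = [("tcp", 1723), ("gre", None), ("gre", None), ("udp", 53)]
    return [evaluate(acl, p, d) for p, d in sample]

def counters(acl: list) -> list:
    return [ace.matches for ace in acl]

# ACL 101 exactly as originally posted: a single catch-all.
ORIGINAL = [Ace("permit", "ip")]
# Catch-all first: the specific entries below it can never match (shadowed).
SHADOWED = [Ace("permit", "ip"), Ace("permit", "tcp", 1723), Ace("permit", "gre")]
# Specific entries first, catch-all last: same traffic passes, but now the
# counters show how many PPTP control and GRE packets hit the interface.
REORDERED = [Ace("permit", "tcp", 1723), Ace("permit", "gre"), Ace("permit", "ip")]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("shadowed", SHADOWED), ("reordered", REORDERED)):
        print(name, run_traffic(acl), counters(acl))
```

All three lists permit every sample packet; only the reordered list yields counters of 1 (TCP 1723), 2 (GRE) and 1 (other IP), which is the granularity the "show access-list" suggestion relies on.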
