Cisco 1841 VPN pass through


  • Cisco 1841 VPN pass through

    Hi. I work at a small business and am attempting to set up a PPTP VPN for a few of the office personnel with RRAS on the server. The incoming network setup is as follows:

    T1 -> Modem -> Cisco 1841 router -> Cisco Catalyst switch -> LAN with Server and 15 PCs

    The server performs duties as a file and print server, domain controller, DHCP, DNS and (hopefully) VPN. Server has two NICs but only one is currently enabled.

    The Cisco router config is:

    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    no service dhcp
    !
    hostname CISCO_ROUTER
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 warnings
    enable secret 5 xxxxxxxxxxxxxxxxxxxxx
    !
    no aaa new-model
    !
    resource policy
    !
    clock timezone EST -5
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    ip subnet-zero
    ip cef
    !
    !
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.10.1.1 10.10.1.20
    ip dhcp excluded-address 10.10.1.100 10.10.1.150
    !
    ip dhcp pool DOMAIN
    network 10.10.1.0 255.255.255.0
    dns-server 4.2.2.2
    default-router 10.10.1.1
    lease 0 1
    !
    !
    ip domain name ourdomain.com
    !
    username XXXXXX privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxx
    !
    !
    !
    interface FastEthernet0/0
    description T1
    ip address EXTERNAL_IP 255.255.255.252
    ip access-group 130 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    description INTERNAL
    ip address INTERNAL_IP 255.255.255.0
    ip nat inside
    duplex auto
    speed auto
    !
    interface Serial0/0/0
    description INACTIVE
    ip address xx.xx.xx.xx 255.255.255.252
    shutdown
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx
    !
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 101 interface FastEthernet0/0 overload
    ip nat inside source static tcp 10.10.1.10 1723 interface FastEthernet0/0 1723
    ip nat inside source static tcp 10.10.1.10 3389 interface FastEthernet0/0 3389
    !
    access-list 23 permit 10.10.1.0 0.0.0.255
    access-list 101 permit ip any any
    access-list 101 permit gre any any
    !
    control-plane
    !
    !
    line con 0
    login local
    line aux 0
    line vty 0 4
    access-class 23 in
    privilege level 15
    login local
    transport input telnet
    line vty 5 15
    access-class 23 in
    privilege level 15
    login local
    transport input telnet
    !

    When I add ACL:

    access-list 130 permit gre any any
    access-list 130 permit tcp any any eq 1723

    I lose the internet connection. What is wrong with the Cisco configuration?
    Thanks in advance.

  • #2
    Re: Cisco 1841 VPN pass through

    You need to turn on CBAC or define all the traffic you want to pass through. When you turn on 130 you're only allowing GRE and TCP 1723 to come in.



    • #3
      Re: Cisco 1841 VPN pass through

      I redid the config as follows:

      Current configuration : 3149 bytes
      !
      version 12.4
      service timestamps debug datetime msec
      service timestamps log datetime msec
      service password-encryption
      no service dhcp
      !
      hostname xxxxxxx
      !
      boot-start-marker
      boot-end-marker
      !
      logging buffered 51200 warnings
      enable secret xxxxxxxxxxxxxxxxxxxx
      !
      no aaa new-model
      !
      resource policy
      !
      clock timezone EST -5
      mmi polling-interval 60
      no mmi auto-configure
      no mmi pvc
      mmi snmp-timeout 180
      ip subnet-zero
      ip cef
      !
      !
      no ip dhcp use vrf connected
      ip dhcp excluded-address 10.10.1.1 10.10.1.20
      ip dhcp excluded-address 10.10.1.100 10.10.1.150
      !
      ip dhcp pool xxxxxxxx
      network 10.10.1.0 255.255.255.0
      dns-server 4.2.2.2
      default-router 10.10.1.1
      lease 0 1
      !
      !
      ip domain name ourdomain.com
      !
      username xxxxx privilege 15 secret 5 xxxxxxxxxxx

      interface FastEthernet0/0
      description xxxxx
      ip address xx.xx.xx.xx 255.255.255.252
      ip access-group 130 in
      no ip redirects
      no ip unreachables
      no ip proxy-arp
      ip nat outside
      duplex auto
      speed auto
      !
      interface FastEthernet0/1
      description xxxxx
      ip address 10.10.1.1 255.255.255.0
      ip nat inside
      duplex auto
      speed auto
      !
      interface Serial0/0/0
      description xxxxx
      ip address xx.xx.xx.xx 255.255.255.252
      shutdown
      !
      ip classless
      ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx
      !
      ip http server
      ip http access-class 23
      ip http authentication local
      ip http timeout-policy idle 60 life 86400 requests 10000
      ip nat inside source list 101 interface FastEthernet0/0 overload
      ip nat inside source static tcp 10.10.1.10 1433 interface FastEthernet0/0 1433
      ip nat inside source static tcp 10.10.1.10 23 interface FastEthernet0/0 23
      ip nat inside source static tcp 10.10.1.10 8080 interface FastEthernet0/0 8080
      ip nat inside source static tcp 10.10.1.10 6000 interface FastEthernet0/0 6000
      ip nat inside source static tcp 10.10.1.10 443 interface FastEthernet0/0 443
      ip nat inside source static tcp 10.10.1.10 25 interface FastEthernet0/0 25
      ip nat inside source static tcp 10.10.1.10 110 interface FastEthernet0/0 110
      ip nat inside source static tcp 10.10.1.10 80 interface FastEthernet0/0 80
      ip nat inside source static tcp 10.10.1.10 1723 interface FastEthernet0/0 1723
      ip nat inside source static tcp 10.10.1.10 3389 interface FastEthernet0/0 3389
      !
      access-list 23 permit 10.10.1.0 0.0.0.255
      access-list 101 permit ip any any
      access-list 101 permit gre any any
      access-list 130 permit tcp any any eq telnet
      access-list 130 permit tcp any any eq smtp
      access-list 130 permit tcp any any eq www
      access-list 130 permit tcp any any eq pop3
      access-list 130 permit tcp any any eq 443
      access-list 130 permit tcp any any eq 1433
      access-list 130 permit tcp any any eq 6000
      access-list 130 permit tcp any any eq 8080
      access-list 130 permit udp any any eq domain
      access-list 130 permit icmp any any
      access-list 130 permit gre any any
      access-list 130 permit tcp any any eq 1723
      access-list 130 permit tcp any any eq 3389
      !
      control-plane
      !
      !
      line con 0
      login local
      line aux 0
      line vty 0 4
      access-class 23 in
      privilege level 15
      login local
      transport input telnet
      line vty 5 15
      access-class 23 in
      privilege level 15
      login local
      transport input telnet
      !
      end

      I cannot access the internet with this config. What do I need to change?
      Thanks.

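The reason both configurations lose internet access is the same, and it is what reply #2 is pointing at: access-list 130 is applied inbound on the outside interface and is stateless, and `permit tcp any any eq www` matches packets whose DESTINATION port is 80. Replies to the LAN's own outbound HTTP and DNS requests arrive with SOURCE port 80 or 53 and an ephemeral destination port, so they hit the implicit deny at the end of the list, while the explicitly permitted inbound services (PPTP 1723, GRE, 3389) still work. The Python below is an added illustration written for this thread, not code from the poster or from Cisco IOS: it models the second post's ACL 130 as a stateless filter, then adds a minimal session-tracking stand-in for what CBAC (`ip inspect`) does. All addresses other than the thread's 4.2.2.2 are constructed documentation-range placeholders, and the inspector is a simplification, not IOS's implementation.

```python
"""Stateless inbound ACL vs. stateful inspection, modelled on the thread's ACL 130.

Added example for the forum thread above; not the poster's config or Cisco code.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "gre" or "icmp"
    src: str
    sport: Optional[int]  # None for gre/icmp
    dst: str
    dport: Optional[int]

# Constructed model of the second post's access-list 130, in order.
# Each entry is (protocol, destination port or None for "any"):
# a Cisco ACE written "permit tcp any any eq N" matches the DESTINATION port N.
ACL_130 = [
    ("tcp", 23), ("tcp", 25), ("tcp", 80), ("tcp", 110), ("tcp", 443),
    ("tcp", 1433), ("tcp", 6000), ("tcp", 8080), ("udp", 53),
    ("icmp", None), ("gre", None), ("tcp", 1723), ("tcp", 3389),
]

# Placeholder addresses (constructed). EXTERNAL_IP stands in for the router's
# outside address; the inbound ACL is evaluated before NAT un-translates it.
EXTERNAL_IP = "203.0.113.10"
WEB_SERVER = "198.51.100.20"
DNS_SERVER = "4.2.2.2"          # the DNS server from the thread's DHCP pool
REMOTE_CLIENT = "198.51.100.77"

def acl_permits(pkt: Packet, acl=ACL_130) -> bool:
    """First-match evaluation with the implicit deny every Cisco ACL ends in."""
    for proto, dport in acl:
        if pkt.proto == proto and (dport is None or pkt.dport == dport):
            return True
    return False

class StatefulInspector:
    """Simplified stand-in for CBAC: remember outbound TCP/UDP sessions and
    admit their reply packets even though the static ACL would drop them."""
    def __init__(self, acl=ACL_130):
        self.acl = acl
        self.sessions = set()   # expected reverse 5-tuples

    def outbound(self, pkt: Packet) -> None:
        # ACL 130 is applied "in", so outbound packets are never filtered by it;
        # inspection only records which return traffic to expect.
        if pkt.proto in ("tcp", "udp"):
            self.sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound(self, pkt: Packet) -> bool:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.sessions:
            return True         # dynamic opening for a tracked session's reply
        return acl_permits(pkt, self.acl)

# Constructed sample traffic as seen on the outside interface.
HTTP_REQUEST = Packet("tcp", EXTERNAL_IP, 51000, WEB_SERVER, 80)
HTTP_REPLY = Packet("tcp", WEB_SERVER, 80, EXTERNAL_IP, 51000)
DNS_QUERY = Packet("udp", EXTERNAL_IP, 53400, DNS_SERVER, 53)
DNS_REPLY = Packet("udp", DNS_SERVER, 53, EXTERNAL_IP, 53400)
PPTP_INBOUND = Packet("tcp", REMOTE_CLIENT, 40000, EXTERNAL_IP, 1723)
GRE_INBOUND = Packet("gre", REMOTE_CLIENT, None, EXTERNAL_IP, None)
UNSOLICITED_TCP = Packet("tcp", REMOTE_CLIENT, 40001, EXTERNAL_IP, 51000)

def demo_stateless() -> dict:
    """Verdicts of ACL 130 alone: inbound services pass, replies to LAN traffic do not."""
    return {
        "http_reply": acl_permits(HTTP_REPLY),      # sport 80, dport 51000 -> denied
        "dns_reply": acl_permits(DNS_REPLY),        # sport 53, dport 53400 -> denied
        "pptp_inbound": acl_permits(PPTP_INBOUND),  # dport 1723 -> permitted
        "gre_inbound": acl_permits(GRE_INBOUND),    # gre any any -> permitted
    }

def demo_stateful() -> dict:
    """Same ACL plus session tracking: replies to tracked sessions are admitted."""
    insp = StatefulInspector()
    insp.outbound(HTTP_REQUEST)
    insp.outbound(DNS_QUERY)
    return {
        "http_reply": insp.inbound(HTTP_REPLY),
        "dns_reply": insp.inbound(DNS_REPLY),
        "pptp_inbound": insp.inbound(PPTP_INBOUND),
        "unsolicited_tcp": insp.inbound(UNSOLICITED_TCP),  # no session, no ACE -> denied
    }

if __name__ == "__main__":
    print("stateless:", demo_stateless())
    print("stateful: ", demo_stateful())
```

Run as a script it prints both verdict tables; the stateless table shows exactly the symptom in the thread (DNS and web replies dropped, PPTP and GRE admitted). On IOS the equivalent of the stateful path is CBAC, as reply #2 says: an `ip inspect name` policy for tcp and udp applied outbound on FastEthernet0/0 punches the return holes through ACL 130. Adding an ACE with the `established` keyword would cover TCP replies only, so DNS over UDP would still need its own handling; inspection covers both.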