Configuring Cisco 1811W for VPN
  • Configuring Cisco 1811W for VPN

    Hi, I am new to these great forums. Although I have visited before, I have not posted.

    I just replaced a Linksys router with a Cisco 1811W. I was able to migrate most of the services successfully but don't know how to tackle VPN configuration.

    I want to configure VPN to allow access to the Microsoft VPN on a SBS 2003 server behind the router by a Microsoft VPN client from any ip. What do I need to do to accomplish this? Although I am somewhat familiar with CLI, I mostly use SDM GUI.

    Any help would be GREATLY appreciated.

  • #2
    Re: Configuring Cisco 1811W for VPN

    So you just need to allow PPTP to passthrough which means you need to allow tcp 1723 for PPTP and protocol 43 for GRE.

    At the minimum you need an ACL coming inbound on the outside interface allowing tcp port 1723 and GRE (protocol 47) to your public ip. Then you need a static nat for tcp 1723 forwarding to the internal ip of your server.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: Configuring Cisco 1811W for VPN

      Auglan,

      Thanks for your response. I think I have in place what you suggested but it does not work. Will you be able to point out what's missing/wrong if I post the running config?

      Thanks again.



      • #4
        Re: Configuring Cisco 1811W for VPN

        Sure post your config. Just remember to mask your public ip's and passwords.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)



        • #5
          Re: Configuring Cisco 1811W for VPN

          I uploaded the configuration file SDMConfig.txt. Thank you.



          • #6
            Re: Configuring Cisco 1811W for VPN

            Have you monitored any pptp traffic coming in the router? The SDM does let you monitor active traffic flows. If it's being denied that should give you an indication on where to look next. I'm no ZBF expert but that is where I would start. Have someone from the outside try and connect and monitor the flow to see if you can see anything in the logs etc.


            Also I found this:

            ip port-map user-GRE-MARRS port tcp 47 description user-GRE-MARRS

            GRE isn't a port, it has its own transport protocol 47, so I don't know if you can match that in your port-map. So everything linked to that port map is probably not doing anything.


            I would add this to your ACL 100 just to rule out any rules blocking it inbound from the outside:

            permit gre any any
            permit tcp any any eq 1723
            Last edited by auglan; 30th December 2011, 19:54.
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)



            • #7
              Re: Configuring Cisco 1811W for VPN

              In addition to what auglan stated, I copied your config into a GNS3 simulator. Looks like SDM did a good job of configuring ZBF. I encountered no problems with inside->outside traffic (nat overload) -or- outside->inside traffic (ip nat static...). Deep packet inspection was also working.

              Since I have never used SDM to configure a router or used PPTP as a VPN (only IPSEC or SSL), I did find the following link that might point you in the right direction on making the necessary changes to your ZBF configuration to accept and permit PPTP passthrough connections. Plus, it reinforces what Auglan stated (GRE is a protocol, not a port).

              http://siskiyoutech.com/blog/?m=200907

              Good luck



              • #8
                Re: Configuring Cisco 1811W for VPN

                I did a little digging around and I don't think you can match gre as a protocol, but you can match it in an acl. You also need to make sure gre is allowed in both directions, so your outbound policy needs to allow gre as well. Also don't inspect it; just allow it to pass.
                CCNA, CCNA-Security, CCNP
                CCIE Security (In Progress)

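A worked Cisco IOS configuration, added here as an example and not taken from the thread or from the poster's attached SDMConfig.txt, that puts posts #2, #6 and #8 together on a ZBF router: GRE (IP protocol 47) is matched through an ACL rather than a port-map or `match protocol`, it is passed rather than inspected in both zone-pairs, and the TCP 1723 control channel is inspected and port-forwarded to the server. The interface names (FastEthernet0 outside, Vlan1 inside), the zone, class-map and policy-map names, and the server address 192.168.1.10 are assumptions; `<public-ip>` is a placeholder for the router's masked public address.

```cisco
! Added example (not from the thread). Assumed names: FastEthernet0 is the
! outside interface, Vlan1 the inside, zones OUTSIDE and INSIDE, and the
! SBS 2003 server is 192.168.1.10 (constructed address).
!
! 1. Match the two halves of PPTP in ACLs. GRE has no ports, so it is
!    matched by protocol; the control channel is TCP 1723 (posts #2, #6).
ip access-list extended PPTP-GRE
 permit gre any any
ip access-list extended PPTP-CTRL
 permit tcp any any eq 1723
!
! 2. Class-maps. "class-map type inspect" cannot name GRE with
!    "match protocol", but it can reference an ACL (post #8).
class-map type inspect match-all CM-PPTP-GRE
 match access-group name PPTP-GRE
class-map type inspect match-all CM-PPTP-CTRL
 match access-group name PPTP-CTRL
! Assumed stand-in for the class SDM already inspects inside->outside.
class-map type inspect match-any CM-INSIDE-TRAFFIC
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! 3. Outside->inside: inspect the TCP control channel (stateful), but only
!    "pass" GRE. "pass" creates no session, so GRE must also be passed in the
!    inside->outside policy (post #8: both directions, do not inspect it).
!    Order matters: the GRE class sits before any inspect class.
policy-map type inspect PM-OUT-IN
 class type inspect CM-PPTP-GRE
  pass
 class type inspect CM-PPTP-CTRL
  inspect
 class class-default
  drop log
!
policy-map type inspect PM-IN-OUT
 class type inspect CM-PPTP-GRE
  pass
 class type inspect CM-INSIDE-TRAFFIC
  inspect
 class class-default
  drop
!
zone security OUTSIDE
zone security INSIDE
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-IN
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
!
! 4. Inbound ACL on the outside interface (post #2). Inbound ACLs are
!    evaluated before NAT, so they match the public address, not the server.
!    Tighten "any any" from post #6 to the router's own address once it works.
ip access-list extended ACL-OUTSIDE-IN
 permit gre any host <public-ip>
 permit tcp any host <public-ip> eq 1723
 deny ip any any log
!
! 5. Static NAT for the control channel (post #2). GRE carries no port, so
!    this entry does not describe it; IOS NAT's PPTP ALG ties the GRE call
!    to the 1723 session. If that fails on your release, a one-to-one
!    mapping (ip nat inside source static 192.168.1.10 <public-ip>) covers GRE.
ip nat inside source static tcp 192.168.1.10 1723 interface FastEthernet0 1723
!
interface FastEthernet0
 ip access-group ACL-OUTSIDE-IN in
 ip nat outside
 zone-member security OUTSIDE
interface Vlan1
 ip nat inside
 zone-member security INSIDE
```

To see which layer is dropping a test connection, have someone connect from outside and check, in order, `show access-lists ACL-OUTSIDE-IN` (hit counts on the gre and 1723 lines tell you whether the packets reach the interface), `show policy-map type inspect zone-pair OUT-IN` (packet counters per class; the GRE class will show pass counts but no sessions, because pass is stateless), and `show ip nat translations` (an entry for 192.168.1.10:1723 confirms the forward). A `drop log` on class-default writes the denied flow to the log, which is the ZBF-side view of the "monitor the flow" advice in post #6.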