Cisco 827/827H/837 Firewall PPTP Configuration

This recipe is designed for those Cisco 827’s and 827H's that have the firewall and DES/3DES [aka VPN] feature set. This recipe enables PPTP to allow remote users to VPN in.

Gotcha #1: PPTP will NOT work if the user has the same local network numbering as the networking they are trying to VPN into. For example, if they use 192.168.1.x at home, then PPTP will NOT work if the network they are trying to VPN into also uses 192.168.1.x. Make sure they are different!

Gotcha #2: This configuration will NOT work on most 12.2(2) IOS images, or early 12.2(1) IOS images. Please use the software versions that IFM recommends. Also pay special attention to any memory requirements mentioned.

Gotcha #3: This configuration will NOT work on the Cisco SOHO97.

To use this configuration, download the template file, 827_fw_pptp_nz.tpl, and use Cisco FastStep to install it. After installing the template, you need to use HyperTerminal to add some users accounts. This is done with the following commands:

                    enable
                    config terminal
                    username <username> password <password>
                    … repeat to create as many users as required …
                    copy running-config startup-config
                    

A configuration created with this template will look something like:

                    no service pad
                    service timestamps debug uptime
                    service timestamps log uptime
                    service password-encryption
                    !
                    hostname router
                    !
                    logging buffered 4096 debugging
                    !
                    username <user 1> password <password 1>
                    username <user 2> password <password 2>
                    username <user 3> password <password 3>
                    !
                    !
                    ip subnet-zero
                    ip dhcp excluded-address 192.168.1.1 192.168.1.100
                    ip dhcp excluded-address 192.168.2.254
                    !
                    ip dhcp pool dhcppool
                      import all
                      network 192.168.2.0 255.255.255.0
                      default-router 192.168.2.254
                    !
                    vpdn enable
                    !
                    vpdn-group pptp
                      ! Default PPTP VPDN group
                      accept-dialin
                        protocol pptp
                        virtual-template 1
                    !
                    clock timezone NZST 12
                    clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 3:00
                    !
                    ip inspect name Dialer_0 tcp
                    ip inspect name Dialer_0 udp
                    ip inspect name Dialer_0 cuseeme
                    ip inspect name Dialer_0 ftp
                    ip inspect name Dialer_0 h323
                    ip inspect name Dialer_0 rcmd
                    ip inspect name Dialer_0 realaudio
                    ip inspect name Dialer_0 streamworks
                    ip inspect name Dialer_0 vdolive
                    ip inspect name Dialer_0 sqlnet
                    ip inspect name Dialer_0 tftp
                    !
                    interface Loopback0
                      ip address 192.168.3.254 255.255.255.0
                    !
                    interface Ethernet0
                      ip address 192.168.2.254 255.255.255.0
                      ip access-group 102 in
                      ip nat inside
                    !
                    interface Virtual-Template1
                      ip unnumbered Loopback0
                      peer default ip address pool pptp
                      ppp encrypt mppe 40
                      ppp authentication ms-chap
                    !
                    interface ATM0
                      no ip address
                      no atm ilmi-keepalive
                      dsl operating-mode auto
                    !
                    interface ATM0.1 point-to-point
                      pvc 0/100
                        encapsulation aal5mux ppp dialer
                        dialer pool-member 1
                    !
                    interface Dialer0
                      bandwidth 640
                      ip address negotiated
                      ip inspect Dialer_0 out
                      ip access-group 101 in
                      no ip redirects
                      no ip unreachables
                      ip nat outside
                      encapsulation ppp
                      dialer pool 1
                      dialer-group 1
                      ppp pap sent-username <username> password <password>
                      ppp ipcp dns request
                      no cdp enable
                    !
                    ip nat inside source list 1 interface Dialer0 overload
                    ip local pool pptp 192.168.3.1 192.168.3.253
                    ip classless
                    ip route 0.0.0.0 0.0.0.0 Dialer0
                    no ip http server
                    !
                    banner motd |Original config (c)IFM Ltd sales@ifm.net.nz, prepared by IFM Ltd/pid@ifm.net.nz|
                    !
                    line vty 0 4
                      access-class 1 in
                    !
                    access-list 1 remark The local LAN.
                    access-list 1 permit 192.168.2.0 0.0.0.255
                    !
                    access-list 101 remark Traffic allowed to enter the router from Internet
                    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
                    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
                    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
                    access-list 101 deny ip any host 255.255.255.255
                    access-list 101 permit udp any eq isakmp any eq isakmp
                    access-list 101 permit tcp any any eq 1723
                    access-list 101 permit gre any any
                    access-list 101 permit icmp any any unreachable
                    access-list 101 permit icmp any any echo-reply
                    access-list 101 permit icmp any any packet-too-big
                    access-list 101 permit icmp any any time-exceeded
                    access-list 101 permit icmp any any traceroute
                    access-list 101 permit icmp any any administratively-prohibited
                    access-list 101 permit icmp any any echo
                    access-list 101 deny ip any any log
                    !
                    access-list 102 remark Traffic allowed to enter the router from the Ethernet
                    access-list 102 deny udp any any eq tftp
                    access-list 102 permit ip 192.168.2.0 0.0.0.255 any
                    access-list 102 permit ip any host 192.168.2.254
                    access-list 102 permit ip any host 255.255.255.255
                    access-list 102 deny ip any any log
                    !
                    dialer-list 1 protocol ip permit
                    

Cisco Systems Partner - Premier Certified