Cisco 827/827H/837 Firewall PPTP Configuration
This recipe is designed for Cisco 827, 827H and 837 routers running the firewall and DES/3DES (aka VPN) feature set. It enables PPTP so that remote users can VPN in. Bear in mind that what this template configures, PPTP with MS-CHAP (version 1) and 40-bit MPPE, is weak by current standards: the MS-CHAP exchange can be attacked offline to recover the password hash, and 40-bit MPPE is export-grade encryption. If your IOS image supports it, prefer ppp authentication ms-chap-v2 and ppp encrypt mppe 128 (MS-CHAPv2 is still breakable, but it removes the worst of v1's weaknesses), and treat PPTP as a legacy remote-access method rather than a strong VPN.
Gotcha #1: PPTP will NOT work usefully if the remote user's local network uses the same numbering as the network they are trying to VPN into. The tunnel may come up, but traffic for the remote LAN is routed onto the user's own LAN instead of down the tunnel. For example, if they use 192.168.1.x at home, then PPTP will NOT work if the network they are trying to VPN into also uses 192.168.1.x. Make sure they are different!
Gotcha #2: This configuration will NOT work on most 12.2(2) IOS images, or early 12.2(1) IOS images. Please use the software versions that IFM recommends. Also pay special attention to any memory requirements mentioned.
Gotcha #3: This configuration will NOT work on the Cisco SOHO97.
To use this configuration, download the template file, 827_fw_pptp_nz.tpl, and use Cisco FastStep to install it. After installing the template, you need to use HyperTerminal (on the console port) to add the user accounts. This is done with the following commands (note the end before the copy, which must be issued from privileged EXEC mode rather than configuration mode):

enable
configure terminal
username <username> password <password>
… repeat to create as many users as required …
end
copy running-config startup-config
A configuration created with this template will look something like:
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router
!
logging buffered 4096 debugging
!
username <user 1> password <password 1>
username <user 2> password <password 2>
username <user 3> password <password 3>
!
!
ip subnet-zero
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp excluded-address 192.168.2.254
!
ip dhcp pool dhcppool
 import all
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.254
!
vpdn enable
!
vpdn-group pptp
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
clock timezone NZST 12
clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 3:00
!
ip inspect name Dialer_0 tcp
ip inspect name Dialer_0 udp
ip inspect name Dialer_0 cuseeme
ip inspect name Dialer_0 ftp
ip inspect name Dialer_0 h323
ip inspect name Dialer_0 rcmd
ip inspect name Dialer_0 realaudio
ip inspect name Dialer_0 streamworks
ip inspect name Dialer_0 vdolive
ip inspect name Dialer_0 sqlnet
ip inspect name Dialer_0 tftp
!
interface Loopback0
 ip address 192.168.3.254 255.255.255.0
!
interface Ethernet0
 ip address 192.168.2.254 255.255.255.0
 ip access-group 102 in
 ip nat inside
!
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool pptp
 ppp encrypt mppe 40
 ppp authentication ms-chap
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface Dialer0
 bandwidth 640
 ip address negotiated
 ip inspect Dialer_0 out
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp pap sent-username <username> password <password>
 ppp ipcp dns request
 no cdp enable
!
ip nat inside source list 1 interface Dialer0 overload
ip local pool pptp 192.168.3.1 192.168.3.253
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
!
banner motd |Original config (c)IFM NZ Ltd sales@ifm.net.nz, prepared by IFM NZ Ltd/pid@ifm.net.nz|
!
line vty 0 4
 access-class 1 in
!
access-list 1 remark The local LAN.
access-list 1 permit 192.168.2.0 0.0.0.255
!
access-list 101 remark Traffic allowed to enter the router from Internet
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 permit udp any eq isakmp any eq isakmp
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo
access-list 101 deny ip any any log
!
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 deny udp any any eq tftp
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 permit ip any host 192.168.2.254
access-list 102 permit ip any host 255.255.255.255
access-list 102 deny ip any any log
!
dialer-list 1 protocol ip permit
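Two things in this template are worth checking before you rely on it: the usernames are stored with service password-encryption, which only applies Cisco's reversible "type 7" obfuscation (anyone who can read the saved config can recover the passwords), and the Virtual-Template uses MS-CHAP v1 with 40-bit MPPE. The script below is an added example, not part of IFM's template or of Cisco's tooling: it decodes type-7 strings using the publicly documented key, and audits a config for the weak PPTP settings. The sample config it reads is constructed to resemble the template above; the usernames and the type-7 string in it are made up (the string decodes to the well-known "cisco").

```python
"""Audit a Cisco IOS PPTP config for reversible passwords and weak PPP settings."""
import re

# Cisco "type 7" obfuscation key. This is public and identical on every IOS box,
# which is why 'service password-encryption' hides passwords only from shoulder-surfers.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Reverse a 'password 7' string: two decimal digits of seed, then hex bytes
    each XORed with the key byte at (seed + position) mod len(key)."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode()


def encode_type7(plain: str, seed: int = 8) -> str:
    """Produce the same obfuscation IOS applies; handy for round-trip checks."""
    out = bytes(c ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, c in enumerate(plain.encode()))
    return f"{seed:02d}{out.hex().upper()}"


# Constructed sample (not a real saved config): one type-7 user, one clear-text user,
# and the Virtual-Template settings from the recipe.
SAMPLE_CONFIG = """\
service password-encryption
!
username alice password 7 0822455D0A16
username bob password Summer2003
!
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool pptp
 ppp encrypt mppe 40
 ppp authentication ms-chap
!
"""


def audit_pptp_config(config: str) -> list[tuple[str, str]]:
    """Return (finding, detail) pairs for each weak setting found in an IOS config."""
    findings: list[tuple[str, str]] = []
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"username (\S+) password (?:(\d) )?(\S+)$", line)
        if m:
            user, kind, value = m.groups()
            if kind == "7":
                findings.append(("type7-password", f"{user}: decodes to {decode_type7(value)!r}"))
            else:
                # No type digit or type 0: the password sits in the config in clear text
                # until 'service password-encryption' rewrites it as type 7 on save.
                findings.append(("cleartext-password", f"{user}: {value!r}"))
            continue
        if line == "ppp authentication ms-chap":
            findings.append(("mschap-v1", "use 'ppp authentication ms-chap-v2' where the IOS supports it"))
            continue
        m = re.match(r"ppp encrypt mppe (\S+)$", line)
        if m and m.group(1) != "128":
            findings.append(("mppe-weak", f"mppe {m.group(1)}; use 'ppp encrypt mppe 128'"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_pptp_config(SAMPLE_CONFIG):
        print(f"{code:20s} {detail}")
```

Run it against the output of show running-config saved from HyperTerminal. If you cannot move away from type-7 username passwords on this IOS, at least restrict who can read the saved config (the vty access-class 1 in the template already limits logins to the local LAN).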