[c-nsp] CBAC PPTP outbound issue to server on same isp subnet - 2811

false jctx09 at yahoo.com
Thu Mar 7 10:36:47 EST 2013


I am using the MS VPN/PPTP client. This client works fine from home but not at the office. At our office, we have a 192.168.2.0 /24 subnet. We have two DSL connections from the same provider. Both of these DSL connections are in the same Class C subnet. One DSL is used for the office users and one is used for a completely separate/isolated test environment. I need to be able to PPTP into the test environment fw (71.x.x.50) from the local office LAN. I am sitting behind a 2811 using CBAC for outbound traffic and an ACL for inbound traffic. I can't even telnet to port 23, and the log only shows this generic message:

002027: Mar  4 17:27:19.861 CST: %FW-6-SESS_AUDIT_TRAIL_START: Start pptp session: initiator (192.168.2.120:51094) -- responder (71.x.x.x:1723)
002028: Mar  4 17:27:42.226 CST: %FW-6-SESS_AUDIT_TRAIL: Stop pptp session: initiator (192.168.2.120:51094) sent 364 bytes -- responder (71.x.x.x:1723) sent 352 bytes

Here is my config. What should I change, please?

ip inspect name Outbound sip
ip inspect name Outbound tftp
ip inspect name Outbound tcp
ip inspect name Outbound udp
ip inspect name Outbound icmp router-traffic
ip inspect name Outbound pptp audit-trail on timeout 3600


interface FastEthernet0/0
 ip address 71.x.x.120 255.255.255.0
 ip access-group 105 in
 no ip unreachables
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect Outbound out
 ip virtual-reassembly
 duplex auto
 speed auto

access-list 105 permit gre any any
access-list 105 permit tcp any host 71.x.x.x eq 22
access-list 105 permit udp any host 71.x.x.x eq 5060
access-list 105 permit tcp any any eq 1723

No-NAT ACL for site-to-site VPN, but these VPNs go out a separate private line T-1 interface.
access-list 175 deny   ip 192.168.2.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 175 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 175 deny   ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 175 permit ip 192.168.2.0 0.0.0.255 any

ip nat inside source route-map nonat interface FastEthernet0/0 overload


Thank you,
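A parser for the %FW-6-SESS_AUDIT_TRAIL lines quoted above, added here as an example and not part of the original post: it pairs the start/stop records per session, computes duration and byte counts, and flags PPTP control sessions that ended quickly with little traffic, which is the pattern the failing client in the post produced. The sample lines are constructed from the post's own output, and the thresholds in suspect_pptp are assumptions to be tuned per site.

```python
import re
from datetime import datetime

# Constructed sample lines in the %FW-6-SESS_AUDIT_TRAIL format quoted in the post
# (the 71.x.x.x responder is the post's own masked address, not a real host).
SAMPLE_LOG = """\
002027: Mar  4 17:27:19.861 CST: %FW-6-SESS_AUDIT_TRAIL_START: Start pptp session: initiator (192.168.2.120:51094) -- responder (71.x.x.x:1723)
002028: Mar  4 17:27:42.226 CST: %FW-6-SESS_AUDIT_TRAIL: Stop pptp session: initiator (192.168.2.120:51094) sent 364 bytes -- responder (71.x.x.x:1723) sent 352 bytes
"""

_TS = r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+) \S+: "
START_RE = re.compile(_TS + r"%FW-6-SESS_AUDIT_TRAIL_START: Start (?P<proto>\S+) session: "
                     r"initiator \((?P<init>[^)]+)\) -- responder \((?P<resp>[^)]+)\)")
STOP_RE = re.compile(_TS + r"%FW-6-SESS_AUDIT_TRAIL: Stop (?P<proto>\S+) session: "
                    r"initiator \((?P<init>[^)]+)\) sent (?P<ib>\d+) bytes -- "
                    r"responder \((?P<resp>[^)]+)\) sent (?P<rb>\d+) bytes")

def _stamp(m):
    # The syslog line carries no year; only the difference between two stamps is used.
    return datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S.%f")

def parse_sessions(text):
    """Pair CBAC start/stop audit-trail lines, keyed by (proto, initiator, responder)."""
    sessions = {}
    for line in text.splitlines():
        if m := START_RE.search(line):
            sessions[(m['proto'], m['init'], m['resp'])] = {"start": _stamp(m)}
        elif m := STOP_RE.search(line):
            s = sessions.setdefault((m['proto'], m['init'], m['resp']), {})
            s["stop"] = _stamp(m)
            s["init_bytes"] = int(m['ib'])
            s["resp_bytes"] = int(m['rb'])
            if "start" in s:
                s["seconds"] = (s["stop"] - s["start"]).total_seconds()
    return sessions

def suspect_pptp(sessions, max_seconds=60.0, max_bytes=2000):
    """PPTP control sessions that ended quickly with little traffic, i.e. the
    tunnel never stayed up. Thresholds are assumptions; tune them per site."""
    return [k for k, s in sessions.items()
            if k[0] == "pptp" and s.get("seconds", max_seconds + 1) <= max_seconds
            and s.get("init_bytes", 0) + s.get("resp_bytes", 0) <= max_bytes]
```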

