Cisco 892 + PPTP

Metraon (Limp Gawd; joined Feb 23, 2011; 307 messages)
We have a Cisco 892 with this configuration.

I've got several laptops that need to connect to a Windows server with PPTP. They are using the Windows connection manager. We can connect to the Windows PPTP server for hours sometimes. But sometimes we can just connect for about 5 minutes. Is there something wrong in my configuration?

The errors the clients are getting are these: Link to VPN server failed, or ERROR 619 or ERROR 651...

I thought the QoS was messing with this but it seems pretty random :( Perhaps my ACLs are messy?

Thanks

Cisco 892 config:

!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Quantis891
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.1.1.201 10.1.1.254
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
!
ip dhcp pool Quantum
import all
network 10.1.1.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 10.1.1.1
netbios-name-server 10.1.1.253
lease infinite
!
!
ip cef
no ip bootp server
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO891-K9 sn **********
!
!
object-group service Srvloc
description Srvloc Port 427
udp lt 427
!

!
ip tcp synwait-time 10
!
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-any PPTP
match protocol pptp
class-map match-any WebEmail
match protocol http
match protocol secure-http
match protocol smtp
match protocol pop3
match protocol dns
match protocol secure-pop3
match protocol imap
class-map match-any VoIP
match protocol skype
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map match-any VPN
match protocol pptp
match protocol gre
match protocol l2tp
match protocol ipsec
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
!
!
policy-map type inspect VPN
class type inspect SDM_GRE
inspect
class type inspect PPTP
inspect
policy-map QoS
class VoIP
priority percent 15
set dscp ef
class VPN
priority percent 40
class WebEmail
bandwidth remaining percent 40
class class-default
bandwidth remaining percent 35
!
!
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
switchport trunk native vlan 2
shutdown
!
!
interface FastEthernet1
shutdown
!
!
interface FastEthernet2
shutdown
!
!
interface FastEthernet3
shutdown
!
!
interface FastEthernet4
shutdown
!
!
interface FastEthernet5
shutdown
!
!
interface FastEthernet6
shutdown
!
!
interface FastEthernet7
switchport access vlan 2
switchport trunk native vlan 2
!
!
interface FastEthernet8
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
shutdown
duplex auto
speed auto
!
!
interface GigabitEthernet0
description $ETH-WAN$$FW_OUTSIDE$
bandwidth 2048
ip address dhcp client-id GigabitEthernet0 hostname nostromo
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
service-policy output QoS
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.248
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip tcp adjust-mss 1452
!
!
interface Vlan2
description $FW_INSIDE$
ip address 10.1.1.1 255.255.255.0
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
!
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-top-talkers
top 10
sort-by bytes
!
ip nat inside source list 1 interface GigabitEthernet0 overload
!
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
!
logging trap debugging
logging 10.1.1.253
access-list 1 remark INSIDE_IF=Vlan2
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 12 permit any
access-list 23 remark CCP_ACL Category=16
access-list 23 permit 10.1.1.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark CCP_ACL Category=1
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq telnet
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq 22
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq www
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq 443
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq cmd
access-list 100 deny tcp any host 10.10.10.1 eq telnet
access-list 100 deny tcp any host 10.10.10.1 eq 22
access-list 100 deny tcp any host 10.10.10.1 eq www
access-list 100 deny tcp any host 10.10.10.1 eq 443
access-list 100 deny tcp any host 10.10.10.1 eq cmd
access-list 100 deny udp any host 10.10.10.1 eq snmp
access-list 100 permit ip any any
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 10.10.10.0 0.0.0.7 any
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 permit ip 10.10.10.0 0.0.0.7 any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark CCP_ACL Category=1
access-list 103 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq telnet
access-list 103 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq 22
access-list 103 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq www
access-list 103 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq 443
access-list 103 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq cmd
access-list 103 permit tcp any any eq 1723
access-list 103 remark GRE
access-list 103 permit gre any any
access-list 103 permit udp any any eq isakmp
access-list 103 deny udp any any eq 427
access-list 103 deny tcp any host 10.1.1.1 eq telnet
access-list 103 deny tcp any host 10.1.1.1 eq 22
access-list 103 deny tcp any host 10.1.1.1 eq www
access-list 103 deny tcp any host 10.1.1.1 eq 443
access-list 103 deny tcp any host 10.1.1.1 eq cmd
access-list 103 deny udp any host 10.1.1.1 eq snmp
access-list 103 permit ip any any
no cdp run
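As an added example (not code from the post), a small Python first-match evaluator for the numbered ACLs in this config, run over the Vlan2 inbound list (103) and the NAT source list (1) exactly as quoted above. It reports whether a LAN client's PPTP control channel (TCP/1723) and GRE data channel are permitted inbound on Vlan2 and whether that client is covered by the NAT overload list; the client and server addresses are constructed placeholders.

```python
import ipaddress
# Constructed excerpt of the post's config: the ACL applied inbound on Vlan2 and the NAT source list.
CONFIG = """access-list 1 permit 10.1.1.0 0.0.0.255
access-list 103 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq telnet
access-list 103 permit tcp any any eq 1723
access-list 103 remark GRE
access-list 103 permit gre any any
access-list 103 deny udp any any eq 427
access-list 103 deny tcp any host 10.1.1.1 eq telnet
access-list 103 permit ip any any
"""
PORTS = {"telnet": 23, "www": 80, "cmd": 514, "snmp": 161, "isakmp": 500}
ANY = ipaddress.ip_network("0.0.0.0/0")

def _net(tok, i):  # ACL address spec: any | host A | A wildcard (IOS prints /32 and /0 as host/any)
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_acls(text):
    """ACL number -> ordered list of (action, proto, src_net, dst_net, dst_port or None)."""
    acls = {}
    for tok in (l.split() for l in text.splitlines()):
        if tok[:1] != ["access-list"] or tok[2] not in ("permit", "deny"):
            continue  # skips blank lines and remarks
        if int(tok[1]) < 100:  # numbered standard ACL: source only, no protocol or port
            proto, (src, i), dst = "ip", _net(tok, 3), ANY
        else:
            proto, (src, i) = tok[3], _net(tok, 4)
            dst, i = _net(tok, i)
        port = (PORTS.get(tok[i + 1]) or int(tok[i + 1])) if tok[i:i + 1] == ["eq"] else None
        acls.setdefault(tok[1], []).append((tok[2], proto, src, dst, port))
    return acls

def verdict(aces, proto, src, dst, dport=None):
    """First-match evaluation, ending in IOS's implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, port in aces:
        if p in ("ip", proto) and src in snet and dst in dnet and port in (None, dport):
            return action
    return "deny"

def pptp_client_check(text, client, server):
    """What the Vlan2 inbound ACL and the NAT overload list do with one client's PPTP session."""
    acls = parse_acls(text)
    return {"control_tcp1723": verdict(acls["103"], "tcp", client, server, 1723),
            "data_gre": verdict(acls["103"], "gre", client, server),
            "natted": verdict(acls["1"], "ip", client, server)}
```

The same evaluator shows the ordering effects in list 103: telnet to the router is permitted from 10.1.1.0/24 by the first entry but denied for any other source by the later entry, and UDP/427 is the only LAN traffic that never reaches the final permit.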