无法连接到网络外的 PPTP 服务器

无法连接到网络外的 PPTP 服务器

我正在尝试配置运行 IOS 15 的 Cisco 881,以允许 pptp 连接到网络外部的服务器。我知道 PPTP 服务器配置正确,因为 a) 它是一个客户端 VPN,并且 b) 它在从 881 外部连接时可以正常工作。我遗漏了什么?

!
! Last configuration change at 10:18:57 PCTime Tue Oct 19 2010 by admin
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
! password-encryption only applies the reversible type-7 scramble to plain-text
! passwords in the config; it is not a hash and does not protect 'secret' values
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
! NOTE(review): buffered and console logging are both off, so the only log sink
! in this listing is the syslog host set further down ('logging 10.10.100.22');
! if that host is unreachable, events (including the 'drop log' hits) are lost
no logging buffered
no logging console
! enable secret hash appears redacted in the post (type 5 = salted MD5)
enable secret 5 $/
!
! no AAA: the 'login local' statements on the line sections authenticate
! against the local user database only
no aaa new-model
memory-size iomem 10
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
! self-signed trustpoint; presumably backs the HTTPS management server enabled
! below ('ip http secure-server') — browsers will flag the certificate as
! untrusted, so users cannot distinguish this router from an impersonator
crypto pki trustpoint TP-self-signed-1169761916
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1169761916
 revocation-check none
 rsakeypair TP-self-signed-1169761916
!
!
! certificate body was omitted from the post
crypto pki certificate chain TP-self-signed-1169761916
 certificate self-signed 01
   quit
! drop packets carrying IP source-route options
no ip source-route
!
! NOTE(review): 10.0.0.1 is not in any pool below; this looks like it was meant
! to be 10.10.10.1 (Vlan1's address) — confirm. 10.100.10.1 (Vlan3's address)
! is likewise not covered by the two 10.100.x.x ranges.
!
ip dhcp excluded-address 10.0.0.1
ip dhcp excluded-address 10.100.0.1 10.100.10.0
ip dhcp excluded-address 10.100.10.255 10.100.255.254
ip dhcp excluded-address 10.10.100.1 10.10.100.40
ip dhcp excluded-address 10.10.100.150 10.10.100.250
!
! Vlan1 clients: public resolvers only
ip dhcp pool ccp-pool1
   import all
   network 10.10.10.0 255.255.255.0
   dns-server 68.87.71.226 68.87.73.242 
   default-router 10.10.10.1 
!
! Vlan3 clients: public resolvers only
ip dhcp pool gpool
   import all
   network 10.100.10.0 255.255.255.0
   dns-server 68.87.71.226 68.87.73.242 
   default-router 10.100.10.1 
!
! Vlan2 clients: internal DNS first (10.10.100.20, the host that also receives
! the static NAT entries below), public resolver as fallback
ip dhcp pool wpool
   import all
   network 10.10.100.0 255.255.255.0
   dns-server 10.10.100.20 68.87.73.242 
   default-router 10.10.100.1 
!
! static bindings are read from a file; its contents are not in this listing
ip dhcp pool wgroup
   origin file wgroup.txt
!
!
ip cef
no ip bootp server
! the router itself does not resolve names (no DNS lookups from the CLI)
no ip domain lookup
ip domain name viridianspark.com
ip name-server 68.87.71.226
ip name-server 68.87.73.242
no ipv6 cef
!
!
!
!!
!
ip tcp synwait-time 10
! SSH hardening present: 60 s login timer, 2 retries. 'ip ssh version 2' is not
! set in this listing, so SSHv1 negotiation may still be offered — confirm.
ip ssh time-out 60
ip ssh authentication-retries 2
!
! match-any: the trailing 'tcp' and 'udp' entries make this class match any
! TCP or UDP flow, so the application-specific lines above them are redundant
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
! icmp + any tcp + any udp (used for router-originated traffic, see ccp-zp-self-out)
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-ssh
 match protocol ssh
! outbound PPTP: matches ACL VPN-out (defined below) OR the pptp protocol
class-map type inspect match-any pptp-out
 match access-group name VPN-out
 match protocol pptp
! NOTE(review): match-any with 'match protocol tcp' means this class matches
! every TCP flow, not just PPTP/HTTP; the pptp and http lines add nothing.
! Where this class is applied (out-zone -> in-zone) that is a wide match.
class-map type inspect match-any ccp-pptp
 match protocol pptp
 match protocol icmp
 match protocol http
 match protocol tcp
 match access-group 110
! access-list 100 does not appear anywhere in this listing; if it is really
! undefined, the 'drop log' attached to this class presumably never fires — confirm
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
! self -> out-zone: router-originated icmp/tcp/udp is stateful; anything else passes
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect 
 class class-default
  pass
! out-zone -> in-zone (see zone-pair ccp-zp-out-in below).
! NOTE(review): 'class class-default pass' means unsolicited inbound traffic
! that matches none of the classes is forwarded, not dropped; together with the
! 'permit ip any any' in ACL VPN on FastEthernet4 the untrusted side is
! effectively unfiltered towards the LAN. A default of 'drop' is the usual shape.
! NOTE(review): because ccp-pptp matches all TCP, replies to the outbound
! 'pass' traffic below (e.g. the SYN-ACK of a TCP 1723 session) land in an
! 'inspect' action that has no session for them; a plausible cause of the
! outbound PPTP failure — check drop counters with
! 'show policy-map type inspect zone-pair ccp-zp-out-in'.
policy-map type inspect ccp-permit-ssh
 class type inspect ccp-ssh
  inspect 
 class type inspect ccp-pptp
  inspect 
 class type inspect pptp-out
  pass
 class class-default
  pass
! in-zone -> out-zone (see zone-pair ccp-zp-in-out below)
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect 
 class type inspect ccp-insp-traffic
  inspect 
! 'pass' forwards PPTP/GRE without creating session state, so the return
! direction is governed entirely by the out-zone -> in-zone policy above
 class type inspect pptp-out
  pass
 class class-default
  drop
! out-zone -> self: nothing from the WAN reaches the router's own services
! (SSH/HTTPS management is reachable only from in-zone)
policy-map type inspect ccp-permit
 class class-default
  drop
!
! two zones: FastEthernet4 is out-zone, Vlan1/2/3 are in-zone (see interfaces)
zone security out-zone
zone security in-zone
! router-originated traffic towards the WAN
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
! LAN -> WAN: stateful inspection, default drop
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
! WAN -> router: everything dropped
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
! WAN -> LAN: ccp-permit-ssh ends in 'class-default pass' (see above), so this
! pair does not block unsolicited inbound traffic
zone-pair security ccp-zp-out-in source out-zone destination in-zone
 service-policy type inspect ccp-permit-ssh
! 
!
!
!
!
!
!
! all four switch ports are access ports in VLAN 2 (10.10.100.0/24, pool wpool);
! no port in this listing is placed in Vlan1 or Vlan3 — those presumably arrive
! over the trunk to the embedded AP
interface FastEthernet0
 switchport access vlan 2
!
interface FastEthernet1
 switchport access vlan 2
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 2
! WAN uplink: NAT outside and out-zone member
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address 173.166.76.217 255.255.255.252
! NOTE(review): ACL VPN (defined below) contains 'permit ip any any', so this
! inbound filter admits everything; the zone-pair policies are the only control
 ip access-group VPN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
! fragment reassembly so NAT and the inspect policies see whole packets
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
!
! management path to the embedded access point; shares Vlan1's address.
! The asker's follow-up (answer 3) attributes the PPTP failure to the AP
! firmware rather than to this router configuration.
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 arp timeout 0
!
! trunk carrying the VLANs to the embedded AP; no allowed-VLAN restriction here
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport mode trunk
!
! inside SVIs: all three are NAT inside and in-zone members
! Vlan1 (10.10.10.0/24): no inbound ACL, unlike Vlan2 and Vlan3
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
! MSS clamp applied on this SVI only
 ip tcp adjust-mss 1452
!
! Vlan2 (10.10.100.0/24): wired ports Fa0-3 and the NAT-exposed hosts
interface Vlan2
 ip address 10.10.100.1 255.255.255.0
 ip access-group 102 in
! NOTE(review): broadcasts are relayed to 10.10.100.104 while the router also
! serves pool wpool for this same subnet — confirm which DHCP server is meant
! to be authoritative, two servers answering is a common source of odd client
! behaviour
 ip helper-address 10.10.100.104
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
! Vlan3 (10.100.10.0/24): ACL 101 blocks this subnet from reaching Vlan2's subnet
interface Vlan3
 ip address 10.100.10.1 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
ip forward-protocol nd
! plain HTTP management disabled, HTTPS enabled with local authentication
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
! PAT for the three inside subnets (ACLs 2, 3, 4 below)
ip nat inside source list 2 interface FastEthernet4 overload
ip nat inside source list 3 interface FastEthernet4 overload
ip nat inside source list 4 interface FastEthernet4 overload
! 'external' here appears to be a redacted global address (the command takes an
! IP or 'interface'). These forwards expose HTTP, SSH (as 2222), RDP (3389) and
! 6060 on inside hosts; since the out-zone -> in-zone policy ends in 'pass',
! the zone firewall adds no restriction on who may reach them.
ip nat inside source static tcp 10.10.100.20 80 external 80 extendable
ip nat inside source static udp 10.10.100.20 80 external 80 extendable
ip nat inside source static tcp 10.10.100.20 22 external 2222 extendable
ip nat inside source static tcp 10.10.100.39 3389 external 3389 extendable
ip nat inside source static tcp 10.10.100.20 6060 external 6060 extendable
! next hop redacted in the post
ip route 0.0.0.0 0.0.0.0 
!
! applied inbound on FastEthernet4 (the WAN side).
! NOTE(review): the first entry admits packets with RFC1918 10.x sources arriving
! from the Internet (an anti-spoofing filter would deny them), and 'permit ip
! any any' in the fifth entry makes every line after it unreachable. Also, on
! the outside interface the inbound ACL is evaluated before NAT translates the
! destination back to the inside address, so matches on 'host 10.10.100.x'
! here are unlikely to see the forwarded traffic — confirm with ACL hit counts.
ip access-list extended VPN
 permit ip 10.0.0.0 0.255.255.255 any
 permit icmp any any
 permit tcp any host 10.10.100.20 eq 2222
 permit ip any any
 permit tcp any host 10.10.100.20 eq 47
 permit tcp any host 10.10.100.20 eq 1723
 permit tcp any host 10.10.100.20 eq www
 permit tcp any host 10.10.100.39 eq 3389
 permit tcp any host 10.10.100.20 eq 6060
! referenced by class-map pptp-out (LAN -> WAN).
! GRE is IP protocol 47, not TCP port 47: 'tcp ... eq 47' matches a TCP port
! PPTP never uses, so only the 1723 and 'permit gre' entries are relevant
ip access-list extended VPN-out
 permit tcp any any eq 47
 permit tcp any any eq 1723
 permit gre any any
!
! all events down to debug level are sent to an inside syslog host; this is the
! only log destination in the config (buffered/console logging are disabled)
logging trap debugging
logging 10.10.100.22
! ACL 1 is defined but not referenced anywhere in this listing
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
! ACLs 2-4: NAT source lists for Vlan1, Vlan2, Vlan3
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 10.10.100.0 0.0.0.255
access-list 4 remark CCP_ACL Category=2
access-list 4 permit 10.100.10.0 0.0.0.255
! ACL 101 (inbound on Vlan3): keep Vlan3 off Vlan2's subnet, allow everything
! else. The 'deny icmp' line is already covered by the 'deny ip' line after it.
access-list 101 permit ip 10.100.10.0 0.0.0.255 10.100.10.0 0.0.0.255
access-list 101 deny   icmp 10.100.10.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 101 deny   ip 10.100.10.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 101 permit ip 10.100.10.0 0.0.0.255 any
access-list 101 permit udp any any eq bootpc
access-list 101 permit udp any any eq bootps
access-list 101 permit tcp any any eq 3689
! ACL 102 (inbound on Vlan2): permits all traffic sourced from the subnet, plus
! DHCP/mDNS/3689 from any source
access-list 102 permit ip 10.10.100.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 102 permit ip 10.10.100.0 0.0.0.255 any
access-list 102 permit udp any any eq bootpc
access-list 102 permit udp any any eq bootps
access-list 102 permit udp 10.10.100.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 5353
access-list 102 permit udp any any eq 5353
access-list 102 permit tcp 10.10.100.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 3689
! referenced by class-map ccp-pptp; 'external' again looks like a redacted
! global address, presumably the PPTP peer
access-list 110 permit ip host external host 10.10.100.39
! CDP disabled: no neighbour/platform details advertised on any port
no cdp run

!
!
!
!
!
control-plane
!
! banners: the login banner is shown before authentication; no comments may be
! placed inside the ^C delimiters or they become part of the banner text
banner exec ^CCC
Welcome to the jungle.

^C
banner login ^CCCIf a router goes down and no one is around to browse the internet, did it drop any packets
^C
!
! no exec-timeout is set on any line, so the platform default idle timer applies
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
! line 2 is presumably the internal line to the embedded AP module (no exec,
! all transports) — confirm against the platform documentation
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
! NOTE(review): vty accepts telnet as well as ssh (credentials would cross the
! wire in clear text), and 'privilege level 15' places every local user straight
! into enable mode. Reachability from the WAN is blocked by ccp-permit, so this
! is exposed to in-zone only.
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

答案1

您可能会考虑删除:

permit tcp any host 10.10.100.20 eq 47

permit tcp any any eq 47

因为它们可能与下面这一行相冲突(或者至少是多余的):

permit gre any any

答案2

从 `policy-map type inspect ccp-inspect` 中删除 `class class-default`,这样应该就可以了

答案3

问题出在内部 AP 固件上,将其降级至 IOS 12.4 后,PPTP 现在可以正常工作
