I'm trying to configure my Cisco 881 running IOS 15 to allow PPTP connections to a server outside of the network. I know the PPTP server is configured correctly because a) it is a client's VPN, and b) it works when connecting from outside of the 881. What am I missing?
!
! Last configuration change at 10:18:57 PCTime Tue Oct 19 2010 by admin
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
no logging console
enable secret 5 $/
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1169761916
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1169761916
 revocation-check none
 rsakeypair TP-self-signed-1169761916
!
!
crypto pki certificate chain TP-self-signed-1169761916
 certificate self-signed 01
  quit
no ip source-route
!
!
ip dhcp excluded-address 10.0.0.1
ip dhcp excluded-address 10.100.0.1 10.100.10.0
ip dhcp excluded-address 10.100.10.255 10.100.255.254
ip dhcp excluded-address 10.10.100.1 10.10.100.40
ip dhcp excluded-address 10.10.100.150 10.10.100.250
!
ip dhcp pool ccp-pool1
 import all
 network 10.10.10.0 255.255.255.0
 dns-server 68.87.71.226 68.87.73.242
 default-router 10.10.10.1
!
ip dhcp pool gpool
 import all
 network 10.100.10.0 255.255.255.0
 dns-server 68.87.71.226 68.87.73.242
 default-router 10.100.10.1
!
ip dhcp pool wpool
 import all
 network 10.10.100.0 255.255.255.0
 dns-server 10.10.100.20 68.87.73.242
 default-router 10.10.100.1
!
ip dhcp pool wgroup
 origin file wgroup.txt
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name viridianspark.com
ip name-server 68.87.71.226
ip name-server 68.87.73.242
no ipv6 cef
!
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-ssh
 match protocol ssh
class-map type inspect match-any pptp-out
 match access-group name VPN-out
 match protocol pptp
class-map type inspect match-any ccp-pptp
 match protocol pptp
 match protocol icmp
 match protocol http
 match protocol tcp
 match access-group 110
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect ccp-permit-ssh
 class type inspect ccp-ssh
  inspect
 class type inspect ccp-pptp
  inspect
 class type inspect pptp-out
  pass
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect pptp-out
  pass
 class class-default
  drop
policy-map type inspect ccp-permit
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security ccp-zp-out-in source out-zone destination in-zone
 service-policy type inspect ccp-permit-ssh
!
!
!
interface FastEthernet0
 switchport access vlan 2
!
interface FastEthernet1
 switchport access vlan 2
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 2
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address 173.166.76.217 255.255.255.252
 ip access-group VPN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport mode trunk
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address 10.10.100.1 255.255.255.0
 ip access-group 102 in
 ip helper-address 10.10.100.104
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
interface Vlan3
 ip address 10.100.10.1 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 2 interface FastEthernet4 overload
ip nat inside source list 3 interface FastEthernet4 overload
ip nat inside source list 4 interface FastEthernet4 overload
ip nat inside source static tcp 10.10.100.20 80 external 80 extendable
ip nat inside source static udp 10.10.100.20 80 external 80 extendable
ip nat inside source static tcp 10.10.100.20 22 external 2222 extendable
ip nat inside source static tcp 10.10.100.39 3389 external 3389 extendable
ip nat inside source static tcp 10.10.100.20 6060 external 6060 extendable
ip route 0.0.0.0 0.0.0.0
!
ip access-list extended VPN
 permit ip 10.0.0.0 0.255.255.255 any
 permit icmp any any
 permit tcp any host 10.10.100.20 eq 2222
 permit ip any any
 permit tcp any host 10.10.100.20 eq 47
 permit tcp any host 10.10.100.20 eq 1723
 permit tcp any host 10.10.100.20 eq www
 permit tcp any host 10.10.100.39 eq 3389
 permit tcp any host 10.10.100.20 eq 6060
ip access-list extended VPN-out
 permit tcp any any eq 47
 permit tcp any any eq 1723
 permit gre any any
!
logging trap debugging
logging 10.10.100.22
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 10.10.100.0 0.0.0.255
access-list 4 remark CCP_ACL Category=2
access-list 4 permit 10.100.10.0 0.0.0.255
access-list 101 permit ip 10.100.10.0 0.0.0.255 10.100.10.0 0.0.0.255
access-list 101 deny icmp 10.100.10.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 101 deny ip 10.100.10.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 101 permit ip 10.100.10.0 0.0.0.255 any
access-list 101 permit udp any any eq bootpc
access-list 101 permit udp any any eq bootps
access-list 101 permit tcp any any eq 3689
access-list 102 permit ip 10.10.100.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 102 permit ip 10.10.100.0 0.0.0.255 any
access-list 102 permit udp any any eq bootpc
access-list 102 permit udp any any eq bootps
access-list 102 permit udp 10.10.100.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 5353
access-list 102 permit udp any any eq 5353
access-list 102 permit tcp 10.10.100.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 3689
access-list 110 permit ip host external host 10.10.100.39
no cdp run
!
!
!
control-plane
!
banner exec ^CC
Welcome to the jungle.
^C
banner login ^CC
If a router goes down and no one is around to browse the internet, did it drop any packets
^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
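A quick way to sanity-check a PPTP pass-through ACL like the VPN-out list above is to parse its entries and confirm both halves of a PPTP session are permitted: the control channel (TCP destination port 1723) and the data channel, which is GRE, IP protocol 47. An entry such as `permit tcp any any eq 47` matches TCP destination port 47 and does not cover GRE; only the `permit gre any any` entry does. The script below is an added example and not part of the question or any answer; it does not talk to a router, and the ACL text it parses is a constructed sample copied from the lists in the question. The parser handles the `any` / `host X` / `network wildcard` address forms and an optional `eq <port>` on source or destination, which is enough for these lists but not for the full IOS ACL grammar.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample, copied from the VPN-out list and the PPTP-related
# entries of the VPN list in the question.
SAMPLE_ACL = """
ip access-list extended VPN-out
 permit tcp any any eq 47
 permit tcp any any eq 1723
 permit gre any any
ip access-list extended VPN
 permit tcp any host 10.10.100.20 eq 47
 permit tcp any host 10.10.100.20 eq 1723
"""

GRE_PROTOCOL_NUMBER = 47   # GRE is IP protocol 47, not a TCP/UDP port
PPTP_CONTROL_PORT = "1723" # PPTP control channel is TCP/1723 ("pptp" in IOS)


@dataclass
class AclEntry:
    acl: str
    action: str
    protocol: str
    src: str
    dst: str
    src_port: Optional[str] = None
    dst_port: Optional[str] = None

    def matches_pptp_control(self) -> bool:
        """True if this entry permits the TCP/1723 control connection."""
        return (self.action == "permit" and self.protocol == "tcp"
                and self.dst_port in (PPTP_CONTROL_PORT, "pptp"))

    def matches_gre(self) -> bool:
        """True only if the IP protocol itself is GRE (by name or number)."""
        return (self.action == "permit"
                and self.protocol in ("gre", str(GRE_PROTOCOL_NUMBER)))

    def is_tcp_port_47(self) -> bool:
        """A 'tcp ... eq 47' entry: TCP port 47, often mistaken for GRE."""
        return self.protocol == "tcp" and self.dst_port == "47"


def _take_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one IOS address spec starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return "any", i + 1
    if tok == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tok} {tokens[i + 1]}", i + 2   # network + wildcard mask


def _take_port(tokens: List[str], i: int) -> Tuple[Optional[str], int]:
    """Consume an optional 'eq <port>' operator starting at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        return tokens[i + 1], i + 2
    return None, i


def parse_named_acls(text: str) -> List[AclEntry]:
    """Parse named extended ACL blocks from running-config style text."""
    entries: List[AclEntry] = []
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"ip access-list (?:extended|standard) (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        if current is None or not line.startswith(("permit ", "deny ")):
            continue
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        src, i = _take_addr(tokens, 2)
        src_port, i = _take_port(tokens, i)
        dst, i = _take_addr(tokens, i)
        dst_port, i = _take_port(tokens, i)
        entries.append(AclEntry(current, action, proto, src, dst, src_port, dst_port))
    return entries


@dataclass
class PptpReport:
    control_permitted: bool = False
    gre_permitted: bool = False
    tcp_port_47_entries: List[str] = field(default_factory=list)


def pptp_passthrough_report(entries: List[AclEntry]) -> Dict[str, PptpReport]:
    """Per ACL: is TCP/1723 permitted, is GRE permitted, any 'tcp eq 47' noise?"""
    report: Dict[str, PptpReport] = {}
    for e in entries:
        r = report.setdefault(e.acl, PptpReport())
        r.control_permitted = r.control_permitted or e.matches_pptp_control()
        r.gre_permitted = r.gre_permitted or e.matches_gre()
        if e.is_tcp_port_47():
            r.tcp_port_47_entries.append(f"{e.action} {e.protocol} {e.src} {e.dst} eq 47")
    return report


if __name__ == "__main__":
    for name, r in pptp_passthrough_report(parse_named_acls(SAMPLE_ACL)).items():
        print(f"{name}: control(TCP/1723)={r.control_permitted} "
              f"GRE(proto 47)={r.gre_permitted} tcp-port-47={r.tcp_port_47_entries}")
```

Run against the sample, VPN-out reports both halves permitted (its `permit gre any any` covers the data channel) while VPN reports only the control channel, and each list is flagged for one `tcp ... eq 47` entry that contributes nothing to PPTP.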
You might consider removing:
permit tcp any host 10.10.100.20 eq 47
permit tcp any any eq 47
since they probably conflict with (or at least are redundant to):
permit any
Remove class class-default from policy-map type inspect ccp-inspect, and that should work.
The problem was the internal AP firmware; after downgrading it to IOS 12.4, PPTP now works.