Solved

Cisco 2610 Router: Allowing VPN to pass-through

Posted on 2003-03-10
Last Modified: 2010-04-17
Good Afternoon All,
    I have a Cisco 2600 series router running IOS version 12.0(2a)T1, (fc1). I am trying to allow a Windows 2000 external client VPN to an internal Windows 2000 VPN server using PPTP. I have opened up the PPTP port, mapped from the external public address to the private internal address. I have modified the access lists to allow GRE.
    When the Win2k client attempts to make a VPN connection, he never gets past the password verification stage. I use NETSTAT on the Win2k VPN server and notice the incoming PPTP connection from the outside, but the connection never successfully negotiates.
    When I do a one to one mapping of an internal address with an external address, the VPN works fine, but then I'm stuck with an exposed computer.

Does anyone know how I can get this to work, and if not, if CISCO sells an IOS or add-in for my router to act as the VPN server?

Thanks!!!!!!

Elvis
Question by:ev89pimp
26 Comments
 
LVL 7

Expert Comment

by:pedrow
ID: 8105478
You have to use either a 1-1 nat or upgrade to a code version that supports NAT-T (nat transparency):
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110bca.html

the 1-1 nat is necessary because GRE doesn't use ports per se, which is what PAT needs to do translations.

Just because you've got a 1-1 translation, doesn't mean you're exposed. You can still filter the same way you would with PAT.
 
LVL 1

Author Comment

by:ev89pimp
ID: 8105571
How would I still filter using 1 to 1 as I would with PAT? Would I put in IP / port restrictions in an access-list on the inbound side of the Serial connection (T1)?

Thanks!!
 
LVL 7

Expert Comment

by:pedrow
ID: 8105687
Yup!

In general, I only allow things into my network(s) that I know that I want. i.e. if it isn't specifically permitted, it's denied, so the last line of my inbound access-control list is deny any any log :)

It's much easier to just permit stuff you want rather than deny all the things you think are bad individually.

It sounds as if you think that PAT is somehow a security-related feature - don't :)

NAT translations can get hacked as easily as the real thing.

A quick example of how the access-list might look:

ip access-list extended untrust-in
 remark ********permit established tcp sessions back in
 permit tcp any any established
 remark *******let ICMP replies in********
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
 permit icmp any any net-unreachable
 permit icmp any any host-unreachable
 permit icmp any any administratively-prohibited
 permit icmp any any packet-too-big
 deny   icmp any any
 remark *********permit GRE for pptp connections to server foo**
 permit gre any host <public ip address for server foo>
 permit tcp any host <public ip address for server foo> eq 1723
 remark *********deny everything else********
 deny ip any any log

! ** serial interface config to apply this access-list**
int Serial0/0
 ip address <x.x.x.x> 255.255.255.252
 ip access-group untrust-in in
end


Granted, you'll probably want other ports open, especially if you're hosting other services (mail, http, ftp, etc...), but hopefully this should get you started.

Does this help?



 
LVL 1

Author Comment

by:ev89pimp
ID: 8106184
So I'll need to put in allowances in the access-list for mail, remote, stuff like that in addition to the NAT translations that I have in place? Sort of like double-security?

Almost there!! :)
 
LVL 7

Expert Comment

by:pedrow
ID: 8106520
nat isn't security :) NAT translations just map public addresses to private ones. If there's an active NAT translation, you just have to connect to that public translation to get to the inside host. The host behind the NAT table might be obscured, but not protected.

You only have to allow for services that are hosted on your internal network that are advertised to the internet at large.

i.e. if you have a mail server on your LAN:
 permit tcp any host <smtp server host ip address> eq 25

or a webserver:

 permit tcp any host <webserver host ip address> eq 80

Make sense?

 
LVL 1

Author Comment

by:ev89pimp
ID: 8108305
So even though you can do a sweep on my public network IP addresses (some of which only have a single port mapped to an internal IP and port), they are still susceptible to hackers?

   I just tried to add in the access-list to get the job done on the in side of the Serial interface, then added a 1 to 1 mapping of my VPN server to a public IP address and my scanner program sees all of the ports that it shouldn't.. here is the access list I used:

access-list 150 permit tcp any any established
access-list 150 permit gre any host <myhost>
access-list 150 permit tcp any host <myhost> eq 1723
......... yada yada
access-list 150 deny ip any any

What am I doing wrong? The only thing I had established was a telnet session to my router.

Is it something stupid?

Thanks in advance!!!

E
 
LVL 7

Expert Comment

by:pedrow
ID: 8108660
So, if your router has a nat translation that's active, translating an outside port/address to an inside port/address, that outside port/address is vulnerable, barring any filtering into your network. Granted, most dynamic translations get originated on some high-order port, so it may be relatively benign, but just the same, dynamic translations work in both directions.

Did you apply the access-list 150 inbound on your outside serial interface?

!
int Serial0/0
 ip access-group 150 in
!

When you tried scanning your public IP range, were you scanning from someplace outside your network?

You wanna post some more of your config? i.e. your nat configuration, full interface configs, etc?


 
LVL 1

Author Comment

by:ev89pimp
ID: 8110749
Here is my running configuration

Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Gateway
!
enable password <password>
!
ip subnet-zero
no ip domain-lookup
!
!
!
!
interface Ethernet0/0
 description connected to EthernetLAN
 ip address 10.0.0.3 255.255.255.0
 ip access-group 111 in
 no ip directed-broadcast
 ip nat inside
!
interface Serial0/0
 no ip address
 ip access-group 150 in
 ip access-group 111 out
 no ip directed-broadcast
 ip nat outside
 encapsulation frame-relay
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 description connected to Internet
 ip address <router IP> 255.255.255.240
 no ip directed-broadcast
 ip nat outside
 frame-relay interface-dlci 989 IETF
!
router rip
 version 2
 passive-interface Serial0/0.1
 network 10.0.0.0
 no auto-summary
!
ip nat pool Gateway-natpool-1 <starting IP> <ending IP of NAT Pool> netmask 255.255.255.0
ip nat inside source list 1 pool Gateway-natpool-1 overload
ip nat inside source static tcp 10.0.0.172 8000 <Public IP1> 8000 extendable
........
ip nat inside source static udp 10.0.0.5 110 <Public IP> 110 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 103 permit ip any any
access-list 110 permit gre any host 10.0.0.9
access-list 110 permit ip any any
access-list 111 permit gre any any
access-list 111 permit ip any any
access-list 150 permit tcp any any established
access-list 150 permit gre any host 10.0.0.9
access-list 150 permit tcp any host 10.0.0.9 eq 1723
..........
access-list 150 permit tcp any host 10.0.0.172 eq 8000
access-list 150 deny   ip any any
snmp-server community public RO
snmp-server location Server Room
banner motd <banner>
!
line con 0
 exec-timeout 0 0
 password <password>
 login
 transport input none
line aux 0
line vty 0 4
 password <password>
 login
!
end


Thanks in advance PEdrow!!

 
LVL 7

Expert Comment

by:pedrow
ID: 8112282
The ACL permits need to be to the public ip addresses not the private ones :)

I don't see the static NAT map for the inside server address 10.0.0.9

it should be something like this:
ip nat inside source static  10.0.0.9 <Public IP2>

Do you have multiple routers at your facility? if not, you can get rid of rip.
!
router(config)# no router rip
!

Remove acl111 inbound on fa0/0 and outbound on int ser0/0. Looks like all its doing is permitting traffic, so why bother.

add 'log' to the end of your access-list 150 thusly:
access-list 150 deny ip any any log

Access-lists already have an implicit deny at the end. The only reason to have it explicitly in the acl is so you can log hits against the packet filter.

Do you use snmp? If so, you should change your community string to something other than 'public' and apply an access-list to the community line. This way only internal hosts can walk your router. Same goes for your vty interfaces...limit locations from where folks can telnet to your router...I'll re-use your existing access-list 1 as an example:

! the '1' indicates access-list 1...i.e. who can read the router
snmp-server community public RO 1

! this will require you be on an internal lan to telnet to your router
line vty 0 4
access-class 1 in
!

Sorry...scope creep. I can't help myself :)
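To make the point about public versus private addresses concrete, here is an added example written for this edit (it is not pedrow's configuration and not Cisco code): a small first-match evaluator for the numbered extended ACL syntax used in the thread. It assumes Cisco's order of operations for traffic entering an `ip nat outside` interface, where the inbound ACL is checked before NAT rewrites the destination, so the packet still carries the public address when the ACL sees it. The address 198.51.100.9 is a constructed stand-in for the static-NAT public address; the port-1723, GRE and `established` lines are the ones from the thread.

```python
"""First-match evaluator for a subset of Cisco numbered extended ACL syntax.

Written for this thread as an illustration, not the poster's router config or
Cisco code. It models one fact about order of operations: on an 'ip nat outside'
interface the inbound ACL is checked before NAT rewrites the destination, so the
packet still carries the public address when the ACL sees it.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample addresses (RFC 5737 documentation range, not the thread's network).
PUBLIC_VPN = "198.51.100.9"   # public address the static NAT maps to the VPN server
PRIVATE_VPN = "10.0.0.9"      # inside address of the VPN server

# ACL as first posted in the thread: the permits name the inside address.
ACL_PRIVATE_DST = f"""
access-list 150 permit tcp any any established
access-list 150 permit gre any host {PRIVATE_VPN}
access-list 150 permit tcp any host {PRIVATE_VPN} eq 1723
access-list 150 deny ip any any log
"""

# Corrected ACL: the permits name the public (pre-translation) address.
ACL_PUBLIC_DST = f"""
access-list 150 permit tcp any any established
access-list 150 permit gre any host {PUBLIC_VPN}
access-list 150 permit tcp any host {PUBLIC_VPN} eq 1723
access-list 150 deny ip any any log
"""


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "gre"
    dst: str                   # destination address as seen on the outside interface
    dport: Optional[int] = None
    ack: bool = False          # TCP ACK/RST set: what the 'established' keyword matches
    src: str = "203.0.113.1"   # constructed outside client address


def _parse_addr(tokens, i):
    """Parse 'any' or 'host X' starting at tokens[i]; return (addr_or_None, next_index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form: {tokens[i]}")


def parse_acl(text):
    """Turn 'access-list N permit|deny <proto> <src> <dst> [eq P] [established] [log]' into rules."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        rule = {"action": t[2], "proto": t[3], "src": src, "dst": dst,
                "dport": None, "established": False, "log": False}
        while i < len(t):
            if t[i] == "eq":
                rule["dport"] = int(t[i + 1])
                i += 2
            elif t[i] in ("established", "log"):
                rule[t[i]] = True
                i += 1
            else:
                i += 1
        rules.append(rule)
    return rules


def evaluate(rules, pkt):
    """Return (action, index_of_matching_rule); the implicit deny is reported as index -1."""
    for idx, r in enumerate(rules):
        if r["proto"] != "ip" and r["proto"] != pkt.proto:
            continue
        if r["src"] is not None and r["src"] != pkt.src:
            continue
        if r["dst"] is not None and r["dst"] != pkt.dst:
            continue
        if r["dport"] is not None and r["dport"] != pkt.dport:
            continue
        if r["established"] and not (pkt.proto == "tcp" and pkt.ack):
            continue
        return r["action"], idx
    return "deny", -1


if __name__ == "__main__":
    gre = Packet("gre", PUBLIC_VPN)
    ctrl = Packet("tcp", PUBLIC_VPN, 1723)
    print("private-address ACL, inbound GRE:", evaluate(parse_acl(ACL_PRIVATE_DST), gre))
    print("public-address ACL,  inbound GRE:", evaluate(parse_acl(ACL_PUBLIC_DST), gre))
    print("public-address ACL,  TCP 1723:   ", evaluate(parse_acl(ACL_PUBLIC_DST), ctrl))
```

With the private-address ACL every inbound GRE packet and every TCP/1723 SYN falls through to the `deny ip any any log` line, which is exactly the "never gets past password verification" symptom. The evaluator also shows why `permit tcp any any established` near the top matters: any TCP segment with ACK set, to any port, matches it before the narrower lines are consulted.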
 
LVL 1

Author Comment

by:ev89pimp
ID: 8119914
Pedrow,
   I made the appropriate changes to my inbound list on the serial interface:

access-list 150 permit tcp any any established
access-list 150 permit tcp any host <public IP> eq 25
access-list 150 permit tcp any host <public IP> eq 110
access-list 150 permit udp any host <public IP> eq 3826
.........
access-list 150 permit tcp any host <public IP4> eq 8000
access-list 150 deny ip any any log

I have made the static translation for my internal VPN server IP to the public IP address.

When I PCAnywhere into another machine off site and do a port scan, the public IP that is mapped to my internal VPN server shows the machine wide open to the outside :(.

Any idea why?

Thanks pedrow!!!!

E
 
LVL 7

Expert Comment

by:pedrow
ID: 8120527
I'm sorry...when I initially told you to apply the access list to ser0/0 I didn't catch that you had a frame relay subif or catch it in your config...the access list needs to be applied to the subinterface, not the main-


interface Serial0/0.1 point-to-point
 description connected to Internet
 ip access-group 150 in

so...:

conf t
!
int ser0/0
 no ip access-group 150 in
!
interface Serial0/0.1 point-to-point
 ip access-group 150 in
end
!

 
LVL 1

Author Comment

by:ev89pimp
ID: 8120785
argghh, I made the changes and I still can see the ports from the outside. I checked the ports by PCAnywhere-ing into an outside PC, then scanned, and just for hahas I did it again, this time leap frogging from another PC, same thing..

What a pain eh?

Thanks!!

E
 
LVL 7

Expert Comment

by:pedrow
ID: 8121455
Can you re-post your current configuration of your serial interfaces, the access-lists and nat config?

mebbe there's a permit in there that we're not seeing :)
 
LVL 1

Author Comment

by:ev89pimp
ID: 8121663
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Gateway
!
enable password <password>
!
ip subnet-zero
no ip domain-lookup
!
!
!
!
interface Ethernet0/0
 description connected to EthernetLAN
 ip address 10.0.0.3 255.255.255.0
 ip access-group 111 in
 no ip directed-broadcast
 ip nat inside
!
interface Serial0/0
 no ip address
 no ip directed-broadcast
 ip nat outside
 encapsulation frame-relay
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 description connected to Internet
 ip address <public address> 255.255.255.240
 ip access-group 150 in
 no ip directed-broadcast
 ip nat outside
 frame-relay interface-dlci 989 IETF
!
ip nat pool Gateway-natpool-1 <public address> <public address> netmask 255.255.255.0
ip nat inside source list 1 pool Gateway-natpool-1 overload
ip nat inside source static tcp 10.0.0.172 8000 <public address> 8000 extendable
ip nat inside source static udp 10.0.0.172 8001 <public address> 8001 extendable
ip nat inside source static tcp 10.0.0.167 5631 <public address> 9755 extendable
.......
ip nat inside source static tcp 10.0.0.5 110 <public address> 110 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 103 permit ip any any
access-list 110 permit gre any host 10.0.0.9
access-list 110 permit ip any any
access-list 111 permit gre any any
access-list 111 permit ip any any
access-list 150 permit tcp any any established
access-list 150 permit tcp any host <public address> eq smtp
access-list 150 permit tcp any host <public address> eq pop3
...........
access-list 150 permit udp any host <public address> eq 8001
access-list 150 permit tcp any host <public address> eq 8000
access-list 150 deny   ip any any log
snmp-server community public RO
snmp-server location Server Room
banner motd <banner>
!
line con 0
 exec-timeout 0 0
 password <password>
 login
 transport input none
line aux 0
line vty 0 4
 password <password>
 login
!
end
 
LVL 7

Expert Comment

by:pedrow
ID: 8122989
hmmm...

where is acl 103 applied? You should also remove access-list 110 and 111 as well. I don't know where 110 is applied and 111 isn't doing anything, since it's permitting everything.

Are you sure there isn't anything like this in the middle of acl 150(the part you snipped out)?

access-list 150 permit ip any ......



 
LVL 1

Author Comment

by:ev89pimp
ID: 8127719
I do have this in my list. Can this be the culprit? I've included the entire configuration at the bottom...

access-list 150 permit gre any host 204.60.148.169

Thanks!!

E

Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname <host>
!
enable password <password>
!
ip subnet-zero
no ip domain-lookup
!
!
!
!
interface Ethernet0/0
 description connected to EthernetLAN
 ip address 10.0.0.3 255.255.255.0
 ip access-group 111 in
 no ip directed-broadcast
 ip nat inside
!
interface Serial0/0
 no ip address
 no ip directed-broadcast
 ip nat outside
 encapsulation frame-relay
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 description connected to Internet
 ip address <hidden> 255.255.255.240
 ip access-group 150 in
 no ip directed-broadcast
 ip nat outside
 frame-relay interface-dlci 989 IETF
!
ip nat pool Gateway-natpool-1 <hidden> 204.60.148.164 netmask 255.255.255.0
ip nat inside source list 1 pool Gateway-natpool-1 overload
ip nat inside source static tcp 10.0.0.172 8000 <hidden> 8000 extendable
ip nat inside source static udp 10.0.0.172 8001 <hidden> 8001 extendable
ip nat inside source static tcp 10.0.0.167 5631 <hidden> 9755 extendable
ip nat inside source static udp 10.0.0.167 5632 <hidden> 8634 extendable
ip nat inside source static tcp 10.0.0.166 5631 <hidden> 8989 extendable
ip nat inside source static udp 10.0.0.166 5632 <hidden> 7218 extendable
ip nat inside source static tcp 10.0.0.6 8100 <hidden> 8100 extendable
ip nat inside source static udp 10.0.0.6 8100 <hidden> 8100 extendable
ip nat inside source static tcp 10.0.0.6 5631 <hidden> 4742 extendable
ip nat inside source static udp 10.0.0.6 5632 <hidden> extendable
ip nat inside source static tcp 10.0.0.5 5631 <hidden> 6825 extendable
ip nat inside source static udp 10.0.0.5 5632 <hidden> 5777 extendable
ip nat inside source static udp 10.0.0.4 5632 <hidden> 4978 extendable
ip nat inside source static tcp 10.0.0.4 5631 <hidden> 2600 extendable
ip nat inside source static tcp 10.0.0.5 25 <hidden> 25 extendable
ip nat inside source static tcp 10.0.0.5 110 <hidden> 110 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 103 permit ip any any
access-list 110 permit gre any host 10.0.0.9
access-list 110 permit ip any any
access-list 111 permit gre any any
access-list 111 permit ip any any
access-list 150 permit tcp any any established
access-list 150 permit tcp any host <hidden> eq smtp
access-list 150 permit tcp any host <hidden> eq pop3
access-list 150 permit udp any host <hidden> eq 3826
access-list 150 permit tcp any host <hidden> eq 4742
access-list 150 permit udp any host <hidden> eq 5777
access-list 150 permit tcp any host <hidden> eq 6825
access-list 150 permit udp any host <hidden> eq 4978
access-list 150 permit tcp any host <hidden> eq 2600
access-list 150 permit tcp any host <hidden> eq 8100
access-list 150 permit udp any host <hidden> eq 8100
access-list 150 permit udp any host <hidden> eq 7218
access-list 150 permit tcp any host <hidden> eq 8989
access-list 150 permit udp any host <hidden> eq 8634
access-list 150 permit tcp any host <hidden> eq 9755
access-list 150 permit gre any host <hidden>
access-list 150 permit tcp any host <hidden> eq 1723
access-list 150 permit udp any host <hidden> eq 8001
access-list 150 permit tcp any host <hidden> eq 8000
access-list 150 deny   ip any any log
snmp-server community public RO
snmp-server location <hidden>
banner motd <hidden>
!
line con 0
 exec-timeout 0 0
 password <hidden>
 login
 transport input none
line aux 0
line vty 0 4
 password <hidden>
 login
!
end
 
LVL 7

Expert Comment

by:pedrow
ID: 8130685
so, when you say 'wide open' you're seeing ports respond other than what you've permitted? (i.e. you're seeing 139 and 445 open on win2k boxes, http on unpermitted servers, etc...)

The gre permit should be fine...You could possibly start restricting some of the 'any' source permits to networks, or even hosts, if you know the origins of them.

You can also see what acl's are getting hit by doing:

router> sh ip access-list 150

it will show the number of hits at the end of each line in the acl in parentheses.

like mine from home kinda looks like this (I use a named access-list instead of a numbered one, but it works the same):

router>sh ip access-list untrust-in
Extended IP access list untrust-in
    permit icmp any any echo-reply (30 matches)
    permit icmp any any time-exceeded (69 matches)
    permit icmp any any port-unreachable (123 matches)
    permit icmp any any net-unreachable
    permit icmp any any host-unreachable (3 matches)
    permit icmp any any administratively-prohibited (102 matches)
    permit icmp any any packet-too-big
    deny icmp any any (43133 matches)
[....]

This way you can see what acl's are getting matched when you scan. The other thing you can also do, is if you think that there is a particular line that you think might be the issue, you can add the 'log' switch to the end of the acl line and that line will log source/source port and dest/dest port. This is also a good way to help try and identify where the problem might be.

You can also try seeing if moving the 'permit tcp any any established' further down on the list changes how many hits the other acl lines log.

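The two diagnostics pedrow describes (the `(N matches)` counters from `show ip access-list` and the per-packet lines that a `log` keyword produces) are easy to post-process when you are trying to work out which line a scan is actually hitting. The following is an added example written for this edit, not from the thread or from Cisco: the `show ip access-list` text and the syslog lines are constructed samples in the shape IOS prints (`%SEC-6-IPACCESSLOGP: list <acl> permitted|denied <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)`), and the addresses 198.51.100.9 and 203.0.113.7 are documentation-range stand-ins.

```python
"""Post-process IOS ACL hit counters and ACL log lines to see what a scan is matching.

Added example for this thread; sample text below is constructed, not captured
from the poster's router. The log-line shape follows IOS's %SEC-6-IPACCESSLOGP.
"""
import re

# Constructed sample in the shape of 'show ip access-list 150'.
SHOW_ACL = """\
Extended IP access list 150
    permit tcp any any established (812 matches)
    permit tcp any host 198.51.100.9 eq 1723 (4 matches)
    permit gre any host 198.51.100.9 (2 matches)
    permit ip any host 198.51.100.9 (331 matches)
    deny ip any any log (57 matches)
"""

# Constructed sample syslog lines produced by ACL entries carrying 'log'.
ACL_LOG = """\
%SEC-6-IPACCESSLOGP: list 150 denied tcp 203.0.113.7(40211) -> 198.51.100.9(445), 1 packet
%SEC-6-IPACCESSLOGP: list 150 denied tcp 203.0.113.7(40212) -> 198.51.100.9(139), 1 packet
%SEC-6-IPACCESSLOGP: list 150 denied udp 203.0.113.7(40213) -> 198.51.100.9(161), 3 packets
%SEC-6-IPACCESSLOGP: list 150 permitted tcp 203.0.113.7(40214) -> 198.51.100.9(1723), 1 packet
"""

# Entry line: leading whitespace, permit|deny ..., optional "(N matches)" suffix.
_MATCH_RE = re.compile(r"^\s*(?P<entry>(?:permit|deny)\s.+?)(?:\s\((?P<n>\d+) matches\))?\s*$")
_LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<verdict>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<n>\d+) packets?"
)


def parse_show_acl(text):
    """Return [(entry_text, match_count)] in ACL order; entries without a counter count as 0."""
    entries = []
    for line in text.splitlines():
        m = _MATCH_RE.match(line)
        if m and line.startswith(" "):          # skip the 'Extended IP access list' header
            entries.append((m.group("entry"), int(m.group("n") or 0)))
    return entries


def broad_permits(entries):
    """Permit entries of the form 'permit ip any ...' that have actually matched traffic.

    A line like that hidden mid-list is what pedrow suspects: it forwards every
    protocol and port to the host, so the scan sees the machine 'wide open'.
    """
    return [e for e, n in entries if e.startswith("permit ip any") and n > 0]


def parse_acl_log(text):
    """Parse %SEC-6-IPACCESSLOGP lines into dicts with integer ports and packet counts."""
    records = []
    for line in text.splitlines():
        m = _LOG_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("sport", "dport", "n"):
            d[key] = int(d[key])
        records.append(d)
    return records


def denied_ports_by_source(records):
    """Distinct destination ports each source was denied on: many ports from one source is a sweep."""
    ports = {}
    for r in records:
        if r["verdict"] == "denied":
            ports.setdefault(r["src"], set()).add(r["dport"])
    return {src: sorted(p) for src, p in ports.items()}


if __name__ == "__main__":
    entries = parse_show_acl(SHOW_ACL)
    for entry, n in entries:
        print(f"{n:>6}  {entry}")
    print("broad permits with hits:", broad_permits(entries))
    print("denied ports by source: ", denied_ports_by_source(parse_acl_log(ACL_LOG)))
```

Run against real output, the `broad_permits` list is the quickest answer to "is there a `permit ip any ...` in the part I snipped", and the per-source port list from the deny log tells you whether the hits are your own scan or someone else's.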
 
LVL 1

Author Comment

by:ev89pimp
ID: 8136600
It's weird, when I initiate the command:

Gateway#sh access-lists

I get the following:

Standard IP access list 1
    permit 10.0.0.0, wildcard bits 0.0.0.255
Extended IP access list 103
    permit ip any any
Extended IP access list 110
    permit gre any host 10.0.0.9
    permit ip any any (1557065 matches)
Gateway#

Notice that list 150 is not showing up? Why?

Thanks!

E
 
LVL 7

Expert Comment

by:pedrow
ID: 8138065
possibly a bug. What version of IOS 12.0 are you using?

do a sh ver :)

also, remove acl 110 because it isn't doing anything.

so, what happens if you say specifically

sh ip access-list 150
?
 
LVL 1

Author Comment

by:ev89pimp
ID: 8138716
Here is my version output:
--------------------------------------
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-D-M), Version 12.0(2a)T1,  RELEASE SOFTWARE (fc1)

Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Wed 06-Jan-99 05:56 by dschwart
Image text-base: 0x80008088, data-base: 0x807516FC

ROM: System Bootstrap, Version 11.3(2)XA3, PLATFORM SPECIFIC RELEASE SOFTWARE (fc1)
--------------------------------------

If I do the sh command for ip access-list 150, I get nothing. Just the prompt comes back...

--------------------------------------
Gateway>sh ip access-list 150

Gateway>
--------------------------------------

E
 
LVL 7

Expert Comment

by:pedrow
ID: 8141419
well, that's a rather old version of code and T train is generally the buggiest of the trains. I didn't see anything with the Cisco bug tool that was an exact match on this, but there were quite a number of access-list related ones as well as NAT bugs.

It doesn't make sense that you can't show access-list 150 if it's applied to the frame-relay subif.

If you don't have a service contract or access to download/upgrade your code, you might wanna investigate if that's something you can swing. If not, you might wanna try the Microsoft solution to misbehaving operating systems and reload it and see if that clears up the problem.

0
 
LVL 3

Accepted Solution

by:
RouterDude earned 1000 total points
ID: 8198862
Try this instead:

ip nat inside source static (inside address) (outside address)

access-list 102 permit 47 any host (PPTP server address)
access-list 102 permit tcp any host (PPTP server address) eq 1723
access-list 102 deny ip any host (PPTP server address)
access-list 102 permit ip any any

Apply this to the outside nat interface

Cisco GRE and PPTP protocol 47 are not the same in older versions of IOS and that may be what's failing.

Remember you cannot port the address it must be fully mapped 1:1 for the protocol 47 to pass through.
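Both pedrow's first comment (GRE carries no port, so PAT has nothing to translate on) and the accepted answer's closing line (the address must be mapped 1:1 for protocol 47 to pass) come down to how a NAT table is keyed. The following toy table is an added example written for this edit, not Cisco's NAT implementation: it models the two forms of static map used in the thread, `ip nat inside source static tcp|udp <in> <port> <pub> <port>` (keyed on protocol and port) and `ip nat inside source static <in> <pub>` (keyed on the address alone), and shows which one an inbound GRE packet can match. 198.51.100.9 is a constructed public address; 10.0.0.9 is the inside VPN server address from the thread.

```python
"""Toy NAT translation table: why the inbound PPTP data channel (GRE, IP protocol 47)
needs a whole-address 1:1 static map rather than a per-port map.

Added for this thread as an illustration; not Cisco's NAT implementation. The two
map kinds modelled are the thread's own: 'ip nat inside source static tcp|udp ...'
(per-port) and 'ip nat inside source static <inside> <public>' (1:1). The public
address is constructed from the RFC 5737 documentation range.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

TCP, UDP, GRE = 6, 17, 47    # IP protocol numbers

PUBLIC_VPN = "198.51.100.9"  # constructed public address
INSIDE_VPN = "10.0.0.9"      # inside VPN server (the private address used in the thread)


@dataclass(frozen=True)
class Inbound:
    """A packet arriving on the outside interface, addressed to a public IP."""
    proto: int
    dst: str
    dport: Optional[int]     # None for GRE: the header has no port field at all


class NatTable:
    def __init__(self):
        self.port_maps = {}   # (proto, public_ip, public_port) -> (inside_ip, inside_port)
        self.one_to_one = {}  # public_ip -> inside_ip

    def static_port(self, proto, inside_ip, inside_port, public_ip, public_port):
        """Per-port static map; only meaningful for protocols that carry a port."""
        if proto not in (TCP, UDP):
            raise ValueError("per-port static maps need a port: TCP or UDP only")
        self.port_maps[(proto, public_ip, public_port)] = (inside_ip, inside_port)

    def static_one_to_one(self, inside_ip, public_ip):
        """Whole-address static map: every protocol sent to public_ip reaches inside_ip."""
        self.one_to_one[public_ip] = inside_ip

    def translate_inbound(self, pkt: Inbound) -> Optional[Tuple[str, Optional[int]]]:
        """Return the inside (ip, port) the packet is forwarded to, or None if untranslatable."""
        if pkt.dport is not None:
            hit = self.port_maps.get((pkt.proto, pkt.dst, pkt.dport))
            if hit is not None:
                return hit
        inside = self.one_to_one.get(pkt.dst)
        if inside is not None:
            return (inside, pkt.dport)
        return None           # no entry: the packet has nowhere to go inside


def pptp_with_port_map():
    """Only TCP/1723 is mapped: the control channel translates, the GRE data channel does not."""
    t = NatTable()
    t.static_port(TCP, INSIDE_VPN, 1723, PUBLIC_VPN, 1723)
    ctrl = t.translate_inbound(Inbound(TCP, PUBLIC_VPN, 1723))
    data = t.translate_inbound(Inbound(GRE, PUBLIC_VPN, None))
    return ctrl, data


def pptp_with_one_to_one():
    """Whole-address map: both the control channel and GRE reach the inside server."""
    t = NatTable()
    t.static_one_to_one(INSIDE_VPN, PUBLIC_VPN)
    ctrl = t.translate_inbound(Inbound(TCP, PUBLIC_VPN, 1723))
    data = t.translate_inbound(Inbound(GRE, PUBLIC_VPN, None))
    return ctrl, data


def one_to_one_forwards_everything():
    """The same 1:1 map also forwards ports nobody asked for; the ACL, not NAT, has to stop them."""
    t = NatTable()
    t.static_one_to_one(INSIDE_VPN, PUBLIC_VPN)
    return t.translate_inbound(Inbound(TCP, PUBLIC_VPN, 445))


if __name__ == "__main__":
    print("port map    :", pptp_with_port_map())
    print("1:1 map     :", pptp_with_one_to_one())
    print("1:1, tcp/445:", one_to_one_forwards_everything())
```

The first scenario is the original poster's starting point: the TCP/1723 handshake reaches the server (which is why NETSTAT showed the connection) but the GRE tunnel that carries the PPP session has no entry and is dropped. The third scenario is pedrow's "NAT isn't security" point in one call: once the address is mapped 1:1, the inbound ACL on the outside subinterface is the only thing standing between the Internet and the server's other ports.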
 
LVL 79

Expert Comment

by:lrmoore
ID: 8637191
ev89pimp,
No comment has been added lately (71 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: Award points to pedrow

Please leave any comments here within 7 days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Thanks,

lrmoore
EE Cleanup Volunteer
---------------------
If you feel that your question was not properly addressed, or that none of the comments received were appropriate answers, please post a request in Community support (with a link to this page) to refund your points. http://www.experts-exchange.com/Community_Support/