MS Exchange over a Cisco router to router VPN connection

homeofmike
I have the following:

client pc -> RemoteOfficeRouter -> (vpn connection) -> MainSiteRouter -> exchange server

The PCs at the remote offices were configured to connect to Exchange via the valid external address of the Exchange server. This access quit working, for three of five sites, when the respective service providers started blocking port 135.

I have modified the configuration of the client PC to connect via the internal private address of the Exchange server (over the VPN tunnel). Ethertraces show the following:
- client PC sends from port (random, 1526 in this case) -> port (135) on the server
- server responds from port (135) to the client port (1526)
- client PC never sees the server response.

All other types of traffic, terminal connections to mainframe, etcetera, work correctly.  I am thinking some sort of routing or acl problem, and I sure could use some help!  Router configurations below (some items deleted for security reasons):

MainOfficeRouter config ---------------------------------------------------
version 12.2
no parser cache
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service udp-small-servers
service tcp-small-servers
hostname xxx
boot system flash
logging queue-limit 100
logging buffered 4096 debugging
logging console emergencies
ip subnet-zero
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 hash md5
 authentication pre-share
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 lifetime 600
crypto isakmp key xxx
!
crypto isakmp client configuration group groupname
 key  xxx
 pool groupname
!
crypto isakmp client configuration group groupname1
 key xxx
 pool ippool01
 acl 131
!
!
crypto ipsec transform-set P2High01 esp-3des esp-md5-hmac
crypto ipsec transform-set P2High02 esp-3des esp-sha-hmac
crypto ipsec transform-set P2Basic01 esp-des esp-md5-hmac
!
crypto map RmtOffice01 13 ipsec-isakmp
 description GW-GW to remote site
 set peer (validipaddress)
 set transform-set P2High02 P2High01
 match address 114
interface Ethernet0
 ip address (valid) 255.255.255.0
 ip nat outside
 half-duplex
 crypto map RmtOffice01
!
interface FastEthernet0
 ip address 10.x.x.x 255.255.255.0
 ip nat inside
 no ip mroute-cache
 speed auto
 half-duplex
ip nat translation tcp-timeout 1440
ip nat translation finrst-timeout 240
ip nat translation syn-timeout 240
ip nat translation dns-timeout 120
ip nat translation port-timeout udp 53 120
ip nat pool pub-01 x.x.x.x x.x.x.x netmask 255.255.255.0
ip nat inside source route-map to_internet pool pub-01 overload
ip nat inside source static tcp 10.x.x.x x.x.x.x portnum extendable
ip classless
ip route 0.0.0.0 0.0.0.0 externalip permanent
access-list 1 permit 12.222.19.135
access-list 4 permit 10.x.x.x (of remote site) 0.0.0.255
access-list 100 permit ip 10.x.x.x (central site) 0.0.0.255 any
access-list 100 permit ip 10.16.18.0 (remote site ... duplicate) 0.0.0.255 any
access-list 114 remark remoteoffice GW-GW access list
access-list 114 permit ip 10.x.x.x (central) 0.0.0.255 10.x.x.64 0.0.0.31
!
route-map to_internet permit 10
 match ip address 100
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 30 0
line vty 5 15
!

RemoteOfficeRouter config ---------------------------------------------------
version 12.2
no parser cache
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxx
!
memory-size iomem 20
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 5
 hash md5
 authentication pre-share
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 lifetime 600
!
crypto isakmp policy 11
 encr 3des
 authentication pre-share
crypto isakmp key xxx address (centralofficevalidip)
!
crypto ipsec transform-set p2high01 esp-3des esp-md5-hmac
crypto ipsec transform-set p2high02 esp-3des esp-md5-hmac
crypto ipsec transform-set p2basic01 esp-des esp-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map MainOffice01 11 ipsec-isakmp
 description GW-GW to CentralOffice
 set peer (CentralOfficeValidIP)
 set transform-set p2high02 p2high01
 match address 111
!
interface Ethernet0
 description DSL connection
 ip address x.x.x.x 255.255.255.248
 ip nat outside
 half-duplex
 crypto map MainOffice01
!
interface FastEthernet0
 description Connection to Local LAN
 ip address 10.x.x.65 255.255.255.224
 ip helper-address 10.x.x.x
 ip nat inside
 speed auto
!
ip nat translation tcp-timeout 1440
ip nat translation finrst-timeout 240
ip nat translation syn-timeout 240
ip nat translation dns-timeout 120
ip nat translation port-timeout udp 53 120
ip nat inside source list 199 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x permanent
ip pim bidir-enable
!
access-list 99 permit 10.x.x.x(CentralSite) 0.0.0.255
access-list 111 remark MainOffice GW-GW access list
access-list 111 permit ip 10.x.x.64 0.0.0.31 10.x.x.x(central) 0.0.0.255
access-list 111 remark MainOffice GW-GW access list
access-list 112 permit ip 10.x.x.64 0.0.0.31 192.168.97.0 0.0.0.255
access-list 113 permit ip 10.x.x.64 0.0.0.31 any
access-list 198 permit ip 10.x.x.0 0.0.0.255 any
access-list 198 permit ip host 10.(internal IP of mail server) any
!
line con 0
line aux 0
line vty 0 4
line vty 5 15
!
end

Commented:
Unless I'm missing something, none of your access lists are assigned to any of the interfaces.

Commented:
What IP address does the server think the client is?  It's replying to the right port, maybe not the right address?  Is the server sending back the traffic over the Internet, and not to the VPN tunnel?

inet²
Sr. Systems Engineer
Top Expert 2008
Commented:
Since you're using all private addressing inside, there is no security issue with using the real addresses:
Knowing the "real" addresses will help troubleshoot acl/mask issues
>interface FastEthernet0
>ip address 10.x.x.x 255.255.255.0

>set transform-set p2high02 p2high01
typically, we only use one transform-set per policy

Remote office:
>interface FastEthernet0
>ip helper-address 10.x.x.x
Are you trying to use a DHCP server at the central site, through the VPN tunnel? Is that working?

>ip nat inside source list 199 interface Ethernet0 overload
But, you do not have any ACL 199 defined...??
We also usually use a route-map with the nat so that traffic between offices is not natted, as in the following example:

Where you have:
>ip nat inside source list 199 interface Ethernet0 overload

consider:
ip nat inside source route-map nonat interface Ethernet0 overload
!
access-list 199 deny ip 10.1.2.0 0.0.0.255 10.1.4.0 0.0.0.255 <- local lan to remote lan/mask
access-list 199 permit ip 10.1.2.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 199
!

Reference:
http://www.cisco.com/warp/public/707/overload_private.shtml
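To make the ordering problem in lrmoore's answer concrete, here is an added Python model (not code from the thread or from Cisco) of what an IOS router does to an inside-to-outside packet: the NAT access list is consulted first, and only the (possibly translated) packet is then classified by the crypto map ACL. The subnets 10.1.2.0/24 (local LAN) and 10.1.4.0/24 (remote LAN) are taken from lrmoore's example; the outside address 203.0.113.2 and the "permit any" NAT list modelled on ACL 198 are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    """One access-list entry: 'permit'/'deny', source net, destination net or 'any'."""
    action: str
    src: str
    dst: str


def _match(net: str, addr: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def acl_lookup(acl, src: str, dst: str) -> str:
    """First-match semantics with the implicit deny at the end, as on IOS."""
    for ace in acl:
        if _match(ace.src, src) and _match(ace.dst, dst):
            return ace.action
    return "deny"


def forward(pkt, nat_acl, crypto_acl, outside_ip):
    """Return (source address as it leaves Ethernet0, was it encrypted?).

    Inside-to-outside order on IOS: NAT runs before the crypto map classifies
    the packet. If the NAT list permits the flow, the source becomes the
    outside address and can no longer match the crypto ACL, so the packet
    follows the default route in the clear instead of entering the tunnel.
    """
    src, dst = pkt
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = outside_ip  # PAT to the Ethernet0 address (overload)
    return src, acl_lookup(crypto_acl, src, dst) == "permit"


# Constructed sample policy mirroring the thread's remote office.
CRYPTO_111 = [Ace("permit", "10.1.2.0/24", "10.1.4.0/24")]
NAT_BROKEN = [Ace("permit", "10.1.2.0/24", "any")]            # ACL 198 style
NAT_NONAT = [Ace("deny", "10.1.2.0/24", "10.1.4.0/24"),       # lrmoore's fix
             Ace("permit", "10.1.2.0/24", "any")]
CLIENT_TO_EXCHANGE = ("10.1.2.10", "10.1.4.5")

if __name__ == "__main__":
    for name, acl in (("broken", NAT_BROKEN), ("nonat", NAT_NONAT)):
        print(name, forward(CLIENT_TO_EXCHANGE, acl, CRYPTO_111, "203.0.113.2"))
```

The same check applies to the main office, whose route-map `to_internet` matches ACL 100 with no deny for the remote LAN, so the Exchange server's replies would be translated the same way.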

Author
Commented:
Thanks to lrmoore for pointing me in the right direction!

The solution was NAT statements that were sending the packet out to the internet instead of through the VPN tunnel.

Les Moore
Sr. Systems Engineer
Top Expert 2008

Commented:
Glad to help!
