homeofmike
asked on
MS Exchange over a Cisco router to router VPN connection
I have the following:
client pc -> RemoteOfficeRouter -> (vpn connection) -> MainSiteRouter -> exchange server
The PCs at the remote offices were configured to connect to Exchange via the valid external address for the Exchange server. This access quit working, for three of five sites, when the respective service providers started blocking port 135.
I have modified the configuration of the client PC to connect via the internal private address of the Exchange server (over the VPN tunnel). Ethertraces show the following:
client pc sends from port (random, 1526 in this case) -> port (135) on the server
server responds from port (135) to the client port (1526)
client pc never sees the server response.
All other types of traffic, terminal connections to the mainframe, etcetera, work correctly. I am thinking it is some sort of routing or ACL problem, and I sure could use some help! Router configurations are below (some items deleted for security reasons):
MainOfficeRouter config --------------------------
version 12.2
no parser cache
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service udp-small-servers
service tcp-small-servers
hostname xxx
boot system flash
logging queue-limit 100
logging buffered 4096 debugging
logging console emergencies
ip subnet-zero
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 5
hash md5
authentication pre-share
!
crypto isakmp policy 10
encr 3des
authentication pre-share
lifetime 600
crypto isakmp key xxx
!
crypto isakmp client configuration group groupname
key xxx
pool groupname
!
crypto isakmp client configuration group groupname1
key xxx
pool ippool01
acl 131
!
!
crypto ipsec transform-set P2High01 esp-3des esp-md5-hmac
crypto ipsec transform-set P2High02 esp-3des esp-sha-hmac
crypto ipsec transform-set P2Basic01 esp-des esp-md5-hmac
!
crypto map RmtOffice01 13 ipsec-isakmp
description GW-GW to remote site
set peer (validipaddress)
set transform-set P2High02 P2High01
match address 114
interface Ethernet0
ip address (valid) 255.255.255.0
ip nat outside
half-duplex
crypto map RmtOffice01
!
interface FastEthernet0
ip address 10.x.x.x 255.255.255.0
ip nat inside
no ip mroute-cache
speed auto
half-duplex
ip nat translation tcp-timeout 1440
ip nat translation finrst-timeout 240
ip nat translation syn-timeout 240
ip nat translation dns-timeout 120
ip nat translation port-timeout udp 53 120
ip nat pool pub-01 x.x.x.x x.x.x.x netmask 255.255.255.0
ip nat inside source route-map to_internet pool pub-01 overload
ip nat inside source static tcp 10.x.x.x x.x.x.x portnum extendable
ip classless
ip route 0.0.0.0 0.0.0.0 externalip permanent
access-list 1 permit 12.222.19.135
access-list 4 permit 10.x.x.x (of remote site) 0.0.0.255
access-list 100 permit ip 10.x.x.x (central site) 0.0.0.255 any
access-list 100 permit ip 10.16.18.0 (remote site ... duplicate) 0.0.0.255 any
access-list 114 remark remoteoffice GW-GW access list
access-list 114 permit ip 10.x.x.x (central) 0.0.0.255 10.x.x.64 0.0.0.31
!
route-map to_internet permit 10
match ip address 100
!
line con 0
line aux 0
line vty 0 4
exec-timeout 30 0
line vty 5 15
!
RemoteOfficeRouter config --------------------------
version 12.2
no parser cache
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxx
!
memory-size iomem 20
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 5
hash md5
authentication pre-share
!
crypto isakmp policy 10
encr 3des
authentication pre-share
lifetime 600
!
crypto isakmp policy 11
encr 3des
authentication pre-share
crypto isakmp key xxx address (centralofficevalidip)
!
crypto ipsec transform-set p2high01 esp-3des esp-md5-hmac
crypto ipsec transform-set p2high02 esp-3des esp-md5-hmac
crypto ipsec transform-set p2basic01 esp-des esp-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map MainOffice01 11 ipsec-isakmp
description GW-GW to CentralOffice
set peer (CentralOfficeValidIP)
set transform-set p2high02 p2high01
match address 111
!
interface Ethernet0
description DSL connection
ip address x.x.x.x 255.255.255.248
ip nat outside
half-duplex
crypto map MainOffice01
!
interface FastEthernet0
description Connection to Local LAN
ip address 10.x.x.65 255.255.255.224
ip helper-address 10.x.x.x
ip nat inside
speed auto
!
ip nat translation tcp-timeout 1440
ip nat translation finrst-timeout 240
ip nat translation syn-timeout 240
ip nat translation dns-timeout 120
ip nat translation port-timeout udp 53 120
ip nat inside source list 199 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x permanent
ip pim bidir-enable
!
access-list 99 permit 10.x.x.x(CentralSite) 0.0.0.255
access-list 111 remark MainOffice GW-GW access list
access-list 111 permit ip 10.x.x.64 0.0.0.31 10.x.x.x(central) 0.0.0.255
access-list 111 remark MainOffice GW-GW access list
access-list 112 permit ip 10.x.x.64 0.0.0.31 192.168.97.0 0.0.0.255
access-list 113 permit ip 10.x.x.64 0.0.0.31 any
access-list 198 permit ip 10.x.x.0 0.0.0.255 any
access-list 198 permit ip host 10.(internal IP of mail server) any
!
line con 0
line aux 0
line vty 0 4
line vty 5 15
!
end
Unless I'm missing something, none of your access lists are assigned to any of the interfaces.
What IP address does the server think the client is? It's replying to the right port, maybe not the right address? Is the server sending back the traffic over the Internet, and not to the VPN tunnel?
inet²
ASKER
Thanks to lrmoore for pointing me in the right direction!
The solution was NAT statements that were sending the packet out to the internet instead of through the vpn tunnel.
Glad to help!
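A small model of the IOS behaviour behind the asker's fix, added here as an illustration and not code from the thread or from Cisco: on inside-to-outside traffic the router applies NAT before it evaluates the crypto map, so a reply that the NAT ACL (access-list 100 above, via route-map to_internet) translates no longer carries a source that matches the crypto ACL (114) and is routed to the internet instead of the tunnel. A deny entry for tunnel-bound traffic ahead of the catch-all permit keeps the reply untranslated so the crypto map picks it up. All addresses are constructed placeholders for the 10.x.x.x values in the posted configs.

```python
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Network


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action, source network, destination network."""
    action: str           # "permit" or "deny"
    src: IPv4
    dst: IPv4


def acl_permits(acl, src, dst):
    """IOS ACL semantics: first matching entry wins, implicit deny at the end."""
    for ace in acl:
        if src in ace.src and dst in ace.dst:
            return ace.action == "permit"
    return False


# Constructed placeholder networks standing in for the 10.x.x.x values in the thread.
CENTRAL = IPv4("10.1.1.0/24")      # MainOffice LAN (source in ACL 100 and ACL 114)
REMOTE = IPv4("10.2.2.64/27")      # RemoteOffice LAN (destination in ACL 114)
ANY = IPv4("0.0.0.0/0")
NAT_POOL_IP = ipaddress.IPv4Address("203.0.113.10")   # constructed "pub-01" address

# access-list 114 as posted: only central -> remote is tunnel (interesting) traffic.
CRYPTO_ACL_114 = [Ace("permit", CENTRAL, REMOTE)]
# access-list 100 as posted: everything from central is NATed, tunnel traffic included.
NAT_ACL_100_AS_POSTED = [Ace("permit", CENTRAL, ANY)]
# Corrected: exempt tunnel-bound traffic from NAT before the catch-all permit.
NAT_ACL_100_FIXED = [Ace("deny", CENTRAL, REMOTE), Ace("permit", CENTRAL, ANY)]


def forward_from_inside(nat_acl, crypto_acl, src_ip, dst_ip):
    """Model the IOS inside-to-outside order of operations: NAT runs before the
    crypto map, so the crypto ACL sees the translated source.
    Returns (path, source address as it leaves the outside interface)."""
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    if acl_permits(nat_acl, src, dst):
        src = NAT_POOL_IP                 # overload translation to the public pool
    if acl_permits(crypto_acl, src, dst):
        return "tunnel", str(src)
    return "internet", str(src)


if __name__ == "__main__":
    server, client = "10.1.1.25", "10.2.2.70"   # constructed: Exchange reply to a client
    print(forward_from_inside(NAT_ACL_100_AS_POSTED, CRYPTO_ACL_114, server, client))
    print(forward_from_inside(NAT_ACL_100_FIXED, CRYPTO_ACL_114, server, client))
```

With the ACL as posted the server's reply leaves with the pool address and never matches ACL 114, which is exactly the "client never sees the server response" symptom; with the deny entry first it is tunnelled unchanged.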