Solved

Cisco and MS VPN

Posted on 2004-04-26
Last Modified: 2013-11-29
We cannot connect through our router to a MS VPN.
We have a Cisco 3620 and here is the ACL. What is missing?

access-list 110 remark .
access-list 110 remark ...
access-list 110 remark This effectively allows only hosts on our
access-list 110 remark subnet 66.194.227.0/24 (class C) to get out of the router
access-list 110 remark .....
access-list 110 permit ip  66.194.227.0 0.0.0.255 any
access-list 110 deny   ip any any
!
!
!
access-list 120 remark .
access-list 120 remark ...
access-list 120 remark The three rules below will effectively block all
access-list 120 remark incoming rfc1918 (Private Internet Addresses).
access-list 120 remark Unless this router is used on a network which is
access-list 120 remark using RFC1918 addresses these IP blocks
access-list 120 remark should be denied from entering or leaving any interface.
access-list 120 remark ....
access-list 120 deny ip  10.0.0.0    0.255.255.255      any log
access-list 120 deny ip  192.168.0.0 0.0.255.255        any log
access-list 120 deny ip  172.16.0.0  0.15.255.255       any log
access-list 120 remark ......
access-list 120 remark .......
access-list 120 remark Deny packets with local host, broadcast and multicast addresses
access-list 120 remark ........
access-list 120 deny ip  127.0.0.0   0.255.255.255  any log
access-list 120 deny ip  255.0.0.0   0.255.255.255  any log
access-list 120 deny ip  224.0.0.0   7.255.255.255  any log
access-list 120 remark .........
access-list 120 remark ..........
access-list 120 remark Deny packets without an IP address
access-list 120 deny    ip host 0.0.0.0 any log
!
!
access-list 120 remark 1.
access-list 120 remark  Access to commonly available resources
access-list 120 remark        domain (DNS) (UDP - Lookup, TCP - Zone Transfer)
access-list 120 remark        EMail - Smtp and Pop3
access-list 120 remark        FTP
access-list 120 remark        WWW
access-list 120 remark        SSL (443)
access-list 120 remark 1..
access-list 120 permit tcp any host 66.194.227.1  eq 22                 ! Secure Connection
access-list 120 permit udp any host 66.194.227.10 eq domain             ! Cygnus - DNS lookup
access-list 120 permit tcp any host 66.194.227.10 eq domain             ! Cygnus - DNS zone transfer
access-list 120 permit tcp any host 66.194.227.4  eq smtp               ! Titan Exchange Server - Smtp
access-list 120 permit tcp any host 66.194.227.4  eq pop3               ! Titan Exchange Server - POP3
access-list 120 permit tcp any host 66.194.227.4  eq www                ! Titan Exchange Server - Web Mail
access-list 120 permit tcp any host 66.194.227.6  eq www                ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.6  eq 443                ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.7  eq www                ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.7  eq 443                ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.8  eq www                ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.8  eq 443                ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.6  range ftp-data ftp    ! Cassiopeia
access-list 120 remark 1...
!
!
!
access-list 120 remark 2.
access-list 120 remark Allow ICMP replies
access-list 120 remark 2..
access-list 120 permit icmp any any echo-reply
access-list 120 remark 2...
!
!
!
access-list 120 remark 3.
access-list 120 remark  Identitech VPN Access
access-list 120 remark . pptp = 1723 (UDP & TCP)
access-list 120 remark 3..
access-list 120 permit tcp  any host 66.194.227.12 eq 1723                ! Tss-Max VPN
access-list 120 permit udp  any host 66.194.227.12 eq 1723                ! Tss-Max VPN
access-list 120 permit gre  any host 66.194.227.12                        ! Tss-Max Cisco VPN Protocol
!
! Stuff I am trying to get VPN to work
!  l2F = 1701  (UDP & TCP for outgoing connections)
!
access-list 120 permit udp  any any eq 1701             ! Allow users to connect to VPN
access-list 120 permit udp  any any eq 500              ! Allow users to connect to VPN
access-list 120 permit esp  any any                     ! Allow users to connect to VPN
access-list 120 permit ahp  any any                     ! Allow users to connect to VPN
access-list 120 remark 3...
!
!
!
!
!
access-list 120 remark 4.
access-list 120 remark  Remote Connection Programs
access-list 120 remark    Terminal Service - 3389
access-list 120 remark 4..
access-list 120 permit tcp any host 66.194.227.61  eq 3389              ! Glenn's Machine
access-list 120 permit tcp any host 66.194.227.138 eq 3389              ! Pegasus (Mindmill & Praveen SourceSafe)
access-list 120 remark 4...
!
!
!
access-list 120 remark 5.
access-list 120 remark  Completely Open Machines
access-list 120 remark      ...Very Risky...
access-list 120 remark 5..
access-list 120 permit ip any host 66.194.227.235                       ! Milna's Machine
access-list 120 remark 5...
!
!
!
access-list 120 remark 6.
access-list 120 remark     deny all the rest
access-list 120 remark 6..
access-list 120 deny ip any any
!
!
Question by:hglenni

Expert Comment

by:lrmoore
ID: 10923460
Can I assume that this is your local LAN and that acl 110 is applied to the LAN interface "in"?
>access-list 110 permit ip  66.194.227.0 0.0.0.255 any

These access-list entries are all you should need for the MS VPN to work (tcp 1723 and GRE):
>access-list 120 permit tcp  any host 66.194.227.12 eq 1723      
>access-list 120 permit gre  any host 66.194.227.12                      

I don't see anything for "established" connections. This should be at the very top of the acl 120:
access-list 120 permit tcp any 66.194.227.0 0.0.0.255 established

You might try adding "log" to the final deny any any to help troubleshoot:
i.e. access-list 120 deny ip any any log

Use the output of "show ip access-list 120" to see/monitor hits to each line and make sure your TCP 1720 and GRE lines are getting hits. If not, check the default gateway setting for the MS VPN server itself.



Author Comment

by:hglenni
ID: 10923613
Thank you for your comment
I am going out from my network, and VPN to someone else.
In to mine works.

Thanks

Glenn

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 10923789
>I am going out from my network, and VPN to someone else.
Then you need to permit the GRE back in along with TCP 1723 from their IP to your internal IP.

Author Comment

by:hglenni
ID: 10923811
Could you give me an example, like this?
Or is there a way to permit it elsewhere?
access-list 120 permit gre  any any

Expert Comment

by:lrmoore
ID: 10923931
Yes, but you can lock it down a little using the inside LAN {source} {destination}
access-list 120 permit gre 66.194.227.0 0.0.0.255 any
access-list 120 permit tcp 66.194.227.0 0.0.0.255 any eq 1723

Good luck!


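The accepted answer's point, shown as an added example that is not from the thread: a small first-match evaluator for Cisco wildcard-mask ACL entries, run over the PPTP-relevant lines of the posted ACL 120, demonstrates that the return traffic of an outbound PPTP session (TCP from the remote server's port 1723, and GRE) is caught by the final deny, and passes once an "established" entry and a GRE entry toward the inside subnet are added. It assumes ACL 120 is applied inbound on the outside interface; the remote server address 203.0.113.5, the inside client .50 and the ephemeral port are constructed.

```python
import ipaddress

# Added example, not part of the thread. Assumes ACL 120 is applied inbound
# on the outside interface, so return traffic of an OUTBOUND PPTP session
# must pass it. Wildcard masks are Cisco style: 0 bit = must match, 1 = any.
LAN = "66.194.227.0 0.0.0.255"   # the inside subnet from the question


def wildcard_match(addr, spec):
    """spec is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (address + wildcard)."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        base, wild = int(ipaddress.IPv4Address(parts[1])), 0
    else:
        base, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    return (int(ipaddress.IPv4Address(addr)) & ~wild) == (base & ~wild)


def evaluate(acl, pkt):
    """First matching entry wins; IOS appends an implicit 'deny ip any any'."""
    for action, proto, src, dst, opts in acl:
        if proto not in ("ip", pkt["proto"]):
            continue
        if not (wildcard_match(pkt["src"], src) and wildcard_match(pkt["dst"], dst)):
            continue
        if "dport" in opts and opts["dport"] != pkt.get("dport"):
            continue
        if opts.get("established") and not pkt.get("ack"):
            continue  # 'established' matches only segments with ACK/RST set
        return action
    return "deny"


# The PPTP-relevant entries of the posted ACL 120, in their original order.
POSTED = [
    ("deny", "ip", "10.0.0.0 0.255.255.255", "any", {}),
    ("permit", "tcp", "any", "host 66.194.227.12", {"dport": 1723}),
    ("permit", "gre", "any", "host 66.194.227.12", {}),
    ("deny", "ip", "any", "any", {}),
]
# lrmoore's 'established' line, plus GRE permitted back in to the inside subnet.
FIXED = [("permit", "tcp", "any", LAN, {"established": True}),
         ("permit", "gre", "any", LAN, {})] + POSTED

# Constructed return packets of a session from inside host .50 to a remote PPTP
# server (203.0.113.5 is a documentation address, not taken from the page).
RETURN_TCP = {"proto": "tcp", "src": "203.0.113.5", "dst": "66.194.227.50",
              "sport": 1723, "dport": 49152, "ack": True}
RETURN_GRE = {"proto": "gre", "src": "203.0.113.5", "dst": "66.194.227.50"}
TO_VPN_SERVER = {"proto": "tcp", "src": "203.0.113.5", "dst": "66.194.227.12", "dport": 1723}


def verdicts(acl):
    """Verdict per constructed packet, e.g. {'tcp_return': 'deny', ...}."""
    return {n: evaluate(acl, p) for n, p in [("tcp_return", RETURN_TCP),
            ("gre_return", RETURN_GRE), ("to_vpn_server", TO_VPN_SERVER)]}
```

Running `verdicts(POSTED)` shows both return packets denied while inbound connections to the existing .12 server still pass; `verdicts(FIXED)` permits all three without opening any new inbound service.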