hglenni asked:
Cisco and MS VPN
We cannot connect through our router to a MS VPN
We have a Cisco 3620 and here is the ACL. What is missing?
access-list 110 remark .
access-list 110 remark ...
access-list 110 remark This effectively allows only hosts on our
access-list 110 remark subnet 66.194.227.0/24 (class C) to get out of the router
access-list 110 remark .....
access-list 110 permit ip 66.194.227.0 0.0.0.255 any
access-list 110 deny ip any any
!
!
!
access-list 120 remark .
access-list 120 remark ...
access-list 120 remark The three rules below will effectively block all
access-list 120 remark incoming rfc1918 (Private Internet Addresses).
access-list 120 remark Unless this router is used on a network which is
access-list 120 remark using RFC1918 addresses these IP blocks
access-list 120 remark should be denied from entering or leaving any interface.
access-list 120 remark ....
access-list 120 deny ip 10.0.0.0 0.255.255.255 any log
access-list 120 deny ip 192.168.0.0 0.0.255.255 any log
access-list 120 deny ip 172.16.0.0 0.15.255.255 any log
access-list 120 remark ......
access-list 120 remark .......
access-list 120 remark Deny packets with local host, broadcast and multicast addresses
access-list 120 remark ........
access-list 120 deny ip 127.0.0.0 0.255.255.255 any log
access-list 120 deny ip 255.0.0.0 0.255.255.255 any log
access-list 120 deny ip 224.0.0.0 15.255.255.255 any log
access-list 120 remark .........
access-list 120 remark ..........
access-list 120 remark Deny packets without an IP address
access-list 120 deny ip host 0.0.0.0 any log
!
!
access-list 120 remark 1.
access-list 120 remark Access to commonly available resources
access-list 120 remark domain (DNS) (UDP - Lookup, TCP - Zone Transfer)
access-list 120 remark EMail - Smtp and Pop3
access-list 120 remark FTP
access-list 120 remark WWW
access-list 120 remark SSL (443)
access-list 120 remark 1..
access-list 120 permit tcp any host 66.194.227.1 eq 22 ! Secure Connection
access-list 120 permit udp any host 66.194.227.10 eq domain ! Cygnus - DNS lookup
access-list 120 permit tcp any host 66.194.227.10 eq domain ! Cygnus - DNS zone transfer
access-list 120 permit tcp any host 66.194.227.4 eq smtp ! Titan Exchange Server - Smtp
access-list 120 permit tcp any host 66.194.227.4 eq pop3 ! Titan Exchange Server - POP3
access-list 120 permit tcp any host 66.194.227.4 eq www ! Titan Exchange Server - Web Mail
access-list 120 permit tcp any host 66.194.227.6 eq www ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.6 eq 443 ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.7 eq www ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.7 eq 443 ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.8 eq www ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.8 eq 443 ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.6 range ftp-data ftp ! Cassiopeia
access-list 120 remark 1...
!
!
!
access-list 120 remark 2.
access-list 120 remark Allow ICMP replies
access-list 120 remark 2..
access-list 120 permit icmp any any echo-reply
access-list 120 remark 2...
!
!
!
access-list 120 remark 3.
access-list 120 remark Identitech VPN Access
access-list 120 remark . pptp = 1723 (UDP & TCP)
access-list 120 remark 3..
access-list 120 permit tcp any host 66.194.227.12 eq 1723 ! Tss-Max VPN
access-list 120 permit udp any host 66.194.227.12 eq 1723 ! Tss-Max VPN
access-list 120 permit gre any host 66.194.227.12 ! Tss-Max Cisco VPN Protocol
!
! Stuff I am trying to get VPN to work
! l2F = 1701 (UDP & TCP for outgoing connections)
!
access-list 120 permit udp any any eq 1701 ! Allow users to connect to VPN
access-list 120 permit udp any any eq 500 ! Allow users to connect to VPN
access-list 120 permit esp any any ! Allow users to connect to VPN
access-list 120 permit ahp any any ! Allow users to connect to VPN
access-list 120 remark 3...
!
!
!
!
!
access-list 120 remark 4.
access-list 120 remark Remote Connection Programs
access-list 120 remark Terminal Service - 3389
access-list 120 remark 4..
access-list 120 permit tcp any host 66.194.227.61 eq 3389 ! Glenn's Machine
access-list 120 permit tcp any host 66.194.227.138 eq 3389 ! Pegasus (Mindmill & Praveen SourceSafe)
access-list 120 remark 4...
!
!
!
access-list 120 remark 5.
access-list 120 remark Completely Open Machines
access-list 120 remark ...Very Risky...
access-list 120 remark 5..
access-list 120 permit ip any host 66.194.227.235 ! Milna's Machine
access-list 120 remark 5...
!
!
!
access-list 120 remark 6.
access-list 120 remark deny all the rest
access-list 120 remark 6..
access-list 120 deny ip any any
!
!
ASKER
Thank you for your comment
I am going out from my network, and VPN to someone else.
In to mine works.
Thanks
Glenn
ASKER CERTIFIED SOLUTION
ASKER
Could you give me an example, like this?
Or is there a way to permit it elsewhere?
access-list 120 permit gre any any
Yes, but you can lock it down a little using the inside LAN {source} {destination}
access-list 120 permit gre 66.194.227.0 0.0.0.255 any
access-list 120 permit tcp 66.194.227.0 0.0.0.255 any eq 1723
Good luck!
>access-list 110 permit ip 66.194.227.0 0.0.0.255 any
These access-list entries are all you should need for the MS VPN to work (tcp 1723 and GRE):
>access-list 120 permit tcp any host 66.194.227.12 eq 1723
>access-list 120 permit gre any host 66.194.227.12
I don't see anything for "established" connections. This should be at the very top of the acl 120:
access-list 120 permit tcp any 66.194.227.0 0.0.0.255 established
You might try adding "log" to the final deny any any to help troubleshoot:
i.e. access-list 120 deny ip any any log
Use the output of "show ip access-list 120" to see/monitor hits to each line and make sure your TCP 1720 and GRE lines are getting hits. If not, check the default gateway setting for the MS VPN server itself.
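As an added example that is not part of this thread, the Python script below models the two ACLs as a first-match evaluator and traces an outbound PPTP session (the TCP 1723 control connection plus the GRE tunnel) through them, first with ACL 120 as posted and then with the "established" entry from the last reply and a GRE entry for the inside LAN added. It assumes ACL 110 is applied outbound and ACL 120 inbound on the Internet-facing interface, so return packets arrive with the remote VPN server as source and the LAN as destination; the client address 66.194.227.50 and the server address 203.0.113.5 are made up for the trace. It also checks the multicast wildcard mask from the posted ACL.

```python
"""First-match evaluator for numbered IOS extended ACLs (added example).

Models ACL 110 (outbound) and ACL 120 (inbound) from the question far enough
to show which packets of an outbound PPTP session are dropped, and why the
'established' and GRE entries from the replies are needed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN = "66.194.227.0 0.0.0.255"                 # inside subnet from the question
CLIENT, SERVER = "66.194.227.50", "203.0.113.5"  # assumed addresses for the trace


def wildcard_match(addr: str, spec: str) -> bool:
    """Match an IPv4 address against 'any', 'host X' or 'NET WILDCARD'."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    net, wild = parts
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    care = 0xFFFFFFFF ^ w          # wildcard bit 1 = don't care, 0 = must match
    return (a & care) == (n & care)


@dataclass
class Packet:
    proto: str              # 'tcp', 'udp', 'gre', 'icmp', ...
    src: str
    dst: str
    dport: int = 0
    ack: bool = False       # TCP with ACK/RST set is what 'established' matches


@dataclass
class Entry:
    action: str             # 'permit' or 'deny'
    proto: str              # 'ip' matches every protocol
    src: str
    dst: str
    dport: Optional[int] = None
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not (wildcard_match(p.src, self.src) and wildcard_match(p.dst, self.dst)):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True


def evaluate(acl: list[Entry], p: Packet) -> str:
    """IOS semantics: first matching entry wins, implicit deny at the end."""
    for e in acl:
        if e.matches(p):
            return e.action
    return "deny"


# ACL 110 as posted: anything from the LAN may leave.
ACL_110 = [Entry("permit", "ip", LAN, "any"), Entry("deny", "ip", "any", "any")]

# ACL 120 as posted, reduced to the entries a PPTP session could hit.
ACL_120_ORIGINAL = [
    Entry("permit", "tcp", "any", "host 66.194.227.12", dport=1723),
    Entry("permit", "gre", "any", "host 66.194.227.12"),
    Entry("deny", "ip", "any", "any"),
]

# Same list with the 'established' entry and a GRE entry for the LAN on top.
ACL_120_FIXED = [
    Entry("permit", "tcp", "any", LAN, established=True),
    Entry("permit", "gre", "any", LAN),
] + ACL_120_ORIGINAL


def pptp_session() -> list[tuple[str, str, Packet]]:
    """The four packet directions an outbound PPTP session needs (constructed)."""
    return [
        ("out", "TCP SYN to 1723",       Packet("tcp", CLIENT, SERVER, dport=1723)),
        ("in",  "TCP SYN/ACK from 1723", Packet("tcp", SERVER, CLIENT, dport=40000, ack=True)),
        ("out", "GRE tunnel data out",   Packet("gre", CLIENT, SERVER)),
        ("in",  "GRE tunnel data back",  Packet("gre", SERVER, CLIENT)),
    ]


def trace(inbound_acl: list[Entry]) -> dict[str, str]:
    """Verdict per packet: outbound packets hit ACL 110, inbound ones ACL 120."""
    return {name: evaluate(ACL_110 if d == "out" else inbound_acl, pkt)
            for d, name, pkt in pptp_session()}


if __name__ == "__main__":
    for label, acl in (("as posted", ACL_120_ORIGINAL), ("with established + GRE", ACL_120_FIXED)):
        print(f"ACL 120 {label}:")
        for name, verdict in trace(acl).items():
            print(f"  {verdict:6} {name}")
    # The posted wildcard 7.255.255.255 only covers 224.0.0.0-231.255.255.255.
    print("232.0.0.1 matched by 224.0.0.0 7.255.255.255:",
          wildcard_match("232.0.0.1", "224.0.0.0 7.255.255.255"))
```

Running it shows the outbound SYN and GRE packets passing ACL 110 while the SYN/ACK and the returning GRE are dropped by ACL 120 as posted; with the two added entries both return packets are permitted, and an unsolicited inbound SYN to the client is still denied, since "established" only matches segments with ACK or RST set.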