Solved

Cisco and MS VPN

Posted on 2004-04-26
717 Views
Last Modified: 2013-11-29
We cannot connect through our router to an MS VPN.
We have a CISCO 3620 and here is the ACL. What is missing?

access-list 110 remark .
access-list 110 remark ...
access-list 110 remark This effectively allows only hosts on our
access-list 110 remark subnet 66.194.227.0/24 (class C) to get out of the router
access-list 110 remark .....
access-list 110 permit ip  66.194.227.0 0.0.0.255 any
access-list 110 deny   ip any any
!
!
!
access-list 120 remark .
access-list 120 remark ...
access-list 120 remark The three rules below will effectively block all
access-list 120 remark incoming rfc1918 (Private Internet Addresses).
access-list 120 remark Unless this router is used on a network which is
access-list 120 remark using RFC1918 addresses these IP blocks
access-list 120 remark should be denied from entering or leaving any interface.
access-list 120 remark ....
access-list 120 deny ip  10.0.0.0    0.255.255.255      any log
access-list 120 deny ip  192.168.0.0 0.0.255.255        any log
access-list 120 deny ip  172.16.0.0  0.15.255.255       any log
access-list 120 remark ......
access-list 120 remark .......
access-list 120 remark Deny packets with local host, broadcast and multicast addresses
access-list 120 remark ........
access-list 120 deny ip  127.0.0.0   0.255.255.255  any log
access-list 120 deny ip  255.0.0.0   0.255.255.255  any log
access-list 120 deny ip  224.0.0.0   7.255.255.255  any log
access-list 120 remark .........
access-list 120 remark ..........
access-list 120 remark Deny packets without an IP address
access-list 120 deny    ip host 0.0.0.0 any log
!
!
access-list 120 remark 1.
access-list 120 remark  Access to commonly available resources
access-list 120 remark        domain (DNS) (UDP - Lookup, TCP - Zone Transfer)
access-list 120 remark        EMail - Smtp and Pop3
access-list 120 remark        FTP
access-list 120 remark        WWW
access-list 120 remark        SSL (443)
access-list 120 remark 1..
access-list 120 permit tcp any host 66.194.227.1  eq 22                 ! Secure Connection
access-list 120 permit udp any host 66.194.227.10 eq domain             ! Cygnus - DNS lookup
access-list 120 permit tcp any host 66.194.227.10 eq domain             ! Cygnus - DNS zone transfer
access-list 120 permit tcp any host 66.194.227.4  eq smtp               ! Titan Exchange Server - Smtp
access-list 120 permit tcp any host 66.194.227.4  eq pop3               ! Titan Exchange Server - POP3
access-list 120 permit tcp any host 66.194.227.4  eq www                ! Titan Exchange Server - Web Mail
access-list 120 permit tcp any host 66.194.227.6  eq www                ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.6  eq 443                ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.7  eq www                ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.7  eq 443                ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.8  eq www                ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.8  eq 443                ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.6  range ftp-data ftp    ! Cassiopeia
access-list 120 remark 1...
!
!
!
access-list 120 remark 2.
access-list 120 remark Allow ICMP Replies
access-list 120 remark 2..
access-list 120 permit icmp any any echo-reply
access-list 120 remark 2...
!
!
!
access-list 120 remark 3.
access-list 120 remark  Identitech VPN Access
access-list 120 remark . pptp = 1723 (UDP & TCP)
access-list 120 remark 3..
access-list 120 permit tcp  any host 66.194.227.12 eq 1723                ! Tss-Max VPN
access-list 120 permit udp  any host 66.194.227.12 eq 1723                ! Tss-Max VPN
access-list 120 permit gre  any host 66.194.227.12                        ! Tss-Max Cisco VPN Protocol
!
! Stuff I am trying to get VPN to work
!  L2F = 1701  (UDP & TCP for outgoing connections)
!
access-list 120 permit udp  any any eq 1701             ! Allow users to connect to VPN
access-list 120 permit udp  any any eq 500              ! Allow users to connect to VPN
access-list 120 permit esp  any any                     ! Allow users to connect to VPN
access-list 120 permit ahp  any any                     ! Allow users to connect to VPN
access-list 120 remark 3...
!
!
!
!
!
access-list 120 remark 4.
access-list 120 remark  Remote Connection Programs
access-list 120 remark    Terminal Service - 3389
access-list 120 remark 4..
access-list 120 permit tcp any host 66.194.227.61  eq 3389              ! Glenn's Machine
access-list 120 permit tcp any host 66.194.227.138 eq 3389              ! Pegasus (Mindmill & Praveen SourceSafe)
access-list 120 remark 4...
!
!
!
access-list 120 remark 5.
access-list 120 remark  Completely Open Machines
access-list 120 remark      ...Very Risky...
access-list 120 remark 5..
access-list 120 permit ip any host 66.194.227.235                       ! Milna's Machine
access-list 120 remark 5...
!
!
!
access-list 120 remark 6.
access-list 120 remark     deny all the rest
access-list 120 remark 6..
access-list 120 deny ip any any
!
!
Question by: hglenni

5 Comments
LVL 79

Expert Comment

by:lrmoore
ID: 10923460
Can I assume that this is your local LAN and that acl 110 is applied to the LAN interface "in"?
>access-list 110 permit ip  66.194.227.0 0.0.0.255 any

These access-list entries are all you should need for the MS VPN to work (tcp 1723 and GRE):
>access-list 120 permit tcp  any host 66.194.227.12 eq 1723      
>access-list 120 permit gre  any host 66.194.227.12                      

I don't see anything for "established" connections. This should be at the very top of the acl 120:
access-list 120 permit tcp any 66.194.227.0 0.0.0.255 established

You might try adding "log" to the final deny any any to help troubleshoot:
i.e. access-list 120 deny ip any any log

Use output of "show ip access-list 120" to see/monitor hits to each line and make sure your TCP 1720 and GRE lines are getting hits. If not, check the default gateway setting for the MS VPN server itself.



Author Comment

by:hglenni
ID: 10923613
Thank you for your comment
I am going out from my network, and VPN to someone else.
In to mine works.

Thanks

Glenn
LVL 79

Accepted Solution

by: lrmoore (earned 500 total points)
ID: 10923789
>I am going out from my network, and VPN to someone else.
Then you need to permit the GRE back in along with TCP 1723 from their IP to your internal IP

Author Comment

by:hglenni
ID: 10923811
Could you give me an example, like this?
Or is there a way to permit it elsewhere?
access-list 120 permit gre  any any
LVL 79

Expert Comment

by:lrmoore
ID: 10923931
Yes, but you can lock it down a little using the inside LAN {source} {destination}
access-list 120 permit gre 66.194.227.0 0.0.0.255 any
access-list 120 permit tcp 66.194.227.0 0.0.0.255 any eq 1723

Good luck!
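To make the thread's reasoning concrete, here is an added example that is not part of the original question or answers and not Cisco software: a small first-match simulator for the subset of numbered extended ACL syntax used in the posted config (wildcard masks, protocol keywords, eq/range ports, "established", the closing deny). It runs a PPTP session that an inside client opened to a remote server through the posted ACL 120 entries and through the same entries plus the two additions from the answers. The remote server address 203.0.113.5 and the client 66.194.227.61 are constructed sample values; the return-GRE entry follows the accepted solution's "their IP to your internal IP" order and assumes ACL 120 is applied inbound on the Internet-facing interface, which the thread does not state.

```python
"""Added example (not from the thread): first-match simulator for the subset of
Cisco numbered extended ACL syntax used in the posted config."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Port keywords that appear in the posted ACL.
PORT_NAMES = {"domain": 53, "smtp": 25, "pop3": 110, "www": 80, "ftp": 21, "ftp-data": 20}


@dataclass
class Packet:
    proto: str          # "tcp", "udp", "gre", "icmp", "esp", "ahp"
    src: str
    dst: str
    dport: int = 0      # destination port, TCP/UDP only
    ack: bool = False   # ACK or RST set -> matches "established"


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard: a 1 bit means 'don't care', so compare only the 0 bits."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (base, wildcard, rest)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_entry(line: str):
    """Parse one 'access-list N permit|deny ...' line; None for remarks and comments."""
    line = line.split("!")[0].strip()          # drop trailing "! comment" text
    t = line.split()
    if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        return None
    src, swc, rest = _addr(t[4:])
    dst, dwc, rest = _addr(rest)
    ports: Optional[Tuple[int, int]] = None
    established = False
    while rest:
        tok = rest.pop(0)
        if tok == "eq":
            p = _port(rest.pop(0))
            ports = (p, p)
        elif tok == "range":
            ports = (_port(rest.pop(0)), _port(rest.pop(0)))
        elif tok == "established":
            established = True
        # "log" and ICMP type keywords such as echo-reply are ignored by this model
    return {"action": t[2], "proto": t[3], "src": (src, swc), "dst": (dst, dwc),
            "ports": ports, "established": established}


def evaluate(acl_text: str, pkt: Packet) -> str:
    """First matching entry wins; a list with no match ends in an implicit deny."""
    for line in acl_text.splitlines():
        e = parse_entry(line)
        if e is None or e["proto"] not in ("ip", pkt.proto):
            continue
        if not wildcard_match(pkt.src, *e["src"]) or not wildcard_match(pkt.dst, *e["dst"]):
            continue
        if e["ports"] and not (e["ports"][0] <= pkt.dport <= e["ports"][1]):
            continue
        if e["established"] and not pkt.ack:
            continue
        return e["action"]
    return "deny"


# The VPN-related entries of the posted inbound ACL 120, in their original order.
ORIGINAL_ACL_120 = """
access-list 120 deny ip 10.0.0.0 0.255.255.255 any log
access-list 120 permit tcp any host 66.194.227.12 eq 1723     ! Tss-Max VPN
access-list 120 permit gre any host 66.194.227.12             ! Tss-Max Cisco VPN Protocol
access-list 120 permit udp any any eq 1701
access-list 120 deny ip any any
"""

# Constructed placeholder for the other side's PPTP server (documentation range).
REMOTE_VPN = "203.0.113.5"

# Same entries plus the answers' two additions: "established" at the very top and
# return GRE from the remote server to the inside LAN (their IP -> your internal IP).
FIXED_ACL_120 = f"""
access-list 120 permit tcp any 66.194.227.0 0.0.0.255 established
access-list 120 permit gre host {REMOTE_VPN} 66.194.227.0 0.0.0.255
""" + ORIGINAL_ACL_120


def outbound_pptp_results(acl_text: str) -> dict:
    """Return traffic for a PPTP session an inside client opened to REMOTE_VPN."""
    client = "66.194.227.61"   # constructed inside client address
    return {
        # TCP 1723 control-channel replies carry ACK, so "established" can match them
        "tcp_reply": evaluate(acl_text, Packet("tcp", REMOTE_VPN, client, dport=49152, ack=True)),
        # GRE (IP protocol 47) carries the tunnelled data; it has no port and no ACK flag
        "gre_return": evaluate(acl_text, Packet("gre", REMOTE_VPN, client)),
        # an unsolicited SYN from the same server must still be dropped
        "unsolicited_syn": evaluate(acl_text, Packet("tcp", REMOTE_VPN, client, dport=3389)),
    }


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL_120), ("fixed", FIXED_ACL_120)):
        print(name, outbound_pptp_results(acl))
```

With the original entries every reply of the outbound session, GRE included, falls through to the closing deny, which is exactly the symptom in the question; with the two additions the GRE and the ACK-carrying TCP replies pass while an unsolicited SYN from the same server is still dropped. The wildcard helper also makes a side point about the posted list worth checking on a real box: 224.0.0.0 with wildcard 7.255.255.255 is 224.0.0.0/5 (224 through 231), whereas the whole multicast range 224.0.0.0/4 needs wildcard 15.255.255.255.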

