Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 757
  • Last Modified:

Cisco and MS VPN

We cannot connect through our router to a MS VPN
WE have a CISCO 3620 and here is the ACL. What is missing?

access-list 110 remark .
access-list 110 remark ...
access-list 110 remark This is effectively allows only anyone on our
access-list 110 remark subnet 66.194.227.0/24(class C) to get out of the router
access-list 110 remark .....
access-list 110 permit ip  66.194.227.0 0.0.0.255 any
access-list 110 deny   ip any any
!
!
!
access-list 120 remark .
access-list 120 remark ...
access-list 120 remark The three rules below will effectively block all
access-list 120 remark incoming rfc1918 (Private Internet Addresses).
access-list 120 remark Unless this router is used on a network which is
access-list 120 remark using RFC1918 addresses these IP blocks
access-list 120 remark should be denied from entering or leaving any interface.
access-list 120 remark ....
access-list 120 deny ip  10.0.0.0    0.255.255.255      any log
access-list 120 deny ip  192.168.0.0 0.0.255.255        any log
access-list 120 deny ip  172.16.0.0  0.15.255.255       any log
access-list 120 remark ......
access-list 120 remark .......
access-list 120 remark Deny packets with local host, broadcase and multicast addresses
access-list 120 remark ........
access-list 120 deny ip  127.0.0.0   0.255.255.255  any log
access-list 120 deny ip  255.0.0.0   0.255.255.255  any log
access-list 120 deny ip  224.0.0.0   7.255.255.255  any log
access-list 120 remark .........
access-list 120 remark ..........
access-list 120 remark Deny packets without a IP Address
access-list 120 deny    ip host 0.0.0.0 any log
!
!
access-list 120 remark 1.
access-list 120 remark  Access to commonly available resources
access-list 120 remark        domain (DNS) (UDP - Lookup, TCP - Zone Transfer)
access-list 120 remark        EMail - Smtp and Pop3
access-list 120 remark        FTP
access-list 120 remark        WWW
access-list 120 remark        SSL (443)
access-list 120 remark 1..
access-list 120 permit tcp any host 66.194.227.1  eq 22                 ! Secure Connection
access-list 120 permit udp any host 66.194.227.10 eq domain             ! Cygnus - DNS lookup
access-list 120 permit tcp any host 66.194.227.10 eq domain             ! Cygnus - DNS zone transfer
access-list 120 permit tcp any host 66.194.227.4  eq smtp               ! Titan Exchange Server - Smtp
access-list 120 permit tcp any host 66.194.227.4  eq pop3               ! Titan Exchange Server - POP3
access-list 120 permit tcp any host 66.194.227.4  eq www                ! Titan Exchange Server - Web Mail
access-list 120 permit tcp any host 66.194.227.6  eq www                ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.6  eq 443                ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.7  eq www                ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.7  eq 443                ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.8  eq www                ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.8  eq 443                ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.6  range ftp-data ftp    ! Cassiopeia
access-list 120 remark 1...
!
!
!
access-list 120 remark 2.
access-list 120 remark Allow ICMP Replys
access-list 120 remark 2..
access-list 120 permit icmp any any echo-reply
access-list 120 remark 2...
!
!
!
access-list 120 remark 3.
access-list 120 remark  Identitech VPN Access
access-list 120 remark . pptp = 1723 (UDP & TCP)
access-list 120 remark 3..
access-list 120 permit tcp  any host 66.194.227.12 eq 1723                ! Tss-Max VPN
access-list 120 permit udp  any host 66.194.227.12 eq 1723                ! Tss-Max VPN
access-list 120 permit gre  any host 66.194.227.12                        ! Tss-Max Cisco VPN Protocol
!
! Stuff I am trying to get VPN to work
!  l2F = 1701  (UDP & TCP for outgoing connections)
!
access-list 120 permit udp  any any eq 1701             ! Allow users to connect to VPN
access-list 120 permit udp  any any eq 500              ! Allow users to connect to VPN
access-list 120 permit esp  any any                     ! Allow users to connect to VPN
access-list 120 permit ahp  any any                     ! Allow users to connect to VPN
access-list 120 remark 3...
!
!
!
!
!
access-list 120 remark 4.
access-list 120 remark  Remote Connection Programs
access-list 120 remark    Terminal Service - 3389
access-list 120 remark 4..
access-list 120 permit tcp any host 66.194.227.61  eq 3389              ! Glenn's Machine
access-list 120 permit tcp any host 66.194.227.138 eq 3389              ! Pegasus (Mindmill & Praveen SourceSafe)
access-list 120 remark 4...
!
!
!
access-list 120 remark 5.
access-list 120 remark  Completely Open Machines
access-list 120 remark      ...Very Risky...
access-list 120 remark 5..
access-list 120 permit ip any host 66.194.227.235                       ! Milna's Machine
access-list 120 remark 5...
!
!
!
access-list 120 remark 6.
access-list 120 remark     deny all the rest
access-list 120 remark 6..
access-list 120 deny ip any any
!
!
0
hglenni
Asked:
hglenni
  • 3
  • 2
1 Solution
 
lrmooreCommented:
Can I assume that this is your local LAN and that acl 110 is applied to the LAN interface "in"
>access-list 110 permit ip  66.194.227.0 0.0.0.255 any

These access-list entries are all you should need for the MS VPN to work (tcp 1723 and GRE):
>access-list 120 permit tcp  any host 66.194.227.12 eq 1723      
>access-list 120 permit gre  any host 66.194.227.12                      

I don't see anything for "established" connections. This should be at the very top of the acl 120:
access-list 120 permit tcp any 66.194.227.0 0.0.0.255 established

You might try adding "log" to the final deny any any to help troubleshoot:
i.e access-list 120 deny ip any any log

Use output of "show ip access-list 120" to see/monitor hits to each line and make sure your TCP 1720 and GRE lines are getting hits. If not, check the default gateway setting for the MS VPN server itself..


0
 
hglenniAuthor Commented:
Thank you for your comment
I am going out from my network, and VPN to someone else.
In to mine works.

Thanks

Glenn
0
 
lrmooreCommented:
>I am going out from my network, and VPN to someone else.
Then you need to permit the GRE back in along with TCP 1723 from their IP to your internal IP
0
 
hglenniAuthor Commented:
Could you give me an example - like this?
or is there a way to permit it elsewhere
access-list 120 permit gre  any any
0
 
lrmooreCommented:
Yes, but you can lock it down a little using the inside LAN {source} {destination}
access-list 120 permit gre 66.194.227.0 0.0.0.255 any
access-list 120 permit tcp 66.194.227.0 0.0.0.255 any eq 1723

Good luck!


0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now