Solved

Cisco and MS VPN

Posted on 2004-04-26
711 Views
Last Modified: 2013-11-29
We cannot connect through our router to an MS VPN.
We have a CISCO 3620 and here is the ACL. What is missing?

access-list 110 remark .
access-list 110 remark ...
access-list 110 remark This effectively allows only hosts on our
access-list 110 remark subnet 66.194.227.0/24 (class C) to get out of the router
access-list 110 remark .....
access-list 110 permit ip  66.194.227.0 0.0.0.255 any
access-list 110 deny   ip any any
!
!
!
access-list 120 remark .
access-list 120 remark ...
access-list 120 remark The three rules below will effectively block all
access-list 120 remark incoming rfc1918 (Private Internet Addresses).
access-list 120 remark Unless this router is used on a network which is
access-list 120 remark using RFC1918 addresses these IP blocks
access-list 120 remark should be denied from entering or leaving any interface.
access-list 120 remark ....
access-list 120 deny ip  10.0.0.0    0.255.255.255      any log
access-list 120 deny ip  192.168.0.0 0.0.255.255        any log
access-list 120 deny ip  172.16.0.0  0.15.255.255       any log
access-list 120 remark ......
access-list 120 remark .......
access-list 120 remark Deny packets with local host, broadcast and multicast addresses
access-list 120 remark (224.0.0.0/4 is the whole multicast range, wildcard 15.255.255.255)
access-list 120 remark ........
access-list 120 deny ip  127.0.0.0   0.255.255.255  any log
access-list 120 deny ip  255.0.0.0   0.255.255.255  any log
access-list 120 deny ip  224.0.0.0   15.255.255.255 any log
access-list 120 remark .........
access-list 120 remark ..........
access-list 120 remark Deny packets without an IP address
access-list 120 deny    ip host 0.0.0.0 any log
!
!
access-list 120 remark 1.
access-list 120 remark  Access to commonly available resources
access-list 120 remark        domain (DNS) (UDP - Lookup, TCP - Zone Transfer)
access-list 120 remark        EMail - Smtp and Pop3
access-list 120 remark        FTP
access-list 120 remark        WWW
access-list 120 remark        SSL (443)
access-list 120 remark 1..
access-list 120 permit tcp any host 66.194.227.1  eq 22                 ! Secure Connection
access-list 120 permit udp any host 66.194.227.10 eq domain             ! Cygnus - DNS lookup
access-list 120 permit tcp any host 66.194.227.10 eq domain             ! Cygnus - DNS zone transfer
access-list 120 permit tcp any host 66.194.227.4  eq smtp               ! Titan Exchange Server - Smtp
access-list 120 permit tcp any host 66.194.227.4  eq pop3               ! Titan Exchange Server - POP3
access-list 120 permit tcp any host 66.194.227.4  eq www                ! Titan Exchange Server - Web Mail
access-list 120 permit tcp any host 66.194.227.6  eq www                ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.6  eq 443                ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.7  eq www                ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.7  eq 443                ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.8  eq www                ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.8  eq 443                ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.6  range ftp-data ftp    ! Cassiopeia
access-list 120 remark 1...
!
!
!
access-list 120 remark 2.
access-list 120 remark Allow ICMP Replies
access-list 120 remark 2..
access-list 120 permit icmp any any echo-reply
access-list 120 remark 2...
!
!
!
access-list 120 remark 3.
access-list 120 remark  Identitech VPN Access
access-list 120 remark . pptp = TCP 1723 (control channel) plus GRE (IP protocol 47) for the tunnel
access-list 120 remark 3..
access-list 120 permit tcp  any host 66.194.227.12 eq 1723                ! Tss-Max VPN
access-list 120 permit udp  any host 66.194.227.12 eq 1723                ! Tss-Max VPN
access-list 120 permit gre  any host 66.194.227.12                        ! Tss-Max Cisco VPN Protocol
!
! Stuff I am trying to get VPN to work
!  L2TP/L2F = UDP 1701, IKE = UDP 500, plus ESP (50) and AH (51) for IPsec
!
access-list 120 permit udp  any any eq 1701             ! Allow users to connect to VPN
access-list 120 permit udp  any any eq 500              ! Allow users to connect to VPN
access-list 120 permit esp  any any                     ! Allow users to connect to VPN
access-list 120 permit ahp  any any                     ! Allow users to connect to VPN
access-list 120 remark 3...
!
!
!
!
!
access-list 120 remark 4.
access-list 120 remark  Remote Connection Programs
access-list 120 remark    Terminal Service - 3389
access-list 120 remark 4..
access-list 120 permit tcp any host 66.194.227.61  eq 3389              ! Glenn's Machine
access-list 120 permit tcp any host 66.194.227.138 eq 3389              ! Pegasus (Mindmill & Praveen SourceSafe)
access-list 120 remark 4...
!
!
!
access-list 120 remark 5.
access-list 120 remark  Completely Open Machines
access-list 120 remark      ...Very Risky...
access-list 120 remark 5..
access-list 120 permit ip any host 66.194.227.235                       ! Milna's Machine
access-list 120 remark 5...
!
!
!
access-list 120 remark 6.
access-list 120 remark     deny all the rest
access-list 120 remark 6..
access-list 120 deny ip any any
!
!
Question by:hglenni
5 Comments
LVL 79

Expert Comment

by:lrmoore
ID: 10923460
Can I assume that this is your local LAN and that acl 110 is applied to the LAN interface "in"?
>access-list 110 permit ip  66.194.227.0 0.0.0.255 any

These access-list entries are all you should need for the MS VPN to work (tcp 1723 and GRE):
>access-list 120 permit tcp  any host 66.194.227.12 eq 1723      
>access-list 120 permit gre  any host 66.194.227.12                      

I don't see anything for "established" connections. This should be at the very top of the acl 120:
access-list 120 permit tcp any 66.194.227.0 0.0.0.255 established

You might try adding "log" to the final deny any any to help troubleshoot:
i.e. access-list 120 deny ip any any log

Use output of "show ip access-list 120" to see/monitor hits to each line and make sure your TCP 1720 and GRE lines are getting hits. If not, check the default gateway setting for the MS VPN server itself..


Author Comment

by:hglenni
ID: 10923613
Thank you for your comment
I am going out from my network, and VPN to someone else.
In to mine works.

Thanks

Glenn
LVL 79

Accepted Solution

by:lrmoore (earned 500 total points)
ID: 10923789
>I am going out from my network, and VPN to someone else.
Then you need to permit the GRE back in along with TCP 1723 from their IP to your internal IP
Author Comment

by:hglenni
ID: 10923811
Could you give me an example - like this?
or is there a way to permit it elsewhere
access-list 120 permit gre  any any
LVL 79

Expert Comment

by:lrmoore
ID: 10923931
Yes, but you can lock it down a little using the inside LAN {source} {destination}
access-list 120 permit gre 66.194.227.0 0.0.0.255 any
access-list 120 permit tcp 66.194.227.0 0.0.0.255 any eq 1723

Good luck!


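As an added example (not code from the thread, the poster or lrmoore): a small Python evaluator for the subset of IOS extended-ACL syntax used in this thread, fed the PPTP entries from the question and the return-path entries an outbound PPTP session needs. It assumes ACL 120 is applied "in" on the Internet-facing interface, so packets coming back from the remote VPN server carry that server as source and a LAN host as destination. The remote server address 198.51.100.5 and the client's ephemeral port 3301 are placeholders, not values from the thread. The point it makes about both the first comment's "established" line and the accepted solution: "established" only looks at TCP flags, so it lets the TCP 1723 reply through but never matches GRE, which has to be permitted explicitly from the remote server to the LAN.

```python
"""First-match evaluator for the IOS extended-ACL subset used in this thread.
Added example; 198.51.100.5 and port 3301 are placeholders, not thread values."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: str                  # "tcp", "udp", "gre", "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack: bool = False           # TCP ACK/RST set: what 'established' tests

def _addr(tokens: list, i: int) -> tuple:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tokens[i]."""
    t = tokens[i]
    if t == "any":
        return (lambda ip: True), i + 1
    if t == "host":
        want = int(ipaddress.IPv4Address(tokens[i + 1]))
        return (lambda ip: ip == want), i + 2
    base = int(ipaddress.IPv4Address(t))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    keep = ~wild & 0xFFFFFFFF   # wildcard 1-bits are "don't care", 0-bits must match
    return (lambda ip: ip & keep == base & keep), i + 2

def _port(tokens: list, i: int) -> tuple:
    """Optional 'eq N' after an address spec (numeric ports only in this model)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i

def parse_ace(line: str):
    """(action, proto, src, sport, dst, dport, established), or None for remarks,
    blank lines and '!' comment lines. Trailing '! ...' comments are dropped."""
    tokens = line.split("!", 1)[0].split()
    if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
        return None
    action, proto = tokens[2], tokens[3]
    src, i = _addr(tokens, 4)
    sport, i = _port(tokens, i)
    dst, i = _addr(tokens, i)
    dport, i = _port(tokens, i)
    return action, proto, src, sport, dst, dport, "established" in tokens[i:]

def evaluate(acl: list, pkt: Packet) -> str:
    """IOS semantics: first matching entry wins; unmatched traffic is denied."""
    s = int(ipaddress.IPv4Address(pkt.src))
    d = int(ipaddress.IPv4Address(pkt.dst))
    for line in acl:
        ace = parse_ace(line)
        if ace is None:
            continue
        action, proto, src, sport, dst, dport, est = ace
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (src(s) and dst(d)):
            continue
        if sport is not None and sport != pkt.sport:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        if est and not (pkt.proto == "tcp" and pkt.ack):
            continue                # 'established' never matches GRE: no TCP flags
        return action
    return "deny"                   # implicit deny ip any any

# PPTP entries exactly as posted in the question (VPN server .12 on the LAN).
INBOUND_AS_POSTED = [
    "access-list 120 permit tcp  any host 66.194.227.12 eq 1723   ! Tss-Max VPN",
    "access-list 120 permit gre  any host 66.194.227.12           ! Tss-Max Cisco VPN Protocol",
    "access-list 120 deny ip any any",
]
# Placeholder remote PPTP server (RFC 5737 documentation range), not from the thread.
# ACL 120 is assumed applied 'in' on the Internet-facing interface.
REMOTE_PPTP_SERVER = "198.51.100.5"
INBOUND_ESTABLISHED_ONLY = [
    "access-list 120 permit tcp any 66.194.227.0 0.0.0.255 established",
] + INBOUND_AS_POSTED
INBOUND_WITH_RETURN = [
    f"access-list 120 permit tcp host {REMOTE_PPTP_SERVER} eq 1723 66.194.227.0 0.0.0.255 established",
    f"access-list 120 permit gre host {REMOTE_PPTP_SERVER} 66.194.227.0 0.0.0.255",
] + INBOUND_AS_POSTED

def pptp_return_packets(client: str = "66.194.227.61", server: str = REMOTE_PPTP_SERVER) -> dict:
    """Return-direction packets of an outbound PPTP session: the control-channel
    reply (server port 1723 -> client ephemeral port, ACK set) and a GRE packet."""
    return {
        "tcp1723_reply": Packet("tcp", server, client, sport=1723, dport=3301, ack=True),
        "gre": Packet("gre", server, client),
    }

def verdicts(acl: list) -> dict:
    """Verdict per return packet, e.g. {'tcp1723_reply': 'permit', 'gre': 'deny'}."""
    return {name: evaluate(acl, p) for name, p in pptp_return_packets().items()}

if __name__ == "__main__":
    for label, acl in [("as posted", INBOUND_AS_POSTED),
                       ("established only", INBOUND_ESTABLISHED_ONLY),
                       ("with return entries", INBOUND_WITH_RETURN)]:
        print(f"{label}: {verdicts(acl)}")
```

On the router the equivalent check is the one lrmoore names: run `show ip access-lists 120` after a connection attempt and look at the match counters on the GRE and TCP 1723 entries. Counters that stay at zero mean the packets are not arriving on that interface in that direction, which is a routing or ACL-placement problem rather than a missing entry.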