Solved

Cisco and MS VPN

Posted on 2004-04-26
Last Modified: 2013-11-29
We cannot connect through our router to an MS VPN.
We have a Cisco 3620; here is the ACL. What is missing?

access-list 110 remark .
access-list 110 remark ...
access-list 110 remark This effectively allows only hosts on our
access-list 110 remark subnet 66.194.227.0/24 (class C) to get out of the router
access-list 110 remark .....
access-list 110 permit ip  66.194.227.0 0.0.0.255 any
access-list 110 deny   ip any any
!
!
!
access-list 120 remark .
access-list 120 remark ...
access-list 120 remark The three rules below will effectively block all
access-list 120 remark incoming rfc1918 (Private Internet Addresses).
access-list 120 remark Unless this router is used on a network which is
access-list 120 remark using RFC1918 addresses these IP blocks
access-list 120 remark should be denied from entering or leaving any interface.
access-list 120 remark ....
access-list 120 deny ip  10.0.0.0    0.255.255.255      any log
access-list 120 deny ip  192.168.0.0 0.0.255.255        any log
access-list 120 deny ip  172.16.0.0  0.15.255.255       any log
access-list 120 remark ......
access-list 120 remark .......
access-list 120 remark Deny packets with local host, broadcast and multicast addresses
access-list 120 remark ........
access-list 120 deny ip  127.0.0.0   0.255.255.255  any log
access-list 120 deny ip  255.0.0.0   0.255.255.255  any log
access-list 120 deny ip  224.0.0.0   7.255.255.255  any log
access-list 120 remark .........
access-list 120 remark ..........
access-list 120 remark Deny packets without an IP address
access-list 120 deny    ip host 0.0.0.0 any log
!
!
access-list 120 remark 1.
access-list 120 remark  Access to commonly available resources
access-list 120 remark        domain (DNS) (UDP - Lookup, TCP - Zone Transfer)
access-list 120 remark        EMail - Smtp and Pop3
access-list 120 remark        FTP
access-list 120 remark        WWW
access-list 120 remark        SSL (443)
access-list 120 remark 1..
access-list 120 permit tcp any host 66.194.227.1  eq 22                 ! Secure Connection
access-list 120 permit udp any host 66.194.227.10 eq domain             ! Cygnus - DNS lookup
access-list 120 permit tcp any host 66.194.227.10 eq domain             ! Cygnus - DNS zone transfer
access-list 120 permit tcp any host 66.194.227.4  eq smtp               ! Titan Exchange Server - Smtp
access-list 120 permit tcp any host 66.194.227.4  eq pop3               ! Titan Exchange Server - POP3
access-list 120 permit tcp any host 66.194.227.4  eq www                ! Titan Exchange Server - Web Mail
access-list 120 permit tcp any host 66.194.227.6  eq www                ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.6  eq 443                ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.7  eq www                ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.7  eq 443                ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.8  eq www                ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.8  eq 443                ! Cassiopeia
access-list 120 permit tcp any host 66.194.227.6  range ftp-data ftp    ! Cassiopeia
access-list 120 remark 1...
!
!
!
access-list 120 remark 2.
access-list 120 remark Allow ICMP Replies
access-list 120 remark 2..
access-list 120 permit icmp any any echo-reply
access-list 120 remark 2...
!
!
!
access-list 120 remark 3.
access-list 120 remark  Identitech VPN Access
access-list 120 remark . pptp = 1723 (UDP & TCP)
access-list 120 remark 3..
access-list 120 permit tcp  any host 66.194.227.12 eq 1723                ! Tss-Max VPN
access-list 120 permit udp  any host 66.194.227.12 eq 1723                ! Tss-Max VPN
access-list 120 permit gre  any host 66.194.227.12                        ! Tss-Max Cisco VPN Protocol
!
! Stuff I am trying to get VPN to work
!  l2F = 1701  (UDP & TCP for outgoing connections)
!
access-list 120 permit udp  any any eq 1701             ! Allow users to connect to VPN
access-list 120 permit udp  any any eq 500              ! Allow users to connect to VPN
access-list 120 permit esp  any any                     ! Allow users to connect to VPN
access-list 120 permit ahp  any any                     ! Allow users to connect to VPN
access-list 120 remark 3...
!
!
!
!
!
access-list 120 remark 4.
access-list 120 remark  Remote Connection Programs
access-list 120 remark    Terminal Service - 3389
access-list 120 remark 4..
access-list 120 permit tcp any host 66.194.227.61  eq 3389              ! Glenn's Machine
access-list 120 permit tcp any host 66.194.227.138 eq 3389              ! Pegasus (Mindmill & Praveen SourceSafe)
access-list 120 remark 4...
!
!
!
access-list 120 remark 5.
access-list 120 remark  Completely Open Machines
access-list 120 remark      ...Very Risky...
access-list 120 remark 5..
access-list 120 permit ip any host 66.194.227.235                       ! Milna's Machine
access-list 120 remark 5...
!
!
!
access-list 120 remark 6.
access-list 120 remark     deny all the rest
access-list 120 remark 6..
access-list 120 deny ip any any
!
!
Question by:hglenni

Expert Comment

by:lrmoore
ID: 10923460
Can I assume that this is your local LAN and that acl 110 is applied to the LAN interface "in"?
>access-list 110 permit ip  66.194.227.0 0.0.0.255 any

These access-list entries are all you should need for the MS VPN to work (tcp 1723 and GRE):
>access-list 120 permit tcp  any host 66.194.227.12 eq 1723      
>access-list 120 permit gre  any host 66.194.227.12                      

I don't see anything for "established" connections. This should be at the very top of the acl 120:
access-list 120 permit tcp any 66.194.227.0 0.0.0.255 established

You might try adding "log" to the final deny any any to help troubleshoot:
i.e. access-list 120 deny ip any any log

Use output of "show ip access-list 120" to see/monitor hits to each line and make sure your TCP 1720 and GRE lines are getting hits. If not, check the default gateway setting for the MS VPN server itself..



Author Comment

by:hglenni
ID: 10923613
Thank you for your comment
I am going out from my network, and VPN to someone else.
In to mine works.

Thanks

Glenn

Accepted Solution

by:lrmoore
ID: 10923789
>I am going out from my network, and VPN to someone else.
Then you need to permit the GRE back in along with TCP 1723 from their IP to your internal IP

Author Comment

by:hglenni
ID: 10923811
Could you give me an example, like this?
Or is there a way to permit it elsewhere?
access-list 120 permit gre  any any

Expert Comment

by:lrmoore
ID: 10923931
Yes, but you can lock it down a little using the inside LAN {source} {destination}
access-list 120 permit gre 66.194.227.0 0.0.0.255 any
access-list 120 permit tcp 66.194.227.0 0.0.0.255 any eq 1723

Good luck!


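The thread turns on which direction the missing lines have to face, so here is an added Python model of how the router walks ACL 120. This is illustration code written for this page, not IOS and not anything from the poster or from lrmoore. It assumes ACL 120 is applied inbound on the Internet-facing interface, so the return traffic of a session a LAN host opened has the far end as source and 66.194.227.0/24 as destination. The far-end PPTP server 198.51.100.20 and the LAN client 66.194.227.50 are made-up addresses, and only the lines of the posted ACL that decide the outcome are reproduced. It shows that the posted ACL drops both the TCP 1723 replies and the GRE coming back, and that the two lines the accepted solution calls for (TCP 1723 from their IP to your LAN with `established`, and GRE from their IP to your LAN) let that session through while GRE from anyone else, a bare SYN from the far end and spoofed RFC1918 sources stay blocked.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    proto: str            # "tcp", "udp", "gre", "esp", "ahp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK/RST bit: the only thing IOS 'established' looks at


@dataclass
class Entry:
    action: str
    proto: str
    src: Tuple[int, int]                  # (address, wildcard) as 32-bit ints
    dst: Tuple[int, int]
    sport: Optional[int]
    dport: Optional[int]
    established: bool
    text: str


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _addr(t, i):
    """'any' | 'host A' | 'A WILDCARD' at t[i] -> ((addr, wild), next index)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2


def _eq(t, i):
    """Optional 'eq PORT' at t[i] -> (port or None, next index)."""
    return (int(t[i + 1]), i + 2) if i < len(t) and t[i] == "eq" else (None, i)


def parse_acl(text):
    """Numbered extended ACL lines; remarks, '!' lines and trailing '! notes' are skipped."""
    entries = []
    for raw in text.splitlines():
        t = raw.split("!")[0].split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, i = _addr(t, 4)
        sport, i = _eq(t, i)
        dst, i = _addr(t, i)
        dport, i = _eq(t, i)
        entries.append(Entry(t[2], t[3], src, dst, sport, dport,
                             "established" in t[i:], " ".join(t)))
    return entries


def _addr_match(ip, spec):
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF            # 0-bits of the wildcard are the bits that must match
    return (_ip(ip) & care) == (addr & care)


def matches(e, p):
    return ((e.proto == "ip" or e.proto == p.proto)
            and _addr_match(p.src, e.src) and _addr_match(p.dst, e.dst)
            and (e.sport is None or e.sport == p.sport)
            and (e.dport is None or e.dport == p.dport)
            and (not e.established or p.ack))


def evaluate(entries, p):
    """First match wins; a numbered ACL ends with an implicit deny."""
    for e in entries:
        if matches(e, p):
            return e.action, e.text
    return "deny", "(implicit deny)"


# The lines of the posted ACL 120 that decide the question (inbound on the Internet side).
ANTI_SPOOF = """
access-list 120 deny   ip 10.0.0.0    0.255.255.255 any log
access-list 120 deny   ip 192.168.0.0 0.0.255.255   any log
access-list 120 deny   ip 172.16.0.0  0.15.255.255  any log
"""
SERVICES = """
access-list 120 permit tcp any host 66.194.227.12 eq 1723     ! Tss-Max VPN
access-list 120 permit gre any host 66.194.227.12             ! Tss-Max VPN
access-list 120 permit udp any any eq 1701
access-list 120 permit udp any any eq 500
access-list 120 permit esp any any
access-list 120 permit ahp any any
access-list 120 deny   ip any any
"""
REMOTE_VPN = "198.51.100.20"     # constructed: the other company's PPTP server
CLIENT = "66.194.227.50"         # constructed: the LAN host dialling out

# The accepted solution's fix: TCP 1723 replies (ACK set) and GRE back in, from
# their server to our LAN only, placed after the anti-spoofing denies.
RETURN_PATH = f"""
access-list 120 permit tcp host {REMOTE_VPN} eq 1723 66.194.227.0 0.0.0.255 established
access-list 120 permit gre host {REMOTE_VPN} 66.194.227.0 0.0.0.255
"""
POSTED = ANTI_SPOOF + SERVICES
FIXED = ANTI_SPOOF + RETURN_PATH + SERVICES


def return_traffic():
    """The two inbound packets an outbound PPTP session cannot live without."""
    return [
        Packet("tcp", REMOTE_VPN, CLIENT, sport=1723, dport=3210, ack=True),  # control channel
        Packet("gre", REMOTE_VPN, CLIENT),                                     # tunnelled PPP
    ]


def verdicts(acl_text, packets):
    entries = parse_acl(acl_text)
    return [evaluate(entries, p)[0] for p in packets]


if __name__ == "__main__":
    for name, acl in (("posted", POSTED), ("fixed", FIXED)):
        entries = parse_acl(acl)
        for p in return_traffic():
            action, line = evaluate(entries, p)
            print(f"{name:6} {p.proto:3} {p.src} -> {p.dst}: {action:6} by {line}")
```

Two things to check before typing lines like these into a real router. First, direction: the source and destination in a permit describe the packet as it crosses the interface the ACL is attached to, so with 120 inbound on the WAN side the LAN network belongs in the destination slot for return traffic, and it would move to the source slot only if the list were attached outbound on the WAN interface instead. Second, the ACL is stateless: `established` only tests the ACK/RST bits, so it admits any ACK-flagged packet to the LAN, and GRE has no flag at all, which is why the permits are pinned to the far end's address rather than `any any`, and why they sit below the anti-spoofing denies rather than at the very top of the list.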
