Cisco router - access list

I am trying to facilitate VPN connectivity to some Nortel Contivity servers so i need to let traffic on UDP 500 into my network as well asp IP protocol 50.  I am on the client side of the things. I have configured the following access-list to no avail:

access-list 100 permit udp any any eq 500
access-list 100 permit udp any any eq 10000
access-list 100 permit tcp any any eq 23
access-list 100 permit esp any any

i then applied the list "in" my public interface...This should also facilitate access to my router via telnet correct??

Please help!
andreacadiaAsked:
Who is Participating?
 
lrmooreConnect With a Mentor Commented:
Well...
  >is what  i tested and i was still not able to telnet to the interface...
How did you test? Did you apply the access-list, then attempt to telnet into the router from somwhere on the internet? Or did you apply the acl, then attempt to telnet to the public IP from inside the network?

>Is the NAT transparency the culprit with respect to the VPN traffic?
Yes, nat-transparency is an issue anytime you have a VPN client on the inside of the network.
Your IOS version must support nat-transparency (you might have to upgrade to a different IOS version - 12.2(13)T - This feature was introduced)

The Nortel Contivity client may not use UDP 10000. I've seen it use in the 43000 range..
Be careful what you block when you setup an access-list that only permits certain things.
You might want to permit IP from the Contivity server host to your interface IP:
   access-list 100 permit ip host <VPN Server IP> any
   access-list 100 permit udp any eq domain any
   access-list 100 permit icmp any any
   access-list 100 permit tdp any any established
   access-list 100 permit tcp any host <serial ip> eq telnet
   access-list 100 deny ip any any log  <== "log" keyword is important for troubleshooting

0
 
lrmooreCommented:
This appears to be correct. Can you post result of "show access-list 100"

0
 
lrmooreCommented:
Assuming that you are also using NAT, do you have an IOS version that supports nat-transparency?
0
Cloud Class® Course: MCSA MCSE Windows Server 2012

This course teaches how to install and configure Windows Server 2012 R2.  It is the first step on your path to becoming a Microsoft Certified Solutions Expert (MCSE).

 
andreacadiaAuthor Commented:
i am using NAT, what is NAT transparency and how can is it relevant to this scenarion?  Also, as far as the access-list i posted, I cannot connect via telnet to my router.  Any ideas why?
0
 
andreacadiaAuthor Commented:
btw, i am using the nortel vpn client supplied by the vendor.
0
 
lrmooreCommented:
You'll have to post your complet config so I can see why you can't telnet..
0
 
Dr-IPCommented:
If you temporally remove the access list, can you telnet? As I suspect you may have more than one problem because your access list should allow you to telnet.  
0
 
andreacadiaAuthor Commented:

   Here is the config:


   
Building configuration...                        

Current configuration : 3149 bytes                                  
!
version 12.2            
service timestamps debug datetime msec                                      
service timestamps log datetime msec                                    
no service password-encryption                              
!
hostname
!
!
ip subnet-zero              
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx                        
no ip dhcp conflict logging                          
ip dhcp excluded-address 192.168.1.200 192.168.1.254                                                    
!
ip dhcp pool DHCP                    
   network 192.168.1.0 255.255.255.0                                                          
   default-router 192.168.1.1                            
   dns-server xxx.xxx.xxx.xxx                                                                
   netbios-node-type h-node                          
   lease infinite                
!
!
!
!
!
interface Null0              
 no ip unreachables                  
!
interface Ethernet0/0                                                            
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx                                      
 half-duplex            
!
interface FastEthernet0/0                        
 description Connection to internal network                                          
 ip address 192.168.1.1 255.255.255.0                                                        
 no ip unreachables                  
 ip nat inside              
 ip route-cache policy                      
 ip policy route-map nachi-worm                              
 speed auto          
!
interface Serial1/0                  
 description connection to T1
 ip access-group 100 in                                              
 backup interface Ethernet0/0                            
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 ip nat outside              
!
interface Serial1/1                  
 no ip address              
 shutdown        
!
ip nat inside source list 10 interface Serial1/0 overload                                                                                                                      
ip classless            
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx                                                                                                            
no ip http server                
!
!
access-list 100 permit udp any any eq 500
access-list 100 permit udp any any eq 10000
access-list 100 permit tcp any any eq 23
access-list 100 permit esp any any
!
!                                
ip access-list extended nachi-worm                                  
 permit icmp any any echo                        
 permit icmp any any echo-reply                              
!
access-list 10 permit 192.168.1.0 0.0.0.255                                          
                               
route-map nachi-worm permit 10                              
 match ip address nachi-worm                            
 match length 92 92                  
 set interface Null0                    
!
!
!
snmp-server community public RW
snmp-server enable traps tty
banner motd ^C
Authorized users only.
^C
!
line con 0
 password
 login
line aux 0
 password
 login
line vty 0 4
 password
 login
!
no scheduler allocate
end

#
0
 
lrmooreCommented:
What IP address are you trying to telnet to?

interface Serial1/0                                          
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx <--- this one?
0
 
andreacadiaAuthor Commented:
yes, the serial1/0 interface
0
 
lrmooreCommented:
Can you post result of
router#sho access-list 100

0
 
andreacadiaAuthor Commented:
i cannot post the output from that command because the access-list is not currently on the running config...but what i posted above is what  i tested and i was still not able to telnet to the interface...Is the NAT transparency the culprit with respect to the VPN traffic?
0
 
andreacadiaAuthor Commented:
so you are saying that since i am running v 12.2 i have to upgrade to 12.2(13)T before the applied access lists will work?

I tested the telnet access by telnet from another computer across the Internet

can you explain what the following statements do:

 access-list 100 permit udp any eq domain any
 access-list 100 deny ip any any log

0
 
andreacadiaAuthor Commented:
my exact version is 12.2.(11)T2
0
 
lrmooreCommented:
>i have to upgrade to 12.2(13)T before the applied access lists will work?
Not for the acls to work, but for nat-transparency to work - which you need..

Assuming that you still want your users to access the internet with this acl applied, you need to permit dns name resolution..

 access-list 100 permit udp any eq domain any  <-- permits the dns replys to come back in
 access-list 100 deny ip any any log  <-- sends a notice of all denied packets to the log buffer. Very handy when troubleshooting


0
 
andreacadiaAuthor Commented:
also, as far as the access-list you've suggested,

access-list 100 permit ip host <VPN Server IP> any
   access-list 100 permit udp any eq domain any
   access-list 100 permit icmp any any
   access-list 100 permit tdp any any established
   access-list 100 permit tcp any host <serial ip> eq telnet
   access-list 100 deny ip any any log  <== "log" keyword is important for troubleshooting

would this still require the following statement"

access-list 100 permit IP any any
0
 
lrmooreCommented:
No, it would not require "permit ip any any"
Good troubleshooting tools = "show log" and "sho access-list 100"
0
 
andreacadiaAuthor Commented:
is the 12.2(13)T a direct upgrade path from my currrent version...how shall i proceed with obtaining an upgrade?
0
 
lrmooreCommented:
Yes, anything in the same major release should be in the direct upgrade path for no charge upgrades.
Do you have a CCO login? Do you have a SmartNet maintenance agreement?
If not, then you will have to purchase an upgrade, or purchase the version that you want on a CD from someplace like http://www.cdw.com
0
 
andreacadiaAuthor Commented:
the above access list results in my citrix client connections failing...
0
 
lrmooreCommented:
Come on, now! You can't just keep throwing more stuff out here. This is the first time you've mentioned anything about citrix clients. Where are the clients - inside or outside? Where is the server- inside or outside? What client are you using? Web access or Terminal services tcp port 3389? What's in your logs? Does it give you any clues as to what it being denied so that you can adjust your acl accordingly?

I hope you fixed this typo (my bad, sorry) "tdp" should be "tcp", else you break lots of things..

> access-list 100 permit tdp any any established
                                   ^^
0
 
andreacadiaAuthor Commented:
sorry about throwing more stuff out there at you like that...what ports for citrix traffic should open open...tcp 1494 and udp 1604?
0
 
lrmooreCommented:
That's why I asked what client you are using and the relationship of where the client is vs where the server is..
It makes a difference which direction you need to open them up.
I would make sure I lock it down to the client's IP addresses in host specific entries.
Since you didn't show us any static nat statements, can I assume that the client is on the inside and the Citrix server is outside your network?

0
 
andreacadiaAuthor Commented:
yes that is a correct assumption...and we are using the ICA client
0
 
lrmooreCommented:
You can try adding:
Just remember the steps for changing an acl:
  1. remove the acl from the interface
      interface ser 1/0
        no ip access-group 100 in

  2. Delete the acl completely
       no access-list 100

  3. Re-create the acl entirely..

   access-list 100 permit ip host <VPN Server IP> any
   access-list 100 permit udp any eq domain any
   access-list 100 permit icmp any any
   access-list 100 permit tcp any any established
   access-list 100 permit tcp any host <serial ip> eq telnet
   access-list 100 permit tcp host <Citrix server ip> eq 1494 any
   access-list 100 deny ip any any log  

  4. re-apply acl to the interface
      interface serial 1/0
        ip access-group 100 in

  5. Save config..

0
 
andreacadiaAuthor Commented:
thanks alot for all your help irmoore.  however i still cannot telnet to the router..very strange.
0
 
lrmooreCommented:
Yes, very odd...
The permissions are explicit to allow any telnet....

Glad you're working otherwise!

0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.