andreacadia
asked on
Cisco router - access list
I am trying to facilitate VPN connectivity to some Nortel Contivity servers, so I need to let traffic on UDP 500 into my network as well as IP protocol 50. I am on the client side of things. I have configured the following access-list to no avail:
access-list 100 permit udp any any eq 500
access-list 100 permit udp any any eq 10000
access-list 100 permit tcp any any eq 23
access-list 100 permit esp any any
I then applied the list "in" on my public interface... This should also facilitate access to my router via telnet, correct?
Please help!
This appears to be correct. Can you post result of "show access-list 100"
Assuming that you are also using NAT, do you have an IOS version that supports nat-transparency?
ASKER
I am using NAT. What is NAT transparency and how is it relevant to this scenario? Also, as far as the access-list I posted, I cannot connect via telnet to my router. Any ideas why?
ASKER
BTW, I am using the Nortel VPN client supplied by the vendor.
You'll have to post your complete config so I can see why you can't telnet.
If you temporarily remove the access list, can you telnet? I suspect you may have more than one problem, because your access list should allow you to telnet.
ASKER
Here is the config:
Building configuration...
Current configuration : 3149 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname
!
!
ip subnet-zero
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.1.200 192.168.1.254
!
ip dhcp pool DHCP
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server xxx.xxx.xxx.xxx
netbios-node-type h-node
lease infinite
!
!
!
!
!
interface Null0
no ip unreachables
!
interface Ethernet0/0
ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
half-duplex
!
interface FastEthernet0/0
description Connection to internal network
ip address 192.168.1.1 255.255.255.0
no ip unreachables
ip nat inside
ip route-cache policy
ip policy route-map nachi-worm
speed auto
!
interface Serial1/0
description connection to T1
ip access-group 100 in
backup interface Ethernet0/0
ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
ip nat outside
!
interface Serial1/1
no ip address
shutdown
!
ip nat inside source list 10 interface Serial1/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
no ip http server
!
!
access-list 100 permit udp any any eq 500
access-list 100 permit udp any any eq 10000
access-list 100 permit tcp any any eq 23
access-list 100 permit esp any any
!
!
ip access-list extended nachi-worm
permit icmp any any echo
permit icmp any any echo-reply
!
access-list 10 permit 192.168.1.0 0.0.0.255
route-map nachi-worm permit 10
match ip address nachi-worm
match length 92 92
set interface Null0
!
!
!
snmp-server community public RW
snmp-server enable traps tty
banner motd ^C
Authorized users only.
^C
!
line con 0
password
login
line aux 0
password
login
line vty 0 4
password
login
!
no scheduler allocate
end
What IP address are you trying to telnet to?
interface Serial1/0
ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx <--- this one?
ASKER
Yes, the Serial1/0 interface.
Can you post result of
router#sho access-list 100
ASKER
I cannot post the output from that command because the access-list is not currently in the running config... but what I posted above is what I tested, and I was still not able to telnet to the interface... Is NAT transparency the culprit with respect to the VPN traffic?
ASKER CERTIFIED SOLUTION
ASKER
So you are saying that since I am running v12.2 I have to upgrade to 12.2(13)T before the applied access lists will work?
I tested the telnet access by telnetting from another computer across the Internet.
Can you explain what the following statements do:
access-list 100 permit udp any eq domain any
access-list 100 deny ip any any log
ASKER
My exact version is 12.2(11)T2.
>i have to upgrade to 12.2(13)T before the applied access lists will work?
Not for the ACLs to work, but for NAT transparency to work, which you need.
Assuming that you still want your users to access the internet with this ACL applied, you need to permit DNS name resolution:
access-list 100 permit udp any eq domain any <-- permits the DNS replies to come back in
access-list 100 deny ip any any log <-- sends a notice of all denied packets to the log buffer. Very handy when troubleshooting
ASKER
Also, as far as the access-list you've suggested:
access-list 100 permit ip host <VPN Server IP> any
access-list 100 permit udp any eq domain any
access-list 100 permit icmp any any
access-list 100 permit tdp any any established
access-list 100 permit tcp any host <serial ip> eq telnet
access-list 100 deny ip any any log <== "log" keyword is important for troubleshooting
would this still require the following statement?
access-list 100 permit IP any any
No, it would not require "permit ip any any"
Good troubleshooting tools = "show log" and "sho access-list 100"
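Since the thread keeps coming back to "show log" and the log keyword on the final deny, here is an added example (mine, not from the thread or from Cisco) that turns "show log" output into a per-flow summary of what the ACL is denying, so you can decide which return traffic is legitimate before you open anything. The message shapes are the standard IOS %SEC-6-IPACCESSLOGP/LOGDP/LOGNP forms; the log lines embedded below are constructed for the example, not taken from the thread.

```python
"""Summarise ACL 'log' hits from IOS 'show log' output. Added example, not from the thread.
The message shapes are the standard IOS ones: %SEC-6-IPACCESSLOGP (tcp/udp, with ports),
%SEC-6-IPACCESSLOGDP (icmp, with type/code) and %SEC-6-IPACCESSLOGNP (other protocols,
reported by IP protocol number). SAMPLE_LOG below is constructed, not from the thread."""
import re
from collections import Counter

PROTO_NUMBERS = {"50": "esp", "51": "ah", "47": "gre"}   # numbers the NP form reports

_PATTERNS = (
    re.compile(r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
               r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
               r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<n>\d+) packets?"),
    re.compile(r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) icmp "
               r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) \((?P<type>\d+)/(?P<code>\d+)\), "
               r"(?P<n>\d+) packets?"),
    re.compile(r"%SEC-6-IPACCESSLOGNP: list (?P<acl>\S+) (?P<action>permitted|denied) "
               r"(?P<proto>\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+), (?P<n>\d+) packets?"),
)

def parse_line(line):
    """Return a dict for a recognised ACL log message, or None for anything else."""
    for rx in _PATTERNS:
        m = rx.search(line)
        if m:
            d = m.groupdict()
            proto = d.get("proto", "icmp")          # the icmp form carries no proto field
            d["proto"] = PROTO_NUMBERS.get(proto, proto)
            d["n"] = int(d["n"])
            return d
    return None

def summarise_denies(lines, acl="100"):
    """Count denied packets per (proto, src, dst, dport-or-icmp-type) for one ACL."""
    hits = Counter()
    for line in lines:
        d = parse_line(line)
        if d is None or d["acl"] != acl or d["action"] != "denied":
            continue
        detail = d.get("dport") or d.get("type") or "-"
        hits[(d["proto"], d["src"], d["dst"], detail)] += d["n"]
    return hits

def report(lines, acl="100"):
    """Denied flows, busiest first: [((proto, src, dst, detail), packets), ...]."""
    return sorted(summarise_denies(lines, acl).items(), key=lambda kv: -kv[1])

# Constructed "show log" excerpt: an inbound RDP probe, a Citrix reply and an ESP packet
# being dropped, one logged permit, and an unrelated syslog line that must be ignored.
SAMPLE_LOG = """
*Mar  1 00:10:02.101: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.0.2.9(5555) -> 198.51.100.2(3389), 1 packet
*Mar  1 00:10:05.330: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.0.2.9(5556) -> 198.51.100.2(3389), 3 packets
*Mar  1 00:10:07.004: %SEC-6-IPACCESSLOGP: list 100 denied tcp 203.0.113.20(1494) -> 198.51.100.2(50001), 1 packet
*Mar  1 00:10:09.250: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 192.0.2.33 -> 198.51.100.2 (8/0), 2 packets
*Mar  1 00:10:11.800: %SEC-6-IPACCESSLOGNP: list 100 denied 50 203.0.113.10 -> 198.51.100.2, 1 packet
*Mar  1 00:10:12.000: %SEC-6-IPACCESSLOGP: list 100 permitted udp 203.0.113.10(500) -> 198.51.100.2(500), 1 packet
*Mar  1 00:10:15.000: %SYS-5-CONFIG_I: Configured from console by console
"""

if __name__ == "__main__":
    for (proto, src, dst, detail), n in report(SAMPLE_LOG.splitlines()):
        print(f"{n:5d}  {proto:5s} {src} -> {dst}  {detail}")
```

Paste real "show log" output in place of SAMPLE_LOG. Two things to keep in mind when reading the counts: IOS logs the first matching packet and then only a summary count at intervals, so the numbers are a floor, not an exact tally; and a flow showing up as denied is a reason to look, not an automatic reason to permit it. The Citrix line, for instance, is exactly the return traffic the thread opens with a host-specific entry, while the RDP probe from 192.0.2.9 is something you want the deny to keep catching.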
ASKER
Is 12.2(13)T a direct upgrade path from my current version? How shall I proceed with obtaining an upgrade?
Yes, anything in the same major release should be in the direct upgrade path for no charge upgrades.
Do you have a CCO login? Do you have a SmartNet maintenance agreement?
If not, then you will have to purchase an upgrade, or purchase the version that you want on a CD from someplace like http://www.cdw.com
ASKER
The above access list results in my Citrix client connections failing...
Come on, now! You can't just keep throwing more stuff out here. This is the first time you've mentioned anything about Citrix clients. Where are the clients - inside or outside? Where is the server - inside or outside? What client are you using? Web access or Terminal Services tcp port 3389? What's in your logs? Do they give you any clues as to what is being denied, so that you can adjust your acl accordingly?
I hope you fixed this typo (my bad, sorry): "tdp" should be "tcp", else you break lots of things.
> access-list 100 permit tdp any any established
^^
ASKER
Sorry about throwing more stuff out there at you like that... what ports for Citrix traffic should I open... tcp 1494 and udp 1604?
That's why I asked what client you are using and the relationship of where the client is vs where the server is..
It makes a difference which direction you need to open them up.
I would make sure I lock it down to the client's IP addresses in host specific entries.
Since you didn't show us any static nat statements, can I assume that the client is on the inside and the Citrix server is outside your network?
ASKER
Yes, that is a correct assumption... and we are using the ICA client.
You can try adding:
Just remember the steps for changing an acl:
1. remove the acl from the interface
interface ser 1/0
no ip access-group 100 in
2. Delete the acl completely
no access-list 100
3. Re-create the acl entirely..
access-list 100 permit ip host <VPN Server IP> any
access-list 100 permit udp any eq domain any
access-list 100 permit icmp any any
access-list 100 permit tcp any any established
access-list 100 permit tcp any host <serial ip> eq telnet
access-list 100 permit tcp host <Citrix server ip> eq 1494 any
access-list 100 deny ip any any log
4. re-apply acl to the interface
interface serial 1/0
ip access-group 100 in
5. Save config..
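To see why the original four-line list broke return traffic while the final list above does not, here is an added example (mine, not from the thread or from Cisco) that evaluates both lists the way the router does: top-down, first match wins, and an implicit, unlogged deny at the end. It handles only the syntax used in this thread. The addresses 198.51.100.2, 203.0.113.10 and 203.0.113.20 are constructed stand-ins for the <serial ip>, <VPN Server IP> and <Citrix server ip> placeholders, and the sample packets are constructed as well.

```python
"""First-match evaluator for IOS numbered extended ACLs. Added example, not from the thread.
Handles only what the thread uses: permit/deny; ip/tcp/udp/icmp/esp; 'any', 'host A' or
'A WILDCARD'; 'eq PORT' on either side; 'established'; 'log'. ICMP types are not modelled."""
import ipaddress
import re
from collections import namedtuple

PORT_NAMES = {"domain": 53, "telnet": 23}   # named ports that appear in the thread
# ack = TCP ACK (or RST) bit set; that is all the "established" keyword checks.
Packet = namedtuple("Packet", "proto src dst sport dport ack", defaults=(0, 0, False))
# src/dst are (address, wildcard) pairs; sport/dport are None when there is no 'eq'.
Rule = namedtuple("Rule", "action proto src sport dst dport established log text")

def _take_addr(toks):
    """Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'."""
    t = toks.pop(0)
    if t == "any":
        addr = ("0.0.0.0", "255.255.255.255")
    elif t == "host":
        addr = (toks.pop(0), "0.0.0.0")
    else:
        addr = (t, toks.pop(0))
    port = None
    if toks and toks[0] == "eq":
        name = toks[1]
        del toks[:2]
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return addr, port

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established] [log]'."""
    rules = []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = re.match(r"access-list\s+\d+\s+(permit|deny)\s+(\S+)\s+(.*)$", line, re.I)
        if not m:
            raise ValueError(f"unsupported line: {line}")
        action, proto, rest = (g.lower() for g in m.groups())
        if proto not in {"ip", "tcp", "udp", "icmp", "esp"}:   # catches typos like "tdp"
            raise ValueError(f"unknown protocol {proto!r} in: {line}")
        toks = rest.split()
        src, sport = _take_addr(toks)
        dst, dport = _take_addr(toks)
        rules.append(Rule(action, proto, src, sport, dst, dport,
                          "established" in toks, "log" in toks, line))
    return rules

def _ip_match(ip, addr):
    base, wild = (int(ipaddress.ip_address(a)) for a in addr)   # wildcard 1-bits: don't care
    return (int(ipaddress.ip_address(ip)) ^ base) & (~wild & 0xFFFFFFFF) == 0

def evaluate(rules, pkt):
    """Walk the list top-down and return (action, entry); the router stops at the first match.
    A packet that matches nothing hits the implicit deny, which is never logged."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not (_ip_match(pkt.src, r.src) and _ip_match(pkt.dst, r.dst)):
            continue
        if r.sport is not None and pkt.sport != r.sport:
            continue
        if r.dport is not None and pkt.dport != r.dport:
            continue
        if r.established and not (pkt.proto == "tcp" and pkt.ack):
            continue
        return r.action, r.text
    return "deny", "implicit deny ip any any (not logged)"

SERIAL_IP, VPN_SERVER, CITRIX_SERVER = "198.51.100.2", "203.0.113.10", "203.0.113.20"  # constructed

ORIGINAL_ACL = """
access-list 100 permit udp any any eq 500
access-list 100 permit udp any any eq 10000
access-list 100 permit tcp any any eq 23
access-list 100 permit esp any any
"""

FINAL_ACL = f"""
access-list 100 permit ip host {VPN_SERVER} any
access-list 100 permit udp any eq domain any
access-list 100 permit icmp any any
access-list 100 permit tcp any any established
access-list 100 permit tcp any host {SERIAL_IP} eq telnet
access-list 100 permit tcp host {CITRIX_SERVER} eq 1494 any
access-list 100 deny ip any any log
"""

# Constructed inbound packets as "ip access-group 100 in" on Serial1/0 sees them; replies to
# inside hosts arrive addressed to the serial IP because of the overload NAT.
SAMPLE_PACKETS = {
    "ike_from_vpn_server": Packet("udp", VPN_SERVER, SERIAL_IP, 500, 500),
    "dns_reply": Packet("udp", "203.0.113.53", SERIAL_IP, 53, 34567),
    "telnet_syn_to_router": Packet("tcp", "192.0.2.7", SERIAL_IP, 40001, 23),
    "citrix_reply": Packet("tcp", CITRIX_SERVER, SERIAL_IP, 1494, 50000, ack=True),
    "rdp_probe": Packet("tcp", "192.0.2.9", SERIAL_IP, 5555, 3389),
}

def compare(acl_a, acl_b, packets=SAMPLE_PACKETS):
    """Evaluate each sample packet against both lists; returns {name: (action_a, action_b)}."""
    ra, rb = parse_acl(acl_a), parse_acl(acl_b)
    return {n: (evaluate(ra, p)[0], evaluate(rb, p)[0]) for n, p in packets.items()}
```

Run compare(ORIGINAL_ACL, FINAL_ACL) and the thread's whole history falls out: the DNS reply and the Citrix return traffic are dropped by the original list (silently, by the implicit deny, which is why nothing showed up to explain the breakage) and permitted by the final one, the IKE packet and the telnet SYN to the serial IP are permitted by both, and the RDP probe ends on the explicit "deny ip any any log" entry so it appears in "show log". parse_acl also refuses the "tdp" typo instead of accepting an entry that can never match, which on a real router is what would have broken "lots of things".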
ASKER
Thanks a lot for all your help, irmoore. However, I still cannot telnet to the router... very strange.
Yes, very odd...
The permissions are explicit to allow any telnet....
Glad you're working otherwise!