Solved

Cisco router - access list

Posted on 2004-10-08
862 Views
Last Modified: 2010-04-17
I am trying to facilitate VPN connectivity to some Nortel Contivity servers, so I need to let traffic on UDP 500 into my network as well as IP protocol 50. I am on the client side of things. I have configured the following access-list to no avail:

access-list 100 permit udp any any eq 500
access-list 100 permit udp any any eq 10000
access-list 100 permit tcp any any eq 23
access-list 100 permit esp any any

I then applied the list "in" on my public interface... This should also facilitate access to my router via telnet, correct?

Please help!
0
Comment
Question by:andreacadia
27 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12263439
This appears to be correct. Can you post result of "show access-list 100"

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12263442
Assuming that you are also using NAT, do you have an IOS version that supports nat-transparency?
0
 

Author Comment

by:andreacadia
ID: 12264141
I am using NAT. What is NAT transparency and how is it relevant to this scenario? Also, as far as the access-list I posted, I cannot connect via telnet to my router. Any ideas why?
0
 

Author Comment

by:andreacadia
ID: 12264165
BTW, I am using the Nortel VPN client supplied by the vendor.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12264939
You'll have to post your complete config so I can see why you can't telnet..
0
 
LVL 13

Expert Comment

by:Dr-IP
ID: 12268800
If you temporarily remove the access list, can you telnet? I suspect you may have more than one problem, because your access list should allow you to telnet.
0
 

Author Comment

by:andreacadia
ID: 12278512
Here is the config:

Building configuration...

Current configuration : 3149 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname
!
!
ip subnet-zero
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.1.200 192.168.1.254
!
ip dhcp pool DHCP
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server xxx.xxx.xxx.xxx
   netbios-node-type h-node
   lease infinite
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface Ethernet0/0
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 half-duplex
!
interface FastEthernet0/0
 description Connection to internal network
 ip address 192.168.1.1 255.255.255.0
 no ip unreachables
 ip nat inside
 ip route-cache policy
 ip policy route-map nachi-worm
 speed auto
!
interface Serial1/0
 description connection to T1
 ip access-group 100 in
 backup interface Ethernet0/0
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 ip nat outside
!
interface Serial1/1
 no ip address
 shutdown
!
ip nat inside source list 10 interface Serial1/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
no ip http server
!
!
access-list 100 permit udp any any eq 500
access-list 100 permit udp any any eq 10000
access-list 100 permit tcp any any eq 23
access-list 100 permit esp any any
!
!
ip access-list extended nachi-worm
 permit icmp any any echo
 permit icmp any any echo-reply
!
access-list 10 permit 192.168.1.0 0.0.0.255

route-map nachi-worm permit 10
 match ip address nachi-worm
 match length 92 92
 set interface Null0
!
!
!
snmp-server community public RW
snmp-server enable traps tty
banner motd ^C
Authorized users only.
^C
!
line con 0
 password
 login
line aux 0
 password
 login
line vty 0 4
 password
 login
!
no scheduler allocate
end

#
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12278608
What IP address are you trying to telnet to?

interface Serial1/0                                          
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx <--- this one?
0
 

Author Comment

by:andreacadia
ID: 12278763
Yes, the Serial1/0 interface.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12278875
Can you post result of
router#sho access-list 100

0
 

Author Comment

by:andreacadia
ID: 12279123
I cannot post the output from that command because the access-list is not currently in the running config... but what I posted above is what I tested, and I was still not able to telnet to the interface... Is the NAT transparency the culprit with respect to the VPN traffic?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 12279241
Well...
  >is what I tested and I was still not able to telnet to the interface...
How did you test? Did you apply the access-list, then attempt to telnet into the router from somewhere on the Internet? Or did you apply the acl, then attempt to telnet to the public IP from inside the network?

>Is the NAT transparency the culprit with respect to the VPN traffic?
Yes, nat-transparency is an issue anytime you have a VPN client on the inside of the network.
Your IOS version must support nat-transparency (you might have to upgrade to a different IOS version; this feature was introduced in 12.2(13)T).

The Nortel Contivity client may not use UDP 10000. I've seen it use in the 43000 range..
Be careful what you block when you setup an access-list that only permits certain things.
You might want to permit IP from the Contivity server host to your interface IP:
   access-list 100 permit ip host <VPN Server IP> any
   access-list 100 permit udp any eq domain any
   access-list 100 permit icmp any any
   access-list 100 permit tdp any any established
   access-list 100 permit tcp any host <serial ip> eq telnet
   access-list 100 deny ip any any log  <== "log" keyword is important for troubleshooting

0
 

Author Comment

by:andreacadia
ID: 12279635
So you are saying that since I am running v 12.2 I have to upgrade to 12.2(13)T before the applied access lists will work?

I tested the telnet access by telnetting from another computer across the Internet.

can you explain what the following statements do:

 access-list 100 permit udp any eq domain any
 access-list 100 deny ip any any log

0

 

Author Comment

by:andreacadia
ID: 12279899
My exact version is 12.2(11)T2.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12280049
>i have to upgrade to 12.2(13)T before the applied access lists will work?
Not for the acls to work, but for nat-transparency to work - which you need..

Assuming that you still want your users to access the internet with this acl applied, you need to permit dns name resolution..

 access-list 100 permit udp any eq domain any  <-- permits the dns replies to come back in
 access-list 100 deny ip any any log  <-- sends a notice of all denied packets to the log buffer. Very handy when troubleshooting


0
 

Author Comment

by:andreacadia
ID: 12280073
Also, as far as the access-list you've suggested,

access-list 100 permit ip host <VPN Server IP> any
   access-list 100 permit udp any eq domain any
   access-list 100 permit icmp any any
   access-list 100 permit tdp any any established
   access-list 100 permit tcp any host <serial ip> eq telnet
   access-list 100 deny ip any any log  <== "log" keyword is important for troubleshooting

would this still require the following statement?

access-list 100 permit IP any any
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12280214
No, it would not require "permit ip any any"
Good troubleshooting tools = "show log" and "sho access-list 100"
0
 

Author Comment

by:andreacadia
ID: 12280469
Is 12.2(13)T a direct upgrade path from my current version... how shall I proceed with obtaining an upgrade?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12280543
Yes, anything in the same major release should be in the direct upgrade path for no charge upgrades.
Do you have a CCO login? Do you have a SmartNet maintenance agreement?
If not, then you will have to purchase an upgrade, or purchase the version that you want on a CD from someplace like http://www.cdw.com
0
 

Author Comment

by:andreacadia
ID: 12289765
The above access list results in my Citrix client connections failing...
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12289943
Come on, now! You can't just keep throwing more stuff out here. This is the first time you've mentioned anything about Citrix clients. Where are the clients - inside or outside? Where is the server - inside or outside? What client are you using? Web access or Terminal Services TCP port 3389? What's in your logs? Does it give you any clues as to what is being denied so that you can adjust your acl accordingly?

I hope you fixed this typo (my bad, sorry) "tdp" should be "tcp", else you break lots of things..

> access-list 100 permit tdp any any established
                                   ^^
0
 

Author Comment

by:andreacadia
ID: 12291082
Sorry about throwing more stuff out there at you like that... what ports for Citrix traffic should I open... TCP 1494 and UDP 1604?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12291200
That's why I asked what client you are using and the relationship of where the client is vs where the server is..
It makes a difference which direction you need to open them up.
I would make sure I lock it down to the client's IP addresses in host specific entries.
Since you didn't show us any static nat statements, can I assume that the client is on the inside and the Citrix server is outside your network?

0
 

Author Comment

by:andreacadia
ID: 12291382
Yes, that is a correct assumption... and we are using the ICA client.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12291482
You can try adding:
Just remember the steps for changing an acl:
  1. remove the acl from the interface
      interface ser 1/0
        no ip access-group 100 in

  2. Delete the acl completely
       no access-list 100

  3. Re-create the acl entirely..

   access-list 100 permit ip host <VPN Server IP> any
   access-list 100 permit udp any eq domain any
   access-list 100 permit icmp any any
   access-list 100 permit tcp any any established
   access-list 100 permit tcp any host <serial ip> eq telnet
   access-list 100 permit tcp host <Citrix server ip> eq 1494 any
   access-list 100 deny ip any any log  

  4. re-apply acl to the interface
      interface serial 1/0
        ip access-group 100 in

  5. Save config..

0
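To see how the list lrmoore proposed (in the accepted solution and again, with the Citrix line, in the five-step procedure above) actually behaves, here is an added first-match simulator; it is not code from the thread or from Cisco. It assumes the "tdp" typo is corrected to tcp, and the three placeholder addresses stand in for the thread's <VPN Server IP>, <serial ip> and <Citrix server ip>.

```python
# Added example: first-match evaluation of the inbound ACL on Serial1/0.
# Addresses are constructed placeholders, not values from the thread.
from dataclasses import dataclass
from typing import Optional

VPN_SERVER = "203.0.113.10"  # <VPN Server IP> (placeholder)
SERIAL_IP = "198.51.100.1"   # <serial ip> (placeholder)
CITRIX = "203.0.113.20"      # <Citrix server ip> (placeholder)

@dataclass
class Ace:
    proto: str; src: str = "any"; sport: Optional[int] = None
    dst: str = "any"; dport: Optional[int] = None
    established: bool = False; action: str = "permit"; log: bool = False
    hits: int = 0  # mimics the match counter that "show access-list 100" prints

ACL_100 = [
    Ace("ip", src=VPN_SERVER),             # permit ip host <VPN Server IP> any
    Ace("udp", sport=53),                  # permit udp any eq domain any
    Ace("icmp"),                           # permit icmp any any
    Ace("tcp", established=True),          # permit tcp any any established
    Ace("tcp", dst=SERIAL_IP, dport=23),   # permit tcp any host <serial ip> eq telnet
    Ace("tcp", src=CITRIX, sport=1494),    # permit tcp host <Citrix server ip> eq 1494 any
    Ace("ip", action="deny", log=True),    # deny ip any any log
]

@dataclass
class Packet:
    proto: str; src: str; sport: int; dst: str; dport: int
    ack: bool = False  # ACK or RST set: what IOS "established" keys on

def matches(ace, pkt):
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and ace.src in ("any", pkt.src) and ace.dst in ("any", pkt.dst)
            and ace.sport in (None, pkt.sport) and ace.dport in (None, pkt.dport)
            and (not ace.established or pkt.ack))

def evaluate(acl, pkt):
    """First matching entry wins; returns (action, logged). No match = implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            ace.hits += 1
            return ace.action, ace.log
    return "deny", False

SAMPLES = {  # constructed packets arriving inbound on Serial1/0
    "esp from vpn server": Packet("esp", VPN_SERVER, 0, SERIAL_IP, 0),
    "dns reply": Packet("udp", "203.0.113.53", 53, SERIAL_IP, 40123),
    "telnet to router": Packet("tcp", "192.0.2.5", 51000, SERIAL_IP, 23),
    "unsolicited syn to 80": Packet("tcp", "192.0.2.5", 51001, SERIAL_IP, 80),
    "citrix ica reply": Packet("tcp", CITRIX, 1494, SERIAL_IP, 51002, ack=True),
}
```

Running `evaluate` over the samples shows why no trailing "permit ip any any" is needed: everything not explicitly permitted falls through to the logged deny, which is the entry whose hit count you read in "show access-list 100" and "show log" when troubleshooting.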
 

Author Comment

by:andreacadia
ID: 12292477
Thanks a lot for all your help lrmoore. However I still cannot telnet to the router.. very strange.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12292629
Yes, very odd...
The permissions are explicit to allow any telnet....

Glad you're working otherwise!

0
