Ipsec Tunnel to 1710

Hello all I have a 1710 I use at home and I created tunnel to be used with my Cisco vpn client if for some reason I need something off my LAN while at work.
Well, I can connect and authenticate and can ping local addresses but my reply comes back as my public address.  I would like to be able to access other machines on my home network 192.168.x.x but I see on my router log that my acl is denying serveral things.  The 14.1.1.x is my ippool for the vpn group.  My private range at work is 172.28.x.x

Apr 12 09:59:11 EDT: %SEC-6-IPACCESSLOGP: list 101 denied tcp 14.1.1.104(3591) -> 192.168.1.22(445), 1 packet
Apr 12 10:04:52 EDT: %SEC-6-IPACCESSLOGP: list 101 denied tcp 14.1.1.104(3592) -> 192.168.1.22(139), 3 packets
Apr 12 10:04:52 EDT: %SEC-6-IPACCESSLOGP: list 101 denied tcp 14.1.1.104(3591) -> 192.168.1.22(445), 2 packets
rick_me27Asked:
Who is Participating?
 
lrmooreConnect With a Mentor Commented:
Yes, you are still natting and that is why you see the public IP address.

Replace this:
ip nat inside source list 1 interface Ethernet0 overload
access-list 1 permit 192.168.1.0 0.0.0.255

With this:
  access-list 105 deny ip 192.168.1.0 0.0.0.255 14.1.1.0 0.0.0.255
  access-list 105 permit ip 192.168.1.0 0.0.0.255 any
route-map nonatvpn permit 10
  match ip address 105
ip nat inside source route-map nonatvpn interface Ethernet0 overload



 
0
 
lrmooreCommented:
You need to include the pool in your access-list 101

  access-list 101 permit ip 14.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
0
 
rick_me27Author Commented:
I have done that.  I'll post all my ACLs so you can check them out.

access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 deny   any
access-list 101 deny   udp any any eq tftp log
access-list 101 deny   tcp any any eq 445 log
access-list 101 deny   tcp any any eq 135 log
access-list 101 deny   tcp any any eq 137 log
access-list 101 deny   tcp any any eq 138 log
access-list 101 deny   tcp any any eq 139 log
access-list 101 deny   udp any any eq netbios-dgm log
access-list 101 deny   udp any any eq netbios-ss log
access-list 101 deny   tcp any any eq 1433 log
access-list 101 deny   tcp any any eq 1434 log
access-list 101 deny   udp any any eq 1433 log
access-list 101 deny   udp any any eq 1434 log
access-list 101 deny   tcp any any eq 2745 log
access-list 101 deny   tcp any any eq 15118 log
access-list 101 permit ip 14.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit udp host 24.249.x.x host 66.207.x.x eq isakmp
access-list 101 permit udp host 24.249.x.x host 66.207.x.x eq non500-isakmp
access-list 101 permit tcp any 192.168.1.0 0.0.0.255 eq telnet
access-list 101 permit tcp host 24.249.x.x host 66.207.x.x eq 22
access-list 101 permit udp host 204.34.198.41 host 66.207.x.x eq ntp
access-list 101 permit udp host 192.5.41.209 host 66.207.x.x eq ntp
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 net-unreachable
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 host-unreachable
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 port-unreachable
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 packet-too-big
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 administratively-prohibited
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 source-quench
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 ttl-exceeded
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any any established
access-list 101 deny   ip host 66.207.x.x any log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 224.0.0.0 15.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any log
access-list 101 deny   ip host 0.0.0.0 any log
access-list 101 deny   ip any any log
access-list 103 permit ip 192.168.0.0 0.0.255.255 14.1.1.0 0.0.0.255
access-list 110 permit tcp 192.168.0.0 0.0.255.255 any eq telnet
access-list 110 permit tcp 192.168.0.0 0.0.255.255 any eq 22
access-list 110 permit tcp host 24.249.x.x any eq 22
access-list 110 permit tcp host 24.249.x.x any eq telnet
0
Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
lrmooreCommented:
You need to move it up to the top...

Let's look at what you have. According to your log you are being denied ports 139 and 445
access-list 101 deny   udp any any eq tftp log
access-list 101 deny   tcp any any eq 445 log <== denied 14.1.1.x
access-list 101 deny   tcp any any eq 135 log
access-list 101 deny   tcp any any eq 137 log
access-list 101 deny   tcp any any eq 138 log
access-list 101 deny   tcp any any eq 139 log <==denied 14.1.1.x
access-list 101 deny   udp any any eq netbios-dgm log
access-list 101 deny   udp any any eq netbios-ss log
access-list 101 deny   tcp any any eq 1433 log
access-list 101 deny   tcp any any eq 1434 log
access-list 101 deny   udp any any eq 1433 log
access-list 101 deny   udp any any eq 1434 log
access-list 101 deny   tcp any any eq 2745 log
access-list 101 deny   tcp any any eq 15118 log
access-list 101 permit ip 14.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255 <== NOW you permit, but only after all the other ports have been denied..

0
 
rick_me27Author Commented:
ahh.  I see.  so if I permit access-list 101 permit ip 14.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255 above what I am denying I should be able to get in to my local lan?
0
 
lrmooreCommented:
Yes. Remember that every access-list is processed top-down until the first match.
0
 
rick_me27Author Commented:
I knew that :)  Just didn't think about it when I was creating these ACLs.   How come when I ping a private address a reply comes back from my public address?
Never seen that before.
0
 
lrmooreCommented:
You may be natting icmp through the tunnel? I'd have to see more of your config to figure that out..
I don't see any access-list that looks like part of a route-map applied to NAT.

0
 
rick_me27Author Commented:
let me show you:



version 12.3
service timestamps debug uptime
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname RMrouter
!
boot-start-marker
boot-end-marker
!
logging buffered 8024 debugging
enable secret 5 $1$WHbG$NTXKub1AJUZEEIC3hxFLv.
enable password 7 104C1B1853131D05010126202D
!
clock timezone eastern -5
clock summer-time EDT recurring
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip tcp path-mtu-discovery
ip domain name RMrouter.com
ip dhcp excluded-address 192.168.1.1 192.168.1.20
!
ip dhcp pool MainScope
   network 192.168.1.0 255.255.255.0
   dns-server 216.12.23.244
   default-router 192.168.1.1
!
no ip bootp server
ip cef
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name firewall_in tcp
ip inspect name firewall_in udp
ip inspect name firewall_in ftp
ip inspect name firewall_in smtp
ip inspect name firewall_in tftp
ip inspect name firewall_in http
ip inspect name firewall_out tcp
ip inspect name firewall_out udp
ip inspect name firewall_out ftp
ip inspect name firewall_out smtp
ip inspect name firewall_out tftp
ip inspect name firewall_out http
ip audit po max-events 100
no ftp-server write-enable
!
!
username rmelki password 7 00060107525F04080224404500
username rtadmin password 7 045802150C2E1D1C5A
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpngroup
 key wildhorses500
 pool ippool
 acl 103
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface Ethernet0
 description External Static DSL Interface
 ip address 66.207.x.x 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 half-duplex
 no cdp enable
 crypto map clientmap
!
interface FastEthernet0
 description Inside Static Interface to my LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
 no cdp enable
!
ip local pool ippool 14.1.1.100 14.1.1.200
ip nat inside source list 1 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 66.207.x.x
no ip http server
no ip http secure-server
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 deny   any
access-list 101 deny   udp any any eq tftp log
access-list 101 deny   tcp any any eq 445 log
access-list 101 deny   tcp any any eq 135 log
access-list 101 deny   tcp any any eq 137 log
access-list 101 deny   tcp any any eq 138 log
access-list 101 deny   tcp any any eq 139 log
access-list 101 deny   udp any any eq netbios-dgm log
access-list 101 deny   udp any any eq netbios-ss log
access-list 101 deny   tcp any any eq 1433 log
access-list 101 deny   tcp any any eq 1434 log
access-list 101 deny   udp any any eq 1433 log
access-list 101 deny   udp any any eq 1434 log
access-list 101 deny   tcp any any eq 2745 log
access-list 101 deny   tcp any any eq 15118 log
access-list 101 permit ip 14.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit udp host 24.249.x.x host 66.207.x.x eq isakmp
access-list 101 permit udp host 24.249.x.x host 66.207.x.x eq non500-isakmp
access-list 101 permit tcp any 192.168.1.0 0.0.0.255 eq telnet
access-list 101 permit tcp host 24.249.x.x host 66.207.x.x eq 22
access-list 101 permit udp host 204.34.198.41 host 66.207.x.x eq ntp
access-list 101 permit udp host 192.5.41.209 host 66.207.x.x eq ntp
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 net-unreachable
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 host-unreachable
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 port-unreachable
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 packet-too-big
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 administratively-prohibited
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 source-quench
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 ttl-exceeded
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any any established
access-list 101 deny   ip host 66.207.x.x any log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 224.0.0.0 15.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any log
access-list 101 deny   ip host 0.0.0.0 any log
access-list 101 deny   ip any any log
access-list 103 permit ip 192.168.0.0 0.0.255.255 14.1.1.0 0.0.0.255
access-list 110 permit tcp 192.168.0.0 0.0.255.255 any eq telnet
access-list 110 permit tcp 192.168.0.0 0.0.255.255 any eq 22
access-list 110 permit tcp host 24.249.x.x any eq 22
access-list 110 permit tcp host 24.249.x.x any eq telnet
no cdp run
!
banner login ^C
LEGAL NOTICE: This device is currently being monitored for unauthorized access.
All unauthorized access to this device will be researched and remedied
through legal means.  If you are not authorized to access this device
please disconnect immediately to prevent further action.
^C
!
line con 0
 exec-timeout 5 0
 password 7 121B1716440F030A272E28233A
line aux 0
 access-class 2 in
 exec-timeout 0 10
 no exec
line vty 0 4
 access-class 110 in
 exec-timeout 5 0
 password 7 011114050D0F09012C49420210
 transport input telnet ssh
!
ntp clock-period 17168921
ntp server 204.34.198.41 prefer
ntp server 192.5.41.209
end
0
 
rick_me27Author Commented:
thanks lrmoore.  That did work.  Have a good one.
0
 
lrmooreCommented:
Ditto!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.