Solved

Ipsec Tunnel to 1710

Posted on 2005-04-12
Last Modified: 2010-04-17
Hello all, I have a 1710 I use at home and I created a tunnel to be used with my Cisco VPN client if for some reason I need something off my LAN while at work.
Well, I can connect and authenticate and can ping local addresses, but my reply comes back as my public address.  I would like to be able to access other machines on my home network 192.168.x.x, but I see on my router log that my ACL is denying several things.  The 14.1.1.x is my ippool for the vpn group.  My private range at work is 172.28.x.x

Apr 12 09:59:11 EDT: %SEC-6-IPACCESSLOGP: list 101 denied tcp 14.1.1.104(3591) -> 192.168.1.22(445), 1 packet
Apr 12 10:04:52 EDT: %SEC-6-IPACCESSLOGP: list 101 denied tcp 14.1.1.104(3592) -> 192.168.1.22(139), 3 packets
Apr 12 10:04:52 EDT: %SEC-6-IPACCESSLOGP: list 101 denied tcp 14.1.1.104(3591) -> 192.168.1.22(445), 2 packets
Question by:rick_me27

11 Comments
LVL 79

Expert Comment

by:lrmoore
ID: 13765015
You need to include the pool in your access-list 101

  access-list 101 permit ip 14.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255

Author Comment

by:rick_me27
ID: 13765077
I have done that.  I'll post all my ACLs so you can check them out.

access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 deny   any
access-list 101 deny   udp any any eq tftp log
access-list 101 deny   tcp any any eq 445 log
access-list 101 deny   tcp any any eq 135 log
access-list 101 deny   tcp any any eq 137 log
access-list 101 deny   tcp any any eq 138 log
access-list 101 deny   tcp any any eq 139 log
access-list 101 deny   udp any any eq netbios-dgm log
access-list 101 deny   udp any any eq netbios-ss log
access-list 101 deny   tcp any any eq 1433 log
access-list 101 deny   tcp any any eq 1434 log
access-list 101 deny   udp any any eq 1433 log
access-list 101 deny   udp any any eq 1434 log
access-list 101 deny   tcp any any eq 2745 log
access-list 101 deny   tcp any any eq 15118 log
access-list 101 permit ip 14.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit udp host 24.249.x.x host 66.207.x.x eq isakmp
access-list 101 permit udp host 24.249.x.x host 66.207.x.x eq non500-isakmp
access-list 101 permit tcp any 192.168.1.0 0.0.0.255 eq telnet
access-list 101 permit tcp host 24.249.x.x host 66.207.x.x eq 22
access-list 101 permit udp host 204.34.198.41 host 66.207.x.x eq ntp
access-list 101 permit udp host 192.5.41.209 host 66.207.x.x eq ntp
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 net-unreachable
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 host-unreachable
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 port-unreachable
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 packet-too-big
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 administratively-prohibited
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 source-quench
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 ttl-exceeded
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any any established
access-list 101 deny   ip host 66.207.x.x any log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 224.0.0.0 15.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any log
access-list 101 deny   ip host 0.0.0.0 any log
access-list 101 deny   ip any any log
access-list 103 permit ip 192.168.0.0 0.0.255.255 14.1.1.0 0.0.0.255
access-list 110 permit tcp 192.168.0.0 0.0.255.255 any eq telnet
access-list 110 permit tcp 192.168.0.0 0.0.255.255 any eq 22
access-list 110 permit tcp host 24.249.x.x any eq 22
access-list 110 permit tcp host 24.249.x.x any eq telnet
LVL 79

Expert Comment

by:lrmoore
ID: 13765151
You need to move it up to the top...

Let's look at what you have. According to your log you are being denied ports 139 and 445
access-list 101 deny   udp any any eq tftp log
access-list 101 deny   tcp any any eq 445 log <== denied 14.1.1.x
access-list 101 deny   tcp any any eq 135 log
access-list 101 deny   tcp any any eq 137 log
access-list 101 deny   tcp any any eq 138 log
access-list 101 deny   tcp any any eq 139 log <==denied 14.1.1.x
access-list 101 deny   udp any any eq netbios-dgm log
access-list 101 deny   udp any any eq netbios-ss log
access-list 101 deny   tcp any any eq 1433 log
access-list 101 deny   tcp any any eq 1434 log
access-list 101 deny   udp any any eq 1433 log
access-list 101 deny   udp any any eq 1434 log
access-list 101 deny   tcp any any eq 2745 log
access-list 101 deny   tcp any any eq 15118 log
access-list 101 permit ip 14.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255 <== NOW you permit, but only after all the other ports have been denied..


Author Comment

by:rick_me27
ID: 13765201
Ahh, I see.  So if I put "access-list 101 permit ip 14.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255" above what I am denying, I should be able to get into my local LAN?
LVL 79

Expert Comment

by:lrmoore
ID: 13765403
Yes. Remember that every access-list is processed top-down until the first match.

Author Comment

by:rick_me27
ID: 13765441
I knew that :)  Just didn't think about it when I was creating these ACLs.   How come when I ping a private address a reply comes back from my public address?
Never seen that before.
LVL 79

Expert Comment

by:lrmoore
ID: 13765578
You may be natting icmp through the tunnel? I'd have to see more of your config to figure that out..
I don't see any access-list that looks like part of a route-map applied to NAT.


Author Comment

by:rick_me27
ID: 13765667
Let me show you:

version 12.3
service timestamps debug uptime
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname RMrouter
!
boot-start-marker
boot-end-marker
!
logging buffered 8024 debugging
enable secret 5 $1$WHbG$NTXKub1AJUZEEIC3hxFLv.
enable password 7 104C1B1853131D05010126202D
!
clock timezone eastern -5
clock summer-time EDT recurring
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip tcp path-mtu-discovery
ip domain name RMrouter.com
ip dhcp excluded-address 192.168.1.1 192.168.1.20
!
ip dhcp pool MainScope
   network 192.168.1.0 255.255.255.0
   dns-server 216.12.23.244
   default-router 192.168.1.1
!
no ip bootp server
ip cef
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name firewall_in tcp
ip inspect name firewall_in udp
ip inspect name firewall_in ftp
ip inspect name firewall_in smtp
ip inspect name firewall_in tftp
ip inspect name firewall_in http
ip inspect name firewall_out tcp
ip inspect name firewall_out udp
ip inspect name firewall_out ftp
ip inspect name firewall_out smtp
ip inspect name firewall_out tftp
ip inspect name firewall_out http
ip audit po max-events 100
no ftp-server write-enable
!
!
username rmelki password 7 00060107525F04080224404500
username rtadmin password 7 045802150C2E1D1C5A
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpngroup
 key wildhorses500
 pool ippool
 acl 103
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface Ethernet0
 description External Static DSL Interface
 ip address 66.207.x.x 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 half-duplex
 no cdp enable
 crypto map clientmap
!
interface FastEthernet0
 description Inside Static Interface to my LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
 no cdp enable
!
ip local pool ippool 14.1.1.100 14.1.1.200
ip nat inside source list 1 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 66.207.x.x
no ip http server
no ip http secure-server
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 deny   any
access-list 101 deny   udp any any eq tftp log
access-list 101 deny   tcp any any eq 445 log
access-list 101 deny   tcp any any eq 135 log
access-list 101 deny   tcp any any eq 137 log
access-list 101 deny   tcp any any eq 138 log
access-list 101 deny   tcp any any eq 139 log
access-list 101 deny   udp any any eq netbios-dgm log
access-list 101 deny   udp any any eq netbios-ss log
access-list 101 deny   tcp any any eq 1433 log
access-list 101 deny   tcp any any eq 1434 log
access-list 101 deny   udp any any eq 1433 log
access-list 101 deny   udp any any eq 1434 log
access-list 101 deny   tcp any any eq 2745 log
access-list 101 deny   tcp any any eq 15118 log
access-list 101 permit ip 14.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit udp host 24.249.x.x host 66.207.x.x eq isakmp
access-list 101 permit udp host 24.249.x.x host 66.207.x.x eq non500-isakmp
access-list 101 permit tcp any 192.168.1.0 0.0.0.255 eq telnet
access-list 101 permit tcp host 24.249.x.x host 66.207.x.x eq 22
access-list 101 permit udp host 204.34.198.41 host 66.207.x.x eq ntp
access-list 101 permit udp host 192.5.41.209 host 66.207.x.x eq ntp
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 net-unreachable
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 host-unreachable
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 port-unreachable
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 packet-too-big
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 administratively-prohibited
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 source-quench
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 ttl-exceeded
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any any established
access-list 101 deny   ip host 66.207.x.x any log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 224.0.0.0 15.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any log
access-list 101 deny   ip host 0.0.0.0 any log
access-list 101 deny   ip any any log
access-list 103 permit ip 192.168.0.0 0.0.255.255 14.1.1.0 0.0.0.255
access-list 110 permit tcp 192.168.0.0 0.0.255.255 any eq telnet
access-list 110 permit tcp 192.168.0.0 0.0.255.255 any eq 22
access-list 110 permit tcp host 24.249.x.x any eq 22
access-list 110 permit tcp host 24.249.x.x any eq telnet
no cdp run
!
banner login ^C
LEGAL NOTICE: This device is currently being monitored for unauthorized access.
All unauthorized access to this device will be researched and remedied
through legal means.  If you are not authorized to access this device
please disconnect immediately to prevent further action.
^C
!
line con 0
 exec-timeout 5 0
 password 7 121B1716440F030A272E28233A
line aux 0
 access-class 2 in
 exec-timeout 0 10
 no exec
line vty 0 4
 access-class 110 in
 exec-timeout 5 0
 password 7 011114050D0F09012C49420210
 transport input telnet ssh
!
ntp clock-period 17168921
ntp server 204.34.198.41 prefer
ntp server 192.5.41.209
end
LVL 79

Accepted Solution

by:lrmoore (earned 1000 total points)
ID: 13765808
Yes, you are still natting and that is why you see the public IP address.

Replace this:
ip nat inside source list 1 interface Ethernet0 overload
access-list 1 permit 192.168.1.0 0.0.0.255

With this:
access-list 105 deny ip 192.168.1.0 0.0.0.255 14.1.1.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
route-map nonatvpn permit 10
  match ip address 105
ip nat inside source route-map nonatvpn interface Ethernet0 overload



 
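The two mechanisms this thread turns on, top-down first-match ACL evaluation (lrmoore's comments on why the pool permit has to sit above the port denies) and NAT exemption through a route-map (the accepted solution above), can be reasoned about offline with a small simulator. The Python below is an added example, not code from the thread or from Cisco IOS. It parses only the subset of access-list syntax the posted config uses, keeps a trimmed copy of ACL 101 in its posted order (the entries with masked public addresses are left out), reconstructs the two denied packets from the %SEC-6-IPACCESSLOGP lines in the question, and compares the original "ip nat inside source list 1" selection with the route-map/ACL 105 selection. The 198.51.100.7 and 203.0.113.9 addresses are constructed documentation addresses, not from the thread.

```python
"""Top-down, first-match simulation of the Cisco IOS ACLs in this thread (added example,
not code from the thread or from IOS). Handles only the syntax the posted config uses:
numbered standard/extended ACLs, 'any' / 'host A' / 'A WILDCARD', 'eq PORT', 'established'."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

NAMED_PORTS = {"domain": 53, "telnet": 23, "ntp": 123, "isakmp": 500, "netbios-ss": 139}
ANY = ipaddress.ip_network("0.0.0.0/0")
# One ACL entry; 'text' keeps the original line so the matching entry can be reported.
Rule = namedtuple("Rule", "acl action proto src sport dst dport established text")

@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False  # TCP segment with ACK or RST set

def _addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    mask = ipaddress.ip_address(int(ipaddress.ip_address(tokens[1])) ^ 0xFFFFFFFF)  # invert wildcard
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def _port(tokens):
    """Consume an optional 'eq PORT'; return (port or None, remaining tokens)."""
    if tokens and tokens[0] == "eq":
        return NAMED_PORTS.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return None, tokens

def parse(text):
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        acl, action, rest = t[1], t[2], t[3:]
        if rest[0] in ("ip", "tcp", "udp", "icmp"):  # extended ACL
            proto, rest = rest[0], rest[1:]
            src, rest = _addr(rest)
            sport, rest = _port(rest)
            dst, rest = _addr(rest)
            dport, rest = _port(rest)
        else:                                         # standard ACL: source only
            proto, sport, dport, dst = "ip", None, None, ANY
            src, rest = _addr(rest)
        # ICMP type keywords and 'log' may remain in rest; they are not enforced here.
        rules.append(Rule(acl, action, proto, src, sport, dst, dport, "established" in rest, line.strip()))
    return rules

def _matches(r, p):
    return ((r.proto == "ip" or r.proto == p.proto)
            and ipaddress.ip_address(p.src) in r.src and ipaddress.ip_address(p.dst) in r.dst
            and (r.sport is None or r.sport == p.sport) and (r.dport is None or r.dport == p.dport)
            and (not r.established or p.established))

def evaluate(rules, acl, pkt):
    """First matching entry wins; every ACL ends with an implicit 'deny any'."""
    for r in rules:
        if r.acl == acl and _matches(r, pkt):
            return r.action, r.text
    return "deny", "<implicit deny>"

# Trimmed copy of the thread's ACL 101 in its posted order.
ACL_101_AS_POSTED = """
access-list 101 deny   tcp any any eq 445 log
access-list 101 deny   tcp any any eq 139 log
access-list 101 permit ip 14.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any any established
access-list 101 deny   ip any any log
"""
# lrmoore's fix: the VPN-pool permit moved ahead of the port denies (stable sort keeps the rest in order).
ACL_101_FIXED = "\n".join(sorted(ACL_101_AS_POSTED.strip().splitlines(),
                                 key=lambda l: "permit ip 14.1.1.0" not in l))

# NAT selection: original 'ip nat inside source list 1' vs. 'route-map nonatvpn permit 10 / match ip address 105'.
NAT_LIST_1 = "access-list 1 permit 192.168.1.0 0.0.0.255"
NAT_LIST_105 = """
access-list 105 deny   ip 192.168.1.0 0.0.0.255 14.1.1.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
"""

def is_translated(acl_text, acl, pkt):
    """NAT only touches flows the referenced ACL permits, so the route-map exempts
    the LAN-to-VPN-pool traffic that ACL 105 denies."""
    return evaluate(parse(acl_text), acl, pkt)[0] == "permit"

# Packets reconstructed from the %SEC-6-IPACCESSLOGP lines in the question.
LOGGED = [Packet("tcp", "14.1.1.104", "192.168.1.22", 3591, 445),
          Packet("tcp", "14.1.1.104", "192.168.1.22", 3592, 139)]
REPLY_TO_VPN = Packet("icmp", "192.168.1.22", "14.1.1.104")  # ping reply from the LAN host to the client

def verdicts(acl_text):
    """Action ACL 101 takes on each logged packet, in the given entry order."""
    return [evaluate(parse(acl_text), "101", p)[0] for p in LOGGED]
```

verdicts(ACL_101_AS_POSTED) returns the two denies the router logged, each matched by the port-445 or port-139 entry, and verdicts(ACL_101_FIXED) returns permits once the pool entry sits first; the same port-445 packet from an address outside the pool still hits the deny in the reordered list, so the reorder widens access only for the VPN clients. On the NAT side, is_translated(NAT_LIST_1, "1", REPLY_TO_VPN) is True, which is why the question's ping replies carried the public address, and is_translated(NAT_LIST_105, "105", REPLY_TO_VPN) is False under the route-map. The model ignores ICMP type keywords and treats "established" as a flag on the packet, so it helps reason about entry order but is no substitute for the "show access-lists" hit counters on the router.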

Author Comment

by:rick_me27
ID: 13765870
Thanks lrmoore.  That did work.  Have a good one.
LVL 79

Expert Comment

by:lrmoore
ID: 13765897
Ditto!