rick_me27
Ipsec Tunnel to 1710
Hello all, I have a 1710 I use at home and I created a tunnel to be used with my Cisco VPN client in case for some reason I need something off my LAN while at work.
Well, I can connect and authenticate and can ping local addresses, but my reply comes back as my public address. I would like to be able to access other machines on my home network 192.168.x.x, but I see on my router log that my ACL is denying several things. The 14.1.1.x is my ippool for the VPN group. My private range at work is 172.28.x.x
Apr 12 09:59:11 EDT: %SEC-6-IPACCESSLOGP: list 101 denied tcp 14.1.1.104(3591) -> 192.168.1.22(445), 1 packet
Apr 12 10:04:52 EDT: %SEC-6-IPACCESSLOGP: list 101 denied tcp 14.1.1.104(3592) -> 192.168.1.22(139), 3 packets
Apr 12 10:04:52 EDT: %SEC-6-IPACCESSLOGP: list 101 denied tcp 14.1.1.104(3591) -> 192.168.1.22(445), 2 packets
ASKER
I have done that. I'll post all my ACLs so you can check them out.
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
access-list 101 deny udp any any eq tftp log
access-list 101 deny tcp any any eq 445 log
access-list 101 deny tcp any any eq 135 log
access-list 101 deny tcp any any eq 137 log
access-list 101 deny tcp any any eq 138 log
access-list 101 deny tcp any any eq 139 log
access-list 101 deny udp any any eq netbios-dgm log
access-list 101 deny udp any any eq netbios-ss log
access-list 101 deny tcp any any eq 1433 log
access-list 101 deny tcp any any eq 1434 log
access-list 101 deny udp any any eq 1433 log
access-list 101 deny udp any any eq 1434 log
access-list 101 deny tcp any any eq 2745 log
access-list 101 deny tcp any any eq 15118 log
access-list 101 permit ip 14.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit udp host 24.249.x.x host 66.207.x.x eq isakmp
access-list 101 permit udp host 24.249.x.x host 66.207.x.x eq non500-isakmp
access-list 101 permit tcp any 192.168.1.0 0.0.0.255 eq telnet
access-list 101 permit tcp host 24.249.x.x host 66.207.x.x eq 22
access-list 101 permit udp host 204.34.198.41 host 66.207.x.x eq ntp
access-list 101 permit udp host 192.5.41.209 host 66.207.x.x eq ntp
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 net-unreachable
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 host-unreachable
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 port-unreachable
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 packet-too-big
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 administratively-prohibited
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 source-quench
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 ttl-exceeded
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any any established
access-list 101 deny ip host 66.207.x.x any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 224.0.0.0 15.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip host 0.0.0.0 any log
access-list 101 deny ip any any log
access-list 103 permit ip 192.168.0.0 0.0.255.255 14.1.1.0 0.0.0.255
access-list 110 permit tcp 192.168.0.0 0.0.255.255 any eq telnet
access-list 110 permit tcp 192.168.0.0 0.0.255.255 any eq 22
access-list 110 permit tcp host 24.249.x.x any eq 22
access-list 110 permit tcp host 24.249.x.x any eq telnet
You need to move it up to the top...
Let's look at what you have. According to your log, you are being denied on ports 139 and 445:
access-list 101 deny udp any any eq tftp log
access-list 101 deny tcp any any eq 445 log <== denied 14.1.1.x
access-list 101 deny tcp any any eq 135 log
access-list 101 deny tcp any any eq 137 log
access-list 101 deny tcp any any eq 138 log
access-list 101 deny tcp any any eq 139 log <==denied 14.1.1.x
access-list 101 deny udp any any eq netbios-dgm log
access-list 101 deny udp any any eq netbios-ss log
access-list 101 deny tcp any any eq 1433 log
access-list 101 deny tcp any any eq 1434 log
access-list 101 deny udp any any eq 1433 log
access-list 101 deny udp any any eq 1434 log
access-list 101 deny tcp any any eq 2745 log
access-list 101 deny tcp any any eq 15118 log
access-list 101 permit ip 14.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255 <== NOW you permit, but only after all the other ports have been denied..
ASKER
Ahh, I see. So if I put access-list 101 permit ip 14.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255 above what I am denying, I should be able to get in to my local LAN?
Yes. Remember that every access-list is processed top-down until the first match.
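To make the top-down, first-match rule concrete, here is an added Python example (not from the thread and not Cisco IOS code) that parses a trimmed subset of the poster's access-list 101, evaluates the two flows from the log entries, and shows what changes when the 14.1.1.0/24 permit is moved to the top. The parser only understands the `any | host A | A WILDCARD` address forms with an optional destination `eq PORT`, so lines with source ports, `established` or ICMP types are left out; the 203.0.113.5 source address used for the outside check is a constructed example.

```python
"""
Simulate Cisco IOS extended ACL evaluation: entries are tested top-down,
the first match decides, and an implicit "deny ip any any" ends every list.
Added example, not from the thread; the ACL lines are copied from the
poster's access-list 101 and trimmed to the subset this parser handles.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords that appear in the poster's ACL (well-known IOS names).
PORT_NAMES = {"tftp": 69, "telnet": 23, "netbios-dgm": 138, "netbios-ss": 139}

# Trimmed copy of the poster's list: the deny block, the VPN permit, and the
# trailing anti-spoofing / catch-all denies. Lines with x.x placeholders,
# source ports, "established" or ICMP types are omitted.
ORIGINAL_ACL = """
access-list 101 deny udp any any eq tftp log
access-list 101 deny tcp any any eq 445 log
access-list 101 deny tcp any any eq 135 log
access-list 101 deny tcp any any eq 137 log
access-list 101 deny tcp any any eq 138 log
access-list 101 deny tcp any any eq 139 log
access-list 101 deny udp any any eq netbios-dgm log
access-list 101 deny udp any any eq netbios-ss log
access-list 101 permit ip 14.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip any any log
""".strip().splitlines()


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None means any destination port
    text: str                        # the original line, for reporting


def _network(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one IOS address spec from the front of tokens: any | host A | A WILDCARD."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    # A contiguous wildcard mask is the bitwise inverse of a subnet mask.
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)
    return ipaddress.IPv4Network(f"{tok}/{mask}", strict=False)


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N {permit|deny} {ip|tcp|udp} SRC DST [eq PORT] [log]'."""
    tokens = line.split()
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src = _network(rest)
    dst = _network(rest)
    dport = None
    if rest and rest[0] == "eq":
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return Ace(action, proto, src, dst, dport, line)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return (action, matching line) for one flow; first match wins, implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny ip any any"


def move_to_top(lines: List[str], needle: str) -> List[str]:
    """Copy of the ACL with every line containing `needle` placed first (the fix suggested above)."""
    return [l for l in lines if needle in l] + [l for l in lines if needle not in l]


def check_vpn_client(lines: List[str]) -> dict:
    """Evaluate the VPN pool client from the log against a LAN host on 445, 139 and 80."""
    acl = [parse_ace(l) for l in lines]
    return {p: evaluate(acl, "tcp", "14.1.1.104", "192.168.1.22", p)[0] for p in (445, 139, 80)}


FIXED_ACL = move_to_top(ORIGINAL_ACL, "permit ip 14.1.1.0")

if __name__ == "__main__":
    print("original:", check_vpn_client(ORIGINAL_ACL))   # 445/139 denied, 80 permitted
    print("fixed:   ", check_vpn_client(FIXED_ACL))      # all three permitted
    # The reordered permit is scoped to the pool, so an outside host is still denied on 445.
    outside = evaluate([parse_ace(l) for l in FIXED_ACL], "tcp", "203.0.113.5", "192.168.1.22", 445)
    print("outside host on 445:", outside)
```

The point the output makes is that under the original order only the ports listed in the deny block fail (port 80 to the same host was already permitted), and that moving the permit up does not weaken the per-port denies for anyone else, because the permit entry is scoped to the 14.1.1.0/24 pool as its source.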
ASKER
I knew that :) Just didn't think about it when I was creating these ACLs. How come when I ping a private address a reply comes back from my public address?
Never seen that before.
You may be natting icmp through the tunnel? I'd have to see more of your config to figure that out..
I don't see any access-list that looks like part of a route-map applied to NAT.
ASKER
let me show you:
version 12.3
service timestamps debug uptime
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname RMrouter
!
boot-start-marker
boot-end-marker
!
logging buffered 8024 debugging
enable secret 5 $1$WHbG$NTXKub1AJUZEEIC3hxFLv.
enable password 7 104C1B1853131D05010126202D
!
clock timezone eastern -5
clock summer-time EDT recurring
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip tcp path-mtu-discovery
ip domain name RMrouter.com
ip dhcp excluded-address 192.168.1.1 192.168.1.20
!
ip dhcp pool MainScope
network 192.168.1.0 255.255.255.0
dns-server 216.12.23.244
default-router 192.168.1.1
!
no ip bootp server
ip cef
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name firewall_in tcp
ip inspect name firewall_in udp
ip inspect name firewall_in ftp
ip inspect name firewall_in smtp
ip inspect name firewall_in tftp
ip inspect name firewall_in http
ip inspect name firewall_out tcp
ip inspect name firewall_out udp
ip inspect name firewall_out ftp
ip inspect name firewall_out smtp
ip inspect name firewall_out tftp
ip inspect name firewall_out http
ip audit po max-events 100
no ftp-server write-enable
!
!
username rmelki password 7 00060107525F04080224404500
username rtadmin password 7 045802150C2E1D1C5A
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpngroup
key wildhorses500
pool ippool
acl 103
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface Ethernet0
description External Static DSL Interface
ip address 66.207.x.x 255.255.255.0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
half-duplex
no cdp enable
crypto map clientmap
!
interface FastEthernet0
description Inside Static Interface to my LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
speed auto
full-duplex
no cdp enable
!
ip local pool ippool 14.1.1.100 14.1.1.200
ip nat inside source list 1 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 66.207.x.x
no ip http server
no ip http secure-server
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
access-list 101 deny udp any any eq tftp log
access-list 101 deny tcp any any eq 445 log
access-list 101 deny tcp any any eq 135 log
access-list 101 deny tcp any any eq 137 log
access-list 101 deny tcp any any eq 138 log
access-list 101 deny tcp any any eq 139 log
access-list 101 deny udp any any eq netbios-dgm log
access-list 101 deny udp any any eq netbios-ss log
access-list 101 deny tcp any any eq 1433 log
access-list 101 deny tcp any any eq 1434 log
access-list 101 deny udp any any eq 1433 log
access-list 101 deny udp any any eq 1434 log
access-list 101 deny tcp any any eq 2745 log
access-list 101 deny tcp any any eq 15118 log
access-list 101 permit ip 14.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit udp host 24.249.x.x host 66.207.x.x eq isakmp
access-list 101 permit udp host 24.249.x.x host 66.207.x.x eq non500-isakmp
access-list 101 permit tcp any 192.168.1.0 0.0.0.255 eq telnet
access-list 101 permit tcp host 24.249.x.x host 66.207.x.x eq 22
access-list 101 permit udp host 204.34.198.41 host 66.207.x.x eq ntp
access-list 101 permit udp host 192.5.41.209 host 66.207.x.x eq ntp
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 net-unreachable
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 host-unreachable
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 port-unreachable
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 packet-too-big
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 administratively-prohibited
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 source-quench
access-list 101 permit icmp any 66.207.x.x 0.0.0.255 ttl-exceeded
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any any established
access-list 101 deny ip host 66.207.x.x any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 224.0.0.0 15.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip host 0.0.0.0 any log
access-list 101 deny ip any any log
access-list 103 permit ip 192.168.0.0 0.0.255.255 14.1.1.0 0.0.0.255
access-list 110 permit tcp 192.168.0.0 0.0.255.255 any eq telnet
access-list 110 permit tcp 192.168.0.0 0.0.255.255 any eq 22
access-list 110 permit tcp host 24.249.x.x any eq 22
access-list 110 permit tcp host 24.249.x.x any eq telnet
no cdp run
!
banner login ^C
LEGAL NOTICE: This device is currently being monitored for unauthorized access.
All unauthorized access to this device will be researched and remedied
through legal means. If you are not authorized to access this device
please disconnect immediately to prevent further action.
^C
!
line con 0
exec-timeout 5 0
password 7 121B1716440F030A272E28233A
line aux 0
access-class 2 in
exec-timeout 0 10
no exec
line vty 0 4
access-class 110 in
exec-timeout 5 0
password 7 011114050D0F09012C49420210
transport input telnet ssh
!
ntp clock-period 17168921
ntp server 204.34.198.41 prefer
ntp server 192.5.41.209
end
ASKER CERTIFIED SOLUTION
ASKER
thanks lrmoore. That did work. Have a good one.
Ditto!
access-list 101 permit ip 14.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255