
Opening VPN through Cisco 2620

This is probably very easy for someone to answer - I have a feeling I'm just missing something pretty basic.  I am trying to allow remote computers VPN access to a MS RAS server through a Cisco 2620.  Here is the config as it stands now:

version 12.1
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname nhlc-wich-2620
!
no logging buffered
enable secret 5 $1$v4c7$t9Yepmmddmjpb4MBN4hGX/
!
!
!
!
!
memory-size iomem 15
ip subnet-zero
no ip source-route
no ip finger
no ip domain-lookup
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key 3be455ef299ecee9099d9ba91ec015c9 address x.x.x.x
crypto isakmp key 3be455ef299ecee9099d9ba91ec015c9 address y.y.y.y
crypto isakmp key 3be455ef299ecee9099d9ba91ec015c9 address z.z.z.z
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set auth1 esp-des esp-md5-hmac
crypto ipsec transform-set denver esp-des esp-md5-hmac
!
crypto map vpnmap 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set auth1
 match address 100
crypto map vpnmap 11 ipsec-isakmp
 set peer y.y.y.y
 set transform-set auth1
 match address 101
crypto map vpnmap 12 ipsec-isakmp
 set peer z.z.z.z
 set transform-set auth1
 match address 102
!
call rsvp-sync
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.47.4.1 255.255.252.0
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0
 ip address a.a.a.a 255.255.255.252
 ip nat outside
 encapsulation ppp
 no fair-queue
 service-module t1 clock source internal
 service-module t1 timeslots 1-24
 crypto map vpnmap
!
ip nat inside source route-map nonat interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 b.b.b.b
no ip http server
!
access-list 100 permit ip 172.16.1.0 0.0.0.255 10.27.8.0 0.0.0.255
access-list 100 permit ip 10.47.4.0 0.0.3.255 10.27.8.0 0.0.0.255
access-list 101 permit ip 10.47.4.0 0.0.3.255 10.72.4.0 0.0.3.255
access-list 102 permit ip 10.47.4.0 0.0.3.255 10.52.4.0 0.0.3.255
access-list 120 deny   ip 10.47.4.0 0.0.3.255 10.52.4.0 0.0.3.255
access-list 120 deny   ip 172.17.60.0 0.0.0.63 any
access-list 120 deny   ip 10.47.4.0 0.0.3.255 10.72.4.0 0.0.3.255
access-list 120 deny   ip 10.47.4.0 0.0.3.255 10.27.8.0 0.0.0.255
access-list 120 permit ip 10.47.4.0 0.0.3.255 any
access-list 120 permit ip 10.47.8.0 0.0.3.255 any
access-list 120 permit ip 192.168.0.0 0.0.255.255 any

ip nat inside source static 10.47.4.115 a.a.a.a

access-list 130 permit tcp any any established
access-list 130 permit udp any eq domain any
access-list 130 permit tcp any any eq 1723
access-list 130 permit gre any any


route-map nonat permit 10
 match ip address 120
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
 password 7 14393A1C0507227A7678
 login
 transport input none
line aux 0
line vty 0
 exec-timeout 1200 0
 password 7 132B3F05020F0C7B7974
 login
line vty 1 4
 password 7 132B3F05020F0C7B7974
 login
!
no scheduler allocate
end
 
nhlc-wich-2620#
 

As you can see there are also three tunnels set up, but I'm just trying to get external access through a.a.a.a to a Microsoft VPN server inside the network.  Where have I gone wrong???

Thanks!
Asked by: slandise

2 Solutions
noctotCommented:
I know this is a dumb question but I have to ask.

10.47.4.115 is your VPN server, right?
 
slandiseAuthor Commented:
Yes
 
noctotCommented:
I'm not familiar with the route-map option in NAT so I can't say if that's causing a conflict with your static NAT mapping. That static map doesn't look right though. You shouldn't be mapping all traffic from your WAN IP to an internal IP. You need to either just map the required ports or use a different global IP.
 
slandiseAuthor Commented:
I was wondering about that line too.  Can I just take it out; would the other any any commands then work?  I realize that would probably leave it too wide open.  Or can I specify the IP address that the external VPN request would come from?  Sorry - I know Cisco fairly well, but haven't worked with this particular area that much.
 
lrmooreCommented:
interface Serial0/0
 ip address a.a.a.a 255.255.255.252

 > ip nat inside source static 10.47.4.115 a.a.a.a  <==
You cannot do a 1-1 static nat mapping for the same IP address assigned to the outside interface to an internal server.
For PPTP to work, you need a 1-1 static nat, but you have to use a different IP than the interface.
Given the subnet mask on the interface, you don't have another IP to use unless the ISP can give you another small block of IPs to use and just route those IPs to your serial interface. Then you can do what you want.
Due to the requirements of GRE and PPTP, there is no way around it.
 
slandiseAuthor Commented:
Ok, that is making sense.  I can try using the router at the other end of one of their tunnels, which I believe has extra IP addresses to use.  Do I just assign one of those IPs as a secondary IP address on the external interface and then do my static 1-1 mapping?  And then are the correct commands:

access-list 103 permit GRE any host 10.47.4.115  
access-list 103 permit tcp any host 10.47.4.115 eq 1723

to permit access to the VPN server?
 
lrmooreCommented:
> I can try using the router at the other end of one of their tunnels, which I believe has extra IP addresses to use.
The ISP has to route that IP subnet to you. You can't just pick them up and assign them to your router. Assuming that the ISP will route a small block of IPs to you (say a /28 subnet giving you 6 IPs), all you need is the static statement:
 
    ip nat inside source static 10.47.4.115 x.x.x.x

You don't have any access-lists applied to your WAN serial interface, therefore there is no requirement to create one. If you apply acl 130 to the serial interface, it already allows GRE and pptp.
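What that recommendation looks like on the nhlc-wich-2620, as an added example rather than lrmoore's or the thread's own config: it assumes the ISP routes the placeholder block 203.0.113.16/29 to Serial0/0 and that 203.0.113.18 is picked for the VPN server, and it narrows ACL 130 to that host before applying it inbound.

```cisco
! Added example, not config from the thread. Assumes the ISP routes the
! placeholder block 203.0.113.16/29 to Serial0/0 and that 203.0.113.18 is
! chosen for the PPTP server; the interface address a.a.a.a is left alone.
!
! Drop the mapping that reuses the interface address
no ip nat inside source static 10.47.4.115 a.a.a.a
! 1-to-1 static NAT to an address out of the routed block
ip nat inside source static 10.47.4.115 203.0.113.18
!
! Rebuild ACL 130 so TCP 1723 and GRE reach only the VPN server. An inbound
! ACL on the outside interface matches the pre-NAT (global) address.
no access-list 130
access-list 130 permit tcp any any established
access-list 130 permit udp any eq domain any
access-list 130 permit tcp any host 203.0.113.18 eq 1723
access-list 130 permit gre any host 203.0.113.18
! Keep IKE and ESP open for the three existing site-to-site peers
access-list 130 permit udp host x.x.x.x host a.a.a.a eq isakmp
access-list 130 permit esp host x.x.x.x host a.a.a.a
access-list 130 permit udp host y.y.y.y host a.a.a.a eq isakmp
access-list 130 permit esp host y.y.y.y host a.a.a.a
access-list 130 permit udp host z.z.z.z host a.a.a.a eq isakmp
access-list 130 permit esp host z.z.z.z host a.a.a.a
! On this 12.1 image decrypted tunnel traffic is checked against the inbound
! ACL a second time, so the remote subnets from ACLs 100-102 need permits
access-list 130 permit ip 10.27.8.0 0.0.0.255 10.47.4.0 0.0.3.255
access-list 130 permit ip 10.27.8.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 130 permit ip 10.72.4.0 0.0.3.255 10.47.4.0 0.0.3.255
access-list 130 permit ip 10.52.4.0 0.0.3.255 10.47.4.0 0.0.3.255
access-list 130 deny   ip any any log
!
interface Serial0/0
 ip access-group 130 in
```

The static entry has no route-map, so 10.47.4.115 is also translated when it talks to the tunnel subnets in ACLs 100-102; if that host must stay reachable over the tunnels, the `route-map` form of the static NAT command is needed on images that support it.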
 
slandiseAuthor Commented:
The router at the other end has a /28 subnet.  Its current configuration is:

version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname nhlc-tulsa-2611
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable password 7 105A1C1516161C0E18
!
no aaa new-model
ip subnet-zero
ip cef
!
!
ip name-server 216.177.79.5
ip name-server 66.210.130.9
ip name-server 66.210.130.10
ip dhcp excluded-address 10.52.4.1
ip dhcp smart-relay
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key a5771bce93e200c36f7cd9dfd0e5deaa address a.a.a.a
crypto isakmp key 3be455ef299ecee9099d9ba91ec015c9 address b.b.b.b
!
!
crypto ipsec transform-set auth1 esp-des esp-md5-hmac
!
crypto map nhtulsa 10 ipsec-isakmp
 set peer a.a.a.a
 set transform-set auth1
 match address 100
crypto map nhtulsa 11 ipsec-isakmp
 set peer b.b.b.b
 set transform-set auth1
 match address 101
!
!
!
!
interface Ethernet0/0
 ip address 10.52.4.1 255.255.252.0
 ip nat inside
 full-duplex
!
interface Serial0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 ip address x.x.x.170 255.255.255.248
 ip nat outside
 full-duplex
 crypto map nhtulsa
!
ip nat inside source route-map nonat interface Ethernet0/1 overload
ip nat inside source static tcp 10.47.4.200 3389 x.x.x.171 3389 extendable
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 z.z.z.z
!
!
access-list 100 permit ip 10.52.4.0 0.0.3.255 10.27.8.0 0.0.0.255
access-list 101 permit ip 10.52.4.0 0.0.3.255 10.47.4.0 0.0.3.255
access-list 120 deny   ip 10.52.4.0 0.0.3.255 10.47.4.0 0.0.3.255
access-list 120 deny   ip 10.52.4.0 0.0.3.255 10.27.8.0 0.0.0.255
access-list 120 permit ip 10.52.4.0 0.0.3.255 any
!
route-map nonat permit 10
 match ip address 120
!
!
no mgcp timer receive-rtcp
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password 7 120D101B010A02013E
 login
!
!


So can't I just do my static mapping to x.x.x.172, and then go through the IPSEC tunnel back to the other end to the VPN server on 10.47.4.115?

Thanks for all the help so far...
 
noctotCommented:
Yes, you can use x.x.x.172 for the static NAT map without assigning it as a secondary IP.

I don't think you should try to create a PPTP VPN over an IPSEC tunnel. It will be resource-intensive, slow and very hard to troubleshoot. I'd suggest getting additional IPs for the location with the VPN server.
 
slandiseAuthor Commented:
I can try to get more IPs - I agree, that would be better, although this VPN would only be used occasionally for remote administration of a phone system.  At either end, though, do I only need the one static mapping command, and not the ones specifically for GRE and 1783?
 
lrmooreCommented:
The GRE will not be passed through the VPN tunnel regardless.
The tunnel is IPSEC and by definition requires "IP".
GRE is not IP, it is an encapsulation protocol all by itself.
 
slandiseAuthor Commented:
I found out that they are setting up a VPN server at the end I will be coming into - so I only need to get through the router at that end to make the connection.  
 
lrmooreCommented:
That'll work.
 
slandiseAuthor Commented:
Got it working over the weekend.  Many thanks to both of you!
