Solved

Cisco 1841 - need to get VPN working, 2nd 1841 needs to pass ssh traffic and rdp traffic to specific internal servers.

Posted on 2006-05-29
Last Modified: 2008-01-09
I have a two-part question. I have two Cisco 1841 routers for two separate networks. On the first network I would like to be able to VPN into the 1841 and internal LAN from my laptop remotely. This network has only two servers, no domain, RADIUS, etc. Everything must be done on the 1841. I would like to use the Cisco VPN Client for access. I have never set up a Cisco VPN, so this is new for me.

My second 1841 will have the same network behind it, but instead of VPN it can just pass SSH and other ports needed to the specific internal servers. I am starting with a pretty basic configuration on the 1841s; there are no other firewalls in front of or behind these routers, and I upgraded the IOS to the 12.4(7) AdvSecurity version. Once I get everything working I would like to lock down the FW and IPS where possible. Here is what I have for the current 1841 configs:


Current configuration : 3287 bytes
!
version 12.4
no parser cache
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1841router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
no ip source-route
ip cef
!
!
!
!
ip ips notify SDEE
ip domain name 1841
ip name-server external ip
ip name-server external ip
!
!
crypto pki trustpoint TP-self-signed-xxxxxx
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-xxxxx
 revocation-check none
 rsakeypair TP-self-signed-xxxxxxxxx
!
!
crypto pki certificate chain TP-self-signed-xxxxxxxx
 certificate self-signed 01

username new2cisco privilege 15 password 7 11111111111111111111111
!
!
!
!
!
interface FastEthernet0/0
 description inside
 ip address 10.0.x.x 255.255.255.0
 ip access-group 101 out
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 speed auto
 half-duplex
 no cdp enable
!
interface FastEthernet0/1
 description outside
 ip address 1.2.3.4 255.255.255.240
 ip access-group 101 in
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 speed auto
 half-duplex
 no cdp enable
!
interface Serial0/0/0
 no ip address
 shutdown
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 1.2.3.5
!
no ip http server
ip http authentication local
ip http secure-server
ip http max-connections 1
ip http client source-interface FastEthernet0/0
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 permit 10.0.x.x 0.0.0.255
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any any established
access-list 101 permit icmp any any echo-reply
no cdp run
!
!
control-plane
!
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input ssh
!
scheduler allocate 20000 1000
end

This is urgent as I am leaving town for a while and now need secure remote access to these boxes.  Thanks.
Question by:pjn308

24 Comments
LVL 13

Expert Comment

by:prashsax
ID: 16786104
For configuring SSH behind the router, all you need to do is enable a static NAT to your internal server and an ACL for port TCP/22.

Use NAT to map your internal server IP to External(Public IP).
Put an ACL to allow access to port TCP/22 for that internal server.


For VPN access, refer to this document:

http://www.cisco.com/en/US/products/ps5853/products_configuration_guide_chapter09186a00804582da.html


0
 
LVL 13

Expert Comment

by:prashsax
ID: 16786115
Oh yes, for RDP, one more ACL to allow port TCP/3389 to your server, provided it's the same server as your SSH.

If not, you again need one more NAT.

If you have one IP, then you can use port forwarding.

Refer this link:
http://www.portforward.com/english/routers/port_forwarding/Cisco/Cisco678/default.htm
0
 

Author Comment

by:pjn308
ID: 16786413
Thanks for the reply. The VPN will not be router-to-router... I will mostly be connecting from wireless access points, cellular networks, etc. Hardly ever behind a real network, mostly SOHO and coffee shop types of places.

As far as the NATs and ACLs, that is what I have been trying without success. I know what I need, I just can't seem to get the correct entries in there.

P.S. Each of the 1841s will have only 1 public address on its outside interface. Thanks.
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16789891
Ok, what you need to do is to forward ports from your public IP to private IP since you have only one public address.

This is how you do this.

Assuming the private ip is 192.168.1.2 and Ethernet1 is outside port, add the following command line.

ip nat inside source static tcp 192.168.1.2 <local-port> interface Ethernet1 <global-port>

So for SSH you write:

ip nat inside source static tcp ssh_server_ip 22 interface outside_interface 22

Now, this will forward any request coming on port 22 of your router to your internal ssh_server port 22.

Similarly you can forward port 3389 for RDP.

0
 

Author Comment

by:pjn308
ID: 16791871
I will try this as soon as I can get back into the router (I chose not to allow remote ssh into the router at this point).  As far as setting up the VPN, what would be the easiest route to get VPN working?  thanks.
0
 

Author Comment

by:pjn308
ID: 16794592
I added the line exactly as listed above and still no connection...Do I need to create another ACL?
0
 

Author Comment

by:pjn308
ID: 16828360
I added the NAT statement and still could not get it to work. Is there anybody who can point out my error in the config? Thanks.
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16828396
Yes, you need to create an ACL which allows connections from any to your local IP 192.168.1.2 on ports 22 and 3389.
0
 

Author Comment

by:pjn308
ID: 16844694
I cannot get this to work. Here are the pertinent parts of the configs:

interface FastEthernet0/0
 description inside
 ip address 10.0.1.1 255.255.255.0
 ip access-group 101 out
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 speed auto
 half-duplex
 no cdp enable
!
interface FastEthernet0/1
 description outside
 ip address 24.1.2.3 255.255.255.240
 ip access-group 101 in
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 speed auto
 half-duplex
 no cdp enable
!
ip nat inside source list 1 interface FastEthernet0/1 overload
! this is for the nat translation to an internal server for ssh over port 8022
ip nat inside source static tcp 10.0.1.105 8022 interface FastEthernet0/1 8022
! this is for the nat translation to an internal server for ssh over port 22
ip nat inside source static tcp 10.0.1.100 22 interface FastEthernet0/1 22
!
access-list 1 permit 10.0.10.0 0.0.0.255
! this ACL is for outbound internet access, outbound on inside and inbound on external
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any any established
access-list 101 permit icmp any any echo-reply


I tried creating/adding ACLs to no avail. I just can't figure out what I am missing, and I know it's so simple. The above config portion does not have the ACL for the SSH server in it at this time, but I tried many times with different variations to get it to work. Can you write out the actual ACL and NAT statements as they would be entered, and how you would apply them to which interface, to see if I am missing something or entering something incorrectly?
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16845245
access-list 101 permit tcp any 10.0.1.100 eq 22


This should enable the access on port 22.
0
 

Author Comment

by:pjn308
ID: 16845806
I have tried that exact ACL along with the nat translations that are in place without luck, do you think it has something to do with the ip access-group 101 in on the external interface and ip access-group 101 out on the inside interface?  I have other routers that I have not had too much trouble with, this one is just causing my head to hurt, I know there is something I am overlooking.  Thanks a lot for your help.
0
 

Author Comment

by:pjn308
ID: 16848241
It has to be something with how the ACLs are applied. I have verified that the SSH servers are fully operational and there is no reason I can see why I cannot get SSH through this router. Please see the most current config that I think SHOULD be working.

version 12.4
no parser cache
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
no ip source-route
ip cef
!
!        
!
!
ip ips notify SDEE
ip domain name router
ip name-server 24.1.0.3
ip name-server 24.1.0.4
!
!
crypto pki trustpoint TP-self-signed-1500000000
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-150000000
 revocation-check none
 rsakeypair TP-self-signed-1500000000
!
!
crypto pki certificate chain TP-self-signed-1500000000
 certificate self-signed 01
  30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    quit
username test privilege 15 password 7 2345667377845766575737645
!
!
!
!
!
interface FastEthernet0/0
 description inside
 ip address 10.0.1.1 255.255.255.0
 ip access-group 101 out
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 speed auto
 half-duplex
 no cdp enable
!
interface FastEthernet0/1
 description outside
 ip address 24.1.2.3 255.255.255.240
 ip access-group 101 in
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 speed auto
 half-duplex
 no cdp enable
!
interface Serial0/0/0
 no ip address
 shutdown
!        
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 24.1.2.1
!
no ip http server
ip http authentication local
ip http secure-server
ip http max-connections 1
ip http client source-interface FastEthernet0/0
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.0.1.105 22 interface FastEthernet0/1 22
!
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any any established
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any host 10.0.1.105 eq 22
no cdp run
!
!        
control-plane
!
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input ssh
!
scheduler allocate 20000 1000
end
0
 

Author Comment

by:pjn308
ID: 16848250
Also, I CAN SSH from the router into the server so I know that portion is working.
0
 

Author Comment

by:pjn308
ID: 16848548
I have tried every variation of ACLs and NAT translations. Can you please look at my config? I am convinced there is something I am missing in the config or I am putting the ACL in wrong. I have gone over this time and time again.
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16850405
First of all remove this line:

>ip access-group 101 out

from your internal interface.

You have applied an ACL with the same number to both interfaces.

0
 

Author Comment

by:pjn308
ID: 16851054
That has been removed, I still cannot access internal servers.  Thanks.
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16851094
Just confirming.....

You are trying to SSH to your external interface IP and want to connect to the internal SSH running on a server at 10.0.1.105.

So from outside your network, i.e. from some other internet connection, you are trying

telnet External_IP 22          and could not connect.

Now, I could not see any reason why this should not work.

Could you please try to remove the ACL and then connect?
This will make sure that the problem is with the ACL and not port forwarding.

0
 

Author Comment

by:pjn308
ID: 16851745
That is correct. I have tried connecting by using PuTTY to the external IP on port 22 as well as telnet external 22. Nothing seems to work. If I remove the ACLs, won't everything be blocked by default? ACL 101 was needed for internal boxes to get to the internet. Thanks.
0
 
LVL 13

Accepted Solution

by:
prashsax earned 2000 total points
ID: 16851936
Ok, Now I know what is happening.

You have applied ACL on outside interface for incoming traffic.

Now on outside interface ACL is applied first and then NAT happens.

So, you have made an ACL for traffic coming from any to 10.x.x.x eq 22.

But in reality the original packet will have the target IP 24.x.x.x eq 22.

That is why it is not able to come inside the router, and NAT/port forwarding does not work.

Change that ACL to:
access-list 101 permit tcp any any eq 22

This will surely do the trick.


0
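The order-of-operations point in the accepted answer, and the port-forwarding NAT lines prashsax gave earlier, as an added example that is not part of this thread and not Cisco's code: a small Python model of what an 1841 does to a packet arriving on the outside interface, namely evaluate the inbound ACL first (so it sees the public destination 24.1.2.3) and only then apply the static NAT to 10.0.1.105. It runs the poster's broken ACL, the accepted fix, and a tighter variant using the `host` form already used in the thread. Assumptions: only the two TCP entries of ACL 101 relevant to SSH are modeled (the DNS and ICMP entries are left out), the IOS `established` keyword is modeled as a flag on the packet, and 203.0.113.10 is a constructed client address.

```python
from dataclasses import dataclass
from typing import List, Optional, Union


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str                    # destination as seen at this point in the pipeline
    dport: Optional[int] = None
    established: bool = False   # True when ACK or RST is set, i.e. not a new SYN


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip"
    dst: str = "any"             # "any" or a single host address ("host X" in IOS)
    dport: Optional[int] = None  # None means any destination port
    established: bool = False    # mirrors the IOS 'established' keyword

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dst != "any" and self.dst != pkt.dst:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.established and not pkt.established:
            return False
        return True


def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action == "permit"
    return False


@dataclass(frozen=True)
class StaticNat:
    # ip nat inside source static tcp <local_ip> <local_port> interface <outside> <global_port>
    local_ip: str
    local_port: int
    global_ip: str
    global_port: int


def process_inbound(acl: List[AclEntry], nat_rules: List[StaticNat],
                    pkt: Packet) -> Union[Packet, str]:
    """Outside interface, inbound direction: ACL first, then static NAT.

    Returns the translated packet that is forwarded inside, or a string
    explaining why the packet was dropped.
    """
    # Step 1: the inbound ACL sees the packet before translation, so the
    # destination it compares against is the router's public address.
    if not acl_permits(acl, pkt):
        return "dropped by inbound ACL (evaluated before NAT, against the public IP)"
    # Step 2: only permitted packets reach the static NAT / port-forwarding step.
    for rule in nat_rules:
        if pkt.proto == "tcp" and pkt.dst == rule.global_ip and pkt.dport == rule.global_port:
            return Packet(pkt.proto, pkt.src, rule.local_ip, rule.local_port, pkt.established)
    return "no static NAT entry matched"


# Addresses from the thread's second configuration.
OUTSIDE_IP = "24.1.2.3"
SSH_SERVER = "10.0.1.105"
NAT_RULES = [StaticNat(SSH_SERVER, 22, OUTSIDE_IP, 22)]

# The poster's ACL: matches the private address, which inbound packets never carry.
BROKEN_ACL = [
    AclEntry("permit", "tcp", established=True),   # permit tcp any any established
    AclEntry("permit", "tcp", SSH_SERVER, 22),      # permit tcp any host 10.0.1.105 eq 22
]
# The accepted answer: match on the destination port only.
FIXED_ACL = [
    AclEntry("permit", "tcp", established=True),
    AclEntry("permit", "tcp", "any", 22),           # permit tcp any any eq 22
]
# Tighter variant: name the public address the packet actually carries.
TIGHT_ACL = [
    AclEntry("permit", "tcp", established=True),
    AclEntry("permit", "tcp", OUTSIDE_IP, 22),      # permit tcp any host 24.1.2.3 eq 22
]


def ssh_syn_from_internet(src: str = "203.0.113.10") -> Packet:
    # Constructed client address; a fresh SYN, so 'established' does not match.
    return Packet("tcp", src, OUTSIDE_IP, 22)


def reaches_ssh_server(acl: List[AclEntry]) -> bool:
    result = process_inbound(acl, NAT_RULES, ssh_syn_from_internet())
    return isinstance(result, Packet) and result.dst == SSH_SERVER and result.dport == 22


if __name__ == "__main__":
    for name, acl in (("broken", BROKEN_ACL), ("fixed", FIXED_ACL), ("tight", TIGHT_ACL)):
        print(f"{name:6s} -> {process_inbound(acl, NAT_RULES, ssh_syn_from_internet())}")
```

The model shows why the NAT line and the ACL line each looked correct in isolation: the static NAT entry is fine, it is simply never reached because the ACL drops the SYN whose destination is still 24.1.2.3. Of the two working ACLs, the `host` form is the one a reviewer would prefer, because it states exactly which address is being exposed; with a single public address the two behave the same here, but the intent is documented in the config. Forwarding RDP the same way needs its own static NAT line for 3389 and its own ACL entry, and the model drops a 3389 SYN until both exist.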
 

Author Comment

by:pjn308
ID: 16852020
LOL, I was looking through the configs with one of the network guys I work with and he suggested changing the 10. address to the external 24. address. So at this point I am guessing this is what the issue is. I will try making this change later today. Thanks a lot for your patience.
0
 

Author Comment

by:pjn308
ID: 16858427
Ok, I do have it working ok now.....

Now for the VPN portion for the other 1841 router. What do you recommend, WebVPN, EasyVPN, etc.? I am wanting to use a laptop to VPN into a portion of the network, mostly Windows machines. There will be no other devices or firewalls on this network. Thanks.
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16859498
WebVPN is more robust in terms of use and connection availability.

As WebVPN works on SSL, you can connect to it using a proxy as well (comes in handy when staying in hotels).

EasyVPN, on the other hand, cannot connect from behind proxies.

You require a direct or NATted internet connection to connect with EasyVPN.

Other than this, EasyVPN has no other drawback. It provides good speed and rock solid security.

So, it's up to you to decide.
0
 

Author Comment

by:pjn308
ID: 16860651
Thanks a lot for your assistance on this! I will look at WebVPN for my solution.
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16860905
ThankQ.
0

Question has a verified solution.
