Cisco 1841 - need to get VPN working, 2nd 1841 needs to pass ssh traffic and rdp traffic to specific internal servers.

I have a two-part question... I have two Cisco 1841 routers for two separate networks.  On the first network I would like to be able to VPN into the 1841 and internal LAN from my laptop remotely.  This network has only two servers, no domain, RADIUS, etc.  Everything must be done on the 1841.  I would like to use the Cisco VPN Client for access.  I have never set up a Cisco VPN so this is new for me.

My second 1841 will have the same network behind it but instead of VPN it can just pass SSH and other ports needed to the specific internal servers.  I am starting with a pretty basic configuration on the 1841's, there are no other firewalls in front or behind these routers, I upgraded the IOS to the 12.4(7) AdvSecurity version.  Once I get everything working I would like to lockdown the FW and IPS where possible.  Here is what I have for the current 1841 configs,


Current configuration : 3287 bytes
!
version 12.4
no parser cache
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1841router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
no ip source-route
ip cef
!
!
!
!
ip ips notify SDEE
ip domain name 1841
ip name-server external ip
ip name-server external ip
!
!
crypto pki trustpoint TP-self-signed-xxxxxx
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-xxxxx
 revocation-check none
 rsakeypair TP-self-signed-xxxxxxxxx
!
!
crypto pki certificate chain TP-self-signed-xxxxxxxx
 certificate self-signed 01

username new2cisco privilege 15 password 7 11111111111111111111111
!
!
!
!
!
interface FastEthernet0/0
 description inside
 ip address 10.0.x.x 255.255.255.0
 ip access-group 101 out
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 speed auto
 half-duplex
 no cdp enable
!
interface FastEthernet0/1
 description outside
 ip address 1.2.3.4 255.255.255.240
 ip access-group 101 in
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 speed auto
 half-duplex
 no cdp enable
!
interface Serial0/0/0
 no ip address
 shutdown
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 1.2.3.5
!
no ip http server
ip http authentication local
ip http secure-server
ip http max-connections 1
ip http client source-interface FastEthernet0/0
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 permit 10.0.x.x 0.0.0.255
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any any established
access-list 101 permit icmp any any echo-reply
no cdp run
!
!
control-plane
!
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input ssh
!
scheduler allocate 20000 1000
end

This is urgent as I am leaving town for a while and now need secure remote access to these boxes.  Thanks.
pjn308 asked:
 
prashsax commented:
Ok, Now I know what is happening.

You have applied ACL on outside interface for incoming traffic.

Now on the outside interface the ACL is applied first and then NAT happens.

So, you have made acl for traffic coming from any to 10.x.x.x.x eq 22.

But in reality the original packet will have target IP as 24.x.x.x. eq 22.

That is why it is not able to come inside the router and NAT/port forwarding did not work.

Change that ACL to:
access-list 101 permit tcp any any eq 22

This will sure do the trick.


0
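The order of operations described above (inbound ACL on the `ip nat outside` interface is evaluated against the packet as it arrives, with the public destination address, and only then does the static NAT rewrite it to the inside host) is easy to get wrong and hard to see from `show` output. The following Python model is an added illustration, not configuration or code from this thread or from Cisco: it replays the thread's own addresses and port forward through that sequence and shows why an entry written against `10.0.1.105` never matches while one written against the router's public address does. The ACL matcher is simplified (ICMP types and wildcard masks are not modelled), and `203.0.113.9` is a constructed client address.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False  # TCP ACK or RST set; what IOS "established" keys on


@dataclass(frozen=True)
class AclEntry:
    action: str                # "permit" or "deny"
    proto: str                 # "tcp", "udp", "icmp" or "ip"
    src: str                   # "any" or a CIDR such as "24.1.2.3/32"
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    """First matching entry wins; every IOS ACL ends with an implicit 'deny any'."""
    for e in acl:
        if e.proto not in ("ip", pkt.proto):
            continue
        if not (_addr_matches(e.src, pkt.src) and _addr_matches(e.dst, pkt.dst)):
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        if e.established and not pkt.established:
            continue
        return e.action == "permit"
    return False


# The thread's port forward:
#   ip nat inside source static tcp 10.0.1.105 22 interface FastEthernet0/1 22
# keyed as (proto, outside address, outside port) -> (inside address, inside port)
STATIC_NAT = {("tcp", "24.1.2.3", 22): ("10.0.1.105", 22)}


def apply_static_nat(pkt: Packet) -> Packet:
    inside = STATIC_NAT.get((pkt.proto, pkt.dst, pkt.dport))
    if inside is None:
        return pkt
    return Packet(pkt.proto, pkt.src, inside[0], pkt.sport, inside[1], pkt.established)


def inbound_on_outside(acl: List[AclEntry], pkt: Packet) -> Optional[Packet]:
    """Outside-to-inside path: the inbound ACL sees the untranslated packet,
    then static NAT rewrites the destination.  None means the ACL dropped it."""
    if not acl_permits(acl, pkt):
        return None
    return apply_static_nat(pkt)


# The thread's access-list 101 as applied 'in' on FastEthernet0/1
# (DNS replies and TCP return traffic; the echo-reply line is omitted here).
BASE = [
    AclEntry("permit", "udp", "any", "any", sport=53),
    AclEntry("permit", "tcp", "any", "any", established=True),
]
# Written against the inside address: evaluated before NAT, so it never matches.
ACL_INSIDE_ADDR = BASE + [AclEntry("permit", "tcp", "any", "10.0.1.105/32", dport=22)]
# Written against the router's public address: matches the pre-NAT packet.
ACL_PUBLIC_ADDR = BASE + [AclEntry("permit", "tcp", "any", "24.1.2.3/32", dport=22)]
# The thread's 'permit tcp any any eq 22' also works but is wider than needed.
ACL_ANY_22 = BASE + [AclEntry("permit", "tcp", "any", "any", dport=22)]

# Constructed sample packets from a remote client (203.0.113.9 is a documentation address).
SSH_SYN = Packet("tcp", "203.0.113.9", "24.1.2.3", sport=51000, dport=22)
RDP_SYN = Packet("tcp", "203.0.113.9", "24.1.2.3", sport=51001, dport=3389)


def demo() -> dict:
    return {
        "inside_addr_acl": inbound_on_outside(ACL_INSIDE_ADDR, SSH_SYN),  # None: dropped
        "public_addr_acl": inbound_on_outside(ACL_PUBLIC_ADDR, SSH_SYN),  # forwarded to 10.0.1.105:22
        "any_22_acl": inbound_on_outside(ACL_ANY_22, SSH_SYN),            # forwarded as well
        "rdp_no_forward": inbound_on_outside(ACL_PUBLIC_ADDR, RDP_SYN),   # None: no ACL entry, no NAT
    }


if __name__ == "__main__":
    for name, result in demo().items():
        outcome = "dropped" if result is None else "%s:%d" % (result.dst, result.dport)
        print("%-16s -> %s" % (name, outcome))
```

The practical consequence for the thread's router is that the permit line on the outside interface should name the public address (`permit tcp any host 24.1.2.3 eq 22`) rather than the server's private address, and that any port not explicitly permitted and forwarded (RDP in the model) is still dropped by the implicit deny.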
 
prashsax commented:
For configuring SSH behind the router, all you need to do is enable static NAT to your internal server and an ACL for port TCP/22.

Use NAT to map your internal server IP to External(Public IP).
Put an ACL to allow access to port TCP/22 for that internal server.


For VPN access, refer this document

http://www.cisco.com/en/US/products/ps5853/products_configuration_guide_chapter09186a00804582da.html


0
 
prashsax commented:
Oh yes, for RDP one more ACL to allow the TCP/3389 port to your server. Provided it's the same server as your SSH.

If not, you again need one more NAT.

If you have one IP, then you can use port forwarding.

Refer this link:
http://www.portforward.com/english/routers/port_forwarding/Cisco/Cisco678/default.htm
0
 
pjn308 (Author) commented:
Thanks for the reply, The VPN will not be router to router...  I will mostly be connecting from wireless access points, cellular networks, etc.  Hardly ever behind a real network, mostly SOHO and coffee shop types of places.

As far as the NATs and ACLs, that is what I have been trying without success.  I know what I need, I just can't seem to get the correct entries in there.  

Ps. Each of the 1841's will have only 1 public address on its outside interface.  Thanks.
0
 
prashsax commented:
Ok, what you need to do is to forward ports from your public IP to private IP since you have only one public address.

This is how you do this.

Assuming the private ip is 192.168.1.2 and Ethernet1 is outside port, add the following command line.

ip nat inside source static tcp 192.168.1.2 port # interface Ethernet 1 port #

so you write for ssh.

ip nat inside source static tcp ssh_server_ip port 22 interface outside_interface port 22

Now, this will forward any request coming on port 22 of your router to your internal ssh_server port 22.

Similarly you can forward port 3389 for RDP.

0
 
pjn308 (Author) commented:
I will try this as soon as I can get back into the router (I chose not to allow remote ssh into the router at this point).  As far as setting up the VPN, what would be the easiest route to get VPN working?  thanks.
0
 
pjn308 (Author) commented:
I added the line exactly as listed above and still no connection...Do I need to create another ACL?
0
 
pjn308 (Author) commented:
I added the NAT statement and still could not get it to work, is there anybody who can point out my error in the config???  thanks
0
 
prashsax commented:
Yes, you need to create an ACL which allows connections from any to your local IP 192.168.1.2 on ports 22 and 3389.
0
 
pjn308 (Author) commented:
I cannot get this to work, here are the pertinent parts of the configs

interface FastEthernet0/0
 description inside
 ip address 10.0.1.1 255.255.255.0
 ip access-group 101 out
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 speed auto
 half-duplex
 no cdp enable
!
interface FastEthernet0/1
 description outside
 ip address 24.1.2.3 255.255.255.240
 ip access-group 101 in
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 speed auto
 half-duplex
 no cdp enable
!
ip nat inside source list 1 interface FastEthernet0/1 overload
! this is for the nat translation to an internal server for ssh over port 8022
ip nat inside source static tcp 10.0.1.105 8022 interface FastEthernet0/1 8022
! this is for the nat translation to an internal server for ssh over port 22
ip nat inside source static tcp 10.0.1.100 22 interface FastEthernet0/1 22
!
access-list 1 permit 10.0.10.0 0.0.0.255
! this ACL is for outbound internet access, outbound on inside and inbound on external
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any any established
access-list 101 permit icmp any any echo-reply


I tried creating/adding ACLs to no avail.  I just can't figure out what I am missing and I know it's so simple.  The above config portion does not have the ACL for the SSH server in it at this time, but I tried many times with different variations to get it to work.  Can you write out the actual ACL and NAT statements as they would be entered and how you would apply them to which interface, to see if I am missing something or doing it incorrectly?  
0
 
prashsax commented:
access-list 101 permit tcp any 10.0.1.100 eq 22


This should enable the access on port 22.
0
 
pjn308 (Author) commented:
I have tried that exact ACL along with the NAT translations that are in place without luck.  Do you think it has something to do with the ip access-group 101 in on the external interface and ip access-group 101 out on the inside interface?  I have other routers that I have not had too much trouble with, this one is just causing my head to hurt, I know there is something I am overlooking.  Thanks a lot for your help.
0
 
pjn308 (Author) commented:
It has to be something with how the ACLs are applied.  I have verified that the SSH servers are fully operational and there is no reason I can see why I cannot get SSH through this router.  Please see the most current config that I think SHOULD be working.  

version 12.4
no parser cache
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
no ip source-route
ip cef
!
!        
!
!
ip ips notify SDEE
ip domain name router
ip name-server 24.1.0.3
ip name-server 24.1.0.4
!
!
crypto pki trustpoint TP-self-signed-1500000000
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-150000000
 revocation-check none
 rsakeypair TP-self-signed-1500000000
!
!
crypto pki certificate chain TP-self-signed-1500000000
 certificate self-signed 01
  30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    quit
username test privilege 15 password 7 2345667377845766575737645
!
!
!
!
!
interface FastEthernet0/0
 description inside
 ip address 10.0.1.1 255.255.255.0
 ip access-group 101 out
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 speed auto
 half-duplex
 no cdp enable
!
interface FastEthernet0/1
 description outside
 ip address 24.1.2.3 255.255.255.240
 ip access-group 101 in
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 speed auto
 half-duplex
 no cdp enable
!
interface Serial0/0/0
 no ip address
 shutdown
!        
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 24.1.2.1
!
no ip http server
ip http authentication local
ip http secure-server
ip http max-connections 1
ip http client source-interface FastEthernet0/0
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.0.1.105 22 interface FastEthernet0/1 22
!
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any any established
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any host 10.0.1.105 eq 22
no cdp run
!
!        
control-plane
!
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input ssh
!
scheduler allocate 20000 1000
end
0
 
pjn308 (Author) commented:
Also, I CAN SSH from the router into the server so I know that portion is working.
0
 
pjn308 (Author) commented:
I have tried every variation of ACLs and NAT translations. Can you please look at my config? I am convinced there is something I am missing in the config or I am putting the ACL in wrong.  I have gone over this time and time again.
0
 
prashsax commented:
First of all remove this line:

>ip access-group 101 out

from your internal interface.

You have applied acl with same number to both interfaces.

0
 
pjn308 (Author) commented:
That has been removed, I still cannot access internal servers.  Thanks.
0
 
prashsax commented:
Just confirming.....

You are trying to ssh on your external interface IP and want to connect to Internal SSH running on a server 10.0.1.105.

So from outside your network, i.e. from some other internet connection, you are trying

telnet External_IP 22          and could not connect.

Now, I could not see any reason why this should not work.

Could you please try and remove the ACL and then connect.
This will make sure that problem is with ACL and not port forwarding.

0
 
pjn308 (Author) commented:
That is correct, I have tried connecting by using PuTTY to the external IP on port 22 as well as telnet external 22.  Nothing seems to work.  If I remove the ACLs, won't everything be blocked by default?  ACL 101 was needed for internal boxes to get to the internet.  Thanks.
0
 
pjn308 (Author) commented:
LOL, I was looking through the configs with one of the network guys I work with and he suggested changing the 10. address to the external 24. address.  So at this point I am guessing this is what the issue is.  I will try making this change later today.  Thanks a lot for your patience.
0
 
pjn308 (Author) commented:
Ok, I do have it working ok now.....

Now for the VPN portion for the other 1841 router.  What do you recommend, WebVPN, EasyVPN, etc.?  I am wanting to use a laptop to VPN into a portion of the network, mostly Windows machines.  There will be no other devices or firewalls on this network.  Thanks.
0
 
prashsax commented:
WebVPN is more robust in terms of use and connection availability.

As WebVPN works on SSL, you can connect to it using a proxy as well. (Comes in handy when staying in hotels.)

EasyVPN on the other hand cannot connect from behind proxies.

You require direct or natted internet connection to connect easyvpn.

Other than this, EasyVPN has no other drawback. It provides good speed and rock solid security.

So, its up to you to decide.
0
 
pjn308 (Author) commented:
Thanks a lot for your assistance on this!  I will look at WebVPN for my solution.
0
 
prashsax commented:
ThankQ.
0