Solved

Cisco 2610 - SonicWALL, Cisco & PPTP VPN Config Question

Posted on 2006-07-04
Last Modified: 2008-01-09
Greetings,
I have a Cisco 2610 Router that I need configuration help with. I've been able to allow the PPTP VPN from the outside to the inside successfully. But, now I have the need to allow for clients behind the router to utilize the SonicWALL and Cisco VPN client (IPSec/UDP?) to connect to an outside network. There hasn't been much success in this area. The router config is shown below. Please advise.
Thanks!
---------

Current configuration : 2241 bytes
!
version 12.3
service config
service timestamps debug uptime
service timestamps log datetime msec
service password-encryption
!
hostname 2610
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$L435$jWR47ZuLkP907PQd6EmIL1
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
no ftp-server write-enable
!
!
!
!
interface ATM0/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
!
interface Ethernet0/0
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 full-duplex
!
interface Dialer1
 mtu 1492
 ip address 71.xxx.xxx.xxx 255.255.255.0
 ip access-group 102 in
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp chap hostname xxxx@xxxx.net
 ppp chap password 7 0702225F4B5B495547
 ppp pap sent-username xxxx@xxx.net password 7 0702225F4B5B495547
!
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.244 25 interface Dialer1 25
ip nat inside source static tcp 192.168.1.244 80 interface Dialer1 80
ip nat inside source static tcp 192.168.1.244 443 interface Dialer1 443
ip nat inside source static tcp 192.168.1.215 1723 interface Dialer1 1723
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
access-list 12 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit tcp any any established
access-list 102 permit udp any eq domain any
access-list 102 permit icmp any any echo-reply
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq smtp
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq www
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq 443
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq 1723 log-input
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq 1731
access-list 102 permit gre any host 71.xxx.xxx.xxx
access-list 102 permit esp any any
access-list 102 permit udp any eq isakmp any eq isakmp
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq 1723
!
!
line con 0
 password 7 082C4F5D0C4B554742
 speed 115200
line aux 0
line vty 0 4
 access-class 12 in
 password 7 151F081F01787B7478
 login
!
!
!
End

0
Comment
Question by:fluffyfrog
10 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 17038653
try adding permit udp 4500 to acl 102
When a Cisco vpn client on the inside of a nat device (your router) talks to the remote side, they both recognize that nat-traversal and default to udp port 4500 instead of ESP.
0
 

Author Comment

by:fluffyfrog
ID: 17039352
Thanks for the reply lrmoore,
I've added the udp port 4500 to ACL 102 as you suggested, shown below.

access-list 12 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit tcp any any established
access-list 102 permit udp any eq domain any
access-list 102 permit icmp any any echo-reply
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq smtp
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq www
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq 443
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq 1723 log-input
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq 1731
access-list 102 permit gre any host 71.xxx.xxx.xxx
access-list 102 permit esp any any
access-list 102 permit udp any eq isakmp any eq isakmp
access-list 102 permit tcp any host xxx.xxx.xxx eq 1723
***access-list 102 permit udp any any eq non500-isakmp***
(I did this by copying and pasting from a text document and didn't re-apply the ACL after doing so. Please let me know if you are supposed to reapply the ACL in some way)

I'm still getting "the peer is not responding" from the Cisco VPN clients and "authenticating..." from the SonicWALL clients. If I attempt a connection using these clients on a WAN card outside of my network I get prompted for login credentials, so I'm thinking that I still don't have my router configured correctly. Do you have any other suggestions?
Thanks again.

jeff
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17039371
>Please let me know if you are supposed to reaply the ACL in some way)

Always !

interface Dialer1
 no ip access-group 102 in
 ip access-group 102 in

You can try removing the acl altogether and see if that works, then we can refine the acl

interface Dialer1
 no ip access-group 102 in

Add:
   access-list 102 deny ip any any log
   logg buff 4096

Now with "show log" you can see anything that is being denied and can adjust the acl properly.
Proper sequence with acls:
 1 - remove acl from interface
 2 - delete acl completely
 3 - re-enter acl from top down in the proper order
 4 - re-apply acl to the interface


0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17039375
BTW - welcome to EE! I hope we can meet your expectations....

0
 

Author Comment

by:fluffyfrog
ID: 17040194
Hello lrmoore,
Thanks for the welcome. I apologize that this is being dragged on and on. I have read manuals and also did my CCNA, but that was quite some time ago and now my primary focus is Microsoft Exchange Servers, so I'm a little rusty on Cisco routers. So, thanks again for the help so far.
I've cleaned up my ACLs a little: removed and re-added 102, removed list 12 because it didn't seem to be assigned to anything, and there seemed to be duplicates for ACL 102 and port 1723. I'm still not sure of the perfect order, but I did enable logging as you suggested, and port 4500 for the Cisco and SonicWALL VPN is being blocked.

The cleansed ACL list...

access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit tcp any any established
access-list 102 permit udp any eq domain any
access-list 102 permit icmp any any echo-reply
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq smtp
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq www
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq 443
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq 1723 log-input
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq 1731
access-list 102 permit gre any host 71.xxx.xxx.xxx
access-list 102 permit esp any any
access-list 102 permit udp any eq isakmp any eq isakmp
access-list 102 permit udp any any eq non500-isakmp
access-list 102 deny   ip any any log

sho log...

Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
    Console logging: level debugging, 110 messages logged, xml disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled
    Buffer logging: level debugging, 57 messages logged, xml disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Trap logging: level informational, 115 message lines logged

Log Buffer (4096 bytes):

*Mar  1 00:52:21.761: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 71.129.234.107 -> 71.129.123.112 (8/0), 1 packet
*Mar  1 00:52:55.921: %SEC-6-IPACCESSLOGP: list 102 denied udp 61.189.223.107(1677) -> 71.129.123.113(1434), 1 packet
*Mar  1 00:53:03.442: %SEC-6-IPACCESSLOGP: list 102 denied udp 70.238.86.241(4500) -> 71.129.123.118(35770), 1 packet      (SONICWALL VPN)
*Mar  1 00:53:05.165: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 4 packets
*Mar  1 00:54:03.047: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 71.130.16.43 -> 71.129.123.112 (8/0), 1 packet
*Mar  1 00:54:05.211: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 7 packets
*Mar  1 00:54:57.773: %SEC-6-IPACCESSLOGP: list 102 denied udp 171.64.235.24(4500) -> 71.129.123.118(35770), 1 packet      (CISCO VPN)
*Mar  1 00:55:05.253: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 1 packet
*Mar  1 00:55:10.518: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.255/network-confg) failed
*Mar  1 00:55:48.532: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.255/cisconet.cfg) failed
*Mar  1 00:56:05.300: %SEC-6-IPACCESSLOGP: list 102 denied udp 70.238.86.241(4500) -> 71.129.123.118(35754), 3 packets
*Mar  1 00:56:26.767: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.255/mosc2610-confg) failed
 --More--

0
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 17041904
>access-list 102 permit udp any any eq non500-isakmp
Source any, destination 4500

>%SEC-6-IPACCESSLOGP: list 102 denied udp 171.64.235.24(4500) -> 71.129.123.118(35770)
Source 4500, destination any

So change the acl entry:
  access-list 102 permit udp any eq 4500 any

0
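As an added illustration (not part of the thread, and not Cisco's code), the following Python model of first-match extended-ACL evaluation is run over two of the denied packets quoted in the log above. It shows why `permit udp any any eq non500-isakmp` never matched the NAT-T reply (source port 4500, ephemeral destination port) while `permit udp any eq 4500 any` does. The ACE parser covers only the syntax forms that appear in this thread.

```python
import re

# Port keywords used in the thread's ACL (IOS expands these names to numbers).
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "domain": 53, "smtp": 25, "www": 80}
LOG_RE = re.compile(r"denied (\w+) ([\d.]+)\((\d+)\) -> ([\d.]+)\((\d+)\)")

def parse_log(line):
    """Extract protocol, addresses and ports from a %SEC-6-IPACCESSLOGP line."""
    proto, src, sport, dst, dport = LOG_RE.search(line).groups()
    return {"proto": proto, "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}

def parse_ace(text):
    """Parse the subset of IOS extended-ACL syntax used on this page:
    [access-list N] action proto (any|host A) [eq port] (any|host A) [eq port] [flags]"""
    tok = text.split()
    if tok[0] == "access-list":
        tok = tok[2:]
    ace, i = {"action": tok[0], "proto": tok[1]}, 2
    for side, pkey in (("src", "sport"), ("dst", "dport")):
        if tok[i] == "host":
            ace[side], i = tok[i + 1], i + 2
        else:                                   # 'any' matches every address
            ace[side], i = None, i + 1
        if i < len(tok) and tok[i] == "eq":     # 'eq' pins one port on this side
            name = tok[i + 1]
            ace[pkey], i = (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
        else:                                   # no 'eq': any port
            ace[pkey] = None
    ace["flags"] = set(tok[i:])
    return ace

def ace_matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    if "established" in ace["flags"] and not pkt.get("ack"):   # TCP replies only
        return False
    return all(ace[k] is None or ace[k] == pkt[k] for k in ("src", "sport", "dst", "dport"))

def evaluate(acl, pkt):
    """First matching entry wins; IOS appends an implicit 'deny ip any any'."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"

# The UDP entries as the question first added them, and as the accepted answer corrected them.
BEFORE = [parse_ace(a) for a in ("permit udp any eq isakmp any eq isakmp",
                                  "permit udp any any eq non500-isakmp", "deny ip any any log")]
AFTER = [parse_ace(a) for a in ("permit udp any eq isakmp any eq isakmp",
                                 "permit udp any eq 4500 any", "deny ip any any log")]
# Two denied packets copied from the "sho log" output quoted in the thread.
NAT_T_REPLY = parse_log("*Mar  1 00:54:57.773: %SEC-6-IPACCESSLOGP: list 102 denied udp "
                        "171.64.235.24(4500) -> 71.129.123.118(35770), 1 packet")
ISAKMP_REPLY = parse_log("*Mar  1 07:09:41.759: %SEC-6-IPACCESSLOGP: list 102 denied udp "
                         "70.238.86.241(500) -> 71.129.123.118(10), 1 packet")
```

Running `evaluate(BEFORE, NAT_T_REPLY)` gives "deny" and `evaluate(AFTER, NAT_T_REPLY)` gives "permit"; the later 500 -> 10 packet is denied under both lists, because the isakmp entry requires port 500 on both sides.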
 

Author Comment

by:fluffyfrog
ID: 17050788
Okay, a new port being denied maybe?

I've added the change that you've suggested from above...

access-list 102 permit tcp any any established
access-list 102 permit udp any eq domain any
access-list 102 permit icmp any any echo-reply
access-list 102 permit tcp any host 71.129.123.118 eq smtp
access-list 102 permit tcp any host 71.129.123.118 eq www
access-list 102 permit tcp any host 71.129.123.118 eq 443
access-list 102 permit tcp any host 71.129.123.118 eq 1723 log-input
access-list 102 permit tcp any host 71.129.123.118 eq 1731
access-list 102 permit gre any host 71.129.123.118
access-list 102 permit esp any any
****access-list 102 permit udp any eq non500-isakmp any****
access-list 102 permit udp any eq isakmp any eq isakmp
access-list 102 deny   ip any any log

Now the log shows...

*Mar  1 07:09:21.309: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 71.129.173.27 -> 71.129.123.118 (8/0), 1 packet
*Mar  1 07:09:21.309: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 71.129.173.27 -> 71.129.123.119 (8/0), 1 packet
*Mar  1 07:09:23.421: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 70.238.86.241 -> 71.129.123.118 (3/4), 1 packet
*Mar  1 07:09:41.759: %SEC-6-IPACCESSLOGP: list 102 denied udp 70.238.86.241(500) -> 71.129.123.118(10), 1 packet
*Mar  1 07:09:59.792: %SEC-6-IPACCESSLOGP: list 102 denied udp 70.238.86.241(500) -> 71.129.123.118(11), 1 packet
*Mar  1 07:10:17.822: %SEC-6-IPACCESSLOGP: list 102 denied udp 70.238.86.241(500) -> 71.129.123.118(12), 1 packet **** This seems to be a new block since the ACL change.

0
 

Author Comment

by:fluffyfrog
ID: 17050837
Hmmmm, the SonicWALL VPN is working now. I'll test the Cisco VPN soon and let you know the outcome. I think that we're there or veeery close.
Thanks!!!!
0
 

Author Comment

by:fluffyfrog
ID: 17055972
Thank you very much lrmoore. Both VPN's are functional now.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17057444
Glad to hear it!
0
