Solved

Cisco 2610 - SonicWALL, Cisco & PPTP VPN Config Question

Posted on 2006-07-04
Last Modified: 2008-01-09
Greetings,
I have a Cisco 2610 Router that I need configuration help with. I've been able to allow the PPTP VPN from the outside to the inside successfully. But, now I have the need to allow for clients behind the router to utilize the SonicWALL and Cisco VPN client (IPSec/UDP?) to connect to an outside network. There hasn't been much success in this area. The router config is shown below. Please advise.
Thanks!
---------

Current configuration : 2241 bytes
!
version 12.3
service config
service timestamps debug uptime
service timestamps log datetime msec
service password-encryption
!
hostname 2610
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$L435$jWR47ZuLkP907PQd6EmIL1
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
no ftp-server write-enable
!
!
!
!
interface ATM0/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
!
interface Ethernet0/0
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 full-duplex
!
interface Dialer1
 mtu 1492
 ip address 71.xxx.xxx.xxx 255.255.255.0
 ip access-group 102 in
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp chap hostname xxxx@xxxx.net
 ppp chap password 7 0702225F4B5B495547
 ppp pap sent-username xxxx@xxx.net password 7 0702225F4B5B495547
!
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.244 25 interface Dialer1 25
ip nat inside source static tcp 192.168.1.244 80 interface Dialer1 80
ip nat inside source static tcp 192.168.1.244 443 interface Dialer1 443
ip nat inside source static tcp 192.168.1.215 1723 interface Dialer1 1723
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
access-list 12 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit tcp any any established
access-list 102 permit udp any eq domain any
access-list 102 permit icmp any any echo-reply
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq smtp
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq www
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq 443
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq 1723 log-input
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq 1731
access-list 102 permit gre any host 71.xxx.xxx.xxx
access-list 102 permit esp any any
access-list 102 permit udp any eq isakmp any eq isakmp
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq 1723
!
!
line con 0
 password 7 082C4F5D0C4B554742
 speed 115200
line aux 0
line vty 0 4
 access-class 12 in
 password 7 151F081F01787B7478
 login
!
!
!
End

Question by:fluffyfrog

10 Comments
LVL 79

Expert Comment

by:lrmoore
ID: 17038653
try adding permit udp 4500 to acl 102
When a Cisco VPN client on the inside of a NAT device (your router) talks to the remote side, they both recognize NAT traversal and default to UDP port 4500 instead of ESP.

Author Comment

by:fluffyfrog
ID: 17039352
Thanks for the reply lrmoore,
I've added UDP port 4500 to ACL 102 as you suggested, shown below.

access-list 12 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit tcp any any established
access-list 102 permit udp any eq domain any
access-list 102 permit icmp any any echo-reply
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq smtp
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq www
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq 443
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq 1723 log-input
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq 1731
access-list 102 permit gre any host 71.xxx.xxx.xxx
access-list 102 permit esp any any
access-list 102 permit udp any eq isakmp any eq isakmp
access-list 102 permit tcp any host xxx.xxx.xxx eq 1723
***access-list 102 permit udp any any eq non500-isakmp***
(I did this by copying and pasting from a text document and didn't re-apply the ACL after doing so. Please let me know if you are supposed to reapply the ACL in some way.)

I'm still getting "the peer is not responding" from the Cisco VPN clients and "authenticating..." from the SonicWALL clients. If I attempt a connection using these clients on a WAN card outside of my network I get prompted for login credentials, so I'm thinking that I still don't have my router configured correctly. Do you have any other suggestions?
Thanks again.

jeff
LVL 79

Expert Comment

by:lrmoore
ID: 17039371
>Please let me know if you are supposed to reapply the ACL in some way.)

Always !

interface Dialer1
 no ip access-group 102 in
 ip access-group 102 in

You can try removing the ACL altogether and see if that works, then we can refine the ACL.

interface Dialer1
 no ip access-group 102 in

Add:
   access-list 102 deny ip any any log
   logg buff 4096

Now with "show log" you can see anything that is being denied and can adjust the acl properly.
Proper sequence with acls:
 1 - remove acl from interface
 2 - delete acl completely
 3 - re-enter acl from top down in the proper order
 4 - re-apply acl to the interface

LVL 79

Expert Comment

by:lrmoore
ID: 17039375
BTW - welcome to EE! I hope we can meet your expectations....

Author Comment

by:fluffyfrog
ID: 17040194
Hello lrmoore,
Thanks for the welcome. I apologize that this is being dragged on and on. I have read manuals and also did my CCNA, but that was quite some time ago and now my primary focus is Microsoft Exchange Servers, so I'm a little rusty on Cisco routers. So, thanks again for the help so far.
I've cleansed my ACLs a little, removed and re-added 102, removed list 12 because it didn't seem to be assigned to anything, and there seemed to be duplicates for ACL 102 and port 1723. I'm still not sure of the perfect order, but I did enable logging as you suggested and port 4500 for the Cisco and SonicWALL VPN is being blocked.

The cleansed ACL list...

access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit tcp any any established
access-list 102 permit udp any eq domain any
access-list 102 permit icmp any any echo-reply
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq smtp
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq www
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq 443
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq 1723 log-input
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq 1731
access-list 102 permit gre any host 71.xxx.xxx.xxx
access-list 102 permit esp any any
access-list 102 permit udp any eq isakmp any eq isakmp
access-list 102 permit udp any any eq non500-isakmp
access-list 102 deny   ip any any log

sho log...

Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
    Console logging: level debugging, 110 messages logged, xml disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled
    Buffer logging: level debugging, 57 messages logged, xml disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Trap logging: level informational, 115 message lines logged

Log Buffer (4096 bytes):

*Mar  1 00:52:21.761: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 71.129.234.107 -> 71.129.123.112 (8/0), 1 packet
*Mar  1 00:52:55.921: %SEC-6-IPACCESSLOGP: list 102 denied udp 61.189.223.107(1677) -> 71.129.123.113(1434), 1 packet
*Mar  1 00:53:03.442: %SEC-6-IPACCESSLOGP: list 102 denied udp 70.238.86.241(4500) -> 71.129.123.118(35770), 1 packet    (SONICWALL VPN)
*Mar  1 00:53:05.165: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 4 packets
*Mar  1 00:54:03.047: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 71.130.16.43 -> 71.129.123.112 (8/0), 1 packet
*Mar  1 00:54:05.211: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 7 packets
*Mar  1 00:54:57.773: %SEC-6-IPACCESSLOGP: list 102 denied udp 171.64.235.24(4500) -> 71.129.123.118(35770), 1 packet    (CISCO VPN)
*Mar  1 00:55:05.253: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 1 packet
*Mar  1 00:55:10.518: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.255/network-confg) failed
*Mar  1 00:55:48.532: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.255/cisconet.cfg) failed
*Mar  1 00:56:05.300: %SEC-6-IPACCESSLOGP: list 102 denied udp 70.238.86.241(4500) -> 71.129.123.118(35754), 3 packets
*Mar  1 00:56:26.767: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.255/mosc2610-confg) failed
 --More--
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 17041904
>access-list 102 permit udp any any eq non500-isakmp
Source any, destination 4500

>%SEC-6-IPACCESSLOGP: list 102 denied udp 171.64.235.24(4500) -> 71.129.123.118(35770)
Source 4500, destination any

So change the acl entry:
  access-list 102 permit udp any eq 4500 any
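lrmoore's point about source versus destination port, and the first comment's note that NAT-T moves the exchange to UDP 4500, worked through as an added example that is not part of the thread: a small Python evaluator for the subset of IOS extended-ACL syntax used here (any/host addresses, optional eq ports, the isakmp and non500-isakmp keywords), run over the NAT-T log line posted above. The log line and ACL entries are copied from the thread; the parser, its keyword table and the matching logic are my own construction, not Cisco's.

```python
import re
# Constructed from the thread: the logged NAT-T reply and the two port-4500 entries
# (the original destination-port form and lrmoore's source-port correction).
NAT_T_REPLY = ("*Mar  1 00:54:57.773: %SEC-6-IPACCESSLOGP: list 102 denied udp "
               "171.64.235.24(4500) -> 71.129.123.118(35770), 1 packet")
WRONG = "access-list 102 permit udp any any eq non500-isakmp"  # matches dst 4500
RIGHT = "access-list 102 permit udp any eq 4500 any"           # matches src 4500

LOG_RE = re.compile(r"denied (\w+) (\S+)\((\d+)\) -> (\S+)\((\d+)\)")
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "domain": 53}  # IOS keywords

def _addr(tok, i):
    # 'any' or 'host A.B.C.D' -> (address, next token index)
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError("unsupported address form: " + tok[i])

def _port(tok, i):
    # optional 'eq <port>' -> (port number or None, next token index)
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i

def parse_entry(line):
    # 'access-list N permit|deny <proto> <src> [eq P] <dst> [eq P] ...' (trailing
    # keywords such as established or log-input are ignored)
    tok = line.split()
    src, i = _addr(tok, 4)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, _ = _port(tok, i)
    return {"action": tok[2], "proto": tok[3],
            "src": src, "sport": sport, "dst": dst, "dport": dport}

def parse_log(line):
    m = LOG_RE.search(line)  # fields of a %SEC-6-IPACCESSLOGP (tcp/udp) message
    return m.group(1), m.group(2), int(m.group(3)), m.group(4), int(m.group(5))

def matches(e, pkt):
    proto, src, sport, dst, dport = pkt
    return (e["proto"] in ("ip", proto) and e["src"] in ("any", src) and e["sport"] in (None, sport)
            and e["dst"] in ("any", dst) and e["dport"] in (None, dport))

def first_match(acl, log_line):
    # (action, entry) of the first ACL line matching the logged packet
    pkt = parse_log(log_line)
    for line in acl:
        if matches(parse_entry(line), pkt):
            return parse_entry(line)["action"], line
    return "deny", "implicit deny ip any any"
```

Running first_match([WRONG], NAT_T_REPLY) falls through to the implicit deny, exactly what the router logged, while first_match([RIGHT], NAT_T_REPLY) permits the reply. The same evaluator shows why the later log line with source 500 and destination 10 is not matched by the isakmp entry, which requires 500 on both sides.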
Author Comment

by:fluffyfrog
ID: 17050788
Okay, a new port being denied maybe?

I've added the change that you've suggested from above...

access-list 102 permit tcp any any established
access-list 102 permit udp any eq domain any
access-list 102 permit icmp any any echo-reply
access-list 102 permit tcp any host 71.129.123.118 eq smtp
access-list 102 permit tcp any host 71.129.123.118 eq www
access-list 102 permit tcp any host 71.129.123.118 eq 443
access-list 102 permit tcp any host 71.129.123.118 eq 1723 log-input
access-list 102 permit tcp any host 71.129.123.118 eq 1731
access-list 102 permit gre any host 71.129.123.118
access-list 102 permit esp any any
****access-list 102 permit udp any eq non500-isakmp any****
access-list 102 permit udp any eq isakmp any eq isakmp
access-list 102 deny   ip any any log

Now the log shows...

*Mar  1 07:09:21.309: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 71.129.173.27 -> 71.129.123.118 (8/0), 1 packet
*Mar  1 07:09:21.309: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 71.129.173.27 -> 71.129.123.119 (8/0), 1 packet
*Mar  1 07:09:23.421: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 70.238.86.241 -> 71.129.123.118 (3/4), 1 packet
*Mar  1 07:09:41.759: %SEC-6-IPACCESSLOGP: list 102 denied udp 70.238.86.241(500) -> 71.129.123.118(10), 1 packet
*Mar  1 07:09:59.792: %SEC-6-IPACCESSLOGP: list 102 denied udp 70.238.86.241(500) -> 71.129.123.118(11), 1 packet
*Mar  1 07:10:17.822: %SEC-6-IPACCESSLOGP: list 102 denied udp 70.238.86.241(500) -> 71.129.123.118(12), 1 packet **** This seems to be a new block since the ACL change.
Author Comment

by:fluffyfrog
ID: 17050837
Hmmmm, the SonicWALL VPN is working now. I'll test the Cisco VPN soon and let you know the outcome. I think that we're there or veeery close.
Thanks!!!!
Author Comment

by:fluffyfrog
ID: 17055972
Thank you very much lrmoore. Both VPNs are functional now.
LVL 79

Expert Comment

by:lrmoore
ID: 17057444
Glad to hear it!