
Cisco 2610 - SonicWALL, Cisco & PPTP VPN Config Question

Greetings,
I have a Cisco 2610 Router that I need configuration help with. I've been able to allow the PPTP VPN from the outside to the inside successfully. But, now I have the need to allow for clients behind the router to utilize the SonicWALL and Cisco VPN client (IPSec/UDP?) to connect to an outside network. There hasn't been much success in this area. The router config is shown below. Please advise.
Thanks!
---------

Current configuration : 2241 bytes
!
version 12.3
service config
service timestamps debug uptime
service timestamps log datetime msec
service password-encryption
!
hostname 2610
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$L435$jWR47ZuLkP907PQd6EmIL1
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
no ftp-server write-enable
!
!
!
!
interface ATM0/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
!
interface Ethernet0/0
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 full-duplex
!
interface Dialer1
 mtu 1492
 ip address 71.xxx.xxx.xxx 255.255.255.0
 ip access-group 102 in
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp chap hostname xxxx@xxxx.net
 ppp chap password 7 0702225F4B5B495547
 ppp pap sent-username xxxx@xxx.net password 7 0702225F4B5B495547
!
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.244 25 interface Dialer1 25
ip nat inside source static tcp 192.168.1.244 80 interface Dialer1 80
ip nat inside source static tcp 192.168.1.244 443 interface Dialer1 443
ip nat inside source static tcp 192.168.1.215 1723 interface Dialer1 1723
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
access-list 12 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit tcp any any established
access-list 102 permit udp any eq domain any
access-list 102 permit icmp any any echo-reply
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq smtp
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq www
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq 443
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq 1723 log-input
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq 1731
access-list 102 permit gre any host 71.xxx.xxx.xxx
access-list 102 permit esp any any
access-list 102 permit udp any eq isakmp any eq isakmp
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq 1723
!
!
line con 0
 password 7 082C4F5D0C4B554742
 speed 115200
line aux 0
line vty 0 4
 access-class 12 in
 password 7 151F081F01787B7478
 login
!
!
!
End

Asked by: fluffyfrog
 
lrmooreCommented:
try adding permit udp 4500 to acl 102
When a Cisco vpn client on the inside of a nat device (your router) talks to the remote side, they both recognize that nat-traversal and default to udp port 4500 instead of ESP.
 
fluffyfrogAuthor Commented:
Thanks for the reply lrmoore,
I've added the udp port 4500 to ACL 102 as you suggested shown below.

access-list 12 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit tcp any any established
access-list 102 permit udp any eq domain any
access-list 102 permit icmp any any echo-reply
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq smtp
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq www
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq 443
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq 1723 log-input
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq 1731
access-list 102 permit gre any host 71.xxx.xxx.xxx
access-list 102 permit esp any any
access-list 102 permit udp any eq isakmp any eq isakmp
access-list 102 permit tcp any host xxx.xxx.xxx eq 1723
***access-list 102 permit udp any any eq non500-isakmp***
(I did this by copying and pasting from a text document and didn't re-apply the ACL after doing so. Please let me know if you are supposed to reapply the ACL in some way.)

I'm still getting "the peer is not responding" from the Cisco VPN clients and "authenticating..." from the SonicWALL clients. If I attempt a connection using these clients on a WAN card outside of my network I get prompted for login credentials, so I'm thinking that I still don't have my router configured correctly. Do you have any other suggestions?
Thanks again.

jeff
 
lrmooreCommented:
>Please let me know if you are supposed to reapply the ACL in some way

Always !

interface Dialer1
 no ip access-group 102 in
 ip access-group 102 in

You can try removing the acl altogether and see if that works, then we can refine the acl

interface Dialer1
 no ip access-group 102 in

Add:
   access-list 102 deny ip any any log
   logging buffered 4096

Now with "show log" you can see anything that is being denied and can adjust the acl properly.
Proper sequence with acls:
 1 - remove acl from interface
 2 - delete acl completely
 3 - re-enter acl from top down in the proper order
 4 - re-apply acl to the interface


 
lrmooreCommented:
BTW - welcome to EE! I hope we can meet your expectations....

 
fluffyfrogAuthor Commented:
Hello lrmoore,
Thanks for the welcome. I apologize that this is being dragged on and on. I have read manuals and also did my CCNA, but that was quite some time ago and now my primary focus is Microsoft Exchange Servers, so I'm a little rusty on Cisco routers. So, thanks again for the help so far.
I've cleansed my ACLs a little: removed and re-added 102, removed list 12 because it didn't seem to be assigned to anything, and there seemed to be duplicates for ACL 102 and port 1723. I'm still not sure of the perfect order, but I did enable logging as you suggested, and port 4500 for the Cisco and SonicWALL VPNs is being blocked.

The cleansed ACL list...

access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit tcp any any established
access-list 102 permit udp any eq domain any
access-list 102 permit icmp any any echo-reply
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq smtp
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq www
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq 443
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq 1723 log-input
access-list 102 permit tcp any host 71.xxx.xxx.xxx eq 1731
access-list 102 permit gre any host 71.xxx.xxx.xxx
access-list 102 permit esp any any
access-list 102 permit udp any eq isakmp any eq isakmp
access-list 102 permit udp any any eq non500-isakmp
access-list 102 deny   ip any any log

sho log...

Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
    Console logging: level debugging, 110 messages logged, xml disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled
    Buffer logging: level debugging, 57 messages logged, xml disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Trap logging: level informational, 115 message lines logged

Log Buffer (4096 bytes):

*Mar  1 00:52:21.761: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 71.129.234.107 -> 71.129.123.112 (8/0), 1 packet
*Mar  1 00:52:55.921: %SEC-6-IPACCESSLOGP: list 102 denied udp 61.189.223.107(1677) -> 71.129.123.113(1434), 1 packet
*Mar  1 00:53:03.442: %SEC-6-IPACCESSLOGP: list 102 denied udp 70.238.86.241(4500) -> 71.129.123.118(35770), 1 packet    (SONICWALL VPN)
*Mar  1 00:53:05.165: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 4 packets
*Mar  1 00:54:03.047: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 71.130.16.43 -> 71.129.123.112 (8/0), 1 packet
*Mar  1 00:54:05.211: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 7 packets
*Mar  1 00:54:57.773: %SEC-6-IPACCESSLOGP: list 102 denied udp 171.64.235.24(4500) -> 71.129.123.118(35770), 1 packet    (CISCO VPN)
*Mar  1 00:55:05.253: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 1 packet
*Mar  1 00:55:10.518: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.255/network-confg) failed
*Mar  1 00:55:48.532: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.255/cisconet.cfg) failed
*Mar  1 00:56:05.300: %SEC-6-IPACCESSLOGP: list 102 denied udp 70.238.86.241(4500) -> 71.129.123.118(35754), 3 packets
*Mar  1 00:56:26.767: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.255/mosc2610-confg) failed
 --More--




 
lrmooreCommented:
>access-list 102 permit udp any any eq non500-isakmp
Source any, destination 4500

>%SEC-6-IPACCESSLOGP: list 102 denied udp 171.64.235.24(4500) -> 71.129.123.118(35770)
Source 4500, destination any

So change the acl entry:
  access-list 102 permit udp any eq 4500 any

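As an added example (not code from the thread, from lrmoore, or from Cisco), the following Python script models enough of the IOS extended-ACL syntax used here to replay the mix-up lrmoore points out: it parses ACL 102 in both forms, rebuilds the denied packets from two of the `show log` lines posted above (rejoined onto single lines), and applies the same first-match, implicit-deny evaluation the router does. Named ports (`isakmp`, `non500-isakmp`) and wildcard-mask matching follow standard IOS semantics; the function and type names are my own, and supporting only `eq` port operators and a handful of named ports is a deliberate simplification.

```python
"""Check Cisco IOS extended-ACL entries against packets (added example, not from the thread)."""
import ipaddress
import re
from collections import namedtuple

NAMED_PORTS = {"domain": 53, "smtp": 25, "www": 80, "isakmp": 500, "non500-isakmp": 4500}
AddrSpec = namedtuple("AddrSpec", "net wildcard")          # wildcard bit 1 = "don't care"
Entry = namedtuple("Entry", "action proto src sport dst dport established raw")
Packet = namedtuple("Packet", "proto src dst sport dport established",
                    defaults=(None, None, False))          # established: TCP ACK/RST set

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def addr_matches(spec, ip):
    """IOS wildcard-mask comparison: only bits that are 0 in the wildcard must agree."""
    return (ip_int(ip) & ~spec.wildcard) == (spec.net & ~spec.wildcard)

def _addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the token list."""
    if tok[0] == "any":
        return AddrSpec(0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return AddrSpec(ip_int(tok[1]), 0), tok[2:]
    return AddrSpec(ip_int(tok[0]), ip_int(tok[1])), tok[2:]

def _port(tok):
    """Consume an optional 'eq <number|name>' operator (the only operator modelled)."""
    if tok[:1] == ["eq"]:
        return (int(tok[1]) if tok[1].isdigit() else NAMED_PORTS[tok[1]]), tok[2:]
    return None, tok

def parse_entry(line):
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an ACL line: {line}")
    src, rest = _addr(tok[4:])        # tok[2] = permit/deny, tok[3] = protocol
    sport, rest = _port(rest)         # a port right after the source is a SOURCE port
    dst, rest = _addr(rest)
    dport, rest = _port(rest)         # a port after the destination is a DESTINATION port
    return Entry(tok[2], tok[3], src, sport, dst, dport, "established" in rest, line)

def parse_acl(text):
    return [parse_entry(l.strip()) for l in text.splitlines() if l.strip()]

def entry_matches(e, p):
    return ((e.proto == "ip" or e.proto == p.proto)
            and addr_matches(e.src, p.src) and addr_matches(e.dst, p.dst)
            and (e.sport is None or e.sport == p.sport)
            and (e.dport is None or e.dport == p.dport)
            and (not e.established or p.established))

def evaluate(acl, p):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for e in acl:
        if entry_matches(e, p):
            return e.action, e.raw
    return "deny", "<implicit deny>"

LOG_RE = re.compile(r"denied (udp|tcp) (\d+\.\d+\.\d+\.\d+)\((\d+)\) -> (\d+\.\d+\.\d+\.\d+)\((\d+)\)")

def packet_from_log(line):
    """Rebuild the packet a %SEC-6-IPACCESSLOGP line describes."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line}")
    proto, src, sport, dst, dport = m.groups()
    return Packet(proto, src, dst, int(sport), int(dport))

# ACL 102 as posted once UDP 4500 had been added as a *destination* port.
ACL_TEXT = """
access-list 102 permit tcp any any established
access-list 102 permit udp any eq domain any
access-list 102 permit tcp any host 71.129.123.118 eq smtp
access-list 102 permit esp any any
access-list 102 permit udp any eq isakmp any eq isakmp
access-list 102 permit udp any any eq non500-isakmp
access-list 102 deny ip any any log
"""
ACL_BEFORE = parse_acl(ACL_TEXT)
# lrmoore's fix: the NAT-T reply arriving inbound on Dialer1 carries *source* port 4500.
ACL_AFTER = parse_acl(ACL_TEXT.replace("permit udp any any eq non500-isakmp",
                                       "permit udp any eq non500-isakmp any"))
# Two lines from the thread's `show log` output, rejoined onto single lines.
LOG_LINES = [
    "%SEC-6-IPACCESSLOGP: list 102 denied udp 171.64.235.24(4500) -> 71.129.123.118(35770), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 102 denied udp 70.238.86.241(500) -> 71.129.123.118(10), 1 packet",
]

def verdicts(acl):
    """(action, matching entry) for every logged packet under the given ACL."""
    return [evaluate(acl, packet_from_log(l)) for l in LOG_LINES]

if __name__ == "__main__":
    for name, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        for line, (action, why) in zip(LOG_LINES, verdicts(acl)):
            print(f"[{name}] {action:6} {line.split('denied ')[1]}  <- {why}")
```

Running it shows that `permit udp any any eq non500-isakmp` leaves the 4500 -> 35770 packet to fall through to `deny ip any any log`, while `permit udp any eq non500-isakmp any` accepts it. It also shows that the later 500 -> 10 log entries are not covered by `permit udp any eq isakmp any eq isakmp`, because that entry requires 500 as both the source and the destination port.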
 
fluffyfrogAuthor Commented:
Okay, a new port being denied maybe?

I've added the change that you've suggested from above...

access-list 102 permit tcp any any established
access-list 102 permit udp any eq domain any
access-list 102 permit icmp any any echo-reply
access-list 102 permit tcp any host 71.129.123.118 eq smtp
access-list 102 permit tcp any host 71.129.123.118 eq www
access-list 102 permit tcp any host 71.129.123.118 eq 443
access-list 102 permit tcp any host 71.129.123.118 eq 1723 log-input
access-list 102 permit tcp any host 71.129.123.118 eq 1731
access-list 102 permit gre any host 71.129.123.118
access-list 102 permit esp any any
****access-list 102 permit udp any eq non500-isakmp any****
access-list 102 permit udp any eq isakmp any eq isakmp
access-list 102 deny   ip any any log

Now the log shows...

*Mar  1 07:09:21.309: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 71.129.173.27 -> 71.129.123.118 (8/0), 1 packet
*Mar  1 07:09:21.309: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 71.129.173.27 -> 71.129.123.119 (8/0), 1 packet
*Mar  1 07:09:23.421: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 70.238.86.241 -> 71.129.123.118 (3/4), 1 packet
*Mar  1 07:09:41.759: %SEC-6-IPACCESSLOGP: list 102 denied udp 70.238.86.241(500) -> 71.129.123.118(10), 1 packet
*Mar  1 07:09:59.792: %SEC-6-IPACCESSLOGP: list 102 denied udp 70.238.86.241(500) -> 71.129.123.118(11), 1 packet
*Mar  1 07:10:17.822: %SEC-6-IPACCESSLOGP: list 102 denied udp 70.238.86.241(500) -> 71.129.123.118(12), 1 packet **** This seems to be a new block since the ACL change.


 
fluffyfrogAuthor Commented:
Hmmmm, the SonicWALL VPN is working now. I'll test the Cisco VPN soon and let you know the outcome. I think that we're there or veeery close.
Thanks!!!!
 
fluffyfrogAuthor Commented:
Thank you very much lrmoore. Both VPNs are functional now.
 
lrmooreCommented:
Glad to hear it!