Solved

VPN client can't open link inside of Cisco router

Posted on 2006-11-14
Last Modified: 2013-11-29
My company occasionally rents conference room space.  A customer recently tried to open a VPN connection back to his home office, but was unable to do so.  His tech support says they don't do any blocking, as they don't know where their sales people will be coming in from.
I don't have any remote access coming into my network, so don't have anything configured for it.  I am not, as far as I know, blocking traffic going out, so am perplexed as to why the customer's connection isn't working.

I'm running Cisco IOS 12.1 on a 2514.  The version information is shown below.  Can this router support an outgoing VPN connection?  If needed, I can post the configuration info, but want to know if the router can handle doing random outgoing VPN connections before digging into it.


------------------------------------------------------------------
My_Router>show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-I-L), Version 12.1(19), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 04-Mar-03 19:48 by kellythw
Image text-base: 0x03041ECC, data-base: 0x00001000

ROM: System Bootstrap, Version 11.0(10c)XB2, PLATFORM SPECIFIC RELEASE SOFTWARE (fc1)
BOOTLDR: 3000 Bootstrap Software (IGS-BOOT-R), Version 11.0(10c)XB2, PLATFORM SPECIFIC RELEASE SOFTWARE (fc1)

My_Router uptime is 4 weeks, 4 days, 8 hours, 36 minutes
System returned to ROM by power-on
System image file is "flash:/c2500-i-l.121-19.bin"

cisco 2500 (68030) processor (revision L) with 14336K/2048K bytes of memory.
Processor board ID 23075610, with hardware revision 00000000
Bridging software.
X.25 software, Version 3.0.0.
2 Ethernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read ONLY)

Configuration register is 0x2102
Question by:anordquist

Expert Comment

by:Freya28
This IOS version cannot support VPN.  You would need IP Plus or something like the Advanced Security (k9) IOS.  Is all you have a router behind your internet connection?  Do you have a firewall or anything?

Assisted Solution

by:calvinetter
I believe what they're asking is whether this router/IOS version will cause problems with outgoing VPN connections...

anordquist, your problem may not be outbound traffic being blocked, but may simply be the replies that might be blocked.  What type of VPN is this?  If IPSec, you may need to talk to the admin of the remote VPN server to see if they're using some uncommon ports, etc. in their config.  Ensure the following aren't blocked:
  PPTP VPN:
- TCP port 1723 outbound (& don't block replies)
- GRE protocol in/out

  IPSec VPN:
- UDP port 500 in/out
- UDP port 4500 in/out if the VPN server is a Cisco IPSec VPN server; other ports or protocols may need to be specified, depending on the config on the remote VPN server.
- ESP protocol in/out
- AH protocol in/out (maybe)

Wow, this is an ancient router & ancient IOS!  Looks like it's running the most basic IP feature set.  I strongly suggest upgrading to a newer router with the "firewall feature set" (aka "advanced security" image), otherwise you'll need to punch too many holes through your 2514 router, since it's only capable of using plain old ACLs.

cheers

Author Comment

by:anordquist
In response to Freya28, I don't want to support a VPN, I just want to tolerate the occasional existence of one.  Do I need additional IOS modules to do so, or can what I've got be configured to allow a client inside my network to initiate a VPN session to their own network?

Here's my config:

My_Router#sho config
Using 2519 out of 32762 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname My_Router
!
enable secret 5 $1$lP4w$pi58hOvJAoHuPUC99atk50
!
!
!
!
!
ip subnet-zero
no ip source-route
no ip domain-lookup
!
no ip bootp server
!
!
!
interface Ethernet0
 description Private segment
 ip address 172.16.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat inside
 no cdp enable
!
interface Ethernet1
 description Public segment
 ip address 192.168.2.1 255.255.255.0 secondary
 ip address 192.168.0.1 255.255.255.0
 ip access-group 101 in
 ip helper-address 172.16.1.255
 no ip redirects
 no ip unreachables
 ip nat inside
 no cdp enable
!
interface Serial0
 description Internet connection
 bandwidth 1536
 ip address 63.28.117.82 255.255.255.252
 ip access-group 2002 in
 no ip redirects
 no ip unreachables
 ip nat outside
 encapsulation ppp
 no ip mroute-cache
 no fair-queue
 no cdp enable
!
interface Serial1
 description Point-to-Point
 bandwidth 1536
 ip address 10.0.0.1 255.255.255.252
 no ip redirects
 no ip unreachables
 ip nat inside
 encapsulation ppp
 no cdp enable
!
ip nat inside source list 1 interface Serial0 overload
ip nat inside source static 172.16.1.9 221.65.181.89
ip classless
ip route 0.0.0.0 0.0.0.0 63.28.117.81
ip route 172.16.2.0 255.255.255.0 10.0.0.2
ip route 172.16.100.0 255.255.255.0 172.16.1.8
ip route 192.168.1.0 255.255.255.0 10.0.0.2
no ip http server
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 101 permit icmp any any
access-list 101 permit tcp 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255 established
access-list 101 permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
access-list 101 deny   ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 2002 permit tcp any any established
access-list 2002 permit tcp any eq ftp-data any
access-list 2002 permit tcp any host 221.65.181.89 eq 443
access-list 2002 permit tcp 64.18.0.0 0.0.255.255 host 221.65.181.89 eq smtp
access-list 2002 permit udp any eq domain any
access-list 2002 permit icmp any any echo-reply
access-list 2002 permit icmp any any unreachable
access-list 2002 permit udp any eq ntp any
no cdp run
snmp-server engineID local 00000009020000107B81E93A
snmp-server community NA RO 2
snmp-server community readme RO
!
line con 0
line aux 0
line vty 0 4
 password 7 08735C421C0A571E012D031138
 login
!
end

Accepted Solution

by:calvinetter
You could use your existing router & IOS, but you'd have to decide if you want to risk blindly opening up some additional ports/protocols, since you've only got ACLs to work with.  Once again, it's important to know what type of VPN they'd be using, & if IPSec, you'll need to get some further details from the remote VPN server admin.

  If supporting PPTP, you'd do this:
access-list 101 permit gre 192.168.0.0 0.0.255.255 any
access-list 2002 permit gre any any

  If supporting IPSec, at a minimum you'd do the following (details would depend heavily on the remote VPN server):
access-list 101 permit esp 192.168.0.0 0.0.255.255 any
access-list 101 permit ah 192.168.0.0 0.0.255.255 any  <- may be optional
access-list 2002 permit esp any any
access-list 2002 permit ah any any   <- may be optional
access-list 2002 permit udp any eq 500 any
access-list 2002 permit udp any eq 4500 any

cheers
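To see what the ACL lines above actually change on the inbound Serial0 filter, here is an added example (my own, not code from this thread) that models Cisco extended-ACL matching for the keywords used in the posted config and runs the original ACL 2002 and the IPSec additions against constructed packets. The remote VPN server address 203.0.113.5 and the packets are constructed; the evaluator does not model ICMP type keywords.

```python
import ipaddress
from collections import namedtuple
PORTS = {"ftp-data": 20, "smtp": 25, "domain": 53, "ntp": 123}   # names used in the posted ACL
Packet = namedtuple("Packet", "proto src dst sport dport established", defaults=(0, 0, False))

def _addr(t, i, ip):  # consume 'any' | 'host A' | 'A WILDCARD' at t[i]; return (match, next index)
    if t[i] == "any":
        return True, i + 1
    if t[i] == "host":
        return ip == t[i + 1], i + 2
    care = ~int(ipaddress.ip_address(t[i + 1])) & 0xFFFFFFFF      # wildcard 1-bits: don't care
    return (int(ipaddress.ip_address(ip)) & care) == (int(ipaddress.ip_address(t[i])) & care), i + 2

def _port(t, i, port):  # consume an optional 'eq PORT' at t[i]; return (match, next index)
    if i >= len(t) or t[i] != "eq":
        return True, i
    return port == (PORTS.get(t[i + 1]) or int(t[i + 1])), i + 2

def ace_matches(ace, p):
    """Match one 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]' line."""
    t = ace.split()
    if t[3] != p.proto:
        return False
    ok, i = _addr(t, 4, p.src)
    for fn, val in ((_port, p.sport), (_addr, p.dst), (_port, p.dport)):
        m, i = fn(t, i, val); ok = ok and m
    if t[i:] == ["established"]:   # matches only ACK/RST segments, i.e. replies to our own SYNs
        return ok and p.established
    return ok and not t[i:]        # other trailing keywords (ICMP types) are not modelled

def verdict(acl, p):  # first matching entry wins; a Cisco ACL ends with an implicit deny
    return next((a.split()[2] for a in acl if ace_matches(a, p)), "deny")

# Relevant lines of ACL 2002 as posted (inbound on Serial0) and the IPSec entries from the answer.
ACL_2002 = """access-list 2002 permit tcp any any established
access-list 2002 permit tcp any host 221.65.181.89 eq 443
access-list 2002 permit udp any eq domain any""".splitlines()
IPSEC_ADDS = ["access-list 2002 permit esp any any", "access-list 2002 permit udp any eq 500 any",
              "access-list 2002 permit udp any eq 4500 any"]

# Constructed replies from a hypothetical remote VPN server (203.0.113.5), addressed to Serial0's
# own IP because of NAT overload; the stray inbound SYN must stay blocked after the change.
IKE_REPLY = Packet("udp", "203.0.113.5", "63.28.117.82", sport=500, dport=500)
ESP_REPLY = Packet("esp", "203.0.113.5", "63.28.117.82")
STRAY_SYN = Packet("tcp", "203.0.113.5", "63.28.117.82", sport=4444, dport=22)

def check():
    after = ACL_2002 + IPSEC_ADDS
    return {"ike_before": verdict(ACL_2002, IKE_REPLY), "ike_after": verdict(after, IKE_REPLY),
            "esp_after": verdict(after, ESP_REPLY), "syn_after": verdict(after, STRAY_SYN)}
```

Running check() shows the IKE reply is dropped by the original ACL and permitted once the two UDP lines are added, while an unsolicited SYN is still denied; the wildcard-mask path can be exercised with the posted smtp line for 64.18.0.0 0.0.255.255.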
 
LVL 20

Expert Comment

by:calvinetter
Comment Utility
Actually, PPTP most likely won't work in this case, since you're doing PAT, your IOS is old (& not the 'T' series), etc.  IPSec should probably function, but you'll have to tweak the config with info from the remote VPN server admin.

Even without supporting outbound VPN, I strongly suggest upgrading the router & IOS, due to bug & security fixes, & if you get a router with the firewall feature set, it's much easier to support things like outbound VPN.

cheers