Cisco 877 Cannot access port 25 through VPN

Posted on 2007-11-27
Last Modified: 2010-05-18
Hi there
We have a new Cisco 877 at our main office which has just replaced an old SonicWall Pro100.
There is a VPN which has been set up to a SonicWall TZ170 and it seems to be functioning fine, apart from the fact that we cannot access ports through the VPN which are also forwarded from the external interface.
We only have 1 public IP so cannot terminate the VPN on another IP.
This used to work with the SonicWall, but we have been unsuccessful with the Cisco.  Is this possible?
Please let me know if you need to see the config or any other details and I will post them.

Thank you in advance

Michael
Question by:Michael_Melb_Aust
 
LVL 7

Expert Comment

by:naughton
ID: 20362193
Hey Michael,

does FTP work also?
do you use a PPPoE or PPPoA connection?
 
LVL 6

Author Comment

by:Michael_Melb_Aust
ID: 20362480
I cannot confirm the FTP at this stage as I don't have access to the remote site right now.  However, it is a PPPoE connection.
 
LVL 7

Expert Comment

by:naughton
ID: 20362537
how about Remote Desktop through the tunnel?
 
LVL 6

Author Comment

by:Michael_Melb_Aust
ID: 20362717
They don't use this through the tunnel.
I only need to get port 25 working so a network scanner can email.
 
LVL 7

Expert Comment

by:naughton
ID: 20362729
email/RDC and FTP seem to be problematic with VPNs using PPPoE connections on 800 series routers, hence the question.  if either of these two don't work, then I'd look at the router / PPPoE and possibly changing to PPPoA, or using ip tcp adjust-mss entries.

if the other two work, then I'd look more at port 25.

 
LVL 6

Author Comment

by:Michael_Melb_Aust
ID: 20364045
We had a similar problem with FTP on a Cisco 1841 the other day.   However, because they had multiple public IPs we were able to change the public IP which the VPN terminated at.  I was thinking it was going to be the same sort of thing...
I'll try the FTP and Remote Desktop when I get a chance.
 
LVL 9

Expert Comment

by:trinak96
ID: 20364138
Hi, Post your config here (sanitised of course) and we'll take a look.
 
LVL 6

Author Comment

by:Michael_Melb_Aust
ID: 20364358
Here is our config, usernames, IPs and passwords changed.  I know... pretty much completely set up via SDM...  :)

!
! Last configuration change at 10:50:08 PCTime Fri Nov 23 2007 by 
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname MelbPriInt
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$O4d
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local 
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 10
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name e.com.au
ip name-server 10.0.0.1
ip name-server 210.23.129.34
ip name-server 210.23.129.35
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-3833460806
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3833460806
 revocation-check none
 rsakeypair TP-self-signed-3833460806
!
!
crypto pki certificate chain TP-self-signed-3833460806
 certificate self-signed 01
  quit
username root privilege 15 secret 5 $1$bAIn$RG6uFszR9.7O
username supervisor privilege 15 secret 5 $1$lFIz$z3gZ8BrId
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key super address 202.47.654.737
crypto isakmp key super address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA1 
 match address 105
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel to7
 set peer 202.147.654.737
 set transform-set ESP-3DES-SHA 
 match address 103
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 
!
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pvc 8/35 
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 10.0.0.254 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip inspect DEFAULT100 out
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname e@.net.au
 ppp chap password 7 050E110
 ppp pap sent-username e@net.au password 7 050E110C
 crypto map SDM_CMAP_1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip flow-top-talkers
 top 5
 sort-by bytes
 cache-timeout 600
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static udp 10.0.0.11 2341 interface Dialer0 2341
ip nat inside source static udp 10.0.0.11 2340 interface Dialer0 2340
ip nat inside source static udp 10.0.0.11 2339 interface Dialer0 2339
ip nat inside source static udp 10.0.0.11 2338 interface Dialer0 2338
ip nat inside source static udp 10.0.0.11 2337 interface Dialer0 2337
ip nat inside source static udp 10.0.0.11 2336 interface Dialer0 2336
ip nat inside source static udp 10.0.0.11 2335 interface Dialer0 2335
ip nat inside source static udp 10.0.0.11 2334 interface Dialer0 2334
ip nat inside source static udp 10.0.0.11 2333 interface Dialer0 2333
ip nat inside source static udp 10.0.0.11 2332 interface Dialer0 2332
ip nat inside source static udp 10.0.0.11 2331 interface Dialer0 2331
ip nat inside source static udp 10.0.0.11 2330 interface Dialer0 2330
ip nat inside source static udp 10.0.0.11 2329 interface Dialer0 2329
ip nat inside source static udp 10.0.0.11 2328 interface Dialer0 2328
ip nat inside source static tcp 10.0.0.11 5574 interface Dialer0 5574
ip nat inside source static tcp 10.0.0.11 5573 interface Dialer0 5573
ip nat inside source static tcp 10.0.0.11 5572 interface Dialer0 5572
ip nat inside source static tcp 10.0.0.11 5571 interface Dialer0 5571
ip nat inside source static tcp 10.0.0.11 5570 interface Dialer0 5570
ip nat inside source static tcp 10.0.0.11 5569 interface Dialer0 5569
ip nat inside source static tcp 10.0.0.11 5568 interface Dialer0 5568
ip nat inside source static tcp 10.0.0.11 5567 interface Dialer0 5567
ip nat inside source static tcp 10.0.0.11 5566 interface Dialer0 5566
ip nat inside source static tcp 10.0.0.11 5565 interface Dialer0 5565
ip nat inside source static tcp 10.0.0.11 5564 interface Dialer0 5564
ip nat inside source static tcp 10.0.0.11 5563 interface Dialer0 5563
ip nat inside source static tcp 10.0.0.11 5562 interface Dialer0 5562
ip nat inside source static tcp 10.0.0.11 5561 interface Dialer0 5561
ip nat inside source static tcp 10.0.0.11 5560 interface Dialer0 5560
ip nat inside source static tcp 10.0.0.11 5559 interface Dialer0 5559
ip nat inside source static tcp 10.0.0.11 5558 interface Dialer0 5558
ip nat inside source static tcp 10.0.0.11 5557 interface Dialer0 5557
ip nat inside source static udp 10.0.0.11 2327 interface Dialer0 2327
ip nat inside source static udp 10.0.0.11 2326 interface Dialer0 2326
ip nat inside source static udp 10.0.0.11 1719 interface Dialer0 1719
ip nat inside source static tcp 10.0.0.11 1720 interface Dialer0 1720
ip nat inside source static tcp 10.0.0.11 5556 interface Dialer0 5556
ip nat inside source static tcp 10.0.0.11 5555 interface Dialer0 5555
ip nat inside source static udp 10.0.0.5 4096 interface Dialer0 4096
ip nat inside source static tcp 10.0.0.5 443 interface Dialer0 443
ip nat inside source static tcp 10.0.0.5 80 interface Dialer0 80
ip nat inside source static tcp 10.0.0.1 1723 interface Dialer0 1723
ip nat inside source static tcp 10.0.0.246 2999 interface Dialer0 2999
ip nat inside source static tcp 10.0.0.240 23 interface Dialer0 23
ip nat inside source static tcp 10.0.0.5 21 interface Dialer0 21
ip nat inside source static tcp 10.0.0.5 3389 interface Dialer0 3389
ip nat inside source static tcp 10.0.0.5 110 interface Dialer0 110
ip nat inside source static tcp 10.0.0.5 25 interface Dialer0 25
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 10.0.0.0 0.0.0.255
access-list 2 deny   any
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp host 10.0.0.1 eq domain any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark Auto generated by SDM for NTP (123) au.pool.ntp.org
access-list 101 permit udp host 203.182.209.217 eq ntp any eq ntp
access-list 101 permit udp host 210.23.129.35 eq domain any
access-list 101 permit udp host 210.23.129.34 eq domain any
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.68.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit udp host 202.47.64.77 any eq non500-isakmp
access-list 101 permit udp host 202.47.64.77 any eq isakmp
access-list 101 permit esp host 202.47.64.77 any
access-list 101 permit ahp host 202.47.64.77 any
access-list 101 permit udp any any eq 4096
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 1723
access-list 101 permit tcp any any eq 2999
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq smtp
access-list 101 permit udp any any eq 2341
access-list 101 permit udp any any eq 2340
access-list 101 permit udp any any eq 2339
access-list 101 permit udp any any eq 2338
access-list 101 permit udp any any eq 2337
access-list 101 permit udp any any eq 2336
access-list 101 permit udp any any eq 2335
access-list 101 permit udp any any eq 2334
access-list 101 permit udp any any eq 2333
access-list 101 permit udp any any eq 2332
access-list 101 permit udp any any eq 2331
access-list 101 permit udp any any eq 2330
access-list 101 permit udp any any eq 2329
access-list 101 permit udp any any eq 2328
access-list 101 permit udp any any eq 2327
access-list 101 permit udp any any eq 2326
access-list 101 permit tcp any any eq 5574
access-list 101 permit tcp any any eq 5573
access-list 101 permit tcp any any eq 5572
access-list 101 permit tcp any any eq 5571
access-list 101 permit tcp any any eq 5570
access-list 101 permit tcp any any eq 5569
access-list 101 permit tcp any any eq 5568
access-list 101 permit tcp any any eq 5567
access-list 101 permit tcp any any eq 5566
access-list 101 permit tcp any any eq 5565
access-list 101 permit tcp any any eq 5564
access-list 101 permit tcp any any eq 5563
access-list 101 permit tcp any any eq 5562
access-list 101 permit tcp any any eq 5561
access-list 101 permit tcp any any eq 5560
access-list 101 permit tcp any any eq 5559
access-list 101 permit tcp any any eq 5558
access-list 101 permit tcp any any eq 5557
access-list 101 permit tcp any any eq 5556
access-list 101 permit tcp any any eq 5555
access-list 101 permit udp any any eq 1719
access-list 101 permit tcp any any eq 1720
access-list 101 remark Allow PPTP Passthrough
access-list 101 permit gre any any
access-list 101 deny   ip 10.0.0.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 102 deny   ip any any
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.0.0.0 0.0.0.255 192.168.68.0 0.0.0.255
access-list 104 remark SDM_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny   ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny   ip 10.0.0.0 0.0.0.255 192.168.68.0 0.0.0.255
access-list 104 permit ip 10.0.0.0 0.0.0.255 any
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 104
!
!
control-plane
!
banner login Authorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!
!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 102 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 10.0.0.1 source FastEthernet0
ntp server  source ATM0.1 prefer
end

 
LVL 9

Expert Comment

by:trinak96
ID: 20364501
OK, so you're trying to access 10.0.0.5 via the VPN and via the internet using port forwarding?
Which subnet is the remote end, 192.168.0.0/24 or 192.168.68.0/24?
Do you get any hits on list 101? Post "sh access-list 101".
How do you know port 25 is not accessible via the VPN? Have you tried to telnet to that port, or is the email service just not working and you're assuming port 25 is not accessible?

 
LVL 6

Author Comment

by:Michael_Melb_Aust
ID: 20369387
The subnet I have been testing from is the 192.168.68.0 network.
I have tried telnetting through the VPN to 10.0.0.5 25.
I have just tested from the 192.168.0.0 network and get the same result.  Can ping, cannot telnet on port 25, 80, 110, 443, 3389.
Did a test by starting the IMAP service on this server and was able to telnet through the VPN into this port.  So it is every forwarded port that does not get through.
(FTP gave the same result; the FTP test was not done during the below access list tests.)
Extended IP access list 101
10 permit udp host 203.82.209.217 eq ntp any eq ntp (23079 matches)
20 permit udp host 210.23.129.35 eq domain any (28554 matches)
30 permit udp host 210.23.129.34 eq domain any (25704 matches)
40 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
50 permit udp any any eq non500-isakmp (38408 matches)
60 permit udp any any eq isakmp (198258 matches)
70 permit esp any any (1451592 matches)
80 permit ahp any any
90 permit ip 192.168.68.0 0.0.0.255 10.0.0.0 0.0.0.255
100 permit udp host 202.7.64.77 any eq non500-isakmp
110 permit udp host 202.7.64.77 any eq isakmp
120 permit esp host 202.7.64.77 any
130 permit ahp host 202.7.64.77 any
140 permit udp any any eq 4096
150 permit tcp any any eq 443 (150758 matches)
160 permit tcp any any eq www (1808 matches)
170 permit tcp any any eq 1723
180 permit tcp any any eq 2999
190 permit tcp any any eq telnet (8 matches)
200 permit tcp any any eq ftp (2313 matches)
210 permit tcp any any eq 3389 (3150 matches)
220 permit tcp any any eq pop3 (53 matches)
230 permit tcp any any eq smtp (17072 matches)
240 permit udp any any eq 2341
250 permit udp any any eq 2340
260 permit udp any any eq 2339
270 permit udp any any eq 2338
280 permit udp any any eq 2337
290 permit udp any any eq 2336
300 permit udp any any eq 2335
310 permit udp any any eq 2334
320 permit udp any any eq 2333
330 permit udp any any eq 2332
340 permit udp any any eq 2331
350 permit udp any any eq 2330
360 permit udp any any eq 2329
370 permit udp any any eq 2328
380 permit udp any any eq 2327
390 permit udp any any eq 2326
400 permit tcp any any eq 5574
410 permit tcp any any eq 5573
420 permit tcp any any eq 5572
430 permit tcp any any eq 5571
440 permit tcp any any eq 5570
450 permit tcp any any eq 5569
460 permit tcp any any eq 5568
470 permit tcp any any eq 5567
480 permit tcp any any eq 5566
490 permit tcp any any eq 5565
500 permit tcp any any eq 5564
510 permit tcp any any eq 5563
520 permit tcp any any eq 5562
530 permit tcp any any eq 5561
540 permit tcp any any eq 5560
550 permit tcp any any eq 5559
560 permit tcp any any eq 5558
570 permit tcp any any eq 5557
580 permit tcp any any eq 5556
590 permit tcp any any eq 5555
600 permit udp any any eq 1719
610 permit tcp any any eq 1720 (36 matches)
620 permit gre any any
630 deny ip 10.0.0.0 0.0.0.255 any
640 permit icmp any any echo-reply
650 permit icmp any any time-exceeded (795 matches)
660 permit icmp any any unreachable (53718 matches)
670 deny ip 10.0.0.0 0.255.255.255 any
680 deny ip 172.16.0.0 0.15.255.255 any
690 deny ip 192.168.0.0 0.0.255.255 any
700 deny ip 127.0.0.0 0.255.255.255 any
710 deny ip host 255.255.255.255 any
720 deny ip host 0.0.0.0 any
730 deny ip any any (44105 matches)
 

After telnetting tests

Extended IP access list 101
10 permit udp host 203.82.209.217 eq ntp any eq ntp (23082 matches)
20 permit udp host 210.23.129.35 eq domain any (28566 matches)
30 permit udp host 210.23.129.34 eq domain any (25713 matches)
40 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
50 permit udp any any eq non500-isakmp (38430 matches)
60 permit udp any any eq isakmp (198285 matches)
70 permit esp any any (1451592 matches)
80 permit ahp any any
90 permit ip 192.168.68.0 0.0.0.255 10.0.0.0 0.0.0.255
100 permit udp host 202.7.64.77 any eq non500-isakmp
110 permit udp host 202.7.64.77 any eq isakmp
120 permit esp host 202.7.64.77 any
130 permit ahp host 202.7.64.77 any
140 permit udp any any eq 4096
150 permit tcp any any eq 443 (150764 matches)
160 permit tcp any any eq www (1809 matches)
170 permit tcp any any eq 1723
180 permit tcp any any eq 2999
190 permit tcp any any eq telnet (8 matches)
200 permit tcp any any eq ftp (2313 matches)
210 permit tcp any any eq 3389 (3150 matches)
220 permit tcp any any eq pop3 (53 matches)
230 permit tcp any any eq smtp (17080 matches)
240 permit udp any any eq 2341
250 permit udp any any eq 2340
260 permit udp any any eq 2339
270 permit udp any any eq 2338
280 permit udp any any eq 2337
290 permit udp any any eq 2336
300 permit udp any any eq 2335
310 permit udp any any eq 2334
320 permit udp any any eq 2333
330 permit udp any any eq 2332
340 permit udp any any eq 2331
350 permit udp any any eq 2330
360 permit udp any any eq 2329
370 permit udp any any eq 2328
380 permit udp any any eq 2327
390 permit udp any any eq 2326
400 permit tcp any any eq 5574
410 permit tcp any any eq 5573
420 permit tcp any any eq 5572
430 permit tcp any any eq 5571
440 permit tcp any any eq 5570
450 permit tcp any any eq 5569
460 permit tcp any any eq 5568
470 permit tcp any any eq 5567
480 permit tcp any any eq 5566
490 permit tcp any any eq 5565
500 permit tcp any any eq 5564
510 permit tcp any any eq 5563
520 permit tcp any any eq 5562
530 permit tcp any any eq 5561
540 permit tcp any any eq 5560
550 permit tcp any any eq 5559
560 permit tcp any any eq 5558
570 permit tcp any any eq 5557
580 permit tcp any any eq 5556
590 permit tcp any any eq 5555
600 permit udp any any eq 1719
610 permit tcp any any eq 1720 (36 matches)
620 permit gre any any
630 deny ip 10.0.0.0 0.0.0.255 any
640 permit icmp any any echo-reply
650 permit icmp any any time-exceeded (795 matches)
660 permit icmp any any unreachable (53757 matches)
670 deny ip 10.0.0.0 0.255.255.255 any
680 deny ip 172.16.0.0 0.15.255.255 any
690 deny ip 192.168.0.0 0.0.255.255 any
700 deny ip 127.0.0.0 0.255.255.255 any
710 deny ip host 255.255.255.255 any
720 deny ip host 0.0.0.0 any
730 deny ip any any (44114 matches)

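The two counter snapshots above can be compared mechanically to see which entries the telnet tests touched. This Python snippet is an added example, not something posted in the thread; BEFORE and AFTER are a constructed excerpt of the "sh access-list 101" output above, and the function names are mine.

```python
import re

# Constructed excerpt modelled on the two "sh access-list 101" outputs posted
# above (before and after the telnet tests); only a handful of entries are kept.
BEFORE = """Extended IP access list 101
10 permit udp host 203.82.209.217 eq ntp any eq ntp (23079 matches)
90 permit ip 192.168.68.0 0.0.0.255 10.0.0.0 0.0.0.255
230 permit tcp any any eq smtp (17072 matches)
660 permit icmp any any unreachable (53718 matches)
730 deny ip any any (44105 matches)
"""
AFTER = """Extended IP access list 101
10 permit udp host 203.82.209.217 eq ntp any eq ntp (23082 matches)
90 permit ip 192.168.68.0 0.0.0.255 10.0.0.0 0.0.0.255
230 permit tcp any any eq smtp (17080 matches)
660 permit icmp any any unreachable (53757 matches)
730 deny ip any any (44114 matches)
"""

# One access-control entry: "<seq> permit|deny <rule> [(N matches)]"
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) matches\))?\s*$")


def parse_acl(text: str) -> dict:
    """Map sequence number -> (rule text, match counter). IOS omits the
    "(N matches)" suffix for entries that never matched; record those as 0."""
    entries = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # the "Extended IP access list" header or a blank line
        seq, action, rule, count = m.groups()
        entries[int(seq)] = (f"{action} {rule}", int(count or 0))
    return entries


def diff_hits(before: str, after: str) -> dict:
    """Entries whose counters moved between the two snapshots, with the delta."""
    old, new = parse_acl(before), parse_acl(after)
    moved = {}
    for seq, (rule, count) in new.items():
        delta = count - old.get(seq, (rule, 0))[1]
        if delta:
            moved[seq] = (rule, delta)
    return moved


def never_hit(text: str) -> list:
    """Sequence numbers with a zero counter: entries traffic never reached."""
    return [seq for seq, (_, count) in parse_acl(text).items() if count == 0]


if __name__ == "__main__":
    for seq, (rule, delta) in sorted(diff_hits(BEFORE, AFTER).items()):
        print(f"{seq:>4} {rule:<50} +{delta}")
    print("never hit:", never_hit(AFTER))
```

On the excerpt, the smtp entry (230) and the final deny (730) both moved during the tests, while the VPN-subnet entry (90) stayed at zero.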
 
LVL 9

Expert Comment

by:trinak96
ID: 20372482
As a test, can you remove the port forwarding for 10.0.0.5 and attempt to connect via the VPN?
Can you also confirm that port 25 is currently reachable via the internet as it stands?
Just to prove it is the port forwarding. The access-list shows the hits for those ports OK, which is something.
One other thing to mention is that you have a negotiated address on Dialer0, so your target IP address for the server will be subject to change.
 
LVL 6

Author Comment

by:Michael_Melb_Aust
ID: 20378025
I removed the port forward for 25 and could then access via the VPN (did not touch ACLs).
Rule removed: ip nat inside source static tcp 10.0.0.5 25 interface Dialer0 25

Port 25 is definitely usable from the public interface.  There is a mail server which is operating with no problems and I can telnet in remotely, no problem.

Dialer0 is dialing a PPPoE connection with a static IP.  It will always get the same IP.
 
LVL 9

Expert Comment

by:trinak96
ID: 20380783
This is what you need to do : http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

Basically, use a route-map to deny NAT translation between VPN sites but allow NAT when coming from the internet. The section of specific interest to solving the problem is the one entitled "What about the static NAT though, why can I not get to that address over the IPsec tunnel?"; read on from there.
 
LVL 6

Author Comment

by:Michael_Melb_Aust
ID: 20387076
That looks like it is what I was after.
I have managed to lock myself out of the unit while trying to apply it however.  Will test when I get a chance to go onsite!
(Unless you feel like giving me the actual lines that need to be added  :P)
 
LVL 9

Expert Comment

by:trinak96
ID: 20387893
It's a big change so I wouldn't recommend doing it off-site. Unfortunately I don't have the time to detail the actual changes required. The only thing to remember in the permit access list is to change from <ip subnet - subnet> to tcp <ip> port etc....

Hope you are successful, just post back with any queries.....good luck.
 
LVL 9

Expert Comment

by:trinak96
ID: 20437097
How did you get on, any problems ?
 
LVL 6

Author Comment

by:Michael_Melb_Aust
ID: 20440564
Have not managed to get onsite yet.   Will be going onsite tomorrow so will test then!   Thank you for your help so far.
 
LVL 7

Expert Comment

by:naughton
ID: 20455080
don't think that will work.
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087bac.html

not supported on 800 series routers.

I have the same problem. the static NAT takes precedence over the traffic and sends the VPN traffic back out the outside interface, where the traffic should actually be sent back down the VPN tunnel.

it's the answer, just not supported on 800 series routers.

 
LVL 7

Expert Comment

by:naughton
ID: 20455082
to confirm - my problem was/is with RDC not port 25, however I believe it's the same problem.
 
LVL 6

Author Comment

by:Michael_Melb_Aust
ID: 20455401
So does that mean the only option is to either upgrade router or get a second public IP?
 
LVL 6

Author Comment

by:Michael_Melb_Aust
ID: 20455402
Forgot to update.. went through the above document onsite and could not get it working... so the fact it isn't supported on the 800 series makes sense...   Kind of annoying....
 
LVL 7

Expert Comment

by:naughton
ID: 20461119
Hey Michael,

I don't think multiple IPs would work - because the NAT statement relates to an interface, not an IP......

the weird thing is that it would probably work using a VPN client versus a LAN-to-LAN IPsec tunnel.

I'm trying to recall if a GRE or non-IPsec tunnel would overcome the NAT problem.

 
LVL 7

Expert Comment

by:naughton
ID: 20461432
Michael,

what is it that you are actually trying to do?
 
LVL 6

Author Comment

by:Michael_Melb_Aust
ID: 20461665
The first thing the client noticed was SMTP not working through the VPN.  This would be fine from a client computer as we could create a new SMTP connector in Exchange on a different port and set the clients to use a different port.  However, they have a photocopier which sends scanned documents via SMTP, and we cannot change which port the photocopier uses.  Ideally these scanned documents would go through the VPN to the mail server, and this is how it worked prior to implementing the Cisco.
 
LVL 7

Expert Comment

by:naughton
ID: 20462130
Hey Michael,

just testing an option from Cisco TAC.

will let you know how I go.

Nathan
 
LVL 6

Author Comment

by:Michael_Melb_Aust
ID: 20462150
Fantastic.  Thanks Nathan
 
LVL 7

Expert Comment

by:naughton
ID: 20482645
ok.

change the ip nat static to use the actual IP address of interface Dialer0 instead of the name and then apply the route map SDM_RMAP_1

ip nat inside source static tcp 10.0.0.5 25 interface Dialer0 25

becomes

ip nat inside source static tcp 10.0.0.5 25 XXX.XXX.XXX.XXX 25 route-map SDM_RMAP_1

etc for any service you want to be able to access via the VPN.
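The fix above ties the static translation to route-map SDM_RMAP_1, whose ACL 104 already excludes the two VPN subnets (the posted config's overload rule uses the same route-map, which is why dynamic NAT did not break the tunnel). The Python model below is an added illustration, not IOS code and not from the thread: it evaluates ACL 104 and the crypto ACLs 103/105 from the posted config with IOS wildcard masks and shows where the mail server's reply to a VPN client ends up with and without the route-map. It assumes the IOS inside-to-outside order (translate first, then check the crypto map); PUBLIC_IP is a placeholder for the router's real Dialer0 address, and the function names are mine.

```python
import ipaddress

# Placeholder for XXX.XXX.XXX.XXX, the Dialer0 address in naughton's command.
PUBLIC_IP = "203.0.113.10"
MAIL_SERVER = "10.0.0.5"


def wildcard_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair into a network (wildcard = inverted mask)."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


# access-list 104, referenced by route-map SDM_RMAP_1 in the posted config:
# deny the VPN-bound flows so they are not translated, permit the rest of the LAN.
ACL_104 = [
    ("deny", wildcard_net("10.0.0.0", "0.0.0.255"), wildcard_net("192.168.0.0", "0.0.0.255")),
    ("deny", wildcard_net("10.0.0.0", "0.0.0.255"), wildcard_net("192.168.68.0", "0.0.0.255")),
    ("permit", wildcard_net("10.0.0.0", "0.0.0.255"), ipaddress.IPv4Network("0.0.0.0/0")),
]

# Crypto ACLs 103 (static peer) and 105 (dynamic map): traffic that gets encrypted.
CRYPTO_ACLS = [
    (wildcard_net("10.0.0.0", "0.0.0.255"), wildcard_net("192.168.68.0", "0.0.0.255")),
    (wildcard_net("10.0.0.0", "0.0.0.255"), wildcard_net("192.168.0.0", "0.0.0.255")),
]


def acl_permits(acl, src: str, dst: str) -> bool:
    """First-match evaluation with IOS's implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, snet, dnet in acl:
        if s in snet and d in dnet:
            return action == "permit"
    return False


def static_nat_applies(src: str, dst: str, route_map_acl=None, sport: int = 25) -> bool:
    """Static PAT for 10.0.0.5 tcp/25. Without a route-map it is unconditional;
    with 'route-map SDM_RMAP_1' it only fires when ACL 104 permits the flow."""
    if src != MAIL_SERVER or sport != 25:
        return False
    if route_map_acl is None:
        return True
    return acl_permits(route_map_acl, src, dst)


def reply_path(client: str, route_map_acl=None) -> str:
    """Where the mail server's reply (10.0.0.5:25 -> client) leaves the router.
    Inside-to-outside, translation happens before the crypto map is consulted,
    so a translated source no longer matches the crypto ACL."""
    src = MAIL_SERVER
    if static_nat_applies(src, client, route_map_acl):
        src = PUBLIC_IP
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(client)
    if any(s in snet and d in dnet for snet, dnet in CRYPTO_ACLS):
        return "ipsec-tunnel"
    return "dialer0-untunnelled"


if __name__ == "__main__":
    for acl, label in ((None, "interface Dialer0 25"), (ACL_104, "route-map SDM_RMAP_1")):
        print(label, "->", reply_path("192.168.68.20", acl))
```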
 
LVL 6

Author Comment

by:Michael_Melb_Aust
ID: 20596685
I still haven't made it onsite to test yet...  Will test when I get onsite...
 
LVL 7

Accepted Solution

by:
naughton earned 500 total points
ID: 20596711
you should be able to do it remotely vs onsite without too large an impact to the business.  

in case you are concerned, set a reload in global config
reload at <time>
reload in <time in mins>

and don't save your changes until you are happy they work.  the reload at that point will clear out anything you have not saved to startup-config.
 
LVL 7

Expert Comment

by:naughton
ID: 20687635
Hey Michael,

how'd you go with this?
 
LVL 6

Author Comment

by:Michael_Melb_Aust
ID: 20688116
I haven't as of yet...  sorry...  once I get a chance I'll do it...  It's not a high priority at the moment!
 
LVL 6

Author Closing Comment

by:Michael_Melb_Aust
ID: 31411302
Thank you Naughton for your help. Both fortunately and unfortunately the issue is non-existent because, due to growth in the company, they have installed another link dedicated to the VPNs, so this bypasses the issue.   Thank you so much for helping, and even the tip of reload at/in is more than worthy of the points!
 
LVL 6

Author Comment

by:Michael_Melb_Aust
ID: 20882118
I had some time and used all of your suggestions (reload etc  :)   Worked well, didn't get myself into the situation of locking myself out... but it was good to know it was there.

I changed the command to: ip nat inside source static tcp 10.0.0.5 25 XXX.XXX.XXX.XXX 25 route-map SDM_RMAP_1

It worked like a charm!   Thanks heaps again!!
