[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

Cisco 877 Cannot access port 25 through VPN

Posted on 2007-11-27
33
Medium Priority
?
1,443 Views
Last Modified: 2010-05-18
Hi there
We have a new Cisco 877 at our main office which has just replaced an old sonicwall pro100
There is a VPN which has been setup to a sonicwall TZ170 and seems to be functioning fine apart from the fact we cannot access ports through the VPN which are also forwarded from the external interface.
We only have 1 public IP so cannot terminate the VPN on another IP.
This use to work with the sonicwall, but have been unsuccessful with the Cisco.  Is this possible?
Please let me know if you need to see the config or any other details and I will post

Thank you in advance

Michael
0
Comment
Question by:Michael_Melb_Aust
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 16
  • 11
  • 6
33 Comments
 
LVL 7

Expert Comment

by:naughton
ID: 20362193
Hey Michael,

does FTP work also>?
do you use a PPPOE or PPPOA connection?
0
 
LVL 6

Author Comment

by:Michael_Melb_Aust
ID: 20362480
I cannot confirm the FTP at this stage as I don't have access to the remote site right now.  However it is a PPPoE connection
0
 
LVL 7

Expert Comment

by:naughton
ID: 20362537
how about Remote desktop thorugh the tunnel?
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 6

Author Comment

by:Michael_Melb_Aust
ID: 20362717
They don't use this through the tunnel
I only need to get port 25 working so a network scanner can email
0
 
LVL 7

Expert Comment

by:naughton
ID: 20362729
email/rdc and ftp seem to be problematic with VPN's using PPPOE connections on 800 series routers.  hence the question.  if either of these two don't work, then I'd look at the rotuer / PPPOE and posibly changing to PPPOA, or using ip tcp adjust-mss entries.

if the other two work, then i'd look more at port 25.

0
 
LVL 6

Author Comment

by:Michael_Melb_Aust
ID: 20364045
We had a similer problem with FTP on a cisco 1841 the other day.   However because they had multiple public IP's we were able to change the public IP which the VPN terminated at.  I was thinking it was going to be the same sort of thing...
I'll try the FTP and remote desktop when I get a chance
0
 
LVL 9

Expert Comment

by:trinak96
ID: 20364138
Hi, Post your config here (sanitised of course) and we'll take a look.
0
 
LVL 6

Author Comment

by:Michael_Melb_Aust
ID: 20364358
Here is our config, usernames, ip's and passwords changed.  I know... pretty much completely setup via SDM...  :)

!
! Last configuration change at 10:50:08 PCTime Fri Nov 23 2007 by 
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname MelbPriInt
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$O4d
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local 
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 10
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name e.com.au
ip name-server 10.0.0.1
ip name-server 210.23.129.34
ip name-server 210.23.129.35
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-3833460806
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3833460806
 revocation-check none
 rsakeypair TP-self-signed-3833460806
!
!
crypto pki certificate chain TP-self-signed-3833460806
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 33383333 34363038 3036301E 170D3032 30333035 30353337 
  33395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 38333334 
  36303830 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  8100B1D8 ACA773D0 D2B3BEB1 CE6D3177 C828FC63 1F781D31 A4E78D92 668FF6E6 
  D54CA9A1 68B195CF 88490A9B E5CEE514 FE3356A5 261A4E30 DD8771E9 3C273EC9 
  7F3FC6F0 8DD30AA6 109AA2B2 3922D515 A590D15B 369E38CD C431E9D7 A3D95498 
  2F4DAF46 71F65764 29E9802B B03454DB CE75FCA5 CDB025EA 4E6AE848 A937E7DF 
  164F0203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603 
  551D1104 1B301982 174D656C 62507269 496E742E 6577636F 782E636F 6D2E6175 
  301F0603 551D2304 18301680 1401220D CE028344 AF87CC52 70D72AEF 1E935A6A 
  DE301D06 03551D0E 04160414 01220DCE 028344AF 87CC5270 D72AEF1E 935A6ADE 
  300D0609 2A864886 F70D0101 04050003 8181000C 6302F3B3 2B37D7C0 B6D2C671 
  D0378989 34402106 16BEE09C E2D5A760 F0CA4290 79BB52F2 5F4CF84A 843C156B 
  2E81172A D672D8F7 A86D5DBE 87D23FCF C54B7958 162F162F 995BC86B 0923DF7F 
  3595C347 CDBEC957 7B1F5368 A19ACB3E B73154B3 1098DBF7 40373B3C 11B4CFA9 
  176A8777 DC56CEAB 99CF0570 DFD132CA CCF658
  quit
username root privilege 15 secret 5 $1$bAIn$RG6uFszR9.7O
username supervisor privilege 15 secret 5 $1$lFIz$z3gZ8BrId
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key super address 202.47.654.737
crypto isakmp key super address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA1 
 match address 105
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel to7
 set peer 202.147.654.737
 set transform-set ESP-3DES-SHA 
 match address 103
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 
!
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pvc 8/35 
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 10.0.0.254 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip inspect DEFAULT100 out
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname e@.net.au
 ppp chap password 7 050E110
 ppp pap sent-username e@net.au password 7 050E110C
 crypto map SDM_CMAP_1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip flow-top-talkers
 top 5
 sort-by bytes
 cache-timeout 600
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static udp 10.0.0.11 2341 interface Dialer0 2341
ip nat inside source static udp 10.0.0.11 2340 interface Dialer0 2340
ip nat inside source static udp 10.0.0.11 2339 interface Dialer0 2339
ip nat inside source static udp 10.0.0.11 2338 interface Dialer0 2338
ip nat inside source static udp 10.0.0.11 2337 interface Dialer0 2337
ip nat inside source static udp 10.0.0.11 2336 interface Dialer0 2336
ip nat inside source static udp 10.0.0.11 2335 interface Dialer0 2335
ip nat inside source static udp 10.0.0.11 2334 interface Dialer0 2334
ip nat inside source static udp 10.0.0.11 2333 interface Dialer0 2333
ip nat inside source static udp 10.0.0.11 2332 interface Dialer0 2332
ip nat inside source static udp 10.0.0.11 2331 interface Dialer0 2331
ip nat inside source static udp 10.0.0.11 2330 interface Dialer0 2330
ip nat inside source static udp 10.0.0.11 2329 interface Dialer0 2329
ip nat inside source static udp 10.0.0.11 2328 interface Dialer0 2328
ip nat inside source static tcp 10.0.0.11 5574 interface Dialer0 5574
ip nat inside source static tcp 10.0.0.11 5573 interface Dialer0 5573
ip nat inside source static tcp 10.0.0.11 5572 interface Dialer0 5572
ip nat inside source static tcp 10.0.0.11 5571 interface Dialer0 5571
ip nat inside source static tcp 10.0.0.11 5570 interface Dialer0 5570
ip nat inside source static tcp 10.0.0.11 5569 interface Dialer0 5569
ip nat inside source static tcp 10.0.0.11 5568 interface Dialer0 5568
ip nat inside source static tcp 10.0.0.11 5567 interface Dialer0 5567
ip nat inside source static tcp 10.0.0.11 5566 interface Dialer0 5566
ip nat inside source static tcp 10.0.0.11 5565 interface Dialer0 5565
ip nat inside source static tcp 10.0.0.11 5564 interface Dialer0 5564
ip nat inside source static tcp 10.0.0.11 5563 interface Dialer0 5563
ip nat inside source static tcp 10.0.0.11 5562 interface Dialer0 5562
ip nat inside source static tcp 10.0.0.11 5561 interface Dialer0 5561
ip nat inside source static tcp 10.0.0.11 5560 interface Dialer0 5560
ip nat inside source static tcp 10.0.0.11 5559 interface Dialer0 5559
ip nat inside source static tcp 10.0.0.11 5558 interface Dialer0 5558
ip nat inside source static tcp 10.0.0.11 5557 interface Dialer0 5557
ip nat inside source static udp 10.0.0.11 2327 interface Dialer0 2327
ip nat inside source static udp 10.0.0.11 2326 interface Dialer0 2326
ip nat inside source static udp 10.0.0.11 1719 interface Dialer0 1719
ip nat inside source static tcp 10.0.0.11 1720 interface Dialer0 1720
ip nat inside source static tcp 10.0.0.11 5556 interface Dialer0 5556
ip nat inside source static tcp 10.0.0.11 5555 interface Dialer0 5555
ip nat inside source static udp 10.0.0.5 4096 interface Dialer0 4096
ip nat inside source static tcp 10.0.0.5 443 interface Dialer0 443
ip nat inside source static tcp 10.0.0.5 80 interface Dialer0 80
ip nat inside source static tcp 10.0.0.1 1723 interface Dialer0 1723
ip nat inside source static tcp 10.0.0.246 2999 interface Dialer0 2999
ip nat inside source static tcp 10.0.0.240 23 interface Dialer0 23
ip nat inside source static tcp 10.0.0.5 21 interface Dialer0 21
ip nat inside source static tcp 10.0.0.5 3389 interface Dialer0 3389
ip nat inside source static tcp 10.0.0.5 110 interface Dialer0 110
ip nat inside source static tcp 10.0.0.5 25 interface Dialer0 25
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 10.0.0.0 0.0.0.255
access-list 2 deny   any
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp host 10.0.0.1 eq domain any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark Auto generated by SDM for NTP (123) au.pool.ntp.org
access-list 101 permit udp host 203.182.209.217 eq ntp any eq ntp
access-list 101 permit udp host 210.23.129.35 eq domain any
access-list 101 permit udp host 210.23.129.34 eq domain any
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.68.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit udp host 202.47.64.77 any eq non500-isakmp
access-list 101 permit udp host 202.47.64.77 any eq isakmp
access-list 101 permit esp host 202.47.64.77 any
access-list 101 permit ahp host 202.47.64.77 any
access-list 101 permit udp any any eq 4096
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 1723
access-list 101 permit tcp any any eq 2999
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq smtp
access-list 101 permit udp any any eq 2341
access-list 101 permit udp any any eq 2340
access-list 101 permit udp any any eq 2339
access-list 101 permit udp any any eq 2338
access-list 101 permit udp any any eq 2337
access-list 101 permit udp any any eq 2336
access-list 101 permit udp any any eq 2335
access-list 101 permit udp any any eq 2334
access-list 101 permit udp any any eq 2333
access-list 101 permit udp any any eq 2332
access-list 101 permit udp any any eq 2331
access-list 101 permit udp any any eq 2330
access-list 101 permit udp any any eq 2329
access-list 101 permit udp any any eq 2328
access-list 101 permit udp any any eq 2327
access-list 101 permit udp any any eq 2326
access-list 101 permit tcp any any eq 5574
access-list 101 permit tcp any any eq 5573
access-list 101 permit tcp any any eq 5572
access-list 101 permit tcp any any eq 5571
access-list 101 permit tcp any any eq 5570
access-list 101 permit tcp any any eq 5569
access-list 101 permit tcp any any eq 5568
access-list 101 permit tcp any any eq 5567
access-list 101 permit tcp any any eq 5566
access-list 101 permit tcp any any eq 5565
access-list 101 permit tcp any any eq 5564
access-list 101 permit tcp any any eq 5563
access-list 101 permit tcp any any eq 5562
access-list 101 permit tcp any any eq 5561
access-list 101 permit tcp any any eq 5560
access-list 101 permit tcp any any eq 5559
access-list 101 permit tcp any any eq 5558
access-list 101 permit tcp any any eq 5557
access-list 101 permit tcp any any eq 5556
access-list 101 permit tcp any any eq 5555
access-list 101 permit udp any any eq 1719
access-list 101 permit tcp any any eq 1720
access-list 101 remark Allow PPTP Passthrough
access-list 101 permit gre any any
access-list 101 deny   ip 10.0.0.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 102 deny   ip any any
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.0.0.0 0.0.0.255 192.168.68.0 0.0.0.255
access-list 104 remark SDM_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny   ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny   ip 10.0.0.0 0.0.0.255 192.168.68.0 0.0.0.255
access-list 104 permit ip 10.0.0.0 0.0.0.255 any
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 104
!
!
control-plane
!
banner login Authorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!
!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 102 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 10.0.0.1 source FastEthernet0
ntp server  source ATM0.1 prefer
end

Open in new window

0
 
LVL 9

Expert Comment

by:trinak96
ID: 20364501
OK, so your trying to access 10.0.0.5 via the vpn and via the internet using port forwarding ?
Which subnet is the remote end, 192.168.0.0/24 or 192.168.68.0/24 ?
Do you get any hits on list 101 ? Post "sh access-list 101"
How do you know port 25 is not accessible via the vpn, have you tried to telnet to that port or is the email service just not working and your assuming port 25 is not accessible?

0
 
LVL 6

Author Comment

by:Michael_Melb_Aust
ID: 20369387
The subnet I have been testing from is the 192.168.68.0 network
I have tried telnetting through the VPN to 10.0.0.5 25
I have just tested from the 192.168.0.0 network and get the same result.  Can ping, cannot telnet on port 25, 80, 110, 443, 3389
Did a test by starting the IMAP service on this server and was able to telnet through the VPN into this port.  So it is every port that is forwarded does not get through.
(FTP gave the same result, FTP test was not done during the below access list tests)
Extended IP access list 101
10 permit udp host 203.82.209.217 eq ntp any eq ntp (23079 matches)
20 permit udp host 210.23.129.35 eq domain any (28554 matches)
30 permit udp host 210.23.129.34 eq domain any (25704 matches)
40 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
50 permit udp any any eq non500-isakmp (38408 matches)
60 permit udp any any eq isakmp (198258 matches)
70 permit esp any any (1451592 matches)
80 permit ahp any any
90 permit ip 192.168.68.0 0.0.0.255 10.0.0.0 0.0.0.255
100 permit udp host 202.7.64.77 any eq non500-isakmp
110 permit udp host 202.7.64.77 any eq isakmp
120 permit esp host 202.7.64.77 any
130 permit ahp host 202.7.64.77 any
140 permit udp any any eq 4096
150 permit tcp any any eq 443 (150758 matches)
160 permit tcp any any eq www (1808 matches)
170 permit tcp any any eq 1723
180 permit tcp any any eq 2999
190 permit tcp any any eq telnet (8 matches)
200 permit tcp any any eq ftp (2313 matches)
210 permit tcp any any eq 3389 (3150 matches)
220 permit tcp any any eq pop3 (53 matches)
230 permit tcp any any eq smtp (17072 matches)
240 permit udp any any eq 2341
250 permit udp any any eq 2340
260 permit udp any any eq 2339
270 permit udp any any eq 2338
280 permit udp any any eq 2337
290 permit udp any any eq 2336
300 permit udp any any eq 2335
310 permit udp any any eq 2334
320 permit udp any any eq 2333
330 permit udp any any eq 2332
340 permit udp any any eq 2331
350 permit udp any any eq 2330
360 permit udp any any eq 2329
370 permit udp any any eq 2328
380 permit udp any any eq 2327
390 permit udp any any eq 2326
400 permit tcp any any eq 5574
410 permit tcp any any eq 5573
420 permit tcp any any eq 5572
430 permit tcp any any eq 5571
440 permit tcp any any eq 5570
450 permit tcp any any eq 5569
460 permit tcp any any eq 5568
470 permit tcp any any eq 5567
480 permit tcp any any eq 5566
490 permit tcp any any eq 5565
500 permit tcp any any eq 5564
510 permit tcp any any eq 5563
520 permit tcp any any eq 5562
530 permit tcp any any eq 5561
540 permit tcp any any eq 5560
550 permit tcp any any eq 5559
560 permit tcp any any eq 5558
570 permit tcp any any eq 5557
580 permit tcp any any eq 5556
590 permit tcp any any eq 5555
600 permit udp any any eq 1719
610 permit tcp any any eq 1720 (36 matches)
620 permit gre any any
630 deny ip 10.0.0.0 0.0.0.255 any
640 permit icmp any any echo-reply
650 permit icmp any any time-exceeded (795 matches)
660 permit icmp any any unreachable (53718 matches)
670 deny ip 10.0.0.0 0.255.255.255 any
680 deny ip 172.16.0.0 0.15.255.255 any
690 deny ip 192.168.0.0 0.0.255.255 any
700 deny ip 127.0.0.0 0.255.255.255 any
710 deny ip host 255.255.255.255 any
720 deny ip host 0.0.0.0 any
730 deny ip any any (44105 matches)
 
After telnetting tests
Extended IP access list 101
10 permit udp host 203.82.209.217 eq ntp any eq ntp (23082 matches)
20 permit udp host 210.23.129.35 eq domain any (28566 matches)
30 permit udp host 210.23.129.34 eq domain any (25713 matches)
40 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
50 permit udp any any eq non500-isakmp (38430 matches)
60 permit udp any any eq isakmp (198285 matches)
70 permit esp any any (1451592 matches)
80 permit ahp any any
90 permit ip 192.168.68.0 0.0.0.255 10.0.0.0 0.0.0.255
100 permit udp host 202.7.64.77 any eq non500-isakmp
110 permit udp host 202.7.64.77 any eq isakmp
120 permit esp host 202.7.64.77 any
130 permit ahp host 202.7.64.77 any
140 permit udp any any eq 4096
150 permit tcp any any eq 443 (150764 matches)
160 permit tcp any any eq www (1809 matches)
170 permit tcp any any eq 1723
180 permit tcp any any eq 2999
190 permit tcp any any eq telnet (8 matches)
200 permit tcp any any eq ftp (2313 matches)
210 permit tcp any any eq 3389 (3150 matches)
220 permit tcp any any eq pop3 (53 matches)
230 permit tcp any any eq smtp (17080 matches)
240 permit udp any any eq 2341
250 permit udp any any eq 2340
260 permit udp any any eq 2339
270 permit udp any any eq 2338
280 permit udp any any eq 2337
290 permit udp any any eq 2336
300 permit udp any any eq 2335
310 permit udp any any eq 2334
320 permit udp any any eq 2333
330 permit udp any any eq 2332
340 permit udp any any eq 2331
350 permit udp any any eq 2330
360 permit udp any any eq 2329
370 permit udp any any eq 2328
380 permit udp any any eq 2327
390 permit udp any any eq 2326
400 permit tcp any any eq 5574
410 permit tcp any any eq 5573
420 permit tcp any any eq 5572
430 permit tcp any any eq 5571
440 permit tcp any any eq 5570
450 permit tcp any any eq 5569
460 permit tcp any any eq 5568
470 permit tcp any any eq 5567
480 permit tcp any any eq 5566
490 permit tcp any any eq 5565
500 permit tcp any any eq 5564
510 permit tcp any any eq 5563
520 permit tcp any any eq 5562
530 permit tcp any any eq 5561
540 permit tcp any any eq 5560
550 permit tcp any any eq 5559
560 permit tcp any any eq 5558
570 permit tcp any any eq 5557
580 permit tcp any any eq 5556
590 permit tcp any any eq 5555
600 permit udp any any eq 1719
610 permit tcp any any eq 1720 (36 matches)
620 permit gre any any
630 deny ip 10.0.0.0 0.0.0.255 any
640 permit icmp any any echo-reply
650 permit icmp any any time-exceeded (795 matches)
660 permit icmp any any unreachable (53757 matches)
670 deny ip 10.0.0.0 0.255.255.255 any
680 deny ip 172.16.0.0 0.15.255.255 any
690 deny ip 192.168.0.0 0.0.255.255 any
700 deny ip 127.0.0.0 0.255.255.255 any
710 deny ip host 255.255.255.255 any
720 deny ip host 0.0.0.0 any
730 deny ip any any (44114 matches)

Open in new window

0
 
LVL 9

Expert Comment

by:trinak96
ID: 20372482
As a test can you remove the port forwarding for 10.0.0.5 and attempt to connect via the vpn.
Can you also confirm that port 25 is currently reachable via the internet as it stands.
Just to prove it is the port forwarding. The access-list shows the hits for those ports OK which is something.
One other thing to mention is that you have a negotiated address on dialer0, so your target ip address for the server will be subject to change.
0
 
LVL 6

Author Comment

by:Michael_Melb_Aust
ID: 20378025
I removed the port forward for 25 and could then access via the VPN  (Did not touch ACL's)
Rule removed: ip nat inside source static tcp 10.0.0.5 25 interface Dialer0 25

Port 25 is definatly useable from public interface.  There is a mail server which is operating with no problems and can telnet in remotely no problem

Dailer0 is dialing a pppoe connection with a static IP.  It will always get the same IP.
0
 
LVL 9

Expert Comment

by:trinak96
ID: 20380783
This is what you need to do : http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

Basically using route-map to deny nat translation between vpn sites but allow nat when coming from internet. The section of specific interest to solving the problem is in section entitled "What about the static NAT though, why can I not get to that address over the IPsec tunnel?" and read on from there.
0
 
LVL 6

Author Comment

by:Michael_Melb_Aust
ID: 20387076
That looks like it is what I was after.
I have managed to lock myself out of the unit while trying to apply it however.  Will test when I get a chance to go onsite!
(Unless you feel like giving me the actual lines that need to be added  :P)
0
 
LVL 9

Expert Comment

by:trinak96
ID: 20387893
It's a big change so wouldn't recommend doing it off-site. Unfortunately I dont have the time to detail the actual changes required. The only thing to remember is in the permit access list is to change from <ip subnet - subnet> to tcp <ip> port etc....

Hope you are sucessful, just post back with any queries.....good luck.
0
 
LVL 9

Expert Comment

by:trinak96
ID: 20437097
How did you get on, any problems ?
0
 
LVL 6

Author Comment

by:Michael_Melb_Aust
ID: 20440564
Have not managed to get onsite yet.   Will be going onsite tomorrow so will test then!   Thank you for your help so far.
0
 
LVL 7

Expert Comment

by:naughton
ID: 20455080
don't think that will work.
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087bac.html

not supported on 800 series routers.

I have the same problem. the static NAT takes precedence over the traffic and sends the vpn traffic back out the outside interface where the traffci should actually be sent back down the VPN tunnel.

its the answer, just not support on 800 series routers.


0
 
LVL 7

Expert Comment

by:naughton
ID: 20455082
to confirm - my problem was/is with RDC not port 25, however I belive its the same problem.
0
 
LVL 6

Author Comment

by:Michael_Melb_Aust
ID: 20455401
So does that mean the only option is to either upgrade router or get a second public IP?
0
 
LVL 6

Author Comment

by:Michael_Melb_Aust
ID: 20455402
Forgot to update.. went through above document onsite and could not get it working... so the fact it isn't supported on 800 series makes sense...   Kind of annoying....
0
 
LVL 7

Expert Comment

by:naughton
ID: 20461119
Hey Michael,

I don't think mulitple IP's owuld wok - because the NAT statement relates to an interface no an IP......

the wierd thing is that it would probably work using a VPN client versus a lan-to-lan ip sec tunnel.

I'm tryign to recall if a GRE or non IPSec tunnel would overcome the NAT problem.




0
 
LVL 7

Expert Comment

by:naughton
ID: 20461432
Michael,

what is it that you are actually trying to do?
+
0
 
LVL 6

Author Comment

by:Michael_Melb_Aust
ID: 20461665
The first thing the client noticed was smtp not working through the VPN.  This would be fine from a client computer as we could create a new smtp connector in exchange on a different port and set the clients to use a different port.  However they have a photocopier which sends scanned documents via smtp, we cannot change which port the photocopier uses.  Idealy these scanned documents would go through the VPN to the mail server and this is how it worked prior to implementing the cisco.
0
 
LVL 7

Expert Comment

by:naughton
ID: 20462130
Hey Michael,

jsut testinjg an option from CISCO TAC.

will let you knwo how i go.

Nathan
0
 
LVL 6

Author Comment

by:Michael_Melb_Aust
ID: 20462150
Fantastic.  Thanks Nathan
0
 
LVL 7

Expert Comment

by:naughton
ID: 20482645
ok.

change the ip nat static  to use the actual IP address of Interface Dialer0 instead of the name and then apply the route map SDM_RMAP_1

ip nat inside source static tcp 10.0.0.5 25 interface Dialer0 25

becomes

ip nat inside source static tcp 10.0.0.5 25 XXX.XXX.XXX.XXX 25 route-map SDM_RMAP_1

etc for any service you want to eb able to access via the VPN.
0
 
LVL 6

Author Comment

by:Michael_Melb_Aust
ID: 20596685
I still haven't madeit onsite to test yet...  Will test when I get onsite...
0
 
LVL 7

Accepted Solution

by:
naughton earned 2000 total points
ID: 20596711
you should be able to to do it remotely vs onsite without too large an impact to the business.  

in the case you are concerned, set a reload in global config
reload at <time>
reload in <time in mins>

and don't save your changes until you are happy they work.  the reload at that point will clear out anythign you have not saved to statup-confg.
0
 
LVL 7

Expert Comment

by:naughton
ID: 20687635
Hey Michael,

how'd you go with this?
0
 
LVL 6

Author Comment

by:Michael_Melb_Aust
ID: 20688116
I haven't as of yet...  sorry...  once I get a chance I'll do it...  It's not a high priority at the moment!
0
 
LVL 6

Author Closing Comment

by:Michael_Melb_Aust
ID: 31411302
Thank you Naughton for your help, both fortunatly and unfortunatly the issue is non existant because due to growth in the company they have installed another link dedicated to the VPN's so this bypasses this issue.   Thank you so much for helping and even the tip of reload at/in is more than worthy of the points!
0
 
LVL 6

Author Comment

by:Michael_Melb_Aust
ID: 20882118
I had sometime and used all of your suggestions (reload etc  :)   Worked well, didn't get myself into the situation of locking myself out... but was good to know it was there

I changed the command to: ip nat inside source static tcp 10.0.0.5 25 XXX.XXX.XXX.XXX 25 route-map SDM_RMAP_1

It worked like a charm!   Thanks heaps again!!
0

Featured Post

Tech or Treat! - Giveaway

Submit an article about your scariest tech experience—and the solution—and you’ll be automatically entered to win one of 4 fantastic tech gadgets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the hope of saving someone else's sanity... About a year ago we bought a Cisco 1921 router with two ADSL/VDSL EHWIC cards to load balance local network traffic over the two broadband lines we have, but we couldn't get the routing to work consi…
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question