Allowing GRE traffic through cisco 1841

I asked this once; let me try it again with different tags... lol

Basically, here's the scenario: we connect to a client that has their own managed firewall (they are a bank). For us to access their network, we were given a username/password and told to use Microsoft's VPN client, so we do. When I am in the office, which is behind a 1841 router that's connected to a 2Wire, we can't authenticate. We can ping the IP, and when we use the VPN client it starts the handshake but fails when it gets to verifying the username/password. After talking to their firewall people, they say it uses GRE over IPsec? So I look in my NAT translations and I notice that 1723 is being NATted, but we still can't authenticate. Right now all our workstations are in 1 VLAN; the other VLAN is the management VLAN. We have no ACLs on the WAN interface. Can anyone help? What info can I give you to assist? I do have access to the router if you need something from the config.
jasonmichelAsked:
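If the tunnel in the question is PPTP (TCP 1723 is PPTP's control port, which is why that is the only translation that shows up), the part the NAT never sees properly is the data path: PPTP carries PPP inside GRE (IP protocol 47) with the RFC 2637 "enhanced GRE" header, which has no port numbers. An overloaded NAT can only tell one client's tunnel from another's by the 16-bit Call ID in that header, and it needs a PPTP ALG to learn and, when necessary, rewrite that ID. The following is an added example written for this thread, not code from the original post or from Cisco; it builds and parses that header and models the Call ID table such an ALG keeps. All addresses, Call IDs and packet bytes are constructed.

```python
"""PPTP data path: enhanced GRE (RFC 2637) and the Call ID table a PPTP ALG keeps.

Added example for this thread; not code from the original post or from Cisco.
All packets are constructed in memory and nothing is sent on the wire.
"""
import struct

IP_PROTO_GRE = 47          # GRE rides directly on IP: no TCP/UDP port for PAT to rewrite
PPTP_CONTROL_PORT = 1723   # the TCP control channel, the only part "port NAT" can see
GRE_PROTO_PPP = 0x880B     # protocol type PPTP puts in the GRE header
GRE_FLAGS_KS_V1 = 0x3001   # K=1 (Call ID present), S=1 (sequence present), version 1


def build_pptp_gre(call_id: int, seq: int, payload: bytes) -> bytes:
    """Build an enhanced-GRE data packet as a PPTP endpoint would emit it.

    Header: flags/version, protocol type, payload length, Call ID, sequence.
    The Call ID is the receiver's ID for the call, so an inbound packet from
    the server carries the ID the inside client chose when it set up the call.
    """
    if not 0 <= call_id <= 0xFFFF:
        raise ValueError("Call ID is a 16-bit field")
    return struct.pack("!HHHHI", GRE_FLAGS_KS_V1, GRE_PROTO_PPP,
                       len(payload), call_id, seq) + payload


def parse_pptp_gre(pkt: bytes) -> dict:
    """Parse the header above, verifying the bits that mark it as PPTP GRE."""
    if len(pkt) < 12:
        raise ValueError("truncated GRE header")
    flags, proto, length, call_id, seq = struct.unpack("!HHHHI", pkt[:12])
    if flags & 0x0007 != 1:
        raise ValueError("not enhanced GRE version 1")
    if not flags & 0x2000:
        raise ValueError("K bit clear: no Call ID to demultiplex on")
    if proto != GRE_PROTO_PPP:
        raise ValueError("GRE protocol type is not PPP")
    return {"call_id": call_id, "seq": seq, "payload": pkt[12:12 + length]}


class PptpAlg:
    """Minimal model of the state a PPTP ALG adds to an overloaded NAT.

    The ALG watches Outgoing-Call-Request messages on TCP 1723 and records the
    Call ID each inside client chose. If a second inside client picks an ID that
    is already in use behind the same public address, the ALG substitutes a free
    one (rewriting the request it forwards). Inbound GRE then carries the
    substituted ID and maps back to exactly one inside host. Without this table
    a plain PAT device has nothing to key on and the tunnel's data never arrives.
    """

    def __init__(self) -> None:
        self._outside_to_inside = {}   # outside Call ID -> (inside IP, inside Call ID)
        self._next_free = 0xF000       # constructed pool for substituted IDs

    def register_call(self, inside_ip: str, inside_call_id: int) -> int:
        outside_id = inside_call_id
        if outside_id in self._outside_to_inside:
            outside_id = self._next_free
            self._next_free += 1
        self._outside_to_inside[outside_id] = (inside_ip, inside_call_id)
        return outside_id

    def inbound(self, pkt: bytes):
        """Deliver an inbound GRE packet: pick the inside host, restore its Call ID."""
        hdr = parse_pptp_gre(pkt)
        entry = self._outside_to_inside.get(hdr["call_id"])
        if entry is None:
            return None     # no table entry: the packet is dropped or misdelivered
        inside_ip, inside_call_id = entry
        restored = pkt[:6] + struct.pack("!H", inside_call_id) + pkt[8:]
        return inside_ip, restored


def demo():
    """Two LAN clients both chose Call ID 1 (it is usually a per-host counter)."""
    alg = PptpAlg()
    out_a = alg.register_call("192.168.57.233", 1)   # keeps ID 1
    out_b = alg.register_call("192.168.57.50", 1)    # gets a substituted ID
    # constructed payload: PPP address/control bytes followed by the LCP protocol id
    pkt_from_server = build_pptp_gre(out_b, seq=7, payload=b"\xff\x03\xc0\x21")
    inside_ip, restored = alg.inbound(pkt_from_server)
    return out_a, out_b, inside_ip, parse_pptp_gre(restored)["call_id"]


if __name__ == "__main__":
    print(demo())   # (1, 61440, '192.168.57.50', 1)
```

Outbound data packets are not modelled because they carry the server's Call ID, which the server already keeps unique; the inbound direction is where a NAT without Call ID state fails, and it fails silently, which matches a client that completes the TCP 1723 handshake and then times out on authentication.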
bkepfordCommented:
Example:
ip route 72.23.33.14 255.255.255.255 192.168.57.2
0
 
bkepfordCommented:
If you want to post the 1841 config it may help. Also, I would think that it is most likely the 2Wire. Have you checked to make sure that NAT-T is enabled on the 2Wire?
 
0
 
jasonmichelAuthor Commented:
!
ip domain name micro.net
ip name-server 192.168.57.11
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
crypto pki trustpoint TP-self-signed-383872724
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-383872724
 revocation-check none
 rsakeypair TP-self-signed-383872724
!
!
crypto pki certificate chain TP-self-signed-383872724
 certificate self-signed 01
  30820246 308201AF A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33383338 37323732 34301E17 0D303730 36303732 30323231
  325A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3338 33383732
  37323430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  C077D9DE 1750E10E 330D6E19 58BD6E40 7C374F99 D083E2D1 940B1A39 60BDC296
  8FDB451F B50F464C 7033DEAE 50B16BBF 970176AA 2C0B48E6 F630901B 50753FBB
  F67D6F6B CC1A7D2E A069FEE5 9CCF591E 51BEBD0F 49CD1755 1D0650C3 0C253122
  1BA9682D E126DB7F 0FA450F8 E663178B 7E5CA7D9 24B364FD D29937EF 2CC20C81
  02030100 01A37030 6E300F06 03551D13 0101FF04 05300301 01FF301B 0603551D
  11041430 1282104D 575F5741 4E2E6D69 63726F2E 6E657430 1F060355 1D230418
  30168014 805764C2 B35DE9CE D0DE2A24 09726D2A E825EC7A 301D0603 551D0E04
  16041480 5764C2B3 5DE9CED0 DE2A2409 726D2AE8 25EC7A30 0D06092A 864886F7
  0D010104 05000381 81004257 03B1DBBB A070E6E8 3FD82BFA C6EAD631 8EBDA7CA
  A3CC9E7E 15564173 4975C308 E1CFF8B2 F04BB6B3 F265F5DB A05C2A1B 40EA12FE
  175198B7 10DF49CA E335C642 8D76A93C F8A97779 EF8BF16E BE2D61CD 5F2F1D2D
  79079226 332953BD D543039B 4129DD8D CFBB3A52 EAD7156D 0D7986A0 9A1E61AB
  077DC98E D9E3AB05 D2A9
  quit

!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
policy-map WEBVPN_Policy
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key MW_RECTunnel address 216.207.224.5 no-xauth
crypto isakmp key MW_FDTunnel address 216.207.224.2 no-xauth
crypto isakmp key MW_WATERTunnel address 216.207.224.3 no-xauth
crypto isakmp key MW_COBVPNTunnel address 70.62.43.150 no-xauth
crypto isakmp key MW_POLTunnel address 216.207.224.4 no-xauth
crypto isakmp key MW_TJKTunnel address 74.204.74.32 no-xauth
crypto isakmp keepalive 15
!
crypto isakmp client configuration group MWVPN
 key Deploy57
 dns 192.168.57.11
 pool VPN_POOL
 acl 105
 netmask 255.255.255.0
!
crypto isakmp client configuration group GROUP_VPN
!
!
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
crypto ipsec transform-set AES256 esp-aes 256 esp-sha-hmac
!
crypto dynamic-map VPN_Clients 100
 set transform-set 3DES
 reverse-route
!
!
crypto map VPN client authentication list USER_VPN
crypto map VPN isakmp authorization list GROUP_VPN
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp
 description Tunnel to COB
 set peer 70.62.43.150
 set transform-set 3DES
 match address MW2COB
crypto map VPN 20 ipsec-isakmp
 set peer 216.207.224.4
 set transform-set 3DES
 match address MW2POL
crypto map VPN 30 ipsec-isakmp
 description Tunnel to COB Water
 set peer 216.207.224.3
 set transform-set 3DES
 match address MW2WAT
crypto map VPN 50 ipsec-isakmp
 description Tunnel to TJK
 set peer 74.204.74.32
 set transform-set 3DES
 match address MW2TJK
crypto map VPN 65535 ipsec-isakmp dynamic VPN_Clients
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.252
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description MW_WAN/VPN
 ip address dhcp
 ip accounting output-packets
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 crypto map VPN
!
interface FastEthernet0/0.1
 encapsulation dot1Q 10
 ip address 192.168.100.1 255.255.255.0
 no ip route-cache
 no cdp enable
!
interface FastEthernet0/1
 description MW_LAN
 ip address 192.168.57.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 ip policy route-map VPN
 duplex auto
 speed auto
!
ip local pool VPN_POOL 10.10.10.1 10.10.10.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip route 192.168.57.0 255.255.255.0 192.168.57.2
ip route 192.168.60.0 255.255.255.0 192.168.57.2
ip route 192.168.80.0 255.255.255.0 192.168.57.2
ip route 192.168.254.0 255.255.255.0 192.168.57.2
!
!
ip http server
ip http port 8080
ip http access-class 50
ip http authentication local
no ip http secure-server
ip nat inside source route-map NAT interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.57.90 21 75.13.63.69 21 extendable
ip nat inside source static udp 192.168.57.90 21 75.13.63.69 21 extendable
ip nat inside source static tcp 192.167.57.11 25 75.13.63.69 25 extendable
ip nat inside source static tcp 192.168.57.11 50 75.13.63.69 50 extendable
ip nat inside source static udp 192.168.57.11 50 75.13.63.69 50 extendable
ip nat inside source static tcp 192.168.57.11 80 75.13.63.69 80 extendable
ip nat inside source static tcp 192.167.57.11 110 75.13.63.69 110 extendable
ip nat inside source static tcp 192.168.57.11 5633 75.13.63.69 5633 extendable
ip nat inside source static udp 192.168.57.11 5634 75.13.63.69 5634 extendable
ip nat inside source static tcp 192.168.57.50 5888 75.13.63.69 5888 extendable
ip nat inside source static udp 192.168.57.50 5889 75.13.63.69 5889 extendable
ip nat inside source static tcp 192.168.57.50 57892 75.13.63.69 57892 extendable
!
ip access-list extended MW2COB
 remark MW VPN to COB
 permit ip 192.168.57.0 0.0.0.255 10.1.1.0 0.0.0.255
ip access-list extended MW2POL
 permit ip 192.168.57.0 0.0.0.255 10.1.9.0 0.0.0.255
 remark MW VPN to Pollution Control
ip access-list extended MW2TJK
 permit ip 192.168.57.0 0.0.0.255 10.11.11.0 0.0.0.255
 remark MW VPN to TJK
ip access-list extended MW2WAT
 permit ip 192.168.57.0 0.0.0.255 10.1.11.0 0.0.0.255
 remark MW VPN to Water Plant
ip access-list extended inet-traffic
 deny   ip 192.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
 deny   ip 192.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
 deny   ip 192.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip 192.168.57.0 0.0.0.255 any
!
access-list 198 permit ip 192.168.57.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 199 permit ip 192.168.57.0 0.0.0.255 10.10.10.0 0.0.0.255
snmp-server community public RW
snmp-server chassis-id CiscoRouter
no cdp run
!
route-map VPN permit 10
 match ip address 198
 set ip next-hop 1.1.1.2
!
route-map NAT permit 10
 match ip address inet-traffic
!
!
!

control-plane
!
!
banner login ^C
*****************************************************************
* Unauthorized access will be prosecuted to the fullest extent  *
* of the law.  To avoid criminal charges, disconnect NOW        *
*****************************************************************
^C
banner motd ^CLogin Successful^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet

!
scheduler allocate 20000 1000
end
 

And the 2Wire has the router set up in its DMZPlus mode.
0
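Independently of the VPN problem, the posted configuration carries several settings a reviewer would flag: an SNMP community named public with RW access, ISAKMP policies using MD5 and 3DES (policy 10 sets no encryption, so on IOS 12.x it falls back to the DES default), pre-shared keys stored in cleartext, and HTTP management with the secure server disabled. The following is an added example, not from the original post or from Cisco, that lints a constructed config fragment modelled on those lines (addresses are from documentation ranges); the IOS 12.x defaults it assumes for unset ISAKMP fields are encr des, hash sha, authentication rsa-sig and group 1.

```python
"""Lint an IOS config for weak crypto, cleartext secrets and insecure management.

Added example for this thread, not from the original post or Cisco. The
SAMPLE_CONFIG is a constructed fragment in the style of the posted 1841 config,
with documentation addresses; the defaults filled in for unset ISAKMP fields
are the IOS 12.x ones (encr des, hash sha, authentication rsa-sig, group 1).
"""
import re

ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2"}

SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key MW_TESTTunnel address 198.51.100.5 no-xauth
crypto isakmp keepalive 15
ip http server
no ip http secure-server
snmp-server community public RW
line con 0
 transport output telnet
"""


def parse_isakmp_policies(config: str) -> dict:
    """Return {priority: (settings, explicitly_set)}; unset fields take IOS defaults."""
    policies, current, explicit = {}, None, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current, explicit = dict(ISAKMP_DEFAULTS), set()
            policies[int(m.group(1))] = (current, explicit)
            continue
        if current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            key = "encr" if key == "encryption" else key
            if key in current:
                current[key] = value
                explicit.add(key)
        else:
            current = None         # a non-indented line ends the policy block
    return policies


def lint_ios_config(config: str) -> list:
    """Return (severity, message) findings, most severe first."""
    findings = []
    for prio, (pol, explicit) in sorted(parse_isakmp_policies(config).items()):
        def note(field):
            return "" if field in explicit else " (IOS default, not set)"
        if pol["encr"] in WEAK_ENCR:
            findings.append(("high", f"isakmp policy {prio}: encryption {pol['encr']}{note('encr')}"))
        if pol["hash"] in WEAK_HASH:
            findings.append(("medium", f"isakmp policy {prio}: hash {pol['hash']}{note('hash')}"))
        if pol["group"] in WEAK_DH_GROUPS:
            findings.append(("medium", f"isakmp policy {prio}: DH group {pol['group']}{note('group')}"))
    lines = config.splitlines()
    for line in lines:
        m = re.match(r"crypto isakmp key (\S+) ", line)
        if m and m.group(1) != "6":          # 'key 6 ...' is the AES-encrypted form
            findings.append(("high", "isakmp pre-shared key stored in cleartext"))
        m = re.match(r"snmp-server community (\S+) (RO|RW)", line)
        if m:
            name, mode = m.groups()
            if mode == "RW":
                findings.append(("critical", f"SNMP community '{name}' allows writes"))
            if name.lower() in ("public", "private"):
                findings.append(("high", f"SNMP community '{name}' is a well-known default"))
    if "ip http server" in lines and "no ip http secure-server" in lines:
        findings.append(("medium", "HTTP management enabled with HTTPS disabled"))
    if any(l.strip() == "transport output telnet" for l in lines):
        findings.append(("low", "console/aux allows outbound telnet (cleartext)"))
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, message in lint_ios_config(SAMPLE_CONFIG):
        print(f"{severity:8} {message}")
```

Run it against `show running-config` output saved to a file by swapping SAMPLE_CONFIG for the file contents. The point of filling in defaults is policy 10: nothing in its three lines looks wrong until the missing `encr` and `group` are resolved to DES and group 1.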
 
jasonmichelAuthor Commented:
Another thing to note: we also have a Symantec VPN 100 hanging off this 2Wire, and when we use that as the gateway we can get in.
0
 
bkepfordCommented:
Does the IP scheme on the other side match anything on your network? If your client already has a route to that network it will cause problems.
0
 
jasonmichelAuthor Commented:
Hmm, interesting... well, the Symantec gateway works and it's 192.168.57.2, the LAN interface of the 2Wire is 192.168.1.254, and the remote network LAN is 192.168.1.0/24.
0
 
bkepfordCommented:
That is the easiest one to change, as there is nothing in your router config that identifies it. So just change it on the 2Wire to something different and DHCP should pick it up with a reset of the interface.
The only thing that concerns me is that the PC doesn't know about it. But the PC does get NATed to it. /sigh
 
0
 
jasonmichelAuthor Commented:
What do you think is happening? What should I try first?
0
 
bkepfordCommented:
What is the IP address of the PC? Do a ROUTE PRINT on the PC from a command prompt.
0
 
jasonmichelAuthor Commented:
Of the PC I am using the VPN client on?

===========================================================================
Interface List
 24 ...00 21 86 8a b7 d3 ...... Bluetooth Device (Personal Area Network) #2
 10 ...00 16 ea e0 31 1e ...... Intel(R) WiFi Link 5100 AGN
  8 ...00 1e ec ac 15 0c ...... Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.0)
  1 ........................... Software Loopback Interface 1
 16 ...00 00 00 00 00 00 00 e0  isatap.{0C1BEA18-0FAA-414F-929E-256C0E11A30F}
  9 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
 25 ...00 00 00 00 00 00 00 e0  isatap.{50569D3D-739C-4FD3-9A4B-53489E0F8EC3}
 26 ...00 00 00 00 00 00 00 e0  Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.57.2   192.168.57.233    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
     192.168.57.0    255.255.255.0         On-link    192.168.57.233    266
   192.168.57.233  255.255.255.255         On-link    192.168.57.233    266
   192.168.57.255  255.255.255.255         On-link    192.168.57.233    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link    192.168.57.233    267
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link    192.168.57.233    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      192.168.1.1  Default
          0.0.0.0          0.0.0.0     192.168.57.2  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  8    266 fe80::/64                On-link
  8    266 fe80::b4f4:8e28:cd3b:c61d/128
                                    On-link
  1    306 ff00::/8                 On-link
  8    266 ff00::/8                 On-link
===========================================================================


But it's on any PC that uses 192.168.57.1 for the gateway. Anything using .2 works fine, which is the Symantec VPN appliance.
0
 
bkepfordCommented:
Is this from a working PC? Because it says its default gateway is 192.168.57.2.
Also, this could be an issue: it looks like you have two gateways.
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      192.168.1.1  Default
          0.0.0.0          0.0.0.0     192.168.57.2  Default
 
Can you do an "ipconfig /all" and paste that in?
 
0
 
jasonmichelAuthor Commented:
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.0)
   Physical Address. . . . . . . . . : 00-1E-EC-AC-15-0C
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::b4f4:8e28:cd3b:c61d%8(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.57.233(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.57.2
   DNS Servers . . . . . . . . . . . : 192.168.57.11
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 6:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{0C1BEA18-0FAA-414F-929E-256C0E11A30F}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 02-00-54-55-4E-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 20:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{50569D3D-739C-4FD3-9A4B-53489E0F8EC3}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 17:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
0
 
bkepfordCommented:
Is this from a working PC? Because it says its default gateway is 192.168.57.2.
Also, you need to remove this from your router config; it should not be there:
ip route 192.168.57.0 255.255.255.0 192.168.57.2
0
 
jasonmichelAuthor Commented:
It is a working PC... I just changed the IP to .1.
0
 
bkepfordCommented:
So it worked with 192.168.57.2 as its default gateway, but now that you changed it to 192.168.57.1 it does not?
0
 
jasonmichelAuthor Commented:
That's correct. The 192.168.57.2 is a Symantec VPN 100 appliance; the .1 is the LAN interface on the Cisco.
0
 
bkepfordCommented:
I would try removing these from your router, just because they are firewall-type settings, just to test:
ip tcp synwait-time 10
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
 
0
 
jasonmichelAuthor Commented:
No dice on that. This is frustrating... is there an IOS issue at work?
0
 
bkepfordCommented:
You don't have a LAN-to-LAN tunnel to the same customer, do you? You could try updating your IOS; it never hurts.
Did you remove the static route I mentioned earlier?
I can't see anything else on here that would cause it; obviously the client is set up correctly if you can authenticate through the Symantec VPN device. Is the Symantec VPN on the same LAN segment as the router for its outside interface?
0
 
jasonmichelAuthor Commented:
No, the only way they allow us to authenticate is with a VPN client, so we don't have a tunnel there.

As far as the LAN segment, they are both on the 192.168.57.0 network but have different outside WAN IPs that are given to them from the 2Wire.
0
 
bkepfordCommented:
Just DHCP on the 2Wire side, 192.168.1.x?
0
 
jasonmichelAuthor Commented:
Not sure what you are saying... the 2Wire does hand out DHCP, but it hands out one of 5 public IPs to the WAN interfaces of the Symantec and the Cisco.
0
 
bkepfordCommented:
OK, the reason I said 192.168.1.0 is because the default route on the Cisco is going to 192.168.1.254.
Looking at things, I don't see why it isn't working. Do they have a log on their side that can say what is being blocked? What I might do as a work-around is to put a static route on the 1841 that says
ip route <public IP of Customer vpn connection> 192.168.57.2
This is weird enough that it could be an IOS issue. But nothing is blocking. Could be a NAT issue, but your NATing looks fine.
 
0
 
jasonmichelAuthor Commented:
Hmm... when I try to add the ip route I get %Inconsistent address and mask
0
 
bkepfordCommented:
It is a single host route.
0
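The work-around and the error it produced come down to two IOS behaviours. A static route must have no host bits set under its mask, otherwise IOS rejects it with %Inconsistent address and mask, which is what the 255.255.255.255 mask of a host route avoids. Once installed, a /32 wins longest-prefix match over the default route, so traffic to the customer's VPN peer leaves through the Symantec appliance at 192.168.57.2 while everything else still follows the default; the posted `ip route 192.168.57.0 255.255.255.0 192.168.57.2`, by contrast, can never beat the connected route for the same subnet (administrative distance 0 against 1). The following is an added example, not from the original post or from Cisco, that models that validation and selection in Python; the customer peer address 203.0.113.14 is a placeholder.

```python
"""Static-route validation and longest-prefix selection as IOS applies them.

Added example for this thread, not from the original post or Cisco. The table
is constructed from the kinds of routes in the posted config; 203.0.113.14
stands in for the customer's VPN peer address and is an assumption.
"""
import ipaddress

AD_CONNECTED, AD_STATIC = 0, 1   # IOS administrative distances


def parse_ip_route(line: str):
    """Parse 'ip route <network> <mask> <next-hop>' the way IOS checks it.

    If any host bit is set under the mask, IOS refuses the command with
    '%Inconsistent address and mask'; a single host needs a 255.255.255.255 mask.
    """
    parts = line.split()
    if len(parts) != 5 or parts[:2] != ["ip", "route"]:
        raise ValueError("expected: ip route <network> <mask> <next-hop>")
    network, mask, next_hop = parts[2:]
    try:
        net = ipaddress.IPv4Network(f"{network}/{mask}", strict=True)
    except ValueError:
        raise ValueError("%Inconsistent address and mask") from None
    return net, ipaddress.IPv4Address(next_hop)


class RoutingTable:
    def __init__(self) -> None:
        self.routes = []   # (network, next hop or interface, administrative distance)

    def add_connected(self, cidr: str, interface: str) -> None:
        self.routes.append((ipaddress.IPv4Network(cidr), interface, AD_CONNECTED))

    def add_static(self, line: str) -> None:
        net, next_hop = parse_ip_route(line)
        self.routes.append((net, str(next_hop), AD_STATIC))

    def lookup(self, destination: str):
        """Longest prefix wins; equal prefixes are decided by lower AD."""
        dst = ipaddress.IPv4Address(destination)
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            return None
        _net, via, _ad = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
        return via


def build_table() -> RoutingTable:
    t = RoutingTable()
    t.add_connected("192.168.57.0/24", "FastEthernet0/1")
    t.add_static("ip route 0.0.0.0 0.0.0.0 192.168.1.254")
    # same prefix as the connected LAN: AD 1 can never beat AD 0, so this never forwards
    t.add_static("ip route 192.168.57.0 255.255.255.0 192.168.57.2")
    # the work-around: a /32 to the peer via the appliance that is known to work
    t.add_static("ip route 203.0.113.14 255.255.255.255 192.168.57.2")
    return t


if __name__ == "__main__":
    table = build_table()
    for dst in ("203.0.113.14", "203.0.113.15", "192.168.57.50"):
        print(dst, "->", table.lookup(dst))
    try:
        parse_ip_route("ip route 203.0.113.14 255.255.255.0 192.168.57.2")
    except ValueError as err:
        print(err)   # %Inconsistent address and mask
```

One caveat on the work-around itself: a /32 pointing at the Symantec appliance sends the PPTP control and GRE traffic out through the appliance's own public address rather than the 1841's, so the bank sees a different source IP than before; that is the intended effect here, since that path is the one that already authenticates.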