Solved

Object/Service based ACLs

Posted on 2008-11-11
Last Modified: 2012-05-05
I asked this question earlier but don't think I worded it right. After a suggestion from another member and some researching, I think I am in need of an object-based or service-based ACL to accomplish this. We have a group of people that need to VPN out using the ATT VPN client. They have provided a document with all the IPs and ports that I need. I'm thinking, due to the amount of IPs and ports needed, that an object group/security group could help make this easier, but I need a nudge in the right direction on how to accomplish this. This is above my pay grade, lol.


The document is attached.

Thanks in advance. You guys are lifesavers.
attbroadbandports.pdf
Question by:jasonmichel

Expert Comment

by:JFrederick29
ID: 22930672
Do you want to be restrictive with who can VPN out of your network? If not, you can simply allow UDP 500 and UDP 4500 inbound on the WAN interface access-list (assuming you have one). The ATT VPN client needs to be configured to use NAT-Traversal, or else you will be dealing with NAT-related issues.

If you want to restrict these ports to the ATT IP addresses only, you can use a network object-group and specify the ATT addresses.

Object groups in IOS are a relatively new feature, so you need to be running 12.2(20)T at a minimum. Here is a good reference with examples:

 http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_object_group_acl.html
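
The object-group approach from the comment above, as an added example that is not part of the thread: a small Python script that turns a list of vendor VPN gateway addresses and the ports they use into the IOS `object-group network`, `object-group service` and extended ACL lines, so a long list from a vendor document does not have to be typed line by line. The addresses and ports in it are constructed placeholders, not the AT&T values from the attached PDF, and the names `ATT_VPN_PEERS`, `ATT_VPN_SVC` and `WAN_IN` are assumptions. Two checks before using the output on the router in this thread: object-group ACLs are documented under the 12.4(20)T train (the linked Cisco page), while the posted image `c1841-advsecurityk9-mz.124-21a.bin` is 12.4 mainline, so confirm `object-group` is accepted in config mode first; and because an inbound ACL on the WAN interface (`ip access-group WAN_IN in` on Dialer1 in the posted config) ends in an implicit deny, the existing site-to-site IPsec peers (UDP 500 and ESP from the `set peer` addresses) and the return traffic of NAT'd sessions must be permitted, or CBAC must be in place, before it is applied. Note also that the posted config references `CONF_ACCESS` on the vty lines and ACL `50` for HTTP without defining either; an undefined access-class ACL permits everything.

```python
"""Added example (not from the thread): build the IOS object-group ACL
that the comment describes from a list of VPN gateway prefixes and the
services they need. All addresses, ports and names are constructed
placeholders, not the values from the vendor document."""
import ipaddress

# Constructed sample input standing in for the vendor's port document.
# A duplicate is included on purpose to show it is collapsed.
PEERS = ["203.0.113.10", "198.51.100.0/24", "203.0.113.64/26", "203.0.113.10"]
SERVICES = [("udp", 500), ("udp", 4500), ("esp", None)]


def network_entries(peers):
    """One object-group line per unique prefix. Object-groups take a
    subnet mask (255.255.255.0), not the wildcard mask that ACLs use."""
    seen, lines = set(), []
    for p in peers:
        net = ipaddress.ip_network(p, strict=True)  # rejects host bits set
        if net in seen:
            continue
        seen.add(net)
        if net.prefixlen == 32:
            lines.append(f" host {net.network_address}")
        else:
            lines.append(f" {net.network_address} {net.netmask}")
    return lines


def service_entries(services):
    """tcp/udp/tcp-udp entries need a port; other protocols (esp, ahp,
    gre, ...) are written as a bare protocol keyword."""
    lines = []
    for proto, port in services:
        if proto in ("tcp", "udp", "tcp-udp"):
            if port is None or not 0 < port < 65536:
                raise ValueError(f"{proto} entry needs a port 1-65535, got {port!r}")
            lines.append(f" {proto} eq {port}")
        elif port is not None:
            raise ValueError(f"{proto} takes no port, got {port!r}")
        else:
            lines.append(f" {proto}")
    return lines


def render_config(peers, services, net_name="ATT_VPN_PEERS",
                  svc_name="ATT_VPN_SVC", acl_name="WAN_IN"):
    """Return the config block: two object-groups and an extended ACL that
    permits only those services from only those peers. The explicit final
    deny mirrors the implicit one; anything else that must reach the WAN
    interface needs its own permit lines before this ACL is applied."""
    lines = [
        f"object-group network {net_name}",
        *network_entries(peers),
        f"object-group service {svc_name}",
        *service_entries(services),
        f"ip access-list extended {acl_name}",
        " remark vendor VPN gateways: only their ports, only their addresses",
        f" permit object-group {svc_name} object-group {net_name} any",
        " deny ip any any log",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_config(PEERS, SERVICES), end="")
```

Paste the output into config mode, then bind it with `ip access-group WAN_IN in` on the WAN-facing interface only after the other inbound needs listed above have their own permit lines.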

Author Comment

by:jasonmichel
ID: 22930908
No, we don't need to restrict who uses it going out; I just want to make sure those ports they need coming in are open. We have IOS 12.4. I'm just wondering how to do this to make sure just the IPs they specified for their GIGs have access to our network and not open UDP up for everything. But as you can see from the document, that is a lot of IPs to enter, lol. That link you sent me is the exact one I read that gave me the idea to attempt to use that. Have you ever used the ATT VPN client? And if so, what is best practice for traffic management?


Expert Comment

by:JFrederick29
ID: 22930940
I've never used the ATT client, but like I said, you will want to configure it for NAT-Traversal (UDP 4500) or you will run into issues with NAT (unless you have plenty of public IPs to burn).

Do you have the IOS Firewall running?  Can you post your configuration?  If you were to use the IOS Firewall outbound on the WAN interface, the VPN client traffic should work without touching the access-list.

Author Comment

by:jasonmichel
ID: 22930985
 Current configuration : 8681 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname MW_WAN
!
boot-start-marker
boot system flash c1841-advsecurityk9-mz.124-21a.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
no logging exception
logging buffered 4096 debugging
logging console errors

aaa new-model
!
!
aaa authentication login USER_VPN group radius
aaa authorization network GROUP_VPN local
!
aaa session-id common
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip domain name micro.net
ip name-server 192.168.57.11
!
!
crypto pki trustpoint TP-self-signed-383872724
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-383872724
 revocation-check none
 rsakeypair TP-self-signed-383872724



 30820246 308201AF A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33383338 37323732 34301E17 0D303730 36303732 30323231
  325A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3338 33383732
  37323430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  C077D9DE 1750E10E 330D6E19 58BD6E40 7C374F99 D083E2D1 940B1A39 60BDC296
  8FDB451F B50F464C 7033DEAE 50B16BBF 970176AA 2C0B48E6 F630901B 50753FBB
  F67D6F6B CC1A7D2E A069FEE5 9CCF591E 51BEBD0F 49CD1755 1D0650C3 0C253122
  1BA9682D E126DB7F 0FA450F8 E663178B 7E5CA7D9 24B364FD D29937EF 2CC20C81
  02030100 01A37030 6E300F06 03551D13 0101FF04 05300301 01FF301B 0603551D
  11041430 1282104D 575F5741 4E2E6D69 63726F2E 6E657430 1F060355 1D230418
  30168014 805764C2 B35DE9CE D0DE2A24 09726D2A E825EC7A 301D0603 551D0E04
  16041480 5764C2B3 5DE9CED0 DE2A2409 726D2AE8 25EC7A30 0D06092A 864886F7
  0D010104 05000381 81004257 03B1DBBB A070E6E8 3FD82BFA C6EAD631 8EBDA7CA
  A3CC9E7E 15564173 4975C308 E1CFF8B2 F04BB6B3 F265F5DB A05C2A1B 40EA12FE
  175198B7 10DF49CA E335C642 8D76A93C F8A97779 EF8BF16E BE2D61CD 5F2F1D2D
  79079226 332953BD D543039B 4129DD8D CFBB3A52 EAD7156D 0D7986A0 9A1E61AB
  077DC98E D9E3AB05 D2A9
  quit

!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
policy-map WEBVPN_Policy
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key MW_RECTunnel address 216.207.224.5 no-xauth
crypto isakmp key MW_FDTunnel address 216.207.224.2 no-xauth
crypto isakmp key MW_WATERTunnel address 216.207.224.3 no-xauth
crypto isakmp key MW_COBVPNTunnel address 70.62.43.150 no-xauth
crypto isakmp key MW_POLTunnel address 216.207.224.4 no-xauth
crypto isakmp key MW_TJKTunnel address 74.204.74.69 no-xauth
crypto isakmp keepalive 15
!
crypto isakmp client configuration group MWVPN
 key Deploy57
 dns 192.168.57.11
 pool VPN_POOL
 acl 105
 netmask 255.255.255.0
!
crypto isakmp client configuration group GROUP_VPN
!
!
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
crypto ipsec transform-set AES256 esp-aes 256 esp-sha-hmac
!
crypto dynamic-map VPN_Clients 100
 set transform-set 3DES
 reverse-route
!
!
crypto map VPN client authentication list USER_VPN
crypto map VPN isakmp authorization list GROUP_VPN
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp
 description Tunnel to COB
 set peer 70.62.43.150
 set transform-set 3DES
 match address MW2COB
crypto map VPN 20 ipsec-isakmp
 set peer 216.207.224.4
 set transform-set 3DES
 match address MW2POL
crypto map VPN 30 ipsec-isakmp
 description Tunnel to COB Water
 set peer 216.207.224.3
 set transform-set 3DES
 match address MW2WAT
crypto map VPN 50 ipsec-isakmp
 description Tunnel to TJK
 set peer 74.204.74.69
 set transform-set 3DES
 match address MW2TJK
crypto map VPN 65535 ipsec-isakmp dynamic VPN_Clients
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.252
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description MW_WAN/VPN
 ip address dhcp
 ip accounting output-packets
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 shutdown
 duplex auto
 speed auto
 crypto map VPN
!
interface FastEthernet0/1
 description MW_LAN
 ip address 192.168.57.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 ip policy route-map VPN
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
 switchport access vlan 10
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
!
interface Vlan1
 no ip address
!
interface Vlan10
 no ip address
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp chap hostname microworksinc@static.sbcglobal.net
 ppp chap password 7 02310C775B565E
 ppp pap sent-username microworksinc@static.sbcglobal.net password 7 01240E280B5B57
 crypto map VPN
!
ip local pool VPN_POOL 10.10.10.1 10.10.10.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http port 8080
ip http access-class 50
ip http authentication local
no ip http secure-server
ip nat pool PUBLIC 75.13.63.65 75.13.63.70 netmask 255.255.255.248
ip nat inside source route-map NAT interface Dialer1 overload
ip nat inside source static 192.168.57.90 75.13.63.65
ip nat inside source static 192.168.57.14 75.13.63.68
ip nat inside source static tcp 192.168.57.11 25 75.13.63.69 25 extendable
ip nat inside source static tcp 192.168.57.11 50 75.13.63.69 50 extendable
ip nat inside source static udp 192.168.57.11 50 75.13.63.69 50 extendable
ip nat inside source static tcp 192.168.57.11 80 75.13.63.69 80 extendable
ip nat inside source static tcp 192.168.57.11 5633 75.13.63.69 5633 extendable
ip nat inside source static udp 192.168.57.11 5634 75.13.63.69 5634 extendable
ip nat inside source static tcp 192.168.57.50 5888 75.13.63.69 5888 extendable
ip nat inside source static udp 192.168.57.50 5889 75.13.63.69 5889 extendable
ip nat inside source static tcp 192.168.57.50 57892 75.13.63.69 57892 extendable
!
ip access-list extended MW2COB
 remark MW VPN to COB
 permit ip 192.168.57.0 0.0.0.255 10.1.1.0 0.0.0.255
ip access-list extended MW2POL
 permit ip 192.168.57.0 0.0.0.255 10.1.9.0 0.0.0.255
 remark MW VPN to Pollution Control
ip access-list extended MW2TJK
 permit ip 192.168.57.0 0.0.0.255 10.11.11.0 0.0.0.255
 remark MW VPN to TJK
ip access-list extended MW2WAT
 permit ip 192.168.57.0 0.0.0.255 10.1.11.0 0.0.0.255
 remark MW VPN to Water Plant
ip access-list extended inet-traffic
 deny   ip 192.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
 deny   ip 192.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
 deny   ip 192.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip 192.168.57.0 0.0.0.255 any
!
access-list 198 permit ip 192.168.57.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 199 permit ip 192.168.57.0 0.0.0.255 10.10.10.0 0.0.0.255
snmp-server community public RW
snmp-server chassis-id CiscoRouter
no cdp run
route-map VPN permit 10
 match ip address 198
 set ip next-hop 1.1.1.2
!
route-map NAT permit 10
 match ip address inet-traffic
!
!
radius-server host 192.168.57.11 auth-port 1645 acct-port 1646
radius-server key 7 030752180500701E1D
!
control-plane
!
banner login ^C
*****************************************************************
* Unauthorized access will be prosecuted to the fullest extent  *
* of the law.  To avoid criminal charges, disconnect NOW        *
*****************************************************************
^C
banner motd ^CLogin Successful^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class CONF_ACCESS in
 password 7 000A002F0B6B0C475F76
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

Expert Comment

by:JFrederick29
ID: 22931035
Okay, you currently are not restricting any traffic (NAT still blocks incoming connections from the Internet however).

Is the client not working?  The router shouldn't be denying the traffic.

Author Comment

by:jasonmichel
ID: 22931095
The client fails on authentication. So do I have to allow ESP (50) through? You say NAT still blocks incoming connections; does it have to allow anything incoming per the document?

Accepted Solution

by:
JFrederick29 earned 2000 total points
ID: 22931115
All traffic should be initiated outbound from the client. ESP 50 is what NAT will break, so you need to make sure the client is configured for NAT-T (NAT-Traversal), i.e. UDP encapsulation (not sure how it is phrased in the client). It looks like they support it, as they have it on their port list (UDP 4500).
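
What the accepted answer says about ESP and NAT-T, as an added example that is not part of the thread: a Python script with constructed packets (nothing captured from the ATT client) that shows why a port-overloading NAT has nothing to rewrite in an ESP packet (IP protocol 50 carries only an SPI, no ports), and how RFC 3948 lets IKE, ESP and keepalives share UDP/4500 so all of them survive PAT. The `PatRouter` class is a deliberately minimal model of the `overload` NAT on Dialer1 in the posted config, not IOS behaviour in every detail; JFrederick29's later suggestion of a static one-to-one NAT for the client PC gives that PC its own public IP and so sidesteps the problem the model shows.

```python
"""Added example (not from the thread): constructed IKE/ESP packets and a
toy port-overload NAT, to show what NAT-Traversal changes on the wire."""
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IKE_PORT = 500
NATT_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 s.2.2: IKE on 4500 gets 4 zero bytes in front
NAT_KEEPALIVE = b"\xff"               # RFC 3948 s.2.3: one-byte NAT keepalive


def esp_packet(spi, seq, ciphertext):
    """ESP (RFC 4303): SPI(4) + sequence(4) + encrypted payload. No port fields."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved; it would collide with the non-ESP marker")
    return struct.pack("!II", spi, seq) + ciphertext


def ike_header(ispi, rspi, exch_type, msg_id, body=b""):
    """ISAKMP/IKEv1 header (RFC 2408): 28 bytes, big-endian.
    fields: init cookie(8) resp cookie(8) next(1) version(1) exch(1) flags(1) msgid(4) len(4)"""
    return struct.pack("!8s8sBBBBII", ispi, rspi, 0, 0x10, exch_type, 0,
                       msg_id, 28 + len(body)) + body


def udp_encapsulate(kind, inner=b""):
    """Wrap a message for UDP/4500. ESP is sent as-is: its non-zero SPI sits
    where IKE carries the all-zero marker, which is how the receiver tells
    them apart without any extra header."""
    if kind == "ike":
        return NON_ESP_MARKER + inner
    if kind == "esp":
        return inner
    if kind == "keepalive":
        return NAT_KEEPALIVE
    raise ValueError(f"unknown kind {kind!r}")


def classify(ip_proto, dst_port, payload):
    """What a firewall or NAT sees for one packet."""
    if ip_proto == IPPROTO_ESP:
        return "esp-raw"            # protocol 50, no ports: PAT cannot overload it
    if ip_proto != IPPROTO_UDP:
        return "other"
    if dst_port == IKE_PORT:
        return "ike"
    if dst_port == NATT_PORT:
        if payload == NAT_KEEPALIVE:
            return "natt-keepalive"
        if payload[:4] == NON_ESP_MARKER:
            return "natt-ike"
        return "natt-esp"
    return "other"


class PatRouter:
    """Toy port-overload NAT (assumption, not IOS): one public IP, a fresh
    source port per inside (proto, ip, port). It can only multiplex
    protocols that carry a port it is allowed to rewrite."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}  # (proto, inside_ip, inside_port) -> outside port

    def translate(self, proto, inside_ip, inside_port=None):
        if proto == IPPROTO_ESP:
            # Only the SPI identifies an ESP flow, and the peers choose it;
            # with several inside hosts behind one public IP there is no
            # field this router may rewrite to keep their tunnels apart.
            return None
        key = (proto, inside_ip, inside_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return (self.public_ip, self.table[key])


if __name__ == "__main__":
    r = PatRouter("203.0.113.5")  # constructed public address
    for host in ("192.168.57.20", "192.168.57.21"):
        print(host, "UDP/4500 ->", r.translate(IPPROTO_UDP, host, NATT_PORT),
              "| ESP ->", r.translate(IPPROTO_ESP, host))
```

With NAT-T the whole tunnel is UDP, so the `overload` rule on Dialer1 handles it like any other outbound UDP session and no inbound hole is needed; without it, the IKE exchange on UDP/500 completes and the tunnel then fails as soon as ESP starts, which matches the symptom of a client that negotiates but never passes traffic.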

Author Comment

by:jasonmichel
ID: 22931141
So the configurations I need to make are on the client? So nothing has to be done to the router?

Author Comment

by:jasonmichel
ID: 22931169
Just checked the client. There are really no options to configure as far as that goes, so do I need to do anything to the router?

Author Comment

by:jasonmichel
ID: 22931295
Actually, I ran setup again and picked a different "network connecting from" option, and it worked. I'm thinking that what I picked determined the encapsulation type. Thanks for the help; you're always spot on.

Expert Comment

by:JFrederick29
ID: 22931316
You are allowing all ports inbound and outbound, so most likely NAT is the issue. To verify this, do you have an extra public IP available? If so, you can NAT the PC running the client to rule out NAT issues, i.e.:

ip nat inside source static <VPN client PC IP address> <free public IP for testing>

Expert Comment

by:JFrederick29
ID: 22931325
Disregard, was writing that when you posted the last comment :)

Thanks for the points!

Author Comment

by:jasonmichel
ID: 22931342
No problem. You've helped me out immensely on several problems.

Expert Comment

by:JFrederick29
ID: 22931413
Glad to help.  That's what we do here!