Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1376
  • Last Modified:

Cisco Router 1841 VPN Problem

Hello.  I've configured dozens of Cisco VPNs on Routers and Firewalls and never have I had this problem.  I've searched the web for an answer but this makes no sense to me.  I have a Cisco 1841 router acting as my network's gateway, so it performs NAT and Cisco CBAC IOS Firewalling.  It also provides Remote Access VPN for end users.  It is an IPSEC VPN using the Cisco VPN Software Client as the remote end.  The VPN connects correctly.  I can ping all objects on the network through the VPN.  I can RDP to any Windows server through the VPN.  I can even access any file share through the VPN by using \\servername.  Name resolution works too.  What I cannot do is access web related services through the VPN.  I cannot telnet to port 25 on the mail server.  I cannot access OWA on the Exchange server.  I cannot access a web page that provides access to our hand punch system over HTTP.  

If I forward the SSL port through the firewall to the Exchange server and disconnect the VPN, I can access OWA.  I can access all these services while on the local network so I know they are working.  The services are being offered across several different servers so I know it is not a single server's configuration causing the issue.  

So the question...Why would all network services work through the VPN except for HTTP, HTTPS, and SMTP?

PS.  I configured a Cisco 1811 with similar config on a different network and it acts the same way.  All services pass through VPN except for HTTP(s) and SMTP.  Below is the code on my router.  
Building configuration...
 
Current configuration : 8244 bytes
!
! Last configuration change at 02:56:05 UTC Tue Apr 28 2009 by ccsi
! NVRAM config last updated at 02:56:06 UTC Tue Apr 28 2009 by ccsi
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DOWNTOWN
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$Vh.y$Z5syBR8B8F6XQW0KCIGRb/
!
aaa new-model
!
!
aaa authentication login DLEAH local
aaa authorization network DLEAH local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
ip inspect name firewall tcp timeout 600
ip inspect name firewall udp timeout 60
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.10.1 192.168.10.20
!
ip dhcp pool Wireless
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.1
   dns-server 4.2.2.1
   lease 0 4
!
!
ip domain name ourdomain.com
!
!
!
crypto pki trustpoint TP-self-signed-3364699118
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3364699118
 revocation-check none
 rsakeypair TP-self-signed-3364699118
!
!
crypto pki certificate chain TP-self-signed-3364699118
 certificate self-signed 01
  3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33333634 36393931 3138301E 170D3036 30363330 32313335
  30395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 33363436
  39393131 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100E4C6 D7D2BDD6 551F714A 33A75F36 818ED5B7 61B0AD43 43010C40 D2E209FE
  D92D670A 8F26726C 5016D672 6D2B06FA 39038BA5 0980D266 C59E4A4F 6B80EF8A
  8C4F0D80 ADF04FA1 51DA0222 206C9D9A 0AB683BC 68DFCCEB 28F7995C 7790765D
  08C01A65 6AC10A64 7B0E3FE8 36CC9C18 6391159A B1534724 21CD440E E2CED3A2
  1B9B0203 010001A3 76307430 0F060355 1D130101 FF040530 030101FF 30210603
  551D1104 1A301882 16444F57 4E544F57 4E2E646F 76656C65 7769732E 6F726730
  1F060355 1D230418 30168014 CB9B909F 136F91EE 4B4B8D98 5F01C088 371081A5
  301D0603 551D0E04 160414CB 9B909F13 6F91EE4B 4B8D985F 01C08837 1081A530
  0D06092A 864886F7 0D010104 05000381 81005EAB 1FCA3D0D BD3FE648 419E7458
  D20E542C 574DA00F 214D83C0 9B7A7D48 1B41FA8E 7E8608F7 614EDEF1 6BDBC64F
  2F55317A 89FC6A8C AFA8839A 431B8C63 634AC937 6ADA5B2D D4991233 2759BF30
  D7D09EEC BAEB7F79 A2BF341C EE5A26BE 81FF155D 46D73156 444AA459 67198E63
  276DB6D7 E426CFA2 326F65C8 BB0069F6 CD09
  quit
!
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 1800
!
crypto isakmp client configuration group DoveDT
 key VPN_GROUP_KEY
 dns 10.10.10.8 10.10.10.6
 domain dovelewis.org
 pool VPNPOOL
 acl SplitTunnel
 save-password
 netmask 255.255.255.0
!
crypto isakmp client configuration group TeleDigit
 key VPN_GROUP_KEY
 pool TeleDigit
 acl SplitTunnel
 save-password
 netmask 255.255.255.0
!
crypto isakmp client configuration group Dtemple
 key VPN_GROUP_KEY
 pool Dtemple
 acl SplitTunnel
 save-password
 netmask 255.255.255.0
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set DLEAH esp-aes esp-sha-hmac
!
crypto dynamic-map AccessVPN 100
 set transform-set DLEAH
!
crypto dynamic-map Dtemple 300
 set transform-set DLEAH
!
crypto dynamic-map TeleDigit 200
 set transform-set DLEAH
!
!
crypto map VPN client authentication list DLEAH
crypto map VPN isakmp authorization list DLEAH
crypto map VPN client configuration address respond
crypto map VPN 100 ipsec-isakmp dynamic AccessVPN
crypto map VPN 200 ipsec-isakmp dynamic TeleDigit
crypto map VPN 300 ipsec-isakmp dynamic Dtemple
!
!
!
interface FastEthernet0/0
 description Downtown Internet Connection
 ip address External_IP 255.255.255.252
 ip access-group InternalServices in
 ip inspect firewall out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPN
!
interface FastEthernet0/1
 description Downtown Internal Network
 ip address 10.10.10.1 255.255.255.0
 ip access-group DenyTeleDigit out
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1.2
 description Public Wireless Internet Port
 encapsulation dot1Q 2
 ip address 192.168.10.1 255.255.255.0
 ip access-group WirelessCutoff in
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
!
interface Serial0/0/0
 description Direct T1 Link to Eastside Hospital
 ip address 10.10.15.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 service-module t1 timeslots 1-24
!
ip local pool VPNPOOL 10.10.254.1 10.10.254.50
ip local pool TeleDigit 10.10.250.1 10.10.250.2
ip local pool Dtemple 10.10.249.1 10.10.249.2
ip classless
ip forward-protocol udp bootpc
ip route 0.0.0.0 0.0.0.0 Gateway_IP
ip route 10.10.20.0 255.255.255.0 Serial0/0/0
ip route 10.10.20.0 255.255.255.0 10.10.15.2
!
ip http server
ip http access-class 10
ip http secure-server
ip http secure-client-auth
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list nat interface FastEthernet0/0 overload
ip nat inside source static tcp 10.10.10.9 25 interface FastEthernet0/0 25
ip nat inside source static tcp 10.10.10.9 80 interface FastEthernet0/0 80
ip nat inside source static tcp 10.10.10.9 443 interface FastEthernet0/0 443
ip nat inside source static udp 10.10.10.6 123 interface FastEthernet0/0 123
ip nat inside source static tcp 10.10.10.6 3389 interface FastEthernet0/0 3389
ip nat inside source static tcp 10.10.10.8 83 External_IP 83 extendable
ip nat inside source static tcp 10.10.10.8 389 External_IP 389 extendable
ip nat inside source static tcp 10.10.10.5 3101 External_IP 3101 extendable
ip nat inside source static tcp 10.10.10.147 3390 External_IP 3390 extendable
ip nat inside source static tcp 10.10.10.8 5100 External_IP 5100 extendable
!
ip access-list extended DenyTeleDigit
 permit ip 10.10.250.0 0.0.0.255 host 10.10.10.251
 deny   ip 10.10.250.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip any any
ip access-list extended Dtemple
 permit ip host 10.10.10.254 10.10.249.0 0.0.0.255
ip access-list extended InterestingTraffic
 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
ip access-list extended InternalServices
 permit tcp any any eq 22
 permit icmp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit gre any any
 permit tcp any host External_IP eq www
 permit tcp any host External_IP eq 3389
 permit tcp any host External_IP eq 443
 permit tcp any host External_IP eq 104
 permit tcp any host External_IP eq 3390
 permit udp any host External_IP eq ntp
 permit tcp any host External_IP eq 83
 permit tcp any host External_IP eq 5100
 permit tcp any any eq 3101
 permit tcp any any eq smtp
ip access-list extended SplitTunnel
 permit ip 10.10.10.0 0.0.0.255 10.10.254.0 0.0.0.255
ip access-list extended TeleDigit
 permit ip host 10.10.10.251 10.10.250.0 0.0.0.255
ip access-list extended WirelessCutoff
 deny   ip 192.168.10.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip any any
ip access-list extended denyDHCP
 deny   udp any any eq bootpc
 deny   udp any any eq bootps
 permit ip any any
ip access-list extended nat
 deny   ip host 10.10.10.254 10.10.249.0 0.0.0.255
 deny   ip 10.10.10.0 0.0.0.255 10.10.250.0 0.0.0.255
 deny   ip 10.10.10.0 0.0.0.255 10.10.254.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 10.10.20.0 0.0.0.255 any
!
access-list 1 permit any
access-list 10 permit 10.10.10.0 0.0.0.255
snmp-server community Public RO
snmp-server community Private RW
snmp-server community Secret RO
!
!
control-plane
!
!
line con 0
 password 7 151F0A1F102F392F7B2A
line aux 0
line vty 0 4
 privilege level 15
 password 7 141A1318180138207731
 transport input ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
ntp master
end

Open in new window

0
ccsistaff
Asked:
ccsistaff
  • 4
1 Solution
 
ccsistaffAuthor Commented:
So I've stumped the forum huh?  Well, any advice is welcome.  Let me know if you think of anything.  Thanks.
0
 
lrmooreCommented:
Basically, you cannot connect to any of the services that you have a static-nat map for? Have you tried using a route-map for the nat instead of a simple access-list?

Something like this:

ip nat inside source route-map MYROUTEMAP interface FastEthernet0/0 overload

\\-- deny each host that you have static'd, going to the VPN pool
access-list 129 deny ip host 10.10.10.9 10.10.254.0 0.0.0.255
access-list 129 deny ip host 10.10.10.6 10.10.254.0 0.0.0.255
access-list 129 deny ip host 10.10.10.5 10.10.254.0 0.0.0.255
access-list 129 deny ip host 10.10.10.8 10.10.254.0 0.0.0.255  
<etc>
access-list 129 deny ip 10.10.10.0 0.0.0.255 10.10.254.0 0.0.0.255
access-list 129 permit ip 10.10.10.0 0.0.0.255 any

route-map MYROUTEMAP permit 10
 match ip address 129
0
 
ccsistaffAuthor Commented:
An interesting idea.  I'll give it a shot this morning and let you know how it turned out.
0
 
ccsistaffAuthor Commented:
You're right about not being able to connect to the statically mapped ports.  I had made that observation late yesterday morning.  If I remove one of the static maps, I can then connect over the VPN to that service.  The route-map didn't work though.  

So how do you get around that static nat mappings without removing them?  I need them in place to be able to receive mail and BES traffic.  Is there an alternative way to map services to a server?
0
 
ccsistaffAuthor Commented:
I assume the answer is going to have something to do with a loopback interface, but it's not coming to me as to how that is going to be setup.  Nonetheless, my immediate issue is resolved simply by killing the static map for the port 83 so I'm abandoning this project due to more pressing matters.  Thanks for your response.  
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now