Cisco Router 1841 VPN Problem
Asked by ccsistaff
Hello. I've configured dozens of Cisco VPNs on Routers and Firewalls and never have I had this problem. I've searched the web for an answer but this makes no sense to me. I have a Cisco 1841 router acting as my network's gateway, so it performs NAT and Cisco CBAC IOS Firewalling. It also provides Remote Access VPN for end users. It is an IPSEC VPN using the Cisco VPN Software Client as the remote end. The VPN connects correctly. I can ping all objects on the network through the VPN. I can RDP to any Windows server through the VPN. I can even access any file share through the VPN by using \\servername. Name resolution works too. What I cannot do is access web related services through the VPN. I cannot telnet to port 25 on the mail server. I cannot access OWA on the Exchange server. I cannot access a web page that provides access to our hand punch system over HTTP.
If I forward the SSL port through the firewall to the Exchange server and disconnect the VPN, I can access OWA. I can access all these services while on the local network so I know they are working. The services are being offered across several different servers so I know it is not a single server's configuration causing the issue.
So the question... Why would all network services work through the VPN except for HTTP, HTTPS, and SMTP?
PS. I configured a Cisco 1811 with similar config on a different network and it acts the same way. All services pass through VPN except for HTTP(s) and SMTP. Below is the code on my router.
Building configuration...
Current configuration : 8244 bytes
!
! Last configuration change at 02:56:05 UTC Tue Apr 28 2009 by ccsi
! NVRAM config last updated at 02:56:06 UTC Tue Apr 28 2009 by ccsi
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DOWNTOWN
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$Vh.y$Z5syBR8B8F6XQW0KCIGRb/
!
aaa new-model
!
!
aaa authentication login DLEAH local
aaa authorization network DLEAH local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
ip inspect name firewall tcp timeout 600
ip inspect name firewall udp timeout 60
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.10.1 192.168.10.20
!
ip dhcp pool Wireless
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 4.2.2.1
lease 0 4
!
!
ip domain name ourdomain.com
!
!
!
crypto pki trustpoint TP-self-signed-3364699118
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3364699118
revocation-check none
rsakeypair TP-self-signed-3364699118
!
!
crypto pki certificate chain TP-self-signed-3364699118
certificate self-signed 01
quit
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 1800
!
crypto isakmp client configuration group DoveDT
key VPN_GROUP_KEY
dns 10.10.10.8 10.10.10.6
domain dovelewis.org
pool VPNPOOL
acl SplitTunnel
save-password
netmask 255.255.255.0
!
crypto isakmp client configuration group TeleDigit
key VPN_GROUP_KEY
pool TeleDigit
acl SplitTunnel
save-password
netmask 255.255.255.0
!
crypto isakmp client configuration group Dtemple
key VPN_GROUP_KEY
pool Dtemple
acl SplitTunnel
save-password
netmask 255.255.255.0
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set DLEAH esp-aes esp-sha-hmac
!
crypto dynamic-map AccessVPN 100
set transform-set DLEAH
!
crypto dynamic-map Dtemple 300
set transform-set DLEAH
!
crypto dynamic-map TeleDigit 200
set transform-set DLEAH
!
!
crypto map VPN client authentication list DLEAH
crypto map VPN isakmp authorization list DLEAH
crypto map VPN client configuration address respond
crypto map VPN 100 ipsec-isakmp dynamic AccessVPN
crypto map VPN 200 ipsec-isakmp dynamic TeleDigit
crypto map VPN 300 ipsec-isakmp dynamic Dtemple
!
!
!
interface FastEthernet0/0
description Downtown Internet Connection
ip address External_IP 255.255.255.252
ip access-group InternalServices in
ip inspect firewall out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN
!
interface FastEthernet0/1
description Downtown Internal Network
ip address 10.10.10.1 255.255.255.0
ip access-group DenyTeleDigit out
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1.2
description Public Wireless Internet Port
encapsulation dot1Q 2
ip address 192.168.10.1 255.255.255.0
ip access-group WirelessCutoff in
ip nat inside
ip virtual-reassembly
no snmp trap link-status
!
interface Serial0/0/0
description Direct T1 Link to Eastside Hospital
ip address 10.10.15.1 255.255.255.252
ip nat inside
ip virtual-reassembly
service-module t1 timeslots 1-24
!
ip local pool VPNPOOL 10.10.254.1 10.10.254.50
ip local pool TeleDigit 10.10.250.1 10.10.250.2
ip local pool Dtemple 10.10.249.1 10.10.249.2
ip classless
ip forward-protocol udp bootpc
ip route 0.0.0.0 0.0.0.0 Gateway_IP
ip route 10.10.20.0 255.255.255.0 Serial0/0/0
ip route 10.10.20.0 255.255.255.0 10.10.15.2
!
ip http server
ip http access-class 10
ip http secure-server
ip http secure-client-auth
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list nat interface FastEthernet0/0 overload
ip nat inside source static tcp 10.10.10.9 25 interface FastEthernet0/0 25
ip nat inside source static tcp 10.10.10.9 80 interface FastEthernet0/0 80
ip nat inside source static tcp 10.10.10.9 443 interface FastEthernet0/0 443
ip nat inside source static udp 10.10.10.6 123 interface FastEthernet0/0 123
ip nat inside source static tcp 10.10.10.6 3389 interface FastEthernet0/0 3389
ip nat inside source static tcp 10.10.10.8 83 External_IP 83 extendable
ip nat inside source static tcp 10.10.10.8 389 External_IP 389 extendable
ip nat inside source static tcp 10.10.10.5 3101 External_IP 3101 extendable
ip nat inside source static tcp 10.10.10.147 3390 External_IP 3390 extendable
ip nat inside source static tcp 10.10.10.8 5100 External_IP 5100 extendable
!
ip access-list extended DenyTeleDigit
permit ip 10.10.250.0 0.0.0.255 host 10.10.10.251
deny ip 10.10.250.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip any any
ip access-list extended Dtemple
permit ip host 10.10.10.254 10.10.249.0 0.0.0.255
ip access-list extended InterestingTraffic
permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
ip access-list extended InternalServices
permit tcp any any eq 22
permit icmp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit esp any any
permit gre any any
permit tcp any host External_IP eq www
permit tcp any host External_IP eq 3389
permit tcp any host External_IP eq 443
permit tcp any host External_IP eq 104
permit tcp any host External_IP eq 3390
permit udp any host External_IP eq ntp
permit tcp any host External_IP eq 83
permit tcp any host External_IP eq 5100
permit tcp any any eq 3101
permit tcp any any eq smtp
ip access-list extended SplitTunnel
permit ip 10.10.10.0 0.0.0.255 10.10.254.0 0.0.0.255
ip access-list extended TeleDigit
permit ip host 10.10.10.251 10.10.250.0 0.0.0.255
ip access-list extended WirelessCutoff
deny ip 192.168.10.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip any any
ip access-list extended denyDHCP
deny udp any any eq bootpc
deny udp any any eq bootps
permit ip any any
ip access-list extended nat
deny ip host 10.10.10.254 10.10.249.0 0.0.0.255
deny ip 10.10.10.0 0.0.0.255 10.10.250.0 0.0.0.255
deny ip 10.10.10.0 0.0.0.255 10.10.254.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any
permit ip 192.168.10.0 0.0.0.255 any
permit ip 10.10.20.0 0.0.0.255 any
!
access-list 1 permit any
access-list 10 permit 10.10.10.0 0.0.0.255
snmp-server community Public RO
snmp-server community Private RW
snmp-server community Secret RO
!
!
control-plane
!
!
line con 0
password 7 151F0A1F102F392F7B2A
line aux 0
line vty 0 4
privilege level 15
password 7 141A1318180138207731
transport input ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
ntp master
end
Basically, you cannot connect to any of the services that you have a static-nat map for? Have you tried using a route-map for the nat instead of a simple access-list?
Something like this:
ip nat inside source route-map MYROUTEMAP interface FastEthernet0/0 overload
! -- deny each host that you have static'd, going to the VPN pool
access-list 129 deny ip host 10.10.10.9 10.10.254.0 0.0.0.255
access-list 129 deny ip host 10.10.10.6 10.10.254.0 0.0.0.255
access-list 129 deny ip host 10.10.10.5 10.10.254.0 0.0.0.255
access-list 129 deny ip host 10.10.10.8 10.10.254.0 0.0.0.255
<etc>
access-list 129 deny ip 10.10.10.0 0.0.0.255 10.10.254.0 0.0.0.255
access-list 129 permit ip 10.10.10.0 0.0.0.255 any
route-map MYROUTEMAP permit 10
match ip address 129
ASKER
An interesting idea. I'll give it a shot this morning and let you know how it turned out.
ASKER
You're right about not being able to connect to the statically mapped ports. I had made that observation late yesterday morning. If I remove one of the static maps, I can then connect over the VPN to that service. The route-map didn't work though.
So how do you get around those static NAT mappings without removing them? I need them in place to be able to receive mail and BES traffic. Is there an alternative way to map services to a server?
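The thread's observation that each static port map breaks VPN access to that port has a standard explanation: the server's reply toward a VPN client leaves FastEthernet0/0 inside-to-outside, the static translation rewrites its source to External_IP before the crypto map sees it, so the reply no longer matches the SplitTunnel ACL and is never encrypted back to the client. The configuration below is an added example, not the asker's or the accepted answer's config; it assumes External_IP is the router's public address as in the posted config and uses the explicit-address form of static NAT with a route-map, which should be verified on the router's IOS release.

```cisco
! Added example: keep the static port maps, but exempt server traffic toward
! the three VPN pools from translation so replies still match the crypto ACL.
ip access-list extended STATIC-NAT-NOT-VPN
 deny   ip 10.10.10.0 0.0.0.255 10.10.254.0 0.0.0.255
 deny   ip 10.10.10.0 0.0.0.255 10.10.250.0 0.0.0.255
 deny   ip 10.10.10.0 0.0.0.255 10.10.249.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
!
route-map STATIC-NAT-NOT-VPN permit 10
 match ip address STATIC-NAT-NOT-VPN
!
! Replace the interface-based static entries for the mail/OWA server with the
! explicit-address form carrying the route-map (assumed syntax; same pattern
! applies to the other static entries in the posted config).
no ip nat inside source static tcp 10.10.10.9 25 interface FastEthernet0/0 25
no ip nat inside source static tcp 10.10.10.9 80 interface FastEthernet0/0 80
no ip nat inside source static tcp 10.10.10.9 443 interface FastEthernet0/0 443
ip nat inside source static tcp 10.10.10.9 25 External_IP 25 route-map STATIC-NAT-NOT-VPN extendable
ip nat inside source static tcp 10.10.10.9 80 External_IP 80 route-map STATIC-NAT-NOT-VPN extendable
ip nat inside source static tcp 10.10.10.9 443 External_IP 443 route-map STATIC-NAT-NOT-VPN extendable
!
! Verification from a connected VPN client session to 10.10.10.9:443:
! the translation table should show no entry for that flow, and the IPsec
! SA encap counter toward the client pool should increase with each reply.
! show ip nat translations | include 10.10.10.9
! show crypto ipsec sa | include encaps|decaps
```

Inbound connections from the Internet to External_IP:25/80/443 are unaffected, because the route-map only governs whether the server's outbound packets are translated.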