Solved
Cisco VPN router to access LAN behind IPCop firewall

Posted on 2010-08-31
Last Modified: 2012-05-10
We have a VPN setup to four remote locations and a corporate office. The office network is a 10.x.x.x network. The four remote locations are subnets 10.6.x.x, 10.7.x.x, 10.8.x.x, and 10.9.x.x. They are connected via Cisco routers, an 1841 Series at the corporate office and 861 Series at the remote location. In the past we had an ISA firewall that was removed when we took out a SBS 2003 server. As of now, we have an IPCop in its place. The remote networks are able to ping the server behind the IPCop firewall, at 10.0.0.2. They are unable to access any network resources. When we ran a traceroute to the server, it seemed to get stopped at the outside interface of the IPCop. After allowing ICMP traffic through the IPCop, we were able to get to the server with our ping requests.
While being able to ping the servers and other network resources is nice, we need to be able to access these resources. Not sure what protocols or rules to add at this point. Any suggestions?

Diagram
Question by:ruralsolutions
11 Comments
 
LVL 22

Expert Comment

by:Matt V
ID: 33572286
You need to allow SMB/CIFS (135, 137, 138, 139, 445).
 

Author Comment

by:ruralsolutions
ID: 33572378
We tried to allow those with:

iptables -I CUSTOMFORWARD -p tcp --sport X -i eth1 -o eth0 --dport X -j ACCEPT

and by adding them to the external access list.

We had also done:

iptables -I CUSTOMFORWARD -i eth1 -o eth0 -p icmp -j ACCEPT

and that got pinging to work. We did the same with the GRE protocol.

Still no cigar.
 

Author Comment

by:ruralsolutions
ID: 33572390
By the way, eth1 is the RED interface and eth0 the GREEN interface.
 
LVL 22

Accepted Solution

by:
Matt V earned 2000 total points
ID: 33572397
Try the following:

iptables -I CUSTOMFORWARD -p udp --dport 137:138 -j ACCEPT
iptables -I CUSTOMFORWARD -p tcp --dport 139 -j ACCEPT
iptables -I CUSTOMFORWARD -p tcp --dport 445 -j ACCEPT

Add your interface options as well if you want.
 

Author Comment

by:ruralsolutions
ID: 33572487
That works GREAT!!! There is one problem though... It seems that the remote locations are not picking up DNS from the server, so they are not able to find the servers by name. I can get to them via IP, so I can go into the hosts files of all the remote PCs and add them to the list. I am hoping you know a better workaround though. Right now the remote clinics use the server as DNS1, the IPCop as DNS2 (as it was my understanding that the IPCop would pass DNS along) and the local ISP provider's DNS servers for DNS 3 & 4.

Any suggestions?
 
LVL 22

Expert Comment

by:Matt V
ID: 33572504
Secondary etc. DNS servers are just for failover, so the IPCop will only get asked if the server does not answer. I would add the different networks to the server, even if you make different DNS zones like subnet1.domain.local.

So you could have host1.subnet1.domain.local, host3.subnet4.domain.local etc.

Still better than remembering IPs :)
 
LVL 22

Expert Comment

by:Matt V
ID: 33572512
Another thought: if these are all Windows networks you can set up a WINS server at each subnet location, and have them all tie back to the main server. This will resolve NetBIOS names to IPs.
 

Author Comment

by:ruralsolutions
ID: 33572559
Hmm... Now we are getting a little beyond my knowledge. I have a reverse lookup zone per subnet. Not exactly sure if that is what you meant or not...
 
LVL 22

Expert Comment

by:Matt V
ID: 33572574
No, just the forward lookup.

You could write a batch script to copy the hosts file to the PCs at logon, then you would only have to maintain one copy :)
 

Author Comment

by:ruralsolutions
ID: 33572661
Thanks, but we figured out how to get the DNS to register. We had to add these lines:

iptables -I CUSTOMFORWARD -p udp --dport 53 -j ACCEPT
iptables -I CUSTOMFORWARD -p tcp --dport 53 -j ACCEPT

And DNS started working. Now we can get to all the machines we need to by name.

Thanks for your help!!!!
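The rules the thread ends up with (the accepted SMB/CIFS rules plus the DNS rules in the comment above) accept traffic from any source on any interface, and Matt V's answer notes you can add interface options. The script below is an added example, not code from the thread or from the IPCop project: it generates the same CUSTOMFORWARD rules but restricts them to the RED-to-GREEN direction (eth1 to eth0, as stated in the thread) and to the four remote VPN subnets named in the question. The GREEN network range 10.0.0.0/16 is an assumption (the question only says the office is a 10.x.x.x network with the server at 10.0.0.2), as is the use of /16 masks for the remote sites. By default it prints the commands for review; set APPLY=1 on the IPCop box to execute them.

```shell
#!/bin/sh
# Added example (not from the thread): emit IPCop CUSTOMFORWARD rules for
# SMB/CIFS and DNS from the remote VPN subnets into the GREEN network.
# Prints commands unless APPLY=1 is set, so the rule set can be reviewed first.

RED_IF=eth1                 # RED interface, as stated in the thread
GREEN_IF=eth0               # GREEN interface, as stated in the thread
GREEN_NET=10.0.0.0/16       # ASSUMED office range; thread only gives 10.x.x.x and 10.0.0.2
REMOTE_NETS="10.6.0.0/16 10.7.0.0/16 10.8.0.0/16 10.9.0.0/16"   # /16 masks assumed

# Print the command, or execute it when APPLY=1.
run() {
  if [ "${APPLY:-0}" = "1" ]; then
    "$@"
  else
    echo "$*"
  fi
}

# One ACCEPT rule in CUSTOMFORWARD: source net -> GREEN net, given proto/port.
# -A appends; the thread uses -I, but with ACCEPT-only rules the order does not matter.
allow_in() {
  net=$1; proto=$2; ports=$3
  run iptables -A CUSTOMFORWARD -i "$RED_IF" -o "$GREEN_IF" \
      -s "$net" -d "$GREEN_NET" -p "$proto" --dport "$ports" -j ACCEPT
}

# Build the full rule set: 5 rules per remote subnet.
build_rules() {
  for net in $REMOTE_NETS; do
    allow_in "$net" udp 137:138   # NetBIOS name and datagram services
    allow_in "$net" tcp 139       # NetBIOS session service
    allow_in "$net" tcp 445       # SMB over TCP
    allow_in "$net" udp 53        # DNS queries to the office server
    allow_in "$net" tcp 53        # DNS over TCP (large responses)
  done
}

build_rules
```

Keeping the rules scoped to `-i eth1 -o eth0` and to the VPN subnets means a host on the Internet side of RED that is not part of the tunnel still cannot reach SMB or DNS on the office LAN even though the same ports are open for the remote sites.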
 
LVL 22

Expert Comment

by:Matt V
ID: 33572664
Haha.. so obvious.. good stuff!