Cisco VPN Client 4.6.00.0049 to Cisco router 12.3.8T5, ACL's ?

 
 
Ronald de Leeuw
11-25-2004
Hello,

I regularly implement Cisco routers for our customers. About a year ago the
demand for being able to VPN rose, and after some TAC calls I succeeded in
configuring this on a Cisco router. At that time they were mostly 1700 series
routers (running IOS 12.2.15Tx) with the Cisco 4.0x VPN Client. That
configuration has been implemented at numerous sites since then, and works
perfectly.
But since we started implementing routers with IOS 12.3.8Tx and the Cisco
VPN Client 4.6.00.0049 I'm seeing differences in how the routers act in
processing the VPN traffic. In my original config I needed 5 access-lists
for the following purposes: one for defining which traffic has to be
encrypted, one for use in a route-map which in turn is used for a NAT
overload, one for use in a route-map which prevents VPN traffic from being
NATted, one outbound on the public interface and one inbound on the public
interface. Besides allowing the standard (encrypted) VPN traffic in- and
outbound (UDP 500, UDP 4500 and ESP), I also needed to allow the (decrypted)
VPN traffic in- and outbound. As far as I understood from Cisco's
documentation, this was because VPN traffic was passed twice through the in-
and outbound access-lists (and CBAC), e.g. inbound first in its encrypted
state and second in its decrypted state. At one customer's site I used this
to create two client configuration groups, which used different subnets on
the client side, so I could use the in- and outbound access-lists on the
public interface to determine which parts of the private LAN they could
access (e.g. group ADMIN the entire LAN, group USERS only a Terminal Server).

But since I started implementing routers running IOS 12.3.8Tx (12.3.8T5
Advanced IP Services to be precise), I don't see the decrypted VPN traffic
going through the in- and outbound access-lists on the public interface
anymore. Is this a bug in the 12.3.8Tx releases? Or is it on purpose (by
design), and if so, is it possible to configure it like before, so that the
decrypted traffic passes a second time through the in- and outbound
access-lists on the public interface? And if not, which other method can be
used to configure different client configuration groups with different
access to the private LAN (other than restricting which traffic has to be
encrypted using the access-list referred to in the client configuration
group)?

Below is the configuration I'm talking about (stripped of some imho not
relevant commands). In this config I don't see any matches on the fifth line
in ACL_DIA10_IN or on the sixth line in ACL_DIA10_OUT.

Another odd thing is that I had to add the fifth line in ACL_DIA10_OUT, ONLY
for VPN clients NOT behind a Cisco router on their side (e.g. a Thomson 510i
ADSL modem in router mode doing an overload). Why is that? (I realise this
may have something to do with the inbound CBAC commands, but then again,
why is this extra line needed for clients NOT behind a Cisco router?)

Hope you can help me out on this one,

Ronald de Leeuw


version 12.3
aaa new-model
!
aaa authentication login default group radius local
aaa authentication ppp default local
aaa authorization network default local
aaa session-id common
ip subnet-zero
no ip source-route
ip cef
!
ip inspect name FW_DIA10_OUT tcp
ip inspect name FW_DIA10_OUT udp
ip inspect name FW_DIA10_OUT icmp
ip inspect name FW_DIA10_OUT http java-list 11
ip inspect name FW_DIA10_OUT ftp
ip inspect name FW_DIA10_IN tcp
ip inspect name FW_DIA10_IN icmp
ip inspect name FW_DIA10_IN ftp
ip ips sdf location flash:attack-drop.sdf
ip ips po max-events 100
ip ips protected 192.168.1.0 to 192.168.1.255
ip ips signature 2000 0 disable
ip ips signature 2004 0 disable
ip ips signature 2001 0 disable
ip ips signature 2005 0 disable
ip ips name IPS_DIA10_IN
ip ips name IPS_DIA10_OUT
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp nat keepalive 15
!
crypto isakmp client configuration group <removed>
 key <removed>
 dns 192.168.1.11 192.168.1.12
 wins 192.168.1.11 192.168.1.12
 pool ILP_CVPN_CLIENT
 acl ACL_CVPN_CLIENT
!
!
crypto ipsec transform-set AES256SHA esp-aes 256 esp-sha-hmac
!
crypto dynamic-map CDM_CVPN_CLIENT 10
 set transform-set AES256SHA
!
!
crypto map CMP_CVPN client authentication list default
crypto map CMP_CVPN isakmp authorization list default
crypto map CMP_CVPN client configuration address respond
crypto map CMP_CVPN 10 ipsec-isakmp dynamic CDM_CVPN_CLIENT
!
interface Loopback10
 description Bypass NAT for IPsec
 ip address 1.1.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
!
interface ATM0
 dsl operating-mode auto
 pvc 8/48
  encapsulation aal5mux ppp dialer
  dialer pool-member 10
 !
!
interface FastEthernet0
 ip address 192.168.1.20 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache same-interface
 ip route-cache policy
 ip route-cache flow
 ip policy route-map RMP_FastEthernet0_NO_NAT
!
interface Dialer10
 ip address negotiated
 ip access-group ACL_DIA10_IN in
 ip access-group ACL_DIA10_OUT out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect FW_DIA10_IN in
 ip inspect FW_DIA10_OUT out
 ip ips IPS_DIA10_IN in
 ip ips IPS_DIA10_OUT out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache policy
 ip route-cache flow
 dialer pool 10
 dialer idle-timeout 0
 dialer persistent
 dialer-group 10
 ppp authentication pap callin
 ppp pap sent-username <removed> password <removed>
 crypto map CMP_CVPN
!
ip local pool ILP_CVPN_CLIENT 192.168.254.100 192.168.254.200
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer10 permanent
ip route 192.168.254.0 255.255.255.0 Dialer10
!
ip nat inside source route-map RMP_DIA10_OVERLOAD interface Dialer10 overload
!
ip access-list extended ACL_CVPN_CLIENT
 permit ip 192.168.1.0 0.0.0.255 192.168.254.0 0.0.0.255
ip access-list extended ACL_DIA10_IN
 remark VPN
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit ip 192.168.254.0 0.0.0.255 192.168.1.0 0.0.0.255   <- decrypted VPN traffic
 remark Standard WWW services
 permit tcp any any eq 22
 permit tcp any any eq ident
 remark Anti-spoofing
 deny ip host 0.0.0.0 any
 deny ip host 255.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 224.0.0.0 15.255.255.255 any
 remark ICMP
 permit icmp any any echo-reply
 deny icmp any any
 deny tcp any range 0 65535 any range 0 65535
 deny udp any range 0 65535 any range 0 65535
 deny ip any any
ip access-list extended ACL_DIA10_OUT
 remark VPN
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit udp any eq non500-isakmp any   <- odd ????
 permit esp any any
 permit ip 192.168.1.0 0.0.0.255 192.168.254.0 0.0.0.255   <- decrypted VPN traffic
 remark Standard WWW services
 permit tcp any any eq www
 permit tcp any any eq domain
 permit udp any any eq domain
 permit tcp any any eq smtp
 permit tcp any any eq pop3
 permit tcp any any eq 443
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 permit tcp any any eq nntp
 permit tcp any any eq 22
 permit tcp any any eq telnet
 permit udp any any eq ntp
 permit icmp any any
 deny tcp any range 0 65535 any range 0 65535
 deny udp any range 0 65535 any range 0 65535
 deny ip any any
ip access-list extended ACL_DIA10_OVERLOAD
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended ACL_FastEthernet0_NO_NAT
 permit ip 192.168.1.0 0.0.0.255 192.168.254.0 0.0.0.255
!
access-list 11 remark ----------------------------------------------------------
access-list 11 remark IP inspect OUT java-list
access-list 11 remark ----------------------------------------------------------
access-list 11 permit any
access-list 110 remark ---------------------------------------------------------
access-list 110 remark Dialer-list 10, Dialer10
access-list 110 remark ---------------------------------------------------------
access-list 110 permit ip any any
dialer-list 10 protocol ip list 110
!
route-map RMP_DIA10_OVERLOAD permit 10
 match ip address ACL_DIA10_OVERLOAD
 match interface Dialer10
!
route-map RMP_FastEthernet0_NO_NAT permit 10
 match ip address ACL_FastEthernet0_NO_NAT
 set ip next-hop 1.1.1.2
!
radius-server host 192.168.1.12 auth-port 1645 acct-port 1646 key <removed>
!





 
Rob
11-25-2004
This is by design starting with 12.3.8T, and thank God. The
double-check of ACLs was quite annoying to most of us since we had to
specify RFC1918 addresses in our outside ACL. If you want to further
limit traffic after decryption of the VPN by an ACL, it's now handled
differently.

http://www.cisco.com/en/US/products/...08022c2a5.html


-Robert





On Thu, 25 Nov 2004 13:07:36 +0100, "Ronald de Leeuw"
<> wrote:

> [...]
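One way to rebuild the per-group restriction from Ronald's original post now that decrypted packets no longer pass the Dialer10 ACLs, as an added example. This is not Ronald's or Rob's configuration and is not taken from the Cisco page Rob links (its URL is truncated above). It uses the crypto-map command "set ip access-group", which Cisco shipped in 12.3(8)T as part of the same change that removed the double ACL check; it applies an ACL to the clear-text packets of that crypto map entry just after decryption (in) or just before encryption (out). Whether your image accepts the command inside a dynamic crypto map entry should be checked with "?" on the router before relying on it. The names and addresses introduced here (group names ADMIN and USERS, pool ILP_CVPN_USERS on 192.168.253.0/24, the terminal server at 192.168.1.30 on TCP 3389, ACL_CVPN_USERS and ACL_CVPN_CLEARTEXT_IN) are assumptions; everything else reuses the names from the posted config.

```ios
! Two client groups, each with its own address pool. The pool a client
! lands in identifies its group in the ACL below, the same trick the
! original config used with the interface ACLs. Group USERS and the
! second pool are assumed, not part of the posted config.
crypto isakmp client configuration group ADMIN
 key <removed>
 dns 192.168.1.11 192.168.1.12
 pool ILP_CVPN_CLIENT
 acl ACL_CVPN_CLIENT
!
crypto isakmp client configuration group USERS
 key <removed>
 dns 192.168.1.11 192.168.1.12
 pool ILP_CVPN_USERS
 acl ACL_CVPN_USERS
!
ip local pool ILP_CVPN_CLIENT 192.168.254.100 192.168.254.200
ip local pool ILP_CVPN_USERS 192.168.253.100 192.168.253.200
ip route 192.168.254.0 255.255.255.0 Dialer10
ip route 192.168.253.0 255.255.255.0 Dialer10
!
! Split-tunnel ACLs: what each group's client encrypts towards the LAN.
! These are pushed to and enforced by the client, so they are not a
! router-side access control; a client can be reconfigured around them.
ip access-list extended ACL_CVPN_CLIENT
 permit ip 192.168.1.0 0.0.0.255 192.168.254.0 0.0.0.255
ip access-list extended ACL_CVPN_USERS
 permit ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
!
! Router-side enforcement. This ACL is evaluated against the clear-text
! packet right after decryption, per crypto map entry, instead of on the
! interface, so the anti-spoofing denies in ACL_DIA10_IN are not in play.
! Terminal server address and port are assumptions (RDP on 192.168.1.30).
ip access-list extended ACL_CVPN_CLEARTEXT_IN
 remark ADMIN pool: entire LAN
 permit ip 192.168.254.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark USERS pool: only RDP to the terminal server
 permit tcp 192.168.253.0 0.0.0.255 host 192.168.1.30 eq 3389
 remark everything else from either pool, logged for visibility
 deny ip any any log
!
crypto dynamic-map CDM_CVPN_CLIENT 10
 set transform-set AES256SHA
 set ip access-group ACL_CVPN_CLEARTEXT_IN in
!
! Keep the second pool out of NAT as well: ACL_DIA10_OVERLOAD already
! denies anything towards 192.168.0.0/16, but the policy route-map that
! steers LAN-to-client traffic past NAT has to know the new subnet.
ip access-list extended ACL_FastEthernet0_NO_NAT
 permit ip 192.168.1.0 0.0.0.255 192.168.254.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
!
! The interface ACLs now only need to admit the encrypted envelope; the
! two "decrypted VPN traffic" permits from the original config can go.
ip access-list extended ACL_DIA10_IN
 remark VPN
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 remark (rest of the original ACL_DIA10_IN unchanged)
```

To confirm the ACL is actually hit, watch the counters with "show ip access-lists ACL_CVPN_CLEARTEXT_IN" while a USERS client connects: RDP to the terminal server should increment the permit line, anything else the logged deny. Counters on the old "decrypted VPN traffic" lines in ACL_DIA10_IN and ACL_DIA10_OUT will stay at zero on 12.3(8)T and later, which is exactly what Ronald observed.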


 