Cisco VPN Client 4.6.00.0049 to Cisco router 12.3.8T5, ACL's ?

Discussion in 'Cisco' started by Ronald de Leeuw, Nov 25, 2004.

  1. Hello,

    I regularly implement Cisco routers for our customers. About a year ago the
    demand for being able to VPN rose, and after some TAC calls I succeeded in
    configuring this on a Cisco router. At that time they were mostly 1700 series
    routers (running IOS 12.2.15Tx) with the Cisco 4.0x VPN Client. That
    configuration has been implemented at numerous sites since then, and works
    perfectly.
    But since we started implementing routers with IOS 12.3.8Tx and the Cisco
    VPN Client 4.6.00.0049 I'm seeing differences in how the routers act in
    processing the VPN traffic. In my original config I needed 5 access-lists
    for the following purposes: one for defining which traffic has to be
    encrypted, one for use in a route-map which in turn is used for a NAT
    overload, one for use in a route-map which prevents VPN traffic from being
    NATted, one outbound on the public interface and one inbound on the public
    interface. Besides allowing the standard (encrypted) VPN traffic in- and
    outbound (UDP 500, UDP 4500 and ESP), I also needed to allow the (decrypted)
    VPN traffic in- and outbound. As far as I understood from documentation from
    Cisco this was because VPN traffic was passed twice through the in- and
    outbound access-lists (and CBAC), e.g. inbound first in its encrypted state,
    and second in its decrypted state. At one customer's site I used this to
    create two client configuration groups, which used different subnets on the
    client side, so I could use the in- and outbound access-lists on the public
    interface to determine which parts on the private LAN they could access
    (e.g. group ADMIN entire LAN, group USERS only a Terminal Server).

    But since I started implementing routers running IOS 12.3.8Tx (12.3.8T5
    Advanced IP Service to be precise), I don't see the decrypted VPN traffic
    going through the in- and outbound access-lists on the public interface
    anymore. Is this a bug in the 12.3.8Tx releases? Or is it on purpose (by
    design), and if so, is it possible to configure it like before, so that the
    decrypted traffic passes a second time through the in- and outbound
    access-lists on the public interface? And if not, which other method can be
    used then to configure different client configuration groups for having
    different access to the private LAN (other than restricting which traffic
    has to be encrypted using the access-list referred to in the client
    configuration group)?

    Below is the configuration I'm talking about (stripped of some, imho, not
    relevant commands). In this config I don't see any matches on the fifth line
    in ACL_DIA10_IN or on the sixth line in ACL_DIA10_OUT.

    Another odd thing is that I had to add the fifth line in ACL_DIA10_OUT, ONLY
    for VPN clients NOT behind a Cisco router on their side (e.g. a Thomson 510i
    ADSL modem in router mode doing an overload). Why is that? (I realise this
    may have something to do with the inbound CBAC commands, but then again,
    why is this extra line needed for clients NOT behind a Cisco router?)

    Hope you can help me out on this one,

    Ronald de Leeuw


    version 12.3
    aaa new-model
    !
    aaa authentication login default group radius local
    aaa authentication ppp default local
    aaa authorization network default local
    aaa session-id common
    ip subnet-zero
    no ip source-route
    ip cef
    !
    ip inspect name FW_DIA10_OUT tcp
    ip inspect name FW_DIA10_OUT udp
    ip inspect name FW_DIA10_OUT icmp
    ip inspect name FW_DIA10_OUT http java-list 11
    ip inspect name FW_DIA10_OUT ftp
    ip inspect name FW_DIA10_IN tcp
    ip inspect name FW_DIA10_IN icmp
    ip inspect name FW_DIA10_IN ftp
    ip ips sdf location flash:attack-drop.sdf
    ip ips po max-events 100
    ip ips protected 192.168.1.0 to 192.168.1.255
    ip ips signature 2000 0 disable
    ip ips signature 2004 0 disable
    ip ips signature 2001 0 disable
    ip ips signature 2005 0 disable
    ip ips name IPS_DIA10_IN
    ip ips name IPS_DIA10_OUT
    !
    crypto isakmp policy 10
     encr aes 256
     authentication pre-share
     group 2
    crypto isakmp nat keepalive 15
    !
    crypto isakmp client configuration group <removed>
     key <removed>
     dns 192.168.1.11 192.168.1.12
     wins 192.168.1.11 192.168.1.12
     pool ILP_CVPN_CLIENT
     acl ACL_CVPN_CLIENT
    !
    !
    crypto ipsec transform-set AES256SHA esp-aes 256 esp-sha-hmac
    !
    crypto dynamic-map CDM_CVPN_CLIENT 10
     set transform-set AES256SHA
    !
    !
    crypto map CMP_CVPN client authentication list default
    crypto map CMP_CVPN isakmp authorization list default
    crypto map CMP_CVPN client configuration address respond
    crypto map CMP_CVPN 10 ipsec-isakmp dynamic CDM_CVPN_CLIENT
    !
    interface Loopback10
     description Bypass NAT for IPsec
     ip address 1.1.1.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip route-cache flow
    !
    interface ATM0
     dsl operating-mode auto
     pvc 8/48
      encapsulation aal5mux ppp dialer
      dialer pool-member 10
     !
    !
    interface FastEthernet0
     ip address 192.168.1.20 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly
     ip route-cache same-interface
     ip route-cache policy
     ip route-cache flow
     ip policy route-map RMP_FastEthernet0_NO_NAT
    !
    interface Dialer10
     ip address negotiated
     ip access-group ACL_DIA10_IN in
     ip access-group ACL_DIA10_OUT out
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip inspect FW_DIA10_IN in
     ip inspect FW_DIA10_OUT out
     ip ips IPS_DIA10_IN in
     ip ips IPS_DIA10_OUT out
     ip virtual-reassembly
     encapsulation ppp
     ip route-cache policy
     ip route-cache flow
     dialer pool 10
     dialer idle-timeout 0
     dialer persistent
     dialer-group 10
     ppp authentication pap callin
     ppp pap sent-username <removed> password <removed>
     crypto map CMP_CVPN
    !
    ip local pool ILP_CVPN_CLIENT 192.168.254.100 192.168.254.200
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer10 permanent
    ip route 192.168.254.0 255.255.255.0 Dialer10
    !
    ip nat inside source route-map RMP_DIA10_OVERLOAD interface Dialer10 overload
    !
    ip access-list extended ACL_CVPN_CLIENT
     permit ip 192.168.1.0 0.0.0.255 192.168.254.0 0.0.0.255
    ip access-list extended ACL_DIA10_IN
     remark VPN
     permit udp any any eq isakmp
     permit udp any any eq non500-isakmp
     permit esp any any
     permit ip 192.168.254.0 0.0.0.255 192.168.1.0 0.0.0.255   <- decrypted VPN traffic
     remark Standard WWW services
     permit tcp any any eq 22
     permit tcp any any eq ident
     remark Anti-spoofing
     deny ip host 0.0.0.0 any
     deny ip host 255.255.255.255 any
     deny ip 10.0.0.0 0.255.255.255 any
     deny ip 127.0.0.0 0.255.255.255 any
     deny ip 172.16.0.0 0.15.255.255 any
     deny ip 192.168.0.0 0.0.255.255 any
     deny ip 224.0.0.0 15.255.255.255 any
     remark ICMP
     permit icmp any any echo-reply
     deny icmp any any
     deny tcp any range 0 65535 any range 0 65535
     deny udp any range 0 65535 any range 0 65535
     deny ip any any
    ip access-list extended ACL_DIA10_OUT
     remark VPN
     permit udp any any eq isakmp
     permit udp any any eq non500-isakmp
     permit udp any eq non500-isakmp any   <- odd ????
     permit esp any any
     permit ip 192.168.1.0 0.0.0.255 192.168.254.0 0.0.0.255   <- decrypted VPN traffic
     remark Standard WWW services
     permit tcp any any eq www
     permit tcp any any eq domain
     permit udp any any eq domain
     permit tcp any any eq smtp
     permit tcp any any eq pop3
     permit tcp any any eq 443
     permit tcp any any eq ftp
     permit tcp any any eq ftp-data
     permit tcp any any eq nntp
     permit tcp any any eq 22
     permit tcp any any eq telnet
     permit udp any any eq ntp
     permit icmp any any
     deny tcp any range 0 65535 any range 0 65535
     deny udp any range 0 65535 any range 0 65535
     deny ip any any
    ip access-list extended ACL_DIA10_OVERLOAD
     deny ip any 10.0.0.0 0.255.255.255
     deny ip any 172.16.0.0 0.15.255.255
     deny ip any 192.168.0.0 0.0.255.255
     permit ip 192.168.1.0 0.0.0.255 any
    ip access-list extended ACL_FastEthernet0_NO_NAT
     permit ip 192.168.1.0 0.0.0.255 192.168.254.0 0.0.0.255
    !
    access-list 11 remark ----------------------------------------------------------
    access-list 11 remark IP inspect OUT java-list
    access-list 11 remark ----------------------------------------------------------
    access-list 11 permit any
    access-list 110 remark ---------------------------------------------------------
    access-list 110 remark Dialer-list 10, Dialer10
    access-list 110 remark ---------------------------------------------------------
    access-list 110 permit ip any any
    dialer-list 10 protocol ip list 110
    !
    route-map RMP_DIA10_OVERLOAD permit 10
     match ip address ACL_DIA10_OVERLOAD
     match interface Dialer10
    !
    route-map RMP_FastEthernet0_NO_NAT permit 10
     match ip address ACL_FastEthernet0_NO_NAT
     set ip next-hop 1.1.1.2
    !
    radius-server host 192.168.1.12 auth-port 1645 acct-port 1646 key <removed>
    !
    Ronald de Leeuw, Nov 25, 2004
    #1

  2. Rob (Guest)

    This is by design starting with 12.3.8T, and thank God. The
    double-check of ACLs was quite annoying to most of us since we had to
    specify RFC1918 addresses in our outside ACL. If you want to further
    limit traffic after decryption of the VPN, by an ACL, it's now handled
    differently.

    http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a008022c2a5.html


    -Robert





    On Thu, 25 Nov 2004 13:07:36 +0100, "Ronald de Leeuw" <> wrote:

    > (post #1 quoted in full; see above)
    Rob, Nov 25, 2004
    #2
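As an added example, not part of this thread and not Cisco's or either poster's configuration, this is how the per-group access Ronald describes (ADMIN reaches the whole LAN, USERS only a Terminal Server) can be carried over to 12.3(8)T once the interface ACLs no longer see decrypted traffic: the check moves to an ACL on the crypto map entry, which is the mechanism the feature guide Rob links introduces (`set ip access-group` in crypto map configuration). Everything here that is not in Ronald's configuration is constructed: the two pools (re-cut on wildcard-mask boundaries), the group names, the Terminal Server address 192.168.1.50 and the ACL name. That the command is accepted inside a dynamic-map entry, as written below, is an assumption; the feature guide lists the supported configuration modes.

```cisco
! Added example, not from the thread. One address pool per client group, so
! decrypted packets can be told apart by their source address. Pool ranges are
! constructed values chosen to sit on wildcard-mask boundaries.
ip local pool ILP_CVPN_ADMIN 192.168.254.64 192.168.254.127
ip local pool ILP_CVPN_USERS 192.168.254.128 192.168.254.191
!
crypto isakmp client configuration group ADMIN
 key <removed>
 dns 192.168.1.11 192.168.1.12
 wins 192.168.1.11 192.168.1.12
 pool ILP_CVPN_ADMIN
 acl ACL_CVPN_CLIENT
crypto isakmp client configuration group USERS
 key <removed>
 dns 192.168.1.11 192.168.1.12
 wins 192.168.1.11 192.168.1.12
 pool ILP_CVPN_USERS
 acl ACL_CVPN_CLIENT
!
! The split-tunnel ACL (ACL_CVPN_CLIENT) still only decides what the client
! encrypts; it is not an access policy. The ACL below decides what each pool
! may reach after decryption. 192.168.1.50 is a constructed address standing
! in for the Terminal Server.
ip access-list extended ACL_CVPN_DECRYPTED_IN
 remark ADMIN pool: whole LAN
 permit ip 192.168.254.64 0.0.0.63 192.168.1.0 0.0.0.255
 remark USERS pool: RDP to the Terminal Server only
 permit tcp 192.168.254.128 0.0.0.63 host 192.168.1.50 eq 3389
 remark anything else arriving decrypted from a client is dropped and logged
 deny ip any any log
!
! Attach the ACL to the entry the clients land on. It is evaluated once, on
! clear text, inbound from the tunnel. Assumption: the dynamic-map entry
! accepts set ip access-group; otherwise place it on a static crypto map entry.
crypto dynamic-map CDM_CVPN_CLIENT 10
 set transform-set AES256SHA
 set ip access-group ACL_CVPN_DECRYPTED_IN in
```

With the check on the crypto map, the fifth line of ACL_DIA10_IN and the sixth line of ACL_DIA10_OUT (the permits for decrypted traffic) are no longer needed, which is what Rob means by not having to specify RFC 1918 addresses in the outside ACL. `show ip access-lists ACL_CVPN_DECRYPTED_IN` should then show the match counters accumulating on this ACL instead of on the interface ACLs, and the `deny ... log` entry records which client addresses are being refused.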
