Getting a VPN to work through a Cisco firewall

Discussion in 'Cisco' started by Rick Kunkel, Jan 12, 2006.

  1. Rick Kunkel

    Rick Kunkel Guest

    Hello all,

    I've been configuring Cisco devices in a relatively simple fashion
    for years now. However, we've got a customer who bought a Cisco 1841
    with the Firewall Feature set, and there are some new commands and
    features I'm not used to. Primarily I do backbone or distribution layer
    configs, not ones on the end, so the VPN stuff is new to me as well...

    Anyhow, this problem here lies in the firewall blocking VPN traffic.
    Right now, as a lab, I've got the WAN port of the router set up with a
    xxx.xxx.xxx.158 255.255.255.252 IP address, and the LAN as a
    xxx.xxx.xxx.161 255.255.255.224 IP address.

    When someone from the outside makes a VPN connection to the router's
    WAN IP address, it grabs an address from the pool, and works fine as
    long as the firewall is not in place.

    Once the firewall is there, the traffic can't make it back in, despite
    the fact that the inspect CBAC is supposed to open holes in the
    firewall. I get log entries like:

    -- Nameserver not able to get its traffic back:
    Jan 11 19:37:45.927: %SEC-6-IPACCESSLOGP: list 101 denied udp
    xxx.xxx.xxx.10(53) -> xxx.xxx.xxx.182(3758), 1 packet

    -- Hitting Yahoo by IP in browser. Traffic not making it back:
    Jan 11 19:37:55.875: %SEC-6-IPACCESSLOGP: list 101 denied tcp
    66.94.230.34(80) -> xxx.xxx.xxx.182(3759), 1 packet

    Note that the "xxx.xxx.xxx.182" IP is the IP that was handed to the
    VPN client, but that is ACTUALLY out on the Internet.

    I have the feeling that I'm missing something dumb, but I just don't
    know. I usually feel pretty adept at these things.

    For your inspection, here are the relevant portions of the config.
    Also worth noting is that I've let the Cisco SDM write the access list
    parts of this. I've also tried it by hand, with no success.

    ip inspect name DEFAULT100 cuseeme
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 icmp
    ip inspect name DEFAULT100 netshow
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 esmtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive

    interface FastEthernet0/0
    description $ETH-WAN$$FW_OUTSIDE$
    ip address xxx.xxx.xxx.158 255.255.255.252
    ip access-group 101 in
    ip inspect DEFAULT100 out
    crypto map SDM_CMAP_1

    interface FastEthernet0/1
    description $ETH-LAN$$FW_INSIDE$
    ip address xxx.xxx.xxx.161 255.255.255.224
    ip access-group 100 in

    ip local pool SDM_POOL_1 xxx.xxx.xxx.176 xxx.xxx.xxx.183

    access-list 100 remark auto generated by SDM firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip xxx.xxx.xxx.156 0.0.0.3 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 101 remark auto generated by SDM firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 permit udp host 207.244.144.10 eq domain host xxx.xxx.xxx.158
    access-list 101 permit udp host 207.244.153.11 eq domain host xxx.xxx.xxx.158
    access-list 101 permit ip xxx.xxx.xxx.176 0.0.0.7 any
    access-list 101 remark Auto generated by SDM for NTP (123) 72.36.170.170
    access-list 101 permit udp host 72.36.170.170 eq ntp host xxx.xxx.xxx.158 eq ntp
    access-list 101 permit ahp any host xxx.xxx.xxx.158
    access-list 101 permit esp any host xxx.xxx.xxx.158
    access-list 101 permit udp any host xxx.xxx.xxx.158 eq isakmp
    access-list 101 permit udp any host xxx.xxx.xxx.158 eq non500-isakmp
    access-list 101 deny ip xxx.xxx.xxx.160 0.0.0.31 any
    access-list 101 permit icmp any host xxx.xxx.xxx.158 echo-reply
    access-list 101 permit icmp any host xxx.xxx.xxx.158 time-exceeded
    access-list 101 permit icmp any host xxx.xxx.xxx.158 unreachable
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any log

    I thank anyone for any input they've got.

    Thanks much!

    Rick Kunkel
    Rick Kunkel, Jan 12, 2006
    #1
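    To see why the two logged packets end up at the final deny, here is an added example (mine, not from the post or from Cisco) that replays them against an ordered subset of access-list 101 using Cisco wildcard-mask matching and first-match semantics, and then shows what changes once a per-session entry of the kind CBAC inserts is in front of the static list. The real addresses are masked in the post, so 198.51.100.x stands in for xxx.xxx.xxx.x, and the CBAC session entry is a simplified model of the dynamic entry, not IOS code.

```python
import ipaddress
import re
# Constructed stand-ins (TEST-NET-2) for the "xxx.xxx.xxx" octets masked in the post.
WAN_IP = "198.51.100.158"                          # Fa0/0 address
POOL_BASE, POOL_WC = "198.51.100.176", "0.0.0.7"   # ip local pool SDM_POOL_1 .176-.183
ANY = ("0.0.0.0", "255.255.255.255")               # "any" expressed as base + wildcard

def wc_match(addr, base, wildcard):
    """Cisco wildcard-mask match: address bits where the wildcard has a 1 are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

# Ordered subset of access-list 101 from the post: (action, proto, src, src_wc, dst, dst_wc, dst_port)
ACL_101 = [
    ("permit", "ip",  POOL_BASE, POOL_WC, *ANY, None),   # permit ip <pool> 0.0.0.7 any
    ("permit", "esp", *ANY, WAN_IP, "0.0.0.0", None),    # permit esp any host <wan>
    ("permit", "udp", *ANY, WAN_IP, "0.0.0.0", 500),     # permit udp any host <wan> eq isakmp
    ("permit", "udp", *ANY, WAN_IP, "0.0.0.0", 4500),    # permit udp any host <wan> eq non500-isakmp
    ("deny",   "ip",  *ANY, *ANY, None),                 # deny ip any any log
]

def evaluate(acl, proto, src, dst, dport=None):
    """First-match evaluation, as IOS does it: returns (action, index of the matching entry)."""
    for i, (action, p, s, swc, d, dwc, port) in enumerate(acl):
        if p != "ip" and p != proto:
            continue
        if not (wc_match(src, s, swc) and wc_match(dst, d, dwc)):
            continue
        if port is not None and port != dport:
            continue
        return action, i
    return "deny", None   # implicit deny at the end of every IOS ACL

def with_session(acl, proto, src, dst, dport):
    """Model the temporary per-session entry CBAC places ahead of the static ACL for an inspected flow."""
    return [("permit", proto, src, "0.0.0.0", dst, "0.0.0.0", dport)] + acl

LOG_RE = re.compile(r"list (\d+) denied (\w+) (\S+)\((\d+)\) -> (\S+)\((\d+)\)")

def classify(log_line):
    """Replay a %SEC-6-IPACCESSLOGP line against ACL 101 with and without a CBAC session entry."""
    m = LOG_RE.search(log_line)
    proto, src, dst, dport = m.group(2), m.group(3), m.group(5), int(m.group(6))
    action, entry = evaluate(ACL_101, proto, src, dst, dport)
    cbac_action, _ = evaluate(with_session(ACL_101, proto, src, dst, dport), proto, src, dst, dport)
    return {"action": action, "entry": entry, "with_cbac_entry": cbac_action,
            "dst_in_pool": wc_match(dst, POOL_BASE, POOL_WC)}

# Constructed log lines mirroring the two in the post, with the placeholder octets filled in.
SAMPLE_LOGS = [
    "Jan 11 19:37:45.927: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.10(53) -> 198.51.100.182(3758), 1 packet",
    "Jan 11 19:37:55.875: %SEC-6-IPACCESSLOGP: list 101 denied tcp 66.94.230.34(80) -> 198.51.100.182(3759), 1 packet",
]
```

    Run `classify()` over the two sample lines: both reach entry 4 (the `deny ip any any log` line) because the only pool-related entry permits the pool as a source, while the return packets carry the pool address as the destination; with the session entry in front, the same packets are permitted.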

  2. Rick Kunkel

    Guest

    Hello Rick,

    at first glance I would say that you need to allow UDP port 53 and TCP
    port 80 for the IP addresses specified in your local pool SDM_POOL_1 in
    your access list 101. Can you try and add this to access list 101:

    access-list 101 permit udp x.x.x.176 0.0.0.7 any eq 53
    access-list 101 permit tcp x.x.x.176 0.0.0.7 any eq www

    and check if that makes a difference?

    Regards,


    www.solutionfinders.nl
    We've got answers!
    , Jan 12, 2006
    #2
