*some* return traffic not going through vpn tunnel (although not all)

Discussion in 'Cisco' started by b0rez@yahoo.co.uk, Dec 20, 2005.

  1. Guest

    Very strange problem, my guess is a configuration error. Clients
    connecting to an 1841 with a VPN tunnel endpoint on its Dialer0
    interface (ADSL WIC on an ISDN line) have no trouble accessing LAN
    resources (file shares, Exchange mailboxes via a MAPI client, ping,
    etc.). However, when configuring an IMAP connection on a remote VPN
    client, outgoing email would not send. The strange thing is that the
    port 143 traffic between the client and IMAP server flows properly.

    It turns out that port 25 traffic correctly flows from the client to
    the SMTP server, but that return traffic from the server to the client
    does not flow back through the VPN tunnel. Instead it routes back out
    through the public IP address. Can anyone offer a suggestion? (And
    please feel free to comment on the config in general, i.e. unnecessary
    ACL entries, etc.)

    The VPN address pool is 10.10.10.0/24. The LAN subnet is 10.0.0.0/24.
    Host 10.0.0.209 is the SMTP server. xxx.xxx.xxx.xxx is the public IP
    address on Dialer0. The packet trace and startup-config follow:

    <snort trace>
    12/16-07:14:47.757578 10.10.10.17:3753 -> 10.0.0.209:25
    TCP TTL:128 TOS:0x0 ID:10758 IpLen:20 DgmLen:48 DF
    ******S* Seq: 0x65389798 Ack: 0x0 Win: 0x8000 TcpLen: 28
    TCP Options (4) => MSS: 1260 NOP NOP SackOK
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


    12/16-07:14:47.845437 xxx.xxx.xxx.xxx:25 -> 10.10.10.17:3753
    TCP TTL:127 TOS:0x0 ID:23397 IpLen:20 DgmLen:48 DF
    ***A**S* Seq: 0x4AE8EFC0 Ack: 0x65389799 Win: 0x44E8 TcpLen: 28
    TCP Options (4) => MSS: 1452 NOP NOP SackOK
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    </snort trace>

    version 12.3
    no service pad
    service timestamps debug datetime
    service timestamps log datetime
    service password-encryption
    sntp server yyy.yyy.yyy.yyy
    clock timezone WET +1
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200 debugging
    logging console critical
    enable secret *****
    username admin privilege 15 password *****
    !
    !
    ! <nat config>
    ! <addresses>
    ip nat inside source list 110 interface dialer0 overload
    !
    ! <port forwarding> incoming session-initiating packets
    ip nat inside source static tcp 10.0.0.209 25 interface dialer0 25 ! exchange smtp virtual server
    ip nat inside source static tcp 10.0.0.209 80 interface dialer0 80 ! exchange owa access
    ip nat inside source static tcp 10.0.0.209 443 interface dialer0 443 ! exchange owa access - ssl
    ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload ! crypto
    !
    ! <ip - miscellaneous>
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip subnet-zero
    ip local pool myvpnippool 10.10.10.1 10.10.10.255
    ip name-server zzz.zzz.zzz.10 zzz.zzz.zzz.253
    ip domain-lookup
    ip domain-name corp.*******.org
    ip tftp source-interface Dialer0
    no ip finger
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    no ip source-route
    ip cef
    ip tcp synwait-time 10
    ip ips po max-events 100
    no ip bootp server
    ip ssh time-out 60
    ip ssh authentication-retries 2
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    no ftp-server write-enable
    logging trap debugging
    no cdp run
    route-map SDM_RMAP_1 permit 1
    match ip address 110
    !
    aaa new-model
    aaa authentication login aaa-authenticated local
    aaa authorization network aaa-authorized local
    !
    ! <internet security association and key management protocol - isakmp>
    ! <policy for vpn client phase I negotiations>
    crypto isakmp policy 1
    encryption aes 256
    hash md5
    authentication pre-share
    group 2
    lifetime 14400
    crypto isakmp policy 2
    encryption 3des
    hash md5
    authentication pre-share
    group 2
    lifetime 14400
    ! <isakmp nat keepalives every 18 seconds>
    crypto isakmp nat keepalive 18
    !
    ! <vpn client group>
    crypto isakmp client configuration group vpn-client-group
    key *****
    dns 10.0.0.208 10.0.0.209
    domain corp.*******.org
    pool myvpnippool
    acl 100
    !
    ! <phase II policy - actual data encryption>
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    ! <dynamic crypto map with associated transform>
    crypto dynamic-map SDM_DYNMAP_1 1
    set transform-set myset
    reverse-route
    !
    ! <actual crypto map>
    crypto map SDM_CMAP_1 client authentication list aaa-authenticated
    crypto map SDM_CMAP_1 isakmp authorization list aaa-authorized
    crypto map SDM_CMAP_1 client configuration address respond
    crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
    !
    ! <access control lists>
    ! <100 - vpn ip address list - referenced by the isakmp client config>
    access-list 100 permit ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255
    !
    ! <110 - nat addresses - interface e1>
    access-list 110 deny ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255 ! no nat for vpn
    access-list 110 permit ip 10.0.0.0 0.0.0.255 any
    access-list 110 permit ip 10.10.10.0 0.0.0.255 any
    !
    ! <120 - inbound extended acl - interface Dialer0 (ingress filter)>
    ! <vpn>
    access-list 120 permit udp any any eq isakmp log ! port 500
    access-list 120 permit udp any any eq non500-isakmp log ! port 4500 nat-t
    access-list 120 permit esp any any ! protocol 50
    access-list 120 permit ahp any any ! protocol 51
    access-list 120 permit ip 10.10.10.0 0.0.0.255 any ! vpn address pool
    ! <the standard "unlikely's">
    ! <deny packets without ip addresses>
    access-list 120 deny ip host 0.0.0.0 any log
    ! <deny rfc 1918 addresses - private networks>
    access-list 120 deny ip 172.16.0.0 0.15.255.255 any log
    access-list 120 deny ip 192.168.0.0 0.0.255.255 any log
    ! <deny rfc 1112 addresses - multicast (engineer) network>
    access-list 120 deny ip 224.0.0.0 15.255.255.255 any log
    ! <broadcast (engineer) network>
    access-list 120 deny ip 255.0.0.0 0.255.255.255 any log
    ! <localhost - loopback address>
    access-list 120 deny ip 127.0.0.0 0.255.255.255 any log
    ! <ports and ip protocols permitted>
    ! <dns forwarders>
    access-list 120 permit udp host zzz.zzz.zzz.10 eq 53 any ! dns
    access-list 120 permit udp host zzz.zzz.zzz.253 eq 53 any ! dns2
    ! <smtp>
    access-list 120 permit tcp any any eq 25
    ! <anti-spoofing - client internal addresses - rfc 1918 addresses - private networks>
    access-list 120 deny ip 10.0.0.0 0.255.255.255 any log
    ! <https>
    access-list 120 permit tcp any any eq 443
    ! <icmp specifics, !ping request + !ping echo>
    access-list 120 permit icmp any any 3 0 log
    !net-unreachable
    access-list 120 permit icmp any any 3 1 log
    !host-unreachable
    access-list 120 permit icmp any any 3 3 log
    !port-unreachable
    access-list 120 permit icmp any any 3 4 log
    !packet-too-big
    access-list 120 permit icmp any any 3 13 log
    !administratively-prohibited
    access-list 120 permit icmp any any 4
    !source-quench
    access-list 120 permit icmp any any 11 0 log
    !ttl-exceeded
    access-list 120 permit icmp any any echo-reply
    access-list 120 permit icmp any any echo
    access-list 120 deny icmp any any
    ! <sntp>
    access-list 120 permit udp host yyy.yyy.yyy.yyy eq 123 any eq 123
    ! <telnet>
    access-list 120 deny tcp any any eq 23
    access-list 120 deny udp any any eq 23
    ! <only ack'd packets>
    access-list 120 permit tcp any any gt 1023 established
    ! <deny all other traffic>
    access-list 120 deny ip any any log
    !
    ! <130 - inbound extended acl - interface FastEthernet0/0 (egress filter)>
    access-list 130 permit ip any 10.10.10.0 0.0.0.255 !myvpnpool
    access-list 130 permit 50 any 10.10.10.0 0.0.0.255 !myvpnpool
    access-list 130 permit 51 any 10.10.10.0 0.0.0.255 !myvpnpool
    access-list 130 permit ip 10.0.0.0 0.0.0.255 any
    !<icmp filtering>
    access-list 130 deny icmp any any parameter-problem log-input
    access-list 130 deny icmp any any reassembly-timeout log-input
    access-list 130 deny icmp any any port-unreachable log-input
    access-list 130 permit icmp any any
    !<deny all other traffic>
    access-list 130 deny ip any any log-input
    !
    ! <outbound cbac commands - interface Dialer0>
    ip inspect name my-out-rules cuseeme alert on timeout 3600
    ip inspect name my-out-rules ftp alert on timeout 3600
    ip inspect name my-out-rules rcmd alert on timeout 3600
    ip inspect name my-out-rules realaudio alert on timeout 3600
    ip inspect name my-out-rules smtp alert on timeout 3600
    ip inspect name my-out-rules tftp alert on timeout 30
    ip inspect name my-out-rules udp alert on timeout 15
    ip inspect name my-out-rules tcp alert on timeout 3600
    ip inspect name my-out-rules h323 alert on timeout 3600
    ip inspect name my-out-rules fragment max 100 timeout 4
    !
    ! <cbac commands - not bound to any particular interface>
    ip inspect dns-timeout 31
    ip inspect tcp finwait-time 6
    ip inspect tcp synwait-time 31
    !
    interface FastEthernet0/0
    description - secure network
    ip address 10.0.0.250 255.255.255.0
    ip nat inside
    ip tcp adjust-mss 1452
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip virtual-reassembly
    ip route-cache flow
    duplex auto
    speed auto
    no cdp enable
    no mop enabled
    hold-queue 32 in
    hold-queue 100 out
    ip access-group 130 in
    no shutdown
    !
    interface FastEthernet0/1
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    shutdown
    duplex auto
    speed auto
    no cdp enable
    no mop enabled
    !
    interface ATM0/0/0
    description adsl interface - bound by the dialer interface
    no ip address
    no atm ilmi-keepalive
    bundle-enable
    dsl operating-mode auto
    hold-queue 224 in
    pvc 8/35
    encapsulation aal5snap
    protocol ppp dialer
    dialer pool-member 1
    !
    interface Dialer0
    description - internet
    ip address negotiated
    ip access-group 120 in
    ip mtu 1492
    ip nat outside
    ip inspect my-out-rules out
    encapsulation ppp
    ip tcp adjust-mss 1452
    dialer pool 1
    dialer-group 1
    ppp authentication chap pap callin
    ppp chap hostname ****@****.***
    ppp chap password *****
    ppp pap sent-username ****@****.*** password *****
    crypto map SDM_CMAP_1
    !
    line con 0
    login authentication aaa-authenticated
    exec-timeout 120 0
    stopbits 1
    line aux 0
    line vty 0 4
    login authentication aaa-authenticated
    exec-timeout 120 0
    length 0
    !
    ! <syslog server>
    logging 10.0.0.180
    logging sss.sss.sss.sss
    logging facility local1
    !
    scheduler max-task-time 5000
    end
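An added example, not part of the original post: a small model of the IOS inside-to-outside order of operations (routing, then NAT, then the crypto map check) applied to the NAT and crypto ACLs in the posted config. It shows why a port-25 reply from 10.0.0.209 to a VPN pool address leaves with the Dialer0 address as source and never matches crypto ACL 100, while port-143 replies do, which is what the snort trace captures. The public Dialer0 address is a constructed placeholder for xxx.xxx.xxx.xxx.

```python
"""Model of NAT-before-crypto ordering for the 1841 config in the post (added example)."""
from ipaddress import ip_address, ip_network

DIALER0_IP = "203.0.113.1"          # placeholder for the real xxx.xxx.xxx.xxx
LAN = ip_network("10.0.0.0/24")     # FastEthernet0/0, ip nat inside
VPN_POOL = ip_network("10.10.10.0/24")  # myvpnippool

# Static port-forwarding entries from the config. They carry no route-map,
# so they match on inside local address/port only, whatever the destination.
STATIC_TCP_NAT = {("10.0.0.209", 25), ("10.0.0.209", 80), ("10.0.0.209", 443)}


def acl_110_permits(src: str, dst: str) -> bool:
    """Dynamic NAT ACL 110: deny LAN->pool, permit LAN->any, permit pool->any."""
    s, d = ip_address(src), ip_address(dst)
    if s in LAN and d in VPN_POOL:
        return False
    return s in LAN or s in VPN_POOL


def crypto_acl_100_matches(src: str, dst: str) -> bool:
    """Crypto ACL 100 (via the client group): LAN -> VPN pool."""
    return ip_address(src) in LAN and ip_address(dst) in VPN_POOL


def inside_to_outside(src: str, sport: int, dst: str, dport: int):
    """Return (source address on the wire, encrypted?) for a LAN->Dialer0 packet."""
    # Step 1: NAT inside->outside. Static entries win and ignore the destination;
    # only the dynamic overload entry consults ACL 110.
    if (src, sport) in STATIC_TCP_NAT or acl_110_permits(src, dst):
        src_on_wire = DIALER0_IP
    else:
        src_on_wire = src
    # Step 2: the crypto map evaluates the already-translated packet.
    return src_on_wire, crypto_acl_100_matches(src_on_wire, dst)


if __name__ == "__main__":
    # The two cases from the post: SMTP reply (translated, sent in the clear)
    # and IMAP reply (left alone, encrypted into the tunnel).
    for sport in (25, 143):
        wire_src, enc = inside_to_outside("10.0.0.209", sport, "10.10.10.17", 3753)
        print(f"10.0.0.209:{sport} -> 10.10.10.17: source {wire_src}, encrypted={enc}")
```

The model points at the three static entries as the translation that diverts the port-25 reply; the same would happen for the forwarded ports 80 and 443 reached from a VPN client. Excluding the VPN pool from those static translations (IOS supports a route-map on static NAT entries) is the usual way to keep such replies inside the crypto ACL.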