Remote access fun with Cisco 837 and locally auth'd Cisco VPN client

Discussion in 'Cisco' started by Christian Hewitt, Apr 24, 2005.

    Hi Folks,

    Through a fair amount of googling, usenet trawling and blind hacking
    I've managed to get a Cisco 837 connected to the net. I'm now able to
    browse the net 100% and the router has several port forwards set up to
    expose a webserver along with RDP and Windows VPN services from a
    Win2k3 server. Now, while all of those work, just having Windows VPN
    and RDP ports exposed to the world at large isn't that secure. I'd
    prefer to use the 837's VPN capabilities to access internal LAN
    resources securely from anywhere on the net when I'm in the office or
    away travelling.

    My ISP (Nildram in the UK) allocates the router a static IP address by
    DHCP. The LAN IP range is with the router on The Win2k3 server that I need to access is
    and a LAN connected laptop has a static dhcp allocation (from the
    Win2k3 server) of I'm testing remote access with the
    Cisco v4.6.00 (0045) VPN client for Macintosh by dialing the internet
    on another laptop that's not connected to the internal LAN.

    With my current running configuration I can connect from anywhere on
    the web and authenticate as a local user with the 837. Once auth'd, the
    VPN client is allocated an IP from the vpn pool. From the VPN connected
    laptop I can ping any address on the LAN and any other machine on the
    LAN can ping the IP the VPN client has been allocated. However, I cannot
    access resources via all protocols on all machines. This part appears
    inconsistent and is what has me thoroughly baffled. E.g. from the VPN
    client I can mount SMB shares on but cannot see the
    webserver (:80) on the same IP. From the LAN laptop I can see the
    webserver on the VPN client (192.168.17.x:80). However the VPN client
    can't see the webserver on the LAN laptop (

    This is my first ever contact with Cisco gear and my first experience
    with a real router. I have a suspicion that the answer is somehow
    related to nat forwarding and the access-lists, but this being my first
    encounter with them, my brain's glazed over. Can anyone spot the

    sh version reports: IOS (tm) C837 Software (C837-K9O3Y6-M), Version 12.2(13)ZH4

    Config (security edited) is cut/pasted below:

    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname xxxx
    logging queue-limit 100
    no logging buffered
    enable secret 5 xxxx
    username xxxx password 7 xxxx
    username xxxx password 7 xxxx
    username xxxx password 7 xxxx
    aaa new-model
    aaa authentication login userauthen local
    aaa authorization network groupauthor local
    aaa session-id common
    ip subnet-zero
    ip audit notify log
    ip audit po max-events 100
    no ftp-server write-enable
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp client configuration group xxxx
     key 0 xxxx
     pool vpnpool
     acl 106
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    crypto dynamic-map dynmap 10
     set transform-set myset
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    interface Ethernet0
     ip address
     ip access-group 102 in
     ip nat inside
     no ip mroute-cache
     crypto map clientmap
     hold-queue 100 out
    interface ATM0
     no ip address
     no ip mroute-cache
     atm vc-per-vp 64
     no atm ilmi-keepalive
     pvc 0/38
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
     dsl operating-mode auto
    interface Dialer1
     ip address negotiated
     ip access-group 101 in
     ip nat outside
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     ppp authentication chap pap callin
     ppp chap hostname
     ppp chap password 7 xxxx
     ppp pap sent-username password 7 xxxx
     ppp ipcp dns request
     ppp ipcp wins request
     crypto map clientmap
     hold-queue 224 in
    ip local pool vpnpool
    ip nat inside source list 105 interface Dialer1 overload
    ip nat inside source static tcp 3389 interface Dialer1 3389
    ip nat inside source static tcp 80 interface Dialer1 80
    ip nat inside source static tcp 1723 interface Dialer1 1723
    ip classless
    ip route Dialer1
    no ip http server
    no ip http secure-server
    access-list 1 remark The local LAN
    access-list 1 permit
    access-list 2 remark Where management can be done from
    access-list 2 permit
    access-list 2 permit
    access-list 101 remark Traffic allowed to enter router from Internet
    access-list 101 permit ip any any
    access-list 101 permit ip
    access-list 101 permit ip
    access-list 101 permit tcp any any eq www
    access-list 101 permit tcp any any eq 3389
    access-list 101 permit tcp any any eq 1723
    access-list 101 permit udp any any eq isakmp
    access-list 101 permit tcp any any eq 10000
    access-list 101 permit gre any any
    access-list 101 deny ip any any
    access-list 102 remark Traffic allowed to enter router from Ethernet
    access-list 102 permit ip any any
    access-list 105 remark Traffic to NAT
    access-list 105 deny ip
    access-list 105 deny ip
    access-list 105 permit ip any
    access-list 105 permit ip any
    access-list 106 remark User to Site VPN clients
    access-list 106 permit ip any
    access-list 106 permit ip any
    dialer-list 1 protocol ip permit
    line con 0
     exec-timeout 120 0
     no modem enable
     stopbits 1
    line aux 0
     stopbits 1
    line vty 0 4
     access-class 2 in
     exec-timeout 120 0
     length 0
    scheduler max-task-time 5000

    Obviously if there are any other screwups I've made (things that are in
    that should be out and vice versa) I'd be more than happy to have them
    pointed out!

    -- Christian
    Christian Hewitt, Apr 24, 2005
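One thing worth checking in the posted configuration before chasing the VPN symptom: IOS evaluates an access-list top-down and stops at the first match, so `access-list 101 permit ip any any` as the very first entry of the inbound ACL on Dialer1 means none of the entries after it, including the closing `deny ip any any`, can ever match, and the Internet-facing interface accepts everything. The script below is an added example (not code from the original post) that parses numbered IOS access-list entries and reports every entry that is fully covered by an earlier one. It runs on ACL 101 as posted; the two entries whose networks were redacted in the post are filled in with constructed TEST-NET addresses, and the port-keyword table and helper names are the example's own.

```python
"""Find shadowed entries in numbered Cisco IOS access-lists.

IOS evaluates an access-list top-down and stops at the first match, so an entry fully
covered by an earlier, broader entry can never match and whatever it was meant to
permit or deny is silently lost. Added example code; not from the original post.
"""
import ipaddress
import re
from collections import namedtuple
from typing import List, Optional, Tuple

Ace = namedtuple("Ace", "acl action proto src sport dst dport opts text")
PORT_NAMES = {"www": "80", "isakmp": "500", "pptp": "1723"}  # so "eq www" == "eq 80"
DOTTED = re.compile(r"\d+\.\d+\.\d+\.\d+")
ANY = ipaddress.ip_network("0.0.0.0/0")

def _addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    if i + 1 < len(t) and DOTTED.fullmatch(t[i + 1]):
        # Wildcard bits are the inverse of the subnet mask (0.0.0.255 -> /24).
        mask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(t[i + 1])) & 0xFFFFFFFF)
        return ipaddress.ip_network(f"{t[i]}/{mask}", strict=False), i + 2
    return ipaddress.ip_network(t[i] + "/32"), i + 1  # bare address means host

def _port(t: List[str], i: int) -> Tuple[Optional[Tuple[str, str]], int]:
    """Parse an optional 'eq/gt/lt/neq <port>' at t[i]; None means no port restriction."""
    if i < len(t) and t[i] in ("eq", "gt", "lt", "neq"):
        return (t[i], PORT_NAMES.get(t[i + 1], t[i + 1])), i + 2
    return None, i

def parse_ace(line: str) -> Optional[Ace]:
    """Parse one 'access-list N ...' line; remarks and incomplete entries yield None."""
    t = line.split()
    if len(t) < 3 or t[0] != "access-list" or t[2] == "remark":
        return None
    acl, action = t[1], t[2]
    try:
        if int(acl) < 100 or 1300 <= int(acl) <= 1999:  # standard ACL: source only
            return Ace(acl, action, "ip", _addr(t, 3)[0], None, ANY, None, frozenset(), line.strip())
        proto = t[3]
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
    except IndexError:
        return None  # e.g. an entry whose addresses were redacted
    # Trailing keywords such as 'established' narrow the match; 'log' does not.
    opts = frozenset(x for x in t[i:] if x not in ("log", "log-input"))
    return Ace(acl, action, proto, src, sport, dst, dport, opts, line.strip())

def covers(a: Ace, b: Ace) -> bool:
    """True if every packet that matches b would already have matched a."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and (a.sport is None or a.sport == b.sport)
            and (a.dport is None or a.dport == b.dport)
            and a.opts <= b.opts)

def shadowed_entries(config_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (acl, shadowed entry, entry that shadows it) for every entry that can never match."""
    earlier = {}  # acl number -> entries seen so far, in order
    found = []
    for line in config_lines:
        ace = parse_ace(line)
        if ace is None:
            continue
        seen = earlier.setdefault(ace.acl, [])
        blocker = next((e for e in seen if covers(e, ace)), None)
        if blocker is not None:
            found.append((ace.acl, ace.text, blocker.text))
        seen.append(ace)
    return found

# ACL 101 as posted. The two entries whose networks were redacted in the post are filled
# in here with constructed TEST-NET addresses (192.0.2.0/24 and 198.51.100.0/24).
ACL_101_AS_POSTED = [
    "access-list 101 remark Traffic allowed to enter router from Internet",
    "access-list 101 permit ip any any",
    "access-list 101 permit ip 192.0.2.0 0.0.0.255 any",
    "access-list 101 permit ip 198.51.100.0 0.0.0.255 any",
    "access-list 101 permit tcp any any eq www",
    "access-list 101 permit tcp any any eq 3389",
    "access-list 101 permit tcp any any eq 1723",
    "access-list 101 permit udp any any eq isakmp",
    "access-list 101 permit tcp any any eq 10000",
    "access-list 101 permit gre any any",
    "access-list 101 deny ip any any",
]
# The same list without the catch-all first entry.
ACL_101_WITHOUT_CATCHALL = [e for e in ACL_101_AS_POSTED if e != "access-list 101 permit ip any any"]

if __name__ == "__main__":
    for acl, entry, blocker in shadowed_entries(ACL_101_AS_POSTED):
        print(f"ACL {acl}: '{entry}' can never match; shadowed by '{blocker}'")
    print("without the catch-all:", shadowed_entries(ACL_101_WITHOUT_CATCHALL))
```

Run as posted, every one of the nine entries after the catch-all is reported as shadowed by it; with the catch-all removed the list is clean, because each remaining entry differs from the ones before it in protocol or destination port. Dropping that one line does not by itself explain the port-80 behaviour described in the post, but with it present ACL 101 is not filtering anything, so it is the first thing to correct before comparing the NAT and crypto ACLs.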