Geekball
join:2004-01-19
UK

Geekball to stoz

Member

Re: [Config] Setup Cisco 877 to work with Bt Infinity

Hi Stoz,

Glad to hear you got it working. Can you post up your sanitized config (without passwords) and we can see why your PPTP isn't working. You should just need to forward port 1723 with something like: ip nat inside source static tcp 192.168.50.2 1723 interface Dialer1 1723 where 192.168.50.2 is the internal IP of your PPTP server.

What errors do you get when you try and connect to the VPN? You're not trying to connect to the VPN from the LAN are you? Cisco doesn't support NAT loopback so you can't connect to the external IP from the LAN.

Cheers,

Paul
stoz
join:2012-03-13

stoz

Member

Hi Paul, no don't worry, I'm not trying to VPN from inside the LAN.

Basically my quick way of testing it is to RDP to our remote, external web server, and then from there try to telnet to our fixed IP on 1723, just to test if the port is open. It won't even connect on that port, however it does on all the other ports I've opened - 25, 80, 443 etc. Doing a port scan however (using nmap or grc.com shields up) tells me that the port is open!

When I do the port scan all the ports I've explicitly allowed are open - the standard ports really - but also some realserver and rtsp ports, not sure what they are?

Attached is the sanitised config including NAT config and firewall rules. To set up the firewall I ran the wizard through the SDM, told it not to interfere with NAT rules, and set it to the lowest settings. I can work on hardening it as I go.

 
Current configuration : 9791 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
 
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 4096
logging console critical
!
no aaa new-model
!
 
!
  quit
dot11 syslog
ip source-route
!
!
ip cef
no ip domain lookup
 
!
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
 
! 
archive
 log config
  hidekeys
!
class-map type inspect match-all sdm-nat-http-1
 match access-group 104
 match protocol http
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 101
 match protocol smtp
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-all sdm-nat-pptp-1
 match access-group 103
 match protocol pptp
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-nat-ms-sql-1
 match access-group 105
 match protocol ms-sql
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-protocol-http
 match protocol http
class-map type inspect match-all sdm-nat-https-1
 match access-group 102
 match protocol https
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect 
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-smtp-1
  inspect 
 class type inspect sdm-nat-https-1
  inspect 
 class type inspect sdm-nat-pptp-1
  inspect 
 class type inspect sdm-nat-http-1
  inspect 
 class type inspect sdm-nat-ms-sql-1
  inspect 
 class class-default
  drop
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect 
 class type inspect sdm-protocol-http
  inspect 
 class type inspect SDM-Voice-permit
  inspect 
 class class-default
  pass
policy-map type inspect sdm-permit
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
 pvc 0/38 
  encapsulation aal5mux ppp dialer
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
 switchport access vlan 101
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 10.193.125.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
interface Vlan101
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 description $FW_OUTSIDE$
 mtu 1492
 ip address negotiated
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp chap hostname 
 ppp chap password 0 
 ppp ipcp route default
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 10.193.125.1 25 interface Dialer1 25
ip nat inside source static tcp 10.193.125.1 443 interface Dialer1 443
ip nat inside source static tcp 10.193.125.1 1723 interface Dialer1 1723
ip nat inside source static tcp 10.193.125.1 80 interface Dialer1 80
ip nat inside source static tcp 10.193.125.2 1433 interface Dialer1 1334
!
ip access-list extended NAT
 permit ip 10.193.125.0 0.0.0.255 any
!
logging trap debugging
logging 10.193.125.250
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.193.125.0 0.0.0.255
access-list 1 permit any
access-list 23 permit 10.193.125.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 10.193.125.1
access-list 101 permit gre any any
access-list 101 permit ip any any
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 10.193.125.1
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 10.193.125.1
access-list 103 permit ip any any
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 10.193.125.1
access-list 105 remark SDM_ACL Category=0
access-list 105 permit ip any host 10.193.125.2
no cdp run
!
control-plane
!
 
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 60 0
 login local
 transport input telnet
!
scheduler max-task-time 5000
end
 

Cheers.
Geekball
join:2004-01-19
UK

Geekball

Member

Hi Stoz,

That's cool, just wanted to check :) Only thing I can see at first glance is that you have GRE in access-list 101, which is used by your sdm-nat-smtp-1 rule. I would have expected it to be in access-list 103 for the sdm-nat-pptp-1 rule. But I wouldn't expect that to stop a tcp connection to 1723 unless there's something in the PPTP inspect that blocks telnet connections (i.e. it's blocking the connection 'cos it knows it's not a PPTP client).

Can you try with a real PPTP client? As nmap/ShieldsUp see it as open, it might just work :)

The realserver/rtsp ports are likely included in the match protocol realmedia and match protocol rtsp as they're probably UDP and as such need to be allowed through but will get inspected to ensure they're valid.

Cheers,

Paul
stoz
join:2012-03-13

stoz

Member

Yeah no worries, I know from experience it's vital to start with the basics

I've tried to VPN in from our webserver as well as attempting the telnet, no luck either. I'll keep looking into it, fortunately it's not immediately urgent.

In fact it has just been overtaken in priority though by the fact that downloads simply do not work! I've done ping -l -f to work out that our max packet size is 1436, so I've tried setting 'ip mtu 1436' accordingly, as well as varying 'ip tcp adjust-mss' values. This is pretty crucial, and I'm trying to fix it before anyone notices, but obviously we need downloads working ASAP!

EDIT: the reason I'm not having any luck is probably because our web server doesn't have 1723 open, for inbound, and doesn't let anything out through that port either (this always confused me because I thought that source port was pretty much always random; destination port would be the port of the service, which is what normally happens in client/server scenario. It must be the way it's configged because we can only do SQL in AND out on a non-standard port on that box, so I'm confident this is how it works, based on previous experience).
Geekball
join:2004-01-19
UK

Geekball

Member

said by stoz:

In fact it has just been overtaken in priority though by the fact that downloads simply do not work! I've done ping -l -f to work out that our max packet size is 1436, so I've tried setting 'ip mtu 1436' accordingly, as well as varying 'ip tcp adjust-mss' values. This is pretty crucial, and I'm trying to fix it before anyone notices, but obviously we need downloads working ASAP!

What sort of downloads are you having issues with? Standard HTTP ones or FTP? Is anything reported in the logs? Your MTU should be 1492 on the Dialer interface for PPPoE. I don't see the ip tcp adjust-mss 1452 on the dialer1 interface in your config.

On mine I can successfully ping up to 1464 bytes with an MTU 1492 and MSS of 1452. This fits in perfectly with the values at »/tweaks/MTU/.
said by stoz:

EDIT: the reason I'm not having any luck is probably because our web server doesn't have 1723 open, for inbound, and doesn't let anything out through that port either (this always confused me because I thought that source port was pretty much always random; destination port would be the port of the service, which is what normally happens in client/server scenario. It must be the way it's configged because we can only do SQL in AND out on a non-standard port on that box, so I'm confident this is how it works, based on previous experience).

That would explain why nmap and shields up were seeing the port as open. So testing the VPN from somewhere else would probably work.

Cheers,

Paul
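The MTU, MSS and ping figures in the post above (1492, 1452 and 1464) are tied together by fixed IPv4 header sizes. The following is an added example, not code from the thread, that carries that arithmetic through and also handles the case where a ping -f sweep implies a path MTU lower than the PPPoE link should carry. It assumes Windows `ping -l` semantics, where the number given is the ICMP data size, not the packet size.

```python
"""Derive PPPoE MTU / TCP MSS settings from a ping -f probe. Added example (not from the thread)."""
IPV4_HEADER = 20   # bytes, no options
TCP_HEADER = 20    # bytes, no options
ICMP_HEADER = 8    # echo request header
PPPOE_MTU = 1492   # Ethernet 1500 minus 8 bytes of PPPoE/PPP framing


def mss_for_mtu(mtu):
    """Largest TCP payload per packet: what `ip tcp adjust-mss` should announce."""
    return mtu - IPV4_HEADER - TCP_HEADER


def max_ping_payload(mtu):
    """Largest `ping -f -l N` (Windows) data size that still fits unfragmented."""
    return mtu - IPV4_HEADER - ICMP_HEADER


def path_mtu_from_probe(largest_unfragmented_payload):
    """Inverse of max_ping_payload: the path MTU a ping -f sweep actually found."""
    return largest_unfragmented_payload + IPV4_HEADER + ICMP_HEADER


def recommend(probe_payload, link_mtu=PPPOE_MTU):
    """Values to set on the dialer interface, given the largest ping payload that
    passed with DF set. If the probe implies a smaller MTU than the link should
    carry, something on the path is clamping below the PPPoE figure."""
    path_mtu = path_mtu_from_probe(probe_payload)
    effective = min(link_mtu, path_mtu)
    return {
        "path_mtu": path_mtu,
        "ip_mtu": effective,
        "tcp_adjust_mss": mss_for_mtu(effective),
        "consistent_with_link": path_mtu >= link_mtu,
    }


if __name__ == "__main__":
    print(recommend(1464))  # the 1464-byte ping from the post above -> ip_mtu 1492, mss 1452
    print(recommend(1436))  # a 1436-byte probe -> path MTU 1464, below the 1492 link figure
```

The point of `recommend` is that the largest ping payload is not the MTU: 28 bytes of IP and ICMP header sit on top of it, and the MSS is a further 40 bytes below the MTU.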
stoz
join:2012-03-13

stoz

Member

I think I may be getting slightly confused with the MTU values. I've set them subsequent to posting the config, which is why they aren't showing up. I found a few posts on Google where people had done similar to me, and stated that you had to match the MTU to the packet size you settle on doing ping -l -f. It doesn't seem to have made any difference.

For clarity should I just set MTU 1492 on Dialer 1 and MSS 1452 on Dialer 1 too? Do I need to set the MSS on any of the VLAN interfaces?

Oh, I tested the VPN from home last night and it works fine. I realise now that testing it from the web server doesn't work (1723 isn't opened) and nmap and shields up were correctly reporting that the port is open.

Edit: additionally I find that if I disable the Cisco FW, downloads work fine. We can surf the net with the FW up, but no downloads or speed test. Not sure what in the FW might be blocking it, but I imagine maybe it isn't necessarily specific to using PPPoE like this scenario...
Geekball
join:2004-01-19
UK

Geekball

Member

You should just need to set them on Dialer1 as that's where the limitation is. Other traffic can use a higher MTU and anything going over the Dialer1 interface should automatically get its MSS lowered to the correct value in the SYN packet.

Given that your downloads work with the firewall off, it's pointing to a problem with the firewall inspection. My guess is you need to add match protocol http to the sdm-cls-insp-traffic class-map. Make sure you add it before the match protocol tcp.

Cheers,

Paul
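Two points raised in this thread lend themselves to a scripted check over a posted config: whether each static NAT forward has an inspect class whose ACL actually reaches the inside host (and where the GRE permit for PPTP ended up, as queried earlier), and whether `match protocol http` sits above the generic `match protocol tcp` in the match-any class-map, as advised just above. The following is an added example, not code from the thread or from Cisco. The embedded config is a constructed excerpt modelled on the one posted earlier (the 10.193.125.3:22 forward is added purely to show a miss), the port-to-protocol table is an assumption, and the checks report what the config says rather than deciding what IOS will do with it.

```python
"""Cross-check static NAT forwards against ZBF inspect classes (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the config posted earlier in the thread (same
# structure, trimmed). The 10.193.125.3:22 forward is constructed to show a miss.
SAMPLE_CONFIG = """\
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol https
 match protocol tcp
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 101
 match protocol smtp
class-map type inspect match-all sdm-nat-pptp-1
 match access-group 103
 match protocol pptp
class-map type inspect match-all sdm-nat-ms-sql-1
 match access-group 105
 match protocol ms-sql
ip nat inside source static tcp 10.193.125.1 25 interface Dialer1 25
ip nat inside source static tcp 10.193.125.1 1723 interface Dialer1 1723
ip nat inside source static tcp 10.193.125.2 1433 interface Dialer1 1334
ip nat inside source static tcp 10.193.125.3 22 interface Dialer1 22
access-list 101 permit ip any host 10.193.125.1
access-list 101 permit gre any any
access-list 103 permit ip any host 10.193.125.1
access-list 105 permit ip any host 10.193.125.2
"""

# Assumed mapping: forwarded port -> ZBF protocol name expected to inspect it.
PORT_TO_PROTOCOL = {25: "smtp", 80: "http", 443: "https", 1433: "ms-sql", 1723: "pptp"}


def parse_config(text):
    """Return (nat_entries, class_maps, acls); ACL remarks and other lines are ignored."""
    nat, class_maps, acls, current = [], {}, defaultdict(list), None
    for line in text.splitlines():
        m = re.match(r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface \S+ (\d+)$", line)
        if m:
            nat.append((m.group(1), m.group(2), int(m.group(3)), int(m.group(4))))
            continue
        m = re.match(r"class-map type inspect (match-all|match-any) (\S+)", line)
        if m:
            current = m.group(2)
            class_maps[current] = {"mode": m.group(1), "acl": None, "protocols": []}
            continue
        if not line.startswith(" "):
            current = None  # any other top-level line ends the class-map block
        m = re.match(r" match access-group (\d+)", line)
        if m and current:
            class_maps[current]["acl"] = m.group(1)
        m = re.match(r" match protocol (\S+)", line)
        if m and current:
            class_maps[current]["protocols"].append(m.group(1))
        m = re.match(r"access-list (\d+) permit (\S+) (.*)$", line)
        if m:
            acls[m.group(1)].append((m.group(2), m.group(3)))  # (protocol, "src dst")
    return nat, class_maps, acls


def acl_covers(entries, ip):
    """True if an ip/tcp permit in the ACL reaches the forwarded inside host."""
    return any(proto in ("ip", "tcp") and (rest.endswith(" any") or rest.endswith(f"host {ip}"))
               for proto, rest in entries)


def audit(text):
    """Return a list of findings; an empty list means every forward is inspected."""
    nat, class_maps, acls = parse_config(text)
    findings = []
    for _proto, ip, inside_port, outside_port in nat:
        if inside_port != outside_port:
            findings.append(f"port-translation: {ip}:{inside_port} exposed as {outside_port}; confirm intended")
        want = PORT_TO_PROTOCOL.get(inside_port)
        covered = [n for n, cm in class_maps.items()
                   if want in cm["protocols"] and cm["acl"] in acls and acl_covers(acls[cm["acl"]], ip)]
        if not covered:
            findings.append(f"uninspected-nat: {ip}:{inside_port} ({want or 'unknown'}) matches no inspect class")
    # PPTP's data channel is GRE: report a GRE permit sitting in an ACL that only a non-PPTP class uses.
    for acl_id, entries in acls.items():
        if any(proto == "gre" for proto, _ in entries):
            for n, cm in class_maps.items():
                if cm["acl"] == acl_id and "pptp" not in cm["protocols"]:
                    findings.append(f"gre-placement: access-list {acl_id} permits gre but is used by {n} "
                                    f"(protocols {cm['protocols']}), not by a pptp class")
    # Per the advice in the thread: specific L7 matches belong above the generic tcp match.
    for n, cm in class_maps.items():
        protos = cm["protocols"]
        if cm["mode"] != "match-any" or "tcp" not in protos:
            continue
        after_tcp = [p for p in protos[protos.index("tcp") + 1:] if p not in ("tcp", "udp")]
        if after_tcp:
            findings.append(f"match-order: {n} lists {after_tcp} after generic tcp; move them above it")
        if "http" not in protos:
            findings.append(f"missing-http: {n} inspects generic tcp but has no match protocol http above it")
    return findings
```

Run `audit(SAMPLE_CONFIG)` and you get four findings: the 1433-to-1334 translation to confirm, the constructed port 22 forward with no inspect class, the GRE permit living in the ACL that only the smtp class references, and the match-any class that inspects generic tcp without an http match above it. The script only parses the numbered ACL and class-map forms used in the posted config; named ACLs and nested `match class-map` references are deliberately left out.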
stoz
join:2012-03-13

stoz

Member

Ok great I'll give that a go. Many thanks again Paul.
stoz

stoz to Geekball

Member

Right, well, I got somewhere by moving the match http rule above the sdm-class-inspect-traffic rule in the SDM - speedtest got a bit further, but slower than normal, before eventually erroring out. Back to the drawing board I guess.
Geekball
join:2004-01-19
UK

Geekball

Member

Just out of curiosity, what speedtest are you using? I've just started using »www.measurementlab.net/run-ndt which seems to be quite good, can give you some useful info. What errors are you getting? Does anything pop up in the console logs on the router?

You're doing a lot with that router so it could be that its CPU is maxed. As I said, ours will top out at ~30Mbps downstream just doing NAT - no ZBF at the moment. If it's gotta inspect all the packets coming in as well, I'd expect that to add more load. Try a sh proc cpu history and see what the cpu loads are like. Though, saying that, I'd expect it to just get slower rather than cause a connection to drop if the cpu load was causing the problem..

Cheers
stoz
join:2012-03-13

stoz

Member

I normally just use speedtest.net (37.99 down / 9.00 up)
I had a go with the site you linked and got 37 down / 9 up. I can post the details too but they don't seem amiss.

If you're just using NAT on the router what're you using for the ZBF? Another Cisco or proxy server? NAT on our router is working fine, although non-used ports are closed rather than stealthed. The speed is absolutely fine too, it's only when we enable basic FW that we run into problems.