[HELP] IPSec VPN and DVTI -- attempting a Full Tunnel config

Like tired_runner, trying to get a full-tunnel IPSec remote access working. Based on a config supplied by RyanG1, and reviewing the video here about DVTI, thought I had this all set up correctly. Below is the config, some relevant highlights:

- Router has networks 172.16.0.0/24, 172.16.10.0/24, 172.16.20.0/24, and 172.16.30.0/24
- VPN clients get a pool 172.16.40.0/7
- DVTI interface is Virtual-Template 1, currently set to ip unnumbered on VLAN 30 / 172.16.30.1
- NAT ACL is controlled by ACL 111 as follows:

access-list 111 deny ip 172.16.0.0 0.0.255.255 172.16.40.0 0.0.0.7
access-list 111 deny ip 172.16.40.0 0.0.0.7 172.16.0.0 0.0.255.255
access-list 111 permit ip 172.16.0.0 0.0.0.3 any
access-list 111 permit ip 172.16.10.0 0.0.0.255 any
access-list 111 permit ip 172.16.20.0 0.0.0.255 any
access-list 111 permit ip 172.16.30.0 0.0.0.255 any
access-list 111 permit ip 172.16.40.0 0.0.0.7 any
Where I've gotten this so far is the tunnel comes up, and I'm able to browse computers on the local LAN and ping the VLAN SVIs on the router I'm VPN'ing to. Where things break down is that internet-bound traffic doesn't seem to work at all. Some output I've collected to help troubleshoot is as follows:

- NAT translation tables show translation is happening, confirming the router is NAT'ing for the 172.16.40.x host.

R1811#sh ip nat trans | i 172.16.40.1
udp xx.xx.xx.xx:49869 172.16.40.1:49869 208.67.220.220:53 208.67.220.220:53
udp xx.xx.xx.xx:49869 172.16.40.1:49869 208.67.222.222:53 208.67.222.222:53
udp xx.xx.xx.xx:50296 172.16.40.1:50296 208.67.220.220:53 208.67.220.220:53
udp xx.xx.xx.xx:50296 172.16.40.1:50296 208.67.222.222:53 208.67.222.222:53
udp xx.xx.xx.xx:57677 172.16.40.1:57677 208.67.220.220:53 208.67.220.220:53
udp xx.xx.xx.xx:57677 172.16.40.1:57677 208.67.222.222:53 208.67.222.222:53
udp xx.xx.xx.xx:58314 172.16.40.1:58314 208.67.220.220:53 208.67.220.220:53
udp xx.xx.xx.xx:58314 172.16.40.1:58314 208.67.222.222:53 208.67.222.222:53
udp xx.xx.xx.xx:63950 172.16.40.1:63950 208.67.220.220:53 208.67.220.220:53
udp xx.xx.xx.xx:63950 172.16.40.1:63950 208.67.222.222:53 208.67.222.222:53
- IP interface brief output from my router for reference:

R1811#sh ip int brief
Any interface listed with OK? value "NO" does not have a valid configuration
Interface IP-Address OK? Method Status Protocol
Async1 unassigned YES TFTP down down
FastEthernet0 XX.XX.XX.XX YES DHCP up up
FastEthernet1 unassigned YES TFTP administratively down down
FastEthernet2 unassigned YES unset up up
FastEthernet3 unassigned YES unset up up
FastEthernet4 unassigned YES unset up down
FastEthernet5 unassigned YES unset up up
FastEthernet6 unassigned YES unset administratively down down
FastEthernet7 unassigned YES unset up up
FastEthernet8 unassigned YES unset up down
FastEthernet9 unassigned YES unset up down
Loopback0 unassigned YES TFTP up up
NVI0 unassigned YES unset administratively down down
Virtual-Access1 unassigned YES unset down down
Virtual-Access2 unassigned NO TFTP down down
Virtual-Access3 unassigned NO TFTP down down
Virtual-Access4 unassigned NO TFTP down down
Virtual-Access5 172.16.30.1 YES TFTP up up
Virtual-Access6 unassigned NO TFTP down down
Virtual-Access7 unassigned NO TFTP down down
Virtual-Template1 172.16.30.1 YES TFTP down down
Vlan1 172.16.0.1 YES NVRAM up up
Vlan10 172.16.10.1 YES NVRAM up up
Vlan20 172.16.20.1 YES NVRAM up up
Vlan30 172.16.30.1 YES NVRAM up up
The specific things I've tried so far to troubleshoot this, without success, are as follows:

- set Virtual-Template1 to ip unnumbered Fa0 (my WAN interface above) and several of the VLAN interfaces above.
- set Virtual-Template1 to not NAT
- wiresharked on the Cisco Virtual adapter -- I've confirmed DNS requests are sourced from 172.16.40.1 to the DNS servers configured, just no return traffic comes back, so it reverts to a NetBIOS resolution of any web address put in.
- traceroute to external IP addresses like 4.2.2.2: it hits the 172.16.30.1 address above, and times out after that.

Not sure if I'm missing something, or I should just forget about a full tunnel VPN config that isn't operating on a device behind my existing NAT device above. Anyone have any thoughts / comments?

Regards,
HELLFIRE
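As an added example (not from the thread or the router), the following Python evaluates the posted ACL 111 with Cisco first-match wildcard semantics against the kinds of flows discussed above, so you can see which packets the "ip nat inside source list 111" statement will translate and which bypass NAT. The LAN host addresses and flow labels are constructed sample values; the resolver and 4.2.2.2 addresses are the ones in the post.

```python
import ipaddress
from typing import List, Optional, Tuple

# ACL 111 exactly as posted in the thread; it is the match list for
# "ip nat inside source list 111 interface FastEthernet0 overload".
ACL_111 = """
access-list 111 deny ip 172.16.0.0 0.0.255.255 172.16.40.0 0.0.0.7
access-list 111 deny ip 172.16.40.0 0.0.0.7 172.16.0.0 0.0.255.255
access-list 111 permit ip 172.16.0.0 0.0.0.3 any
access-list 111 permit ip 172.16.10.0 0.0.0.255 any
access-list 111 permit ip 172.16.20.0 0.0.0.255 any
access-list 111 permit ip 172.16.30.0 0.0.0.255 any
access-list 111 permit ip 172.16.40.0 0.0.0.7 any
"""

Spec = Tuple[int, int]               # (base address, wildcard mask) as 32-bit ints
Entry = Tuple[str, str, Spec, Spec]  # (action, protocol, source spec, destination spec)


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_spec(tok: List[str], i: int) -> Tuple[Spec, int]:
    """Parse one address spec ('any', 'host A', or 'A WILDCARD') starting at tok[i]."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def parse_acl(text: str) -> List[Entry]:
    """Parse numbered extended ACL lines of the form used in the thread (IP-only matches)."""
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        src, i = _parse_spec(tok, 4)
        dst, _ = _parse_spec(tok, i)
        entries.append((tok[2], tok[3], src, dst))
    return entries


def wildcard_match(addr: int, spec: Spec) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wildcard = spec
    care = 0xFFFFFFFF ^ wildcard
    return (addr & care) == (base & care)


def evaluate(entries: List[Entry], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First matching entry wins; no match falls through to the implicit deny (line None)."""
    s, d = _ip(src), _ip(dst)
    for n, (action, proto, sspec, dspec) in enumerate(entries, start=1):
        if proto == "ip" and wildcard_match(s, sspec) and wildcard_match(d, dspec):
            return action, n
    return "deny", None


def nat_translated(entries: List[Entry], src: str, dst: str) -> bool:
    """NAT translates a flow only when the source list permits it; a deny means 'do not NAT'."""
    return evaluate(entries, src, dst)[0] == "permit"


def pool_inside_wildcard(first: str, last: str, base: str, wildcard: str) -> bool:
    """True when every address of an 'ip local pool first last' range matches base/wildcard."""
    spec = (_ip(base), _ip(wildcard))
    return all(wildcard_match(a, spec) for a in range(_ip(first), _ip(last) + 1))


# Constructed sample flows: the VPN client 172.16.40.1 from the NAT table, a Vlan10 host,
# two Vlan1 hosts, the OpenDNS resolver and 4.2.2.2 from the post.
SAMPLE_FLOWS = [
    ("VPN client -> OpenDNS (full tunnel)", "172.16.40.1", "208.67.222.222"),
    ("VPN client -> Vlan10 host", "172.16.40.1", "172.16.10.100"),
    ("Vlan10 host -> VPN client", "172.16.10.100", "172.16.40.1"),
    ("Vlan10 host -> internet", "172.16.10.100", "4.2.2.2"),
    ("Vlan1 host .2 -> internet", "172.16.0.2", "4.2.2.2"),
    ("Vlan1 host .5 -> internet", "172.16.0.5", "4.2.2.2"),
]


def report(entries: List[Entry]) -> List[Tuple[str, str, Optional[int], bool]]:
    """Evaluate each sample flow and return (label, action, matching line, translated?)."""
    rows = []
    for label, src, dst in SAMPLE_FLOWS:
        action, line = evaluate(entries, src, dst)
        rows.append((label, action, line, action == "permit"))
    return rows


if __name__ == "__main__":
    acl = parse_acl(ACL_111)
    for label, action, line, natted in report(acl):
        where = f"line {line}" if line else "implicit deny"
        print(f"{label:38} {action:6} ({where:13}) NAT: {'yes' if natted else 'no'}")
    # The VPN pool 172.16.40.1-172.16.40.5 has to sit inside the 172.16.40.0 0.0.0.7 entries.
    print("pool inside ACL wildcard:",
          pool_inside_wildcard("172.16.40.1", "172.16.40.5", "172.16.40.0", "0.0.0.7"))
```

The output agrees with the translation table in the post (client-to-resolver traffic is permitted by line 7 and translated, client-to-LAN traffic is denied by line 2 and left untranslated). It also shows that the Vlan1 entry's 0.0.0.3 wildcard covers only 172.16.0.0 through 172.16.0.3, so a Vlan1 host such as 172.16.0.5 falls through to the implicit deny and is never translated.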
Re: [HELP] IPSec VPN and DVTI -- attempting a Full Tunnel config

Full config of my router and VPN setup, with sensitive bits removed:

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.08.30 17:17:30 =~=~=~=~=~=~=~=~=~=~=~=
R1811#
R1811#term len 0
R1811#sh run
Building configuration...
Current configuration : 24670 bytes
!
! Last configuration change at 17:14:19 MDT Fri Aug 30 2013 by remotesess
! NVRAM config last updated at 17:16:53 MDT Fri Aug 30 2013 by remotesess
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
!
hostname R1811
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 16384
no logging rate-limit
no logging console
enable secret 5 [SNIP]
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login vpnuserauth local
aaa authorization exec local_authen local
aaa authorization network vpnnetworkauth local
!
!
aaa session-id unique
clock timezone MST -7
clock summer-time MDT recurring
!
!
dot11 syslog
no ip source-route
!
!
ip dhcp excluded-address 172.16.20.7 172.16.20.254
ip dhcp excluded-address 172.16.30.7 172.16.30.254
!
ip dhcp pool MADLAX
host 172.16.10.110 255.255.255.0
client-identifier 0100.1731.c406.38
default-router 172.16.10.1
dns-server 208.67.222.222 208.67.220.220 [SNIP]
!
ip dhcp pool CORE2DUO_WIRED
host 172.16.10.101 255.255.255.0
client-identifier 0100.e0b8.ae45.b1
default-router 172.16.10.1
dns-server 208.67.222.222 208.67.220.220 [SNIP]
!
ip dhcp pool CORE2DUO_WIRELESS
host 172.16.10.111 255.255.255.0
client-identifier 0100.18de.206a.77
default-router 172.16.10.1
dns-server 208.67.222.222 208.67.220.220 [SNIP]
!
ip dhcp pool VLAN20
network 172.16.20.0 255.255.255.0
default-router 172.16.20.1
dns-server 208.67.222.222 208.67.220.220 [SNIP]
lease 0 4
!
ip dhcp pool VLAN30
network 172.16.30.0 255.255.255.0
default-router 172.16.30.1
dns-server 208.67.222.222 208.67.220.220 [SNIP]
lease 0 4
!
ip dhcp pool SYSLOG
host 172.16.10.105 255.255.255.0
client-identifier 0100.40f4.2086.59
default-router 172.16.10.1
dns-server 208.67.222.222 208.67.220.220 [SNIP]
!
ip dhcp pool HELLFIRE
host 172.16.10.100 255.255.255.0
client-identifier 0100.248c.c539.2c
default-router 172.16.10.1
dns-server 208.67.222.222 208.67.220.220 [SNIP]
!
ip dhcp pool RED-OCTOBER
host 172.16.10.115 255.255.255.0
client-identifier 011c.6f65.98f3.fd
default-router 172.16.10.1
dns-server 208.67.222.222 208.67.220.220 [SNIP]
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name LCHEnterprise.com
ip ips config location flash:/ips/ retries 1
ip ips fail closed
ip ips deny-action ips-interface
ip ips name IPS_POLICY
!
ip ips signature-category
category all
retired true
category ios_ips basic
retired false
enabled true
category ios_ips advanced
retired false
enabled true
category reconnaissance icmp_host_sweeps
retired false
enabled true
category reconnaissance tcp/udp_combo_sweeps
retired false
enabled true
category reconnaissance udp_port_sweeps
retired false
enabled true
category attack general_attack
retired false
enabled true
category attack ids_evasion
retired false
enabled true
category ddos all-ddos
retired false
enabled true
category dos icmp_floods
retired false
enabled true
category dos tcp_floods
retired false
enabled true
category dos udp_floods
retired false
enabled true
category reconnaissance tcp_ports_sweeps
retired false
enabled true
!
ip inspect log drop-pkt
ip inspect udp idle-time 15
ip inspect hashtable-size 8192
ip inspect dns-timeout 2
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 1
ip inspect tcp synwait-time 15
ip inspect tcp block-non-session
ip inspect tcp max-incomplete host 25 block-time 120
ip inspect tcp reassembly timeout 2
ip inspect tcp reassembly alarm on
ip inspect name OUTBOUND_FW appfw APP_FW
ip inspect name OUTBOUND_FW fragment maximum 10 timeout 3
ip inspect name OUTBOUND_FW icmp alert off router-traffic
ip inspect name OUTBOUND_FW appleqtc alert off
ip inspect name OUTBOUND_FW bittorrent alert off
ip inspect name OUTBOUND_FW echo alert off
ip inspect name OUTBOUND_FW ftp alert off
ip inspect name OUTBOUND_FW ftps alert off
ip inspect name OUTBOUND_FW imap alert off
ip inspect name OUTBOUND_FW imap3 alert off
ip inspect name OUTBOUND_FW imaps alert off
ip inspect name OUTBOUND_FW nntp alert off
ip inspect name OUTBOUND_FW ntp alert off
ip inspect name OUTBOUND_FW pop3 alert off
ip inspect name OUTBOUND_FW pop3s alert off
ip inspect name OUTBOUND_FW router alert off
ip inspect name OUTBOUND_FW ssh alert off
ip inspect name OUTBOUND_FW smtp alert off
ip inspect name OUTBOUND_FW telnet alert off
ip inspect name OUTBOUND_FW dns alert off audit-trail off
ip inspect name OUTBOUND_FW irc alert off audit-trail on
ip inspect name OUTBOUND_FW ircs alert off audit-trail on
ip inspect name OUTBOUND_FW udp alert off router-traffic
ip inspect name OUTBOUND_FW tcp alert off router-traffic
ip inspect name INBOUND_FW fragment maximum 3 timeout 1
ip inspect name INBOUND_FW udp alert on audit-trail off router-traffic
ip inspect name INBOUND_FW tcp alert on audit-trail off router-traffic
login block-for 1800 attempts 3 within 60
login delay 2
login on-failure trap
no ipv6 cef
!
appfw policy-name APP_FW
application im aol
service default action allow alarm
service text-chat action allow alarm
audit-trail on
application im msn
service default action allow alarm
service text-chat action allow alarm
audit-trail on
application im yahoo
service default action allow alarm
service text-chat action allow alarm
audit-trail on
application http
strict-http action allow alarm
content-type-verification unknown-type action allow alarm
port-misuse im action allow alarm
port-misuse p2p action allow alarm
port-misuse tunneling action allow alarm
!
multilink bundle-name authenticated
!
!
!
username remotesess privilege 5 secret 5 [SNIP]
username localsess privilege 5 secret 5 [SNIP]
username vpn.[SNIP].user privilege 0 secret 5 $[SNIP]
!
crypto key pubkey-chain rsa
named-key realm-cisco.pub signature
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
quit
!
crypto logging session
!
crypto isakmp policy 30
encr aes 256
authentication pre-share
group 2
lifetime 3600
crypto isakmp keepalive 60 10
crypto isakmp nat keepalive 60
!
crypto isakmp client configuration group HOME_VPN_SPLIT
key [SNIP]
dns 208.67.222.222 208.67.220.220
domain LCHEnterprise.com
pool VPN_DHCP_POOL
acl VPN_SPLIT_ACL
include-local-lan
max-users 5
netmask 255.255.255.0
banner ^C
Warning Notice - Authorized Access Only. This Access Session Is Being
Monitored And Logged For Administrative And Security Purposes. If You
Are Not An Authorized User Of This System, Or Do Not Consent To Such
Monitoring Disconnect From This System Now. ^C
!
crypto isakmp client configuration group HOME_VPN_NOSPLIT
key [SNIP]
dns 208.67.222.222 208.67.220.220
domain LCHEnterprise.com
pool VPN_DHCP_POOL
include-local-lan
max-users 5
netmask 255.255.255.0
banner ^C
Warning Notice - Authorized Access Only. This Access Session Is Being
Monitored And Logged For Administrative And Security Purposes. If You
Are Not An Authorized User Of This System, Or Do Not Consent To Such
Monitoring Disconnect From This System Now. ^C
crypto isakmp profile PROFILE_HOME_VPN_SPLIT
match identity group HOME_VPN_SPLIT
client authentication list vpnuserauth
isakmp authorization list vpnnetworkauth
client configuration address respond
virtual-template 1
crypto isakmp profile PROFILE_HOME_VPN_NOSPLIT
match identity group HOME_VPN_NOSPLIT
client authentication list vpnuserauth
isakmp authorization list vpnnetworkauth
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES192-SHA esp-aes 192 esp-sha-hmac
!
crypto ipsec profile PROFILE_HOME_VPN
set transform-set ESP-AES256-SHA
set reverse-route distance 20
!
!
archive
log config
hidekeys
!
!
ip ssh maxstartups 2
ip ssh time-out 30
ip ssh authentication-retries 2
ip ssh rsa keypair-name R1811-HOME-KEY
ip ssh logging events
ip ssh version 2
!
class-map match-all COPP_POLICY_SSH
match access-group 101
!
!
policy-map COPP_POLICY
class COPP_POLICY_SSH
police rate 8 pps
conform-action transmit
exceed-action drop
violate-action drop
!
!
!
!
interface Loopback0
no ip address
!
interface Null0
no ip unreachables
!
interface FastEthernet0
description "WAN - ISP"
ip address dhcp
ip access-group INBOUND_ACL in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect INBOUND_FW in
ip inspect OUTBOUND_FW out
ip virtual-reassembly max-fragments 3 max-reassemblies 64 timeout 1
duplex auto
speed auto
no cdp enable
!
interface FastEthernet1
description "WAN - ISP - FUTURE"
ip address dhcp
ip verify unicast source reachable-via rx allow-default
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly max-fragments 3 max-reassemblies 64 timeout 1
shutdown
duplex auto
speed auto
no cdp enable
!
interface FastEthernet2
description [SNIP]
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet3
description [SNIP]
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet4
description "VLAN30 SPARE PORT"
switchport access vlan 30
spanning-tree portfast
!
interface FastEthernet5
description "LAN - TRUNK PORT - EXPANSION"
switchport trunk allowed vlan 1,10,20,30,1002-1005
switchport mode trunk
duplex full
speed 100
!
interface FastEthernet6
description "VLAN10 EXPANSION"
switchport access vlan 10
shutdown
spanning-tree portfast
!
interface FastEthernet7
description "VLAN20 SPARE PORT"
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet8
description "VLAN30 SPARE PORT"
switchport access vlan 30
spanning-tree portfast
!
interface FastEthernet9
description "LAN - TRUNK PORT - WAP"
switchport trunk allowed vlan 1,10,20,30,1002-1005
switchport mode trunk
duplex full
speed 100
!
interface Virtual-Template1 type tunnel
ip unnumbered Vlan30
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile PROFILE_HOME_VPN
!
interface Vlan1
ip address 172.16.0.1 255.255.255.0
ip nat inside
no ip virtual-reassembly
!
interface Vlan10
ip address 172.16.10.1 255.255.255.0
ip nat inside
no ip virtual-reassembly
!
interface Vlan20
ip address 172.16.20.1 255.255.255.0
ip nat inside
no ip virtual-reassembly
!
interface Vlan30
ip address 172.16.30.1 255.255.255.0
ip nat inside
no ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
ip local pool VPN_DHCP_POOL 172.16.40.1 172.16.40.5
ip forward-protocol nd
ip route 10.0.0.0 255.0.0.0 Null0
ip route 41.93.0.0 255.255.128.0 Null0
ip route 50.56.85.245 255.255.255.255 Null0
ip route 58.9.146.21 255.255.255.255 Null0
ip route 58.60.188.27 255.255.255.255 Null0
ip route 58.64.134.0 255.255.255.0 Null0
ip route 58.114.96.26 255.255.255.255 Null0
ip route 60.191.222.0 255.255.255.0 Null0
ip route 61.12.124.140 255.255.255.255 Null0
ip route 61.132.244.0 255.255.255.0 Null0
ip route 61.143.248.178 255.255.255.255 Null0
ip route 61.190.172.2 255.255.255.255 Null0
ip route 64.28.176.0 255.255.240.0 Null0
ip route 64.120.26.34 255.255.255.255 Null0
ip route 67.210.0.0 255.255.240.0 Null0
ip route 67.228.251.6 255.255.255.255 Null0
ip route 69.64.90.34 255.255.255.255 Null0
ip route 71.43.140.174 255.255.255.255 Null0
ip route 77.67.83.0 255.255.255.0 Null0
ip route 78.108.155.202 255.255.255.255 Null0
ip route 82.194.76.128 255.255.255.128 Null0
ip route 84.208.0.0 255.248.0.0 Null0
ip route 85.114.130.113 255.255.255.255 Null0
ip route 85.255.112.0 255.255.240.0 Null0
ip route 88.208.230.201 255.255.255.255 Null0
ip route 93.126.0.0 255.255.192.0 Null0
ip route 93.188.160.0 255.255.248.0 Null0
ip route 94.102.14.0 255.255.255.0 Null0
ip route 101.64.234.130 255.255.255.255 Null0
ip route 113.107.167.224 255.255.255.255 Null0
ip route 115.87.141.162 255.255.255.255 Null0
ip route 115.238.55.0 255.255.255.0 Null0
ip route 115.238.55.59 255.255.255.255 Null0
ip route 119.161.145.206 255.255.255.255 Null0
ip route 121.254.170.23 255.255.255.255 Null0
ip route 122.49.11.185 255.255.255.255 Null0
ip route 122.155.162.134 255.255.255.255 Null0
ip route 122.228.197.0 255.255.255.0 Null0
ip route 123.30.128.15 255.255.255.255 Null0
ip route 127.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
ip route 180.153.127.111 255.255.255.255 Null0
ip route 183.88.66.37 255.255.255.255 Null0
ip route 184.105.177.21 255.255.255.255 Null0
ip route 187.33.0.243 255.255.255.255 Null0
ip route 192.168.0.0 255.255.0.0 Null0
ip route 196.28.38.0 255.255.255.0 Null0
ip route 201.49.208.82 255.255.255.255 Null0
ip route 201.236.221.254 255.255.255.255 Null0
ip route 202.10.78.41 255.255.255.255 Null0
ip route 202.169.58.96 255.255.255.248 Null0
ip route 204.74.218.211 255.255.255.255 Null0
ip route 211.27.225.183 255.255.255.255 Null0
ip route 211.118.0.0 255.255.0.0 Null0
ip route 211.161.32.0 255.255.240.0 Null0
ip route 212.31.252.32 255.255.255.224 Null0
ip route 212.150.0.0 255.255.0.0 Null0
ip route 213.109.64.0 255.255.240.0 Null0
ip route 216.64.96.32 255.255.255.255 Null0
ip route 218.77.85.130 255.255.255.255 Null0
ip route 218.188.0.0 255.254.0.0 Null0
ip route 218.204.64.0 255.255.192.0 Null0
ip route 218.204.128.0 255.255.192.0 Null0
ip route 219.84.143.46 255.255.255.255 Null0
ip route 221.176.11.13 255.255.255.255 Null0
ip route 222.171.135.140 255.255.255.255 Null0
no ip http server
no ip http secure-server
!
!
ip nat inside source list 111 interface FastEthernet0 overload
!
ip access-list extended INBOUND_ACL
remark "Inbound Traffic Control ACL"
remark TCP Flag Filtering - NMAP xmas scan
deny tcp any any match-all +fin +psh +urg
remark TCP Flag Filtering - NMAP null scan
deny tcp any any match-all -ack -fin -psh -rst -syn -urg
remark TCP Flag Filtering - NMAP connect scan
deny tcp any any match-all +ack +rst
remark TCP Flag Filtering - TCP SYNFIN
deny tcp any any match-all +fin +syn
remark TCP Flag Filtering - Winnuke
deny tcp any any eq 139 match-all +urg
deny tcp any eq 0 any eq 0
deny udp any eq 0 any eq 0
remark Permitted Inbound Traffic - DHCP
permit udp any eq bootps any eq bootpc log
remark Permitted Inbound Traffic - SSH
permit tcp any any eq 22
permit udp any any eq isakmp log
permit udp any any eq non500-isakmp log
permit esp any any log
remark Cleanup Rules
deny icmp any any
deny ip 0.0.0.0 0.255.255.255 any log
deny ip host 255.255.255.255 any log
remark Permitted Inbound Traffic - DHCP
remark Permitted Inbound Traffic - VPN
deny tcp any range 0 65535 any range 0 65535 log
deny udp any range 0 65535 any range 0 65535 log
deny ip any any log
remark Permitted Inbound Traffic - DHCP
remark Permitted Inbound Traffic - VPN
ip access-list extended INBOUND_DEV
remark "Inbound Traffic Control ACL - Development"
remark TCP Flag Filtering - NMAP xmas scan
deny tcp any any match-all +fin +psh +urg
remark TCP Flag Filtering - NMAP null scan
deny tcp any any match-all -ack -fin -psh -rst -syn -urg
remark TCP Flag Filtering - NMAP connect scan
deny tcp any any match-all +ack +rst
remark TCP Flag Filtering - TCP SYNFIN
deny tcp any any match-all +fin +syn
remark TCP Flag Filtering - Winnuke
deny tcp any any eq 139 match-all +urg
deny tcp any any eq 0
deny udp any any eq 0
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 224.0.0.0 31.255.255.255 any
remark Permitted Inbound Traffic - DHCP
permit udp any eq bootps any eq bootpc log
remark Permitted Inbound Traffic - SSH
permit tcp any any eq 22
remark Permitted Inbound Traffic - DHCP
remark Permitted Inbound Traffic - VPN
permit udp any any eq isakmp log
permit udp any any eq non500-isakmp log
permit esp any any log
remark Cleanup Rules
deny icmp any any
deny ip 0.0.0.0 0.255.255.255 any log
deny ip host 255.255.255.255 any log
deny tcp any range 0 65535 any range 0 65535 log
deny udp any range 0 65535 any range 0 65535 log
deny ip any any log
remark Permitted Inbound Traffic - DHCP
remark Permitted Inbound Traffic - VPN
ip access-list extended VPN_SPLIT_ACL
permit ip 172.16.10.0 0.0.0.255 172.16.40.0 0.0.0.7
permit ip 172.16.20.0 0.0.0.255 172.16.40.0 0.0.0.7
permit ip 172.16.30.0 0.0.0.255 172.16.40.0 0.0.0.7
!
logging trap debugging
logging 172.16.10.105
access-list 1 permit 172.16.0.0 0.0.0.3
access-list 1 permit 172.16.10.0 0.0.0.255
access-list 1 permit 172.16.20.0 0.0.0.255
access-list 1 permit 172.16.30.0 0.0.0.255
access-list 1 permit 172.16.40.0 0.0.0.7
access-list 60 permit 172.16.10.105
access-list 101 permit tcp any any eq 22
access-list 111 deny ip 172.16.0.0 0.0.255.255 172.16.40.0 0.0.0.7
access-list 111 deny ip 172.16.40.0 0.0.0.7 172.16.0.0 0.0.255.255
access-list 111 permit ip 172.16.0.0 0.0.0.3 any
access-list 111 permit ip 172.16.10.0 0.0.0.255 any
access-list 111 permit ip 172.16.20.0 0.0.0.255 any
access-list 111 permit ip 172.16.30.0 0.0.0.255 any
access-list 111 permit ip 172.16.40.0 0.0.0.7 any
!
!
!
!
!
snmp-server community publicreadonly RO 60
snmp-server location SysLog
snmp-server contact SysLog
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps adslline
snmp-server enable traps flash insertion removal
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps envmon
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps atm subif
snmp-server enable traps bgp
snmp-server enable traps bulkstat collection transfer
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps dlsw
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps ipsla
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps pw vc
snmp-server enable traps event-manager
snmp-server enable traps firewall serverstatus
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
!
control-plane
service-policy input COPP_POLICY
!
banner login ^CCCC
##########################################################################
# #
# !!WARNING NOTICE!! #
# This system is restricted solely to authorized users only. The actual #
# or attempted unauthorized access, use or modification of this system #
# is strictly prohibited. Unauthorized users are subject to criminal #
# and civil penalties under provincial, federal or other applicable #
# domestic and foreign laws. The use of this system is monitored and #
# recorded for administrative and security purposes. Anyone accessing #
# this system expressly consents to such monitoring and is advised that #
# if such monitoring reveals possible evidence of criminal activity, #
# the evidence of such activity will be provided to law enforcement #
# officials. If you do not consent to such monitoring disconnect from #
# this system now. #
# #
##########################################################################
^C
banner motd ^CCCC
##########################################################################
# #
# !!WARNING NOTICE!! #
# This system is restricted solely to authorized users only. The actual #
# or attempted unauthorized access, use or modification of this system #
# is strictly prohibited. Unauthorized users are subject to criminal #
# and civil penalties under provincial, federal or other applicable #
# domestic and foreign laws. The use of this system is monitored and #
# recorded for administrative and security purposes. Anyone accessing #
# this system expressly consents to such monitoring and is advised that #
# if such monitoring reveals possible evidence of criminal activity, #
# the evidence of such activity will be provided to law enforcement #
# officials. If you do not consent to such monitoring disconnect from #
# this system now. #
# #
##########################################################################
^C
!
line con 0
logging synchronous
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
exec-timeout 5 0
authorization exec local_authen
logging synchronous
login authentication local_authen
transport input telnet ssh
transport output telnet ssh
!
ntp logging
ntp update-calendar
ntp server 136.159.2.9 prefer
ntp server 142.3.100.15
ntp server 209.87.233.53
ntp server 136.159.10.81
end
R1811#
RyanG1 (Premium Member, join:2002-02-10, San Antonio, TX) to HELLFIRE:

interface Virtual-Template1 type tunnel
ip unnumbered Vlan30

needs to be

interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0
You have almost the exact same setup I have; however, I'm using ZBFW instead of CBAC inspects.
I was able to test mine and I can get out to the internet with tunneling everything over the IPSEC VTI.
Try that out and test. It is worth pointing out that while this setup works on a PC, I cannot get an Android device to work properly to tunnel everything.
Ryan
Forgot to redact my public IP address from my NAT translation table. Thanks for responding RyanG1, I actually did try using my Fa0 interface as the ip unnumbered interface earlier without success; I'll try it again and see... Also got talking with a couple of coworkers over the weekend... the running theory is with routing as to why this isn't working. I'll have to get a "show ip route" and some other output the next time I try this again...

Regards
to HELLFIRE
I look forward to your progress on this. I decided to close my laptop and tell my 1841 to kick rocks for the holiday weekend so I can restart with a fresh mind.

RyanG1 (Premium Member, join:2002-02-10, San Antonio, TX) to HELLFIRE:
If need be, I can post my config for my 1921 that has the setup. I still can't get my Android devices to tunnel everything though, so I'm guessing it has something to do with the latest build of Jelly Bean 4.3.
Ryan
@tired_runner If any of this helps you out at all man, happy to be of service... Also, I was thinking of rigging up a VPN on my end BEHIND my NAT / firewall device... if you want to be the guinea pig and remote into it sometime?

So I repointed my virtual-template interface back to my Fa0 interface and gathered the following outputs:

R1811#sh int virtual-temp 1
Virtual-Template1 is down, line protocol is down
Hardware is Virtual Template interface
Interface is unnumbered. Using address of FastEthernet0 (XX.XX.XX.XX)
MTU 17940 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source UNKNOWN
Tunnel protocol/transport IPSEC/IP
Tunnel TOS/Traffic Class Configuration: test tos configuration (alt: 0x0), Tunnel TTL 255
Tunnel transport MTU 1500 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "PROFILE_HOME_VPN")
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
While I had a client remoted in, gathered the following and confirmed that web browsing was STILL not working.

R1811#sh ip int brief
Any interface listed with OK? value "NO" does not have a valid configuration
Interface IP-Address OK? Method Status Protocol
Async1 unassigned YES TFTP down down
FastEthernet0 XX.XX.XX.XX YES DHCP up up
FastEthernet1 unassigned YES TFTP administratively down down
FastEthernet2 unassigned YES unset up up
FastEthernet3 unassigned YES unset up up
FastEthernet4 unassigned YES unset up down
FastEthernet5 unassigned YES unset up up
FastEthernet6 unassigned YES unset administratively down down
FastEthernet7 unassigned YES unset up up
FastEthernet8 unassigned YES unset up down
FastEthernet9 unassigned YES unset up down
Loopback0 unassigned YES TFTP up up
NVI0 unassigned YES unset administratively down down
Virtual-Access1 unassigned YES unset down down
Virtual-Access2 unassigned NO TFTP down down
Virtual-Access3 unassigned NO TFTP down down
Virtual-Access4 unassigned NO TFTP down down
Virtual-Access5 unassigned NO TFTP down down
Virtual-Access6 XX.XX.XX.XX YES TFTP up up
Virtual-Access7 unassigned NO TFTP down down
Virtual-Template1 XX.XX.XX.XX YES TFTP down down
Vlan1 172.16.0.1 YES NVRAM up up
Vlan10 172.16.10.1 YES NVRAM up up
Vlan20 172.16.20.1 YES NVRAM up up
Vlan30 172.16.30.1 YES NVRAM up up
The following shows that while remoted in, the router doesn't know about the 172.16.40.x network in general, but DOES know about the client remoting in, and routes to it via the created virtual-access interface:
R1811#sh ip route 172.16.40.0
% Subnet not in table
R1811#sh ip ro 172.16.40.3
Routing entry for 172.16.40.3/32
Known via "static", distance 20, metric 0
Routing Descriptor Blocks:
* YY.YY.YY.YY, via Virtual-Access6
Route metric is 0, traffic share count is 1
Something I was curious about was the interface statistics of the actual virtual access interface itself:
R1811#sh int virtual-access 6
Virtual-Access6 is up, line protocol is up
Hardware is Virtual Access interface
Interface is unnumbered. Using address of FastEthernet0 (68.144.220.106)
MTU 17862 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL
Tunnel vaccess, cloned from Virtual-Template1
Vaccess status 0x4, loopback not set
Keepalive not set
Tunnel source XX.XX.XX.XX, destination YY.YY.YY.YY
Tunnel protocol/transport IPSEC/IP
Tunnel TOS/Traffic Class Configuration: test tos configuration (alt: 0x0), Tunnel TTL 255
Tunnel transport MTU 1422 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "PROFILE_HOME_VPN")
Last input never, output never, output hang never
Last clearing of "show interface" counters 4d00h
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
15 packets input, 1226 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
I was able to confirm that address XX.XX.XX.XX is the WAN IP address on my R1811. YY.YY.YY.YY is the WAN IP address that the remote client is coming from... so THAT part seems to be working right. So now I'm wondering if routing or NAT (order of operations) isn't what's borking it. Just for chuckles, I adjusted the Virtual-Template 1 config to specify "tunnel source [one of the VLAN SVIs above]". Immediately after configuring, now the remote access client can't connect for the following reason: "secure VPN connection terminated by Peer. Reason 433: reason not specified by peer"
Unfortunately also, I'm locked out of my 1811 as remote SSH access is down till I can contact someone to reboot it... helluva time to forget to issue a "reload in" command while doing this.... :( :( @RyanG1 If you can post that 1921 config... that'd be helpful. Also, can you get me the same outputs above with your working config and a remote client connected? I want to compare to see if I'm missing something here. I'm also wondering under my crypto isakmp profile if I need to add the following:
crypto isakmp profile [profile-name]
match identity [addressip] [addressmask]
the IP and mask being the 172.16.40.x range of my clients... thoughts on that?
Regards
RyanG1
to HELLFIRE
Here is my running config: » www.switchbored.net/nat-gw1.txt
Below is the interface info and the IPSEC and ISAKMP SAs:
nat-gw1#sh int vi1
Virtual-Access1 is up, line protocol is up
Hardware is Virtual Access interface
Interface is unnumbered. Using address of GigabitEthernet0/0 (24.243.xx.xx)
MTU 17878 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL
Tunnel vaccess, cloned from Virtual-Template1
Vaccess status 0x4, loopback not set
Keepalive not set
Tunnel source 24.243.xx.xx, destination 50.56.xx.xx
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Tunnel transport MTU 1438 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "profile_home_vpn")
Last input never, output never, output hang never
Last clearing of "show interface" counters 3d03h
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec
30839 packets input, 2332057 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
34125 packets output, 17457768 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
nat-gw1#sh cry isa
% Incomplete command.
nat-gw1#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
24.243.xx.xx 50.56.xx.xx QM_IDLE 1040 ACTIVE
IPv6 Crypto ISAKMP SA
nat-gw1#sh cry ipsec sa
interface: Virtual-Access1
Crypto map tag: Virtual-Access1-head-0, local addr 24.243.xx.xx
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.237.20/255.255.255.255/0/0)
current_peer 50.56.xx.xx port 56668
PERMIT, flags={origin_is_acl,}
#pkts encaps: 34127, #pkts encrypt: 34127, #pkts digest: 34127
#pkts decaps: 30841, #pkts decrypt: 30841, #pkts verify: 30841
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 24.243.xx.xx, remote crypto endpt.: 50.56.xx.xx
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x9A3C4DB3(2587643315)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x16BBB7E5(381401061)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2935, flow_id: Onboard VPN:935, sibling_flags 80000040, crypto map: Virtual-Access1-head-0
sa timing: remaining key lifetime (k/sec): (4333636/2170)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x9A3C4DB3(2587643315)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2936, flow_id: Onboard VPN:936, sibling_flags 80000040, crypto map: Virtual-Access1-head-0
sa timing: remaining key lifetime (k/sec): (4333620/2170)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
Thanks for that RyanG1, will review it when I clear the cobwebs from my brain. NOW where my brain is after taking a look at the output above is why you would point the DVTI interface to the WAN interface / IP address and call it "nat inside," which from a logical standpoint doesn't make sense to me -- that's why earlier I'd thought that pointing it at an inside SVI was the key to pull traffic FROM the Fa0 interface INTO the router to be decrypted / NAT'd. Idunno... back to the drawing board I go...
Regards
RyanG1
to HELLFIRE
The reason why the template is configured as unnumbered for the outside interface is to build the tunnel (the IP of the public interface will become the tunnel source). It's similar to applying a crypto map to the public interface when doing traditional IPSEC tunnels to determine which traffic brings up the IPSEC tunnel(s).
As for the ip nat inside, once the tunnel is built I want the traffic riding the tunnel to be considered internal and to hairpin out from that tunnel interface and onto the public interface and to be considered for NAT if it matches the NAT ACL (when in reality it's coming in the same physical interface that it will exit on).
The same logic applies to the zone member association to the inside zone. I want this traffic to not be filtered when reaching anything else deemed inside. You could also create a dedicated zone for the VPN and filter if you so desired.
Ryan
Okay, THAT makes a little more sense RyanG1. Million dollar question at this point that I can see is while the tunnel's built, exactly WHAT is my router doing with it... of which I may have to enable debugs or something. Like Network Guy, the fact that tunneling to my LAN hosts works proves the tunnel's working... the question now is I THINK about the hairpinning / routing part, and I'm contemplating trying that route-map idea that was suggested once.
Regards
RyanG1
to HELLFIRE
Since you are using CBAC (ip inspect) you can try disabling that on the interfaces you have it turned on and see if that helps. I tried with ZBFW enabled and disabled and it worked fine.
Ryan
I tried dissecting your config to make it work on my end. But now I keep getting this:
*Sep 6 20:57:48.199: map_db_find_best did not find matching map
*Sep 6 20:57:48.199: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-null esp-md5-hmac }
*Sep 6 20:57:48.199: map_db_find_best did not find matching map
*Sep 6 20:57:48.199: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-null esp-sha-hmac }
But what's even scarier is that the router allows the inbound connection without me having added a port forward for NAT traversal. I think I see why I'd want to enable ZBFW. I shall keep playing with this. Your config was challenging to pick apart for the relevant pieces to HELLFIRE's puzzle as well as mine. :D
RyanG1
to HELLFIRE
If you want to post a config I can look into it. As for the part about not needing a port forward, this is sitting directly on the internet so you could filter it via an ACL applied inbound on the public interface.
Ryan
@RyanG1 As in a "no ip inspect" then reapplying "ip inspect" ? Or as in remove it entirely?
@Network Guy Error messages sound like a phase 2 mismatch... might want to look at that.
Regards
to HELLFIRE
Alright... So Ryan is the man... Got it working. That's pretty genius of you to figure out making the virtual template interface a NAT inside interface. My hat's off to you. Here's his magical config at work as it applies to my router. Finally have myself a full tunnel.
quote:
Building configuration...
Current configuration : 6542 bytes
!
! Last configuration change at 21:46:15 UTC Mon Sep 9 2013 by me
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash:c1841-adventerprisek9-mz.151-4.M1.bin
boot-end-marker
!
!
enable secret 5 xxx
!
aaa new-model
!
!
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sslvpn_test local
aaa authentication login ipsecvpn local
aaa authorization network ipsecvpn local
!
!
!
!
!
aaa session-id common
!
dot11 syslog
no ip source-route
!
!
!
!
!
ip cef
ip domain name homenet.local
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1076092965
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1076092965
revocation-check none
rsakeypair TP-self-signed-1076092965
!
!
crypto pki certificate chain TP-self-signed-1076092965
certificate self-signed 01
xxxxxxxxx 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31303736 30393239 3635301E 170D3133 30383237 30313538
32325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30373630
39323936 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B617 89998ED1 0593709A 2927FE25 D879B5AE 044536B8 2337B31A 43D040D6
DA1F4D02 A2A8A8F3 532F4D05 C1719E37 7C74C1B6 58334311 1A332B77 E21433DA
9919A9F9 E647E6CE 8257FE81 D00C2A32 650BD4F6 8CF82032 687890F9 2275A1AD
9EB8DA97 2F1BE517 47070B7B C8C3F909 539D83AB A921B7DF 5F8779DC 08CFBDA1
93C50203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 1410E081 9C7DB86C D0E59B40 D1F36C7F 5FC36C0E EB301D06
03551D0E 04160414 10E0819C 7DB86CD0 E59B40D1 F36C7F5F C36C0EEB 300D0609
2A864886 F70D0101 05050003 8181006A 2E718F86 F21ED1BE 34001519 6F5A74D3
940F7DC5 A5766515 0974434C 3ED7ED3C 0325CC43 5F029070 197C3D48 627FBA9D
1D58A31C A6DD3C15 06E675C0 EA958ADC C55E12D0 08EE723C 2F098C3D 11DBFE5E
3EC997D0 BA7F0298 3D9E06C8 0E2FA070 7F1E8D29 4C83183D 0E452BA5 5BCA102A
635437F3 3D9E3045 1BB44254 2BEAA9
quit
!
!
username fwwebadmin privilege 15 password 7 xxx
username xxx privilege 15 password 7 xxx
!
redundancy
!
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp client configuration group ipsec_full_tunnel
key xxx
dns 10.17.12.2
pool ipsecvpnclients
crypto isakmp profile isa_prof_ipsec_full_tunnel
match identity group ipsec_full_tunnel
client authentication list ipsecvpn
isakmp authorization list ipsecvpn
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile prof_ipsec_full_vpn
set transform-set ESP-3DES-SHA
set reverse-route distance 20
!
!
!
!
!
!
interface Loopback0
ip address 10.18.12.25 255.255.255.248
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address 10.17.12.3 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
!
interface Virtual-Template1
no ip address
!
interface Virtual-Template2 type tunnel
ip unnumbered FastEthernet0/1
ip flow ingress
ip nat inside
ip virtual-reassembly in
tunnel mode ipsec ipv4
tunnel protection ipsec profile prof_ipsec_full_vpn
!
interface Dialer0
no ip address
!
ip local pool sslvpnclients 10.18.12.26 10.18.12.30
ip local pool ipsecvpnclients 10.18.12.33 10.18.12.38
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat translation udp-timeout 10
ip nat inside source list 100 interface FastEthernet0/1 overload
ip nat inside source static udp 10.17.12.18 5060 interface FastEthernet0/1 5060
ip nat inside source static tcp 10.17.12.2 5900 interface FastEthernet0/1 5900
ip nat inside source static tcp 10.17.12.2 143 interface FastEthernet0/1 143
ip nat inside source static tcp 10.17.12.2 60002 interface FastEthernet0/1 60002
ip nat inside source static tcp 10.17.12.2 60001 interface FastEthernet0/1 60001
ip nat inside source static tcp 10.17.12.2 60000 interface FastEthernet0/1 60000
ip nat inside source static tcp 10.17.12.2 990 interface FastEthernet0/1 990
ip nat inside source static tcp 10.17.12.82 8062 interface FastEthernet0/1 8062
ip nat inside source static tcp 10.17.12.2 25 interface FastEthernet0/1 25
ip nat inside source static tcp 10.17.12.3 22 interface FastEthernet0/1 22
ip nat inside source static tcp 10.17.12.2 80 interface FastEthernet0/1 80
ip nat inside source static tcp 10.17.12.3 443 interface FastEthernet0/1 443
ip route 0.0.0.0 0.0.0.0 24.188.xx.xx 254
ip route 0.0.0.0 0.0.0.0 24.188.xx.xx 254
!
access-list 100 permit ip 10.17.12.0 0.0.0.255 any
access-list 100 permit ip 10.18.12.0 0.0.0.255 any
access-list 101 permit tcp 10.17.12.0 0.0.0.255 any eq 22
access-list 101 permit tcp 10.17.12.0 0.0.0.255 any eq telnet
access-list 101 permit tcp host 143.104.xxx.xxx any eq 22
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
access-class 101 in
exec-timeout 0 0
privilege level 15
password 7 xxx
transport input ssh
line vty 5 15
access-class 101 in
exec-timeout 0 0
privilege level 15
password 7 xxx
transport input ssh
!
scheduler allocate 20000 1000
!
webvpn gateway gateway_1
ip address 10.17.12.3 port 443
http-redirect port 80
ssl trustpoint TP-self-signed-1076092965
inservice
!
webvpn install svc flash:/webvpn/sslclient-win-1.1.4.176.pkg sequence 1
!
webvpn context router
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
!
!
policy group policy_1
functions svc-enabled
svc address-pool "sslvpnclients" netmask 255.255.255.248
svc default-domain "homenet.local"
svc keep-client-installed
svc dns-server primary 10.17.12.2
!
policy group group_1
default-group-policy policy_1
aaa authentication list sdm_vpn_xauth_ml_1
gateway gateway_1
inservice
!
end
Thought about it some more...
Changed the configs...
Thought about it some more...
Reread RyanG1's configs...
Took a look at Network Guy's update...
Happy for ya man that you got it working! That a working full tunnel IPSec _AND_ SSL connection? IIRC, RyanG1 mentioned the DVTI option in your original thread, but I guess we were all bashing our heads against the wall about the whole thing by that point.
Question for you Network Guy, do you have a 12.4T train code for your 1841 that you could load and try this working config on? The _ONLY_ diff I can find at this time is that you and RyanG1 are on 15.x code, but I'm still running 12.4T. I'd be happy to turn off IP INSPECT if I were testing this in the lab, but I'm REALLY not s**thot to do that on my actual internet-facing router... just from a personal comfort level.
Regards
RyanG1
to HELLFIRE
Hey hellfire, I didn't mean to suggest permanently leaving it off but more as a means to test. If 12.4 code existed for the 1921 I'd downgrade to test it out. I'm not sure what may have changed from the 12.4T line going into 15.x code other than maybe order of operations but that's as much as I can guess.
Glad you got yours working Network Guy, this is the same type of tunnel that you would have without the actual virtual interfaces; I just prefer this way so that I can create service policies and assign it to a zone.
Ryan
to HELLFIRE
Yeah, I think he mentioned it but I was busy trying not to slam the keyboard against the wall in frustration. That's only a full IPsec tunnel. I couldn't try Ryan's approach with the SSL portion of it; only split. The SSL VPN configuration templates I've read on Cisco have nothing in common with his stuff, and I can theoretically keep trying other scenarios but that will only encourage more head banging against the wall, like you were. I think I have 12.4T in my collection. I'll load it tonight and test it.
tired_runner
to RyanG1
Thanks man.. That was very helpful..
So wait... What would be the trick if I didn't use VTI for this purpose?
RyanG1
to HELLFIRE
Virtual tunnels will not work with SSL as it's an entirely different setup in IOS. This is an alternative to configuring a crypto map on the public interface and building the tunnel the standard way. The caveat is that it becomes....tedious... to apply filtering, inspection, policing, etc. the standard method.
This just takes an IPSEC policy and uses it to encrypt the tunnel interface's traffic to the end host.
Ryan
to HELLFIRE
Alright hellfire... I copied 12.4T and let it rip... It came right back up and the full tunnel still works. I posted the config.. Still the same as before; plus or minus the differences that the newer IOS adds..
Router#sh crypto ipsec sa
interface: Virtual-Access2
Crypto map tag: Virtual-Access2-head-0, local addr 24.188.xxx.xxx
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.18.12.33/255.255.255.255/0/0)
current_peer 172.56.35.xxx port 31958
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3665, #pkts encrypt: 3665, #pkts digest: 3665
#pkts decaps: 4710, #pkts decrypt: 4710, #pkts verify: 4710
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 24.188.xxx.xxx, remote crypto endpt.: 172.56.35.xxx
path mtu 1500, ip mtu 1500
current outbound spi: 0xE2BE37F0(3804116976)
inbound esp sas:
spi: 0x51CEC1B9(1372504505)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2001, flow_id: FPGA:1, crypto map: Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4574588/3254)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xE2BE37F0(3804116976)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2002, flow_id: FPGA:2, crypto map: Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4574904/3251)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Building configuration...
Current configuration : 5826 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash:c1841-advsecurityk9-mz.124-2.T1.bin
boot-end-marker
!
enable secret 5 xxx
!
aaa new-model
!
!
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sslvpn_test local
aaa authentication login ipsecvpn local
aaa authorization network ipsecvpn local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
ip domain name homenet.local
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1076092965
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1076092965
revocation-check none
rsakeypair TP-self-signed-1076092965
!
!
crypto pki certificate chain TP-self-signed-1076092965
certificate self-signed 01
xxxxxxxxx 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31303736 30393239 3635301E 170D3133 30393131 30303539
31305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30373630
39323936 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B617 89998ED1 0593709A 2927FE25 D879B5AE 044536B8 2337B31A 43D040D6
DA1F4D02 A2A8A8F3 532F4D05 C1719E37 7C74C1B6 58334311 1A332B77 E21433DA
9919A9F9 E647E6CE 8257FE81 D00C2A32 650BD4F6 8CF82032 687890F9 2275A1AD
9EB8DA97 2F1BE517 47070B7B C8C3F909 539D83AB A921B7DF 5F8779DC 08CFBDA1
93C50203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
551D1104 18301682 14526F75 7465722E 686F6D65 6E65742E 6C6F6361 6C301F06
03551D23 04183016 801410E0 819C7DB8 6CD0E59B 40D1F36C 7F5FC36C 0EEB301D
0603551D 0E041604 1410E081 9C7DB86C D0E59B40 D1F36C7F 5FC36C0E EB300D06
092A8648 86F70D01 01040500 03818100 A468ECCF 48A36E54 E54F5EC5 10E65BC1
7D2669C4 BA6343F7 352A9FC2 21B5AF6E 9626D977 1089AABD 1EC8CE11 2848C3F2
DE5A6418 421C9FD3 2537A2E4 79ECBCED 2C7EF9C7 1C6557CB 77C28812 66565BD7
C783349D 8A7CF40C 0CB459B4 4FFC14F7 4FB2F950 0ACE65C0 B8BFCD75 66D01010
0074EE65 9E195CB1 B6FA9860 B0586FEF
quit
username fwwebadmin privilege 15 password 7 xxx
username xxx privilege 15 password 7 xxx
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp client configuration group ipsec_full_tunnel
key xxx
dns 10.17.12.2
pool ipsecvpnclients
crypto isakmp profile isa_prof_ipsec_full_tunnel
match identity group ipsec_full_tunnel
client authentication list ipsecvpn
isakmp authorization list ipsecvpn
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile prof_ipsec_full_vpn
set transform-set ESP-3DES-SHA
!
!
!
!
interface Loopback0
ip address 10.18.12.25 255.255.255.248
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address 10.17.12.3 255.255.255.0
ip nat inside
ip virtual-reassembly
no snmp trap link-status
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
!
interface Virtual-Template1
no ip address
!
interface Virtual-Template2 type tunnel
ip unnumbered FastEthernet0/1
ip flow ingress
ip nat inside
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile prof_ipsec_full_vpn
!
interface Dialer0
no ip address
!
ip local pool sslvpnclients 10.18.12.26 10.18.12.30
ip local pool ipsecvpnclients 10.18.12.33 10.18.12.38
ip classless
ip route 0.0.0.0 0.0.0.0 24.188.xxx.1 254
!
ip http server
ip http authentication local
ip http secure-server
ip nat translation udp-timeout 10
ip nat inside source list 100 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.17.12.3 443 interface FastEthernet0/1 443
ip nat inside source static tcp 10.17.12.2 80 interface FastEthernet0/1 80
ip nat inside source static tcp 10.17.12.3 22 interface FastEthernet0/1 22
ip nat inside source static tcp 10.17.12.2 25 interface FastEthernet0/1 25
ip nat inside source static tcp 10.17.12.82 8062 interface FastEthernet0/1 8062
ip nat inside source static tcp 10.17.12.2 990 interface FastEthernet0/1 990
ip nat inside source static tcp 10.17.12.2 60000 interface FastEthernet0/1 60000
ip nat inside source static tcp 10.17.12.2 60001 interface FastEthernet0/1 60001
ip nat inside source static tcp 10.17.12.2 60002 interface FastEthernet0/1 60002
ip nat inside source static tcp 10.17.12.2 143 interface FastEthernet0/1 143
ip nat inside source static tcp 10.17.12.2 5900 interface FastEthernet0/1 5900
ip nat inside source static udp 10.17.12.18 5060 interface FastEthernet0/1 5060
!
access-list 10 permit 4.79.142.200
access-list 100 permit ip 10.17.12.0 0.0.0.255 any
access-list 100 permit ip 10.18.12.0 0.0.0.255 any
access-list 101 permit tcp 10.17.12.0 0.0.0.255 any eq 22
access-list 101 permit tcp 10.17.12.0 0.0.0.255 any eq telnet
access-list 101 permit tcp host 143.104.xxx.xxx any eq 22
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
access-class 101 in
exec-timeout 0 0
privilege level 15
password 7 xxx
transport input ssh
line vty 5 15
access-class 101 in
exec-timeout 0 0
privilege level 15
password 7 xxx
transport input ssh
!
scheduler allocate 20000 1000
end
@RyanG1 Did you still have your 891 that you originally had the DVTI config you sent, and 12.4T code for it?
Well bugger about SSL (so far) not being able to do full tunnel... and I got enough to think about right now that I want to leave SSL VPN alone for a bit. If I come across anything, will definitely share.
@Network Guy Thanks for sharing / testing as well... looks like the only thing not present is the CBAC... which seems to swing things back towards taking off the CBAC inspect on my end and trying that out... I'll give it a shot at least. Nothing to lose at this point.
Regards
RyanG1
to HELLFIRE
Unfortunately no, I do not have that device any longer but I do have an 1841 router.
Ryan
Happy to report that after removing "ip inspect INBOUND_FW in" from my WAN interface and firing up the VPN client, full tunnel worked as expected -- tried a few websites, pinged to 4.2.2.2 to test. Also, checking my WAN IP address also confirmed this as seeing the public ip address XX.XX.XX.XX from my router below:
R1811#sh ip nat trans | i 172.16.40
tcp XX.XX.XX.XX:1129 172.16.40.2:1129 54.230.141.116:80 54.230.141.116:80
tcp XX.XX.XX.XX:1130 172.16.40.2:1130 54.230.141.116:80 54.230.141.116:80
tcp XX.XX.XX.XX:1131 172.16.40.2:1131 54.230.141.116:80 54.230.141.116:80
tcp XX.XX.XX.XX:1134 172.16.40.2:1134 54.230.141.116:80 54.230.141.116:80
tcp XX.XX.XX.XX:1212 172.16.40.2:1212 8.27.236.252:80 8.27.236.252:80
tcp XX.XX.XX.XX:1213 172.16.40.2:1213 54.230.141.116:80 54.230.141.116:80
tcp XX.XX.XX.XX:1215 172.16.40.2:1215 54.230.141.116:80 54.230.141.116:80
tcp XX.XX.XX.XX:1216 172.16.40.2:1216 54.230.141.116:80 54.230.141.116:80
tcp XX.XX.XX.XX:1218 172.16.40.2:1218 54.230.141.116:80 54.230.141.116:80
tcp XX.XX.XX.XX:1230 172.16.40.2:1230 176.32.101.81:80 176.32.101.81:80
tcp XX.XX.XX.XX:1232 172.16.40.2:1232 74.125.239.128:443 74.125.239.128:443
R1811# sh ip int brief
Interface IP-Address OK? Method Status Protocol
Async1 unassigned YES NVRAM down down
FastEthernet0 XX.XX.XX.XX YES DHCP up up
FastEthernet1 unassigned YES NVRAM administratively down down
FastEthernet2 unassigned YES unset up up
FastEthernet3 unassigned YES unset up up
FastEthernet4 unassigned YES unset up down
FastEthernet5 unassigned YES unset up up
FastEthernet6 unassigned YES unset administratively down down
FastEthernet7 unassigned YES unset up up
FastEthernet8 unassigned YES unset up down
FastEthernet9 unassigned YES unset up down
Loopback0 unassigned YES NVRAM up up
NVI0 unassigned YES unset administratively down down
Virtual-Access1 unassigned YES unset down down
Virtual-Access2 XX.XX.XX.XX YES TFTP up up
Virtual-Template1 XX.XX.XX.XX YES TFTP down down
Vlan1 172.16.0.1 YES NVRAM up up
Vlan10 172.16.10.1 YES NVRAM up up
Vlan20 172.16.20.1 YES NVRAM up up
Vlan30 172.16.30.1 YES NVRAM up up
Address YY.YY.YY.YY confirmed to be the public address client 172.16.40.2 is coming from.
R1811#sh int virtual-acc 2
Virtual-Access2 is up, line protocol is up
Hardware is Virtual Access interface
Interface is unnumbered. Using address of FastEthernet0 (XX.XX.XX.XX)
MTU 17862 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 138/255, rxload 2/255
Encapsulation TUNNEL
Tunnel vaccess, cloned from Virtual-Template1
Vaccess status 0x0, loopback not set
Keepalive not set
Tunnel source XX.XX.XX.XX, destination YY.YY.YY.YY
Tunnel protocol/transport IPSEC/IP
Tunnel TOS/Traffic Class Configuration: test tos configuration (alt: 0x0), Tunnel TTL 255
Tunnel transport MTU 1422 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "PROFILE_HOME_VPN")
Last input never, output never, output hang never
Last clearing of "show interface" counters 00:10:11
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 1000 bits/sec, 22 packets/sec
5 minute output rate 255000 bits/sec, 22 packets/sec
20562 packets input, 1174841 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
20217 packets output, 25925426 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
R1811#sh ip ro 172.16.40.2
Routing entry for 172.16.40.2/32
Known via "static", distance 20, metric 0
Routing Descriptor Blocks:
* YY.YY.YY.YY, via Virtual-Access2
Route metric is 0, traffic share count is 1
R1811#sh cryp ipsec sa
interface: Virtual-Access2
Crypto map tag: Virtual-Access2-head-0, local addr XX.XX.XX.XX
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.40.2/255.255.255.255/0/0)
current_peer YY.YY.YY.YY port 1084
PERMIT, flags={origin_is_acl,}
#pkts encaps: 20297, #pkts encrypt: 20297, #pkts digest: 20297
#pkts decaps: 20657, #pkts decrypt: 20657, #pkts verify: 20657
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 1
local crypto endpt.: XX.XX.XX.XX, remote crypto endpt.: 68.145.101.228
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0xBE8AE200(3196772864)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x9450795(155518869)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3, flow_id: Onboard VPN:3, sibling_flags 80000046, crypto map:
Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4508967/3093)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xBE8AE200(3196772864)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 4, flow_id: Onboard VPN:4, sibling_flags 80000046, crypto map:
Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4488827/3093)
Rereading your whole config, RyanG1, you've got inbound ZBFW coming in AND a full tunnel config. So I wonder what part of inbound CBAC wasn't playing nice with this that stopped full tunnel from working then... now I'm REALLY interested in this... Least now I know what I have to do to get it to work... problem is it seems to open ANOTHER security hole in the process -- removes inbound inspection. _OR_ I get around to getting a working ZBFW config into place... ...choices, choices... tired_runner, are you planning / doing any sort of firewall config onto your box since you got this working yourself? Regards
I need to get a firewall going. I just discovered my PBX was potentially compromised by the DoD recently. They apparently want to listen in on my dirty convos with the females I deal with. LOL
I need to understand the order of operations for NAT. I attempted to get an ACL going to block incoming traffic to specific internal hosts and have not had any success so far.
Dirty conversations with women? Who doesn't want to listen in on that? I attached a NAT order of operations for 12.3(8)T, if that helps. Otherwise, you know we're here to help out, tired_runner. Regards
Who would have thought :D I guess I'm puzzled by how it's processing inbound traffic to hosts on the inside for which I have port mappings. For example, my Apache server is running on port 80, so naturally I have this on the list:
ip nat inside source static tcp 10.17.12.2 80 interface FastEthernet0/1 80
To test, I'm trying to block my own IP address at work from accessing the Apache box by using this:
21 deny tcp host xxx.104.198.xxx host 10.17.12.2 eq www
But it still allows the traffic. And I get it; the ACL is filtering traffic in the opposite direction from the one I'm trying to filter. So I also tried setting an inbound ACL on the Internet-facing interface and using this:
21 deny tcp host xxx.104.198.xxx host 10.17.12.2 eq www
But it still allows the traffic. The only way I can block any inbound traffic at all to hosts behind NAT is if I block it all this way:
21 deny tcp host xxx.104.198.xxx any eq www (6 matches)
And well... That seems a little counter-intuitive. Here's what my ACLs look like now...
Extended IP access list 100
10 deny ip any 22.0.0.0 0.255.255.255 (247 matches)
20 deny udp any 22.0.0.0 0.255.255.255
30 permit ip 10.17.12.0 0.0.0.255 any (49514 matches)
40 permit ip 10.18.12.0 0.0.0.255 any (525 matches)
Extended IP access list 101
10 permit tcp 10.17.12.0 0.0.0.255 any eq 22 (32 matches)
20 permit tcp 10.17.12.0 0.0.0.255 any eq telnet
30 permit tcp host xxx.104.198.xxx any eq 22 (20 matches)
Extended IP access list 103
10 deny ip 22.0.0.0 0.255.255.255 any
20 deny udp 22.0.0.0 0.255.255.255 any
21 deny tcp host xxx.104.198.xxx any eq www (9 matches)
30 permit ip any any (1575531 matches)
Extended IP access list 105
10 deny ip any 22.0.0.0 0.255.255.255 (361 matches)
20 deny udp any 22.0.0.0 0.255.255.255
30 permit ip any any (1037355 matches)
A real head scratcher.... I know... :)
said by tired_runner: To test, I'm trying to block my own IP address at work from accessing the Apache box by using this:
21 deny tcp host xxx.104.198.xxx host 10.17.12.2 eq www
You realize the reason why is because on the public internet that 10.x.x.x will NOT be seen, right, tired_runner? It'll see your WAN IP address that the ACL matches. Put another way, following that pix I posted, the input ACL is matched at step 12, while OUTSIDE-TO-INSIDE NAT doesn't happen till step 20.
said by tired_runner: And well... That seems a little counter-intuitive.
Gripe out the guy that wrote that into IOS if ya want... not sure what else to tell ya, man! Regards
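The order-of-operations point in the reply above, modelled as an added Python example (not part of the thread and not IOS code): the inbound ACL on the Internet-facing interface is evaluated against the still-untranslated packet, so a deny written against 10.17.12.2 never matches, while the same deny written against the WAN address does. WAN_IP and WORK_IP are constructed stand-ins for "interface FastEthernet0/1" and the masked xxx.104.198.xxx.

```python
import ipaddress

# Constructed addresses: WAN_IP stands in for "interface FastEthernet0/1",
# WORK_IP for the masked xxx.104.198.xxx in the thread.
WAN_IP = "203.0.113.10"
WORK_IP = "198.51.100.7"
ANY = ("0.0.0.0", "255.255.255.255")          # IOS "any"

# ip nat inside source static tcp 10.17.12.2 80 interface FastEthernet0/1 80
STATIC_NAT = {("tcp", WAN_IP, 80): ("10.17.12.2", 80)}

def ios_match(addr, network, wildcard):
    """IOS wildcard match: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(ipaddress.ip_address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def acl_action(acl, pkt):
    """First-match evaluation; falling off the end is the implicit deny."""
    for action, proto, (src, swc), (dst, dwc), dport in acl:
        if proto not in ("ip", pkt["proto"]):
            continue
        if not (ios_match(pkt["src"], src, swc) and ios_match(pkt["dst"], dst, dwc)):
            continue
        if dport is not None and dport != pkt["dport"]:
            continue
        return action
    return "deny"

def outside_to_inside(acl, pkt):
    """Step 12 (inbound ACL) runs on the untranslated packet; step 20
    (outside-to-inside NAT) rewrites the destination only afterwards."""
    if acl_action(acl, pkt) == "deny":
        return "dropped_by_acl", pkt
    inside = STATIC_NAT.get((pkt["proto"], pkt["dst"], pkt["dport"]))
    if inside:
        pkt = dict(pkt, dst=inside[0], dport=inside[1])
    return "forwarded", pkt

# The line as posted: "21 deny tcp host xxx.104.198.xxx host 10.17.12.2 eq www"
ACL_AS_POSTED = [("deny", "tcp", (WORK_IP, "0.0.0.0"), ("10.17.12.2", "0.0.0.0"), 80),
                 ("permit", "ip", ANY, ANY, None)]
# Same intent, written against the address the inbound ACL actually sees.
ACL_PRE_NAT = [("deny", "tcp", (WORK_IP, "0.0.0.0"), (WAN_IP, "0.0.0.0"), 80),
               ("permit", "ip", ANY, ANY, None)]

# Constructed web request from the work address to the router's WAN side.
WEB_REQUEST = {"proto": "tcp", "src": WORK_IP, "dst": WAN_IP, "dport": 80}

if __name__ == "__main__":
    print(outside_to_inside(ACL_AS_POSTED, WEB_REQUEST))  # forwarded to 10.17.12.2
    print(outside_to_inside(ACL_PRE_NAT, WEB_REQUEST))    # dropped_by_acl
```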
Yeah, from an operational point of view, it makes sense that the ACL on the Internet-facing interface won't know what to do with a packet destined to an internal host, in the same manner that an ACL on the inside won't know what to do with a packet destined to an external host, without the intermediary broker in the middle; or in my case, NAT.
I guess I could write the ACLs in such a way that unwanted inbound traffic to a specific port stops at the outside interface, and allow everything else in via NAT. The objective is to create a TCP whitelist in an effort to stop getting my PBX compromised via SIP.