HELLFIRE
MVM
join:2009-11-25

[HELP] IPSec VPN and DVTI -- attempting a Full Tunnel config, re

Like tired_runner, trying to get a full-tunnel IPSec remote access working. Based on
a config supplied by RyanG1, and reviewing the video here about DVTI, thought
I had this all set up correctly.

Below is the config, some relevant highlights:

- Router has networks 172.16.0.0/24, 172.16.10.0/24, 172.16.20.0/24, and 172.16.30.0/24

- VPN clients get a pool 172.16.40.0/7

- DVTI interface is Virtual-Template 1, currently set to ip unnumbered on VLAN 30 / 172.16.30.1

- NAT ACL is controlled by ACL111 as follows

access-list 111 deny   ip 172.16.0.0 0.0.255.255 172.16.40.0 0.0.0.7
access-list 111 deny   ip 172.16.40.0 0.0.0.7 172.16.0.0 0.0.255.255
access-list 111 permit ip 172.16.0.0 0.0.0.3 any
access-list 111 permit ip 172.16.10.0 0.0.0.255 any
access-list 111 permit ip 172.16.20.0 0.0.0.255 any
access-list 111 permit ip 172.16.30.0 0.0.0.255 any
access-list 111 permit ip 172.16.40.0 0.0.0.7 any
 

Where I've gotten this so far is the tunnel comes up, and I'm able to browse computers on
the local LAN and ping the VLAN SVIs on the router I'm VPN'ing to.

Where things break down is that internet bound traffic doesn't seem to work at all. Some
output I've collected to help troubleshoot is as follows:

- NAT translation tables show translation is happening, confirming the router's NAT'ing for
the 172.16.40.x host.

R1811#sh ip nat trans | i 172.16.40.1
udp xx.xx.xx.xx:49869 172.16.40.1:49869 208.67.220.220:53 208.67.220.220:53
udp xx.xx.xx.xx:49869 172.16.40.1:49869 208.67.222.222:53 208.67.222.222:53
udp xx.xx.xx.xx:50296 172.16.40.1:50296 208.67.220.220:53 208.67.220.220:53
udp xx.xx.xx.xx:50296 172.16.40.1:50296 208.67.222.222:53 208.67.222.222:53
udp xx.xx.xx.xx:57677 172.16.40.1:57677 208.67.220.220:53 208.67.220.220:53
udp xx.xx.xx.xx:57677 172.16.40.1:57677 208.67.222.222:53 208.67.222.222:53
udp xx.xx.xx.xx:58314 172.16.40.1:58314 208.67.220.220:53 208.67.220.220:53
udp xx.xx.xx.xx:58314 172.16.40.1:58314 208.67.222.222:53 208.67.222.222:53
udp xx.xx.xx.xx:63950 172.16.40.1:63950 208.67.220.220:53 208.67.220.220:53
udp xx.xx.xx.xx:63950 172.16.40.1:63950 208.67.222.222:53 208.67.222.222:53
 

- IP interface brief output from my router for reference

R1811#sh ip int brief
Any interface listed with OK? value "NO" does not have a valid configuration
 
Interface                  IP-Address      OK? Method Status                Protocol
Async1                     unassigned      YES TFTP   down                  down
FastEthernet0              XX.XX.XX.XX  YES DHCP   up                    up
FastEthernet1              unassigned      YES TFTP   administratively down down
FastEthernet2              unassigned      YES unset  up                    up
FastEthernet3              unassigned      YES unset  up                    up
FastEthernet4              unassigned      YES unset  up                    down
FastEthernet5              unassigned      YES unset  up                    up
FastEthernet6              unassigned      YES unset  administratively down down
FastEthernet7              unassigned      YES unset  up                    up
FastEthernet8              unassigned      YES unset  up                    down
FastEthernet9              unassigned      YES unset  up                    down
Loopback0                  unassigned      YES TFTP   up                    up
NVI0                       unassigned      YES unset  administratively down down
Virtual-Access1            unassigned      YES unset  down                  down
Virtual-Access2            unassigned      NO  TFTP   down                  down
Virtual-Access3            unassigned      NO  TFTP   down                  down
Virtual-Access4            unassigned      NO  TFTP   down                  down
Virtual-Access5            172.16.30.1     YES TFTP   up                    up
Virtual-Access6            unassigned      NO  TFTP   down                  down
Virtual-Access7            unassigned      NO  TFTP   down                  down
Virtual-Template1          172.16.30.1     YES TFTP   down                  down
Vlan1                      172.16.0.1      YES NVRAM  up                    up
Vlan10                     172.16.10.1     YES NVRAM  up                    up
Vlan20                     172.16.20.1     YES NVRAM  up                    up
Vlan30                     172.16.30.1     YES NVRAM  up                    up
 

The specific things I've tried so far to troubleshoot this, but without success, are as follows:

- set Virtual-template1 to ip unnumbered Fa0 (my WAN interface above) and several of the VLAN
interfaces above.

- set Virtual-template1 to not NAT

- wiresharked on the Cisco Virtual adapter -- I've confirmed DNS requests are sourced from
172.16.40.1 to the DNS servers configured, just no return traffic comes back, so it reverts
to a Netbios resolution of any web address put in.

- traceroute to external IP addresses like 4.2.2.2, it hits the 172.16.30.1 address above, and
times out after that.

Not sure if I'm missing something, or I should just forget about a full tunnel VPN config that
isn't operating on a device behind my existing NAT device above.

Anyone have any thoughts / comments?

Regards
HELLFIRE
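An added example (not from the post or from Cisco IOS) that evaluates the posted ACL 111 with Cisco wildcard-mask, first-match semantics and then checks the rows of the sh ip nat trans output against it; it generalises to any permit/deny ip line whose operands are any, host, or network/wildcard. The LAN host addresses used below are constructed samples, and xx.xx.xx.xx is the poster's own redaction.

```python
"""Evaluate the posted NAT ACL 111 with Cisco wildcard-mask semantics.

Added example, not from the original post or from Cisco IOS. It does general
first-match evaluation of 'access-list N permit|deny ip SRC DST' lines, where
each operand is 'any', 'host A' or 'NETWORK WILDCARD', then checks rows of
the posted 'sh ip nat trans' output against the ACL.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# ACL 111 exactly as posted (the source list for 'ip nat inside source').
ACL_111 = """
access-list 111 deny   ip 172.16.0.0 0.0.255.255 172.16.40.0 0.0.0.7
access-list 111 deny   ip 172.16.40.0 0.0.0.7 172.16.0.0 0.0.255.255
access-list 111 permit ip 172.16.0.0 0.0.0.3 any
access-list 111 permit ip 172.16.10.0 0.0.0.255 any
access-list 111 permit ip 172.16.20.0 0.0.0.255 any
access-list 111 permit ip 172.16.30.0 0.0.0.255 any
access-list 111 permit ip 172.16.40.0 0.0.0.7 any
"""

# Two rows of the posted translation table; xx.xx.xx.xx is the poster's
# redaction of the inside-global (public) address.
NAT_TRANS = """
udp xx.xx.xx.xx:49869 172.16.40.1:49869 208.67.220.220:53 208.67.220.220:53
udp xx.xx.xx.xx:49869 172.16.40.1:49869 208.67.222.222:53 208.67.222.222:53
"""


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    src: Tuple[int, int]   # (network, wildcard) as 32-bit integers
    dst: Tuple[int, int]


def _addr(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _operand(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume one address operand at tokens[i]; return it and the next index.

    A wildcard bit of 1 means "don't care": 'any' is (0, 0xFFFFFFFF) and
    'host A' is (A, 0).
    """
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_addr(tokens[i + 1]), 0), i + 2
    return (_addr(tokens[i]), _addr(tokens[i + 1])), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse numbered-ACL 'ip' lines into ACEs, keeping their order."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue  # ACL 111 only uses the 'ip' protocol form
        src, i = _operand(t, 4)
        dst, _ = _operand(t, i)
        aces.append(Ace(t[2], src, dst))
    return aces


def _matches(addr: int, net_wc: Tuple[int, int]) -> bool:
    net, wc = net_wc
    care = ~wc & 0xFFFFFFFF  # bits that must match exactly
    return (addr & care) == (net & care)


def evaluate(aces: List[Ace], src: str, dst: str) -> str:
    """First match wins; a flow matching no line hits the implicit deny."""
    s, d = _addr(src), _addr(dst)
    for ace in aces:
        if _matches(s, ace.src) and _matches(d, ace.dst):
            return ace.action
    return "deny"


def will_nat(src: str, dst: str) -> bool:
    """True if 'ip nat inside source list 111' would translate the flow."""
    return evaluate(parse_acl(ACL_111), src, dst) == "permit"


def check_translations(table: str) -> List[Tuple[str, str, bool]]:
    """For each 'sh ip nat trans' row, report whether ACL 111 permits NAT."""
    rows = []
    for line in table.strip().splitlines():
        _proto, _inside_global, inside_local, outside_local, _og = line.split()
        src = inside_local.rsplit(":", 1)[0]
        dst = outside_local.rsplit(":", 1)[0]
        rows.append((src, dst, will_nat(src, dst)))
    return rows
```

will_nat("172.16.40.1", "208.67.222.222") returns True (line 7 of the ACL, matching the translations seen in the table) while will_nat("172.16.40.1", "172.16.10.100") returns False (line 2, so LAN traffic keeps the pool address), which is consistent with the two behaviours reported above.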

HELLFIRE

MVM

Re: [HELP] IPSec VPN and DVTI -- attempting a Full Tunnel config

Full config of my router and VPN setup, with sensitive bits removed:

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.08.30 17:17:30 =~=~=~=~=~=~=~=~=~=~=~=
 
R1811#
R1811#term len 0
R1811#sh run
Building configuration...
 
Current configuration : 24670 bytes
!
! Last configuration change at 17:14:19 MDT Fri Aug 30 2013 by remotesess
! NVRAM config last updated at 17:16:53 MDT Fri Aug 30 2013 by remotesess
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
!
hostname R1811
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 16384
no logging rate-limit
no logging console
enable secret 5 [SNIP]
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login vpnuserauth local
aaa authorization exec local_authen local 
aaa authorization network vpnnetworkauth local 
!
!
aaa session-id unique
clock timezone MST -7
clock summer-time MDT recurring
!
!
dot11 syslog
no ip source-route
!
!
ip dhcp excluded-address 172.16.20.7 172.16.20.254
ip dhcp excluded-address 172.16.30.7 172.16.30.254
!
ip dhcp pool MADLAX
   host 172.16.10.110 255.255.255.0
   client-identifier 0100.1731.c406.38
   default-router 172.16.10.1 
   dns-server 208.67.222.222 208.67.220.220 [SNIP]
!
ip dhcp pool CORE2DUO_WIRED
   host 172.16.10.101 255.255.255.0
   client-identifier 0100.e0b8.ae45.b1
   default-router 172.16.10.1 
   dns-server 208.67.222.222 208.67.220.220 [SNIP]
!
ip dhcp pool CORE2DUO_WIRELESS
   host 172.16.10.111 255.255.255.0
   client-identifier 0100.18de.206a.77
   default-router 172.16.10.1 
   dns-server 208.67.222.222 208.67.220.220 [SNIP]
!
ip dhcp pool VLAN20
   network 172.16.20.0 255.255.255.0
   default-router 172.16.20.1 
   dns-server 208.67.222.222 208.67.220.220 [SNIP]
   lease 0 4
!
ip dhcp pool VLAN30
   network 172.16.30.0 255.255.255.0
   default-router 172.16.30.1 
   dns-server 208.67.222.222 208.67.220.220 [SNIP]
   lease 0 4
!
ip dhcp pool SYSLOG
   host 172.16.10.105 255.255.255.0
   client-identifier 0100.40f4.2086.59
   default-router 172.16.10.1 
   dns-server 208.67.222.222 208.67.220.220 [SNIP]
!
ip dhcp pool HELLFIRE
   host 172.16.10.100 255.255.255.0
   client-identifier 0100.248c.c539.2c
   default-router 172.16.10.1 
   dns-server 208.67.222.222 208.67.220.220 [SNIP]
!
ip dhcp pool RED-OCTOBER
   host 172.16.10.115 255.255.255.0
   client-identifier 011c.6f65.98f3.fd
   default-router 172.16.10.1 
   dns-server 208.67.222.222 208.67.220.220 [SNIP]
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name LCHEnterprise.com
ip ips config location flash:/ips/ retries 1
ip ips fail closed
ip ips deny-action ips-interface
ip ips name IPS_POLICY
!
ip ips signature-category
  category all
   retired true
  category ios_ips basic
   retired false
   enabled true
  category ios_ips advanced
   retired false
   enabled true
  category reconnaissance icmp_host_sweeps
   retired false
   enabled true
  category reconnaissance tcp/udp_combo_sweeps
   retired false
   enabled true
  category reconnaissance udp_port_sweeps
   retired false
   enabled true
  category attack general_attack
   retired false
   enabled true
  category attack ids_evasion
   retired false
   enabled true
  category ddos all-ddos
   retired false
   enabled true
  category dos icmp_floods
   retired false
   enabled true
  category dos tcp_floods
   retired false
   enabled true
  category dos udp_floods
   retired false
   enabled true
  category reconnaissance tcp_ports_sweeps
   retired false
   enabled true
!
ip inspect log drop-pkt
ip inspect udp idle-time 15
ip inspect hashtable-size 8192
ip inspect dns-timeout 2
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 1
ip inspect tcp synwait-time 15
ip inspect tcp block-non-session
ip inspect tcp max-incomplete host 25 block-time 120
ip inspect tcp reassembly timeout 2
ip inspect tcp reassembly alarm on
ip inspect name OUTBOUND_FW appfw APP_FW
ip inspect name OUTBOUND_FW fragment maximum 10 timeout 3
ip inspect name OUTBOUND_FW icmp alert off router-traffic
ip inspect name OUTBOUND_FW appleqtc alert off
ip inspect name OUTBOUND_FW bittorrent alert off
ip inspect name OUTBOUND_FW echo alert off
ip inspect name OUTBOUND_FW ftp alert off
ip inspect name OUTBOUND_FW ftps alert off
ip inspect name OUTBOUND_FW imap alert off
ip inspect name OUTBOUND_FW imap3 alert off
ip inspect name OUTBOUND_FW imaps alert off
ip inspect name OUTBOUND_FW nntp alert off
ip inspect name OUTBOUND_FW ntp alert off
ip inspect name OUTBOUND_FW pop3 alert off
ip inspect name OUTBOUND_FW pop3s alert off
ip inspect name OUTBOUND_FW router alert off
ip inspect name OUTBOUND_FW ssh alert off
ip inspect name OUTBOUND_FW smtp alert off
ip inspect name OUTBOUND_FW telnet alert off
ip inspect name OUTBOUND_FW dns alert off audit-trail off
ip inspect name OUTBOUND_FW irc alert off audit-trail on
ip inspect name OUTBOUND_FW ircs alert off audit-trail on
ip inspect name OUTBOUND_FW udp alert off router-traffic
ip inspect name OUTBOUND_FW tcp alert off router-traffic
ip inspect name INBOUND_FW fragment maximum 3 timeout 1
ip inspect name INBOUND_FW udp alert on audit-trail off router-traffic
ip inspect name INBOUND_FW tcp alert on audit-trail off router-traffic
login block-for 1800 attempts 3 within 60
login delay 2
login on-failure trap
no ipv6 cef
!
appfw policy-name APP_FW
  application im aol
    service default action allow alarm
    service text-chat action allow alarm
    audit-trail on
  application im msn
    service default action allow alarm
    service text-chat action allow alarm
    audit-trail on
  application im yahoo
    service default action allow alarm
    service text-chat action allow alarm
    audit-trail on
  application http
    strict-http action allow alarm
    content-type-verification unknown-type action allow alarm
    port-misuse im action allow alarm
    port-misuse p2p action allow alarm
    port-misuse tunneling action allow alarm
!
multilink bundle-name authenticated
!
!
!
username remotesess privilege 5 secret 5 [SNIP]
username localsess privilege 5 secret 5 [SNIP]
username vpn.[SNIP].user privilege 0 secret 5 $[SNIP]
!
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101 
   00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16 
   17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128 
   B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E 
   5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35 
   FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85 
   50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36 
   006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE 
   2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3 
   F3020301 0001
  quit
! 
crypto logging session
!
crypto isakmp policy 30
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp keepalive 60 10
crypto isakmp nat keepalive 60
!
crypto isakmp client configuration group HOME_VPN_SPLIT
 key [SNIP]
 dns 208.67.222.222 208.67.220.220
 domain LCHEnterprise.com
 pool VPN_DHCP_POOL
 acl VPN_SPLIT_ACL
 include-local-lan
 max-users 5
 netmask 255.255.255.0
 banner ^C
 
Warning Notice - Authorized Access Only. This Access Session Is Being 
Monitored And Logged For Administrative And Security Purposes. If You 
Are Not An Authorized User Of This System, Or Do Not Consent To Such
Monitoring Disconnect From This System Now.   ^C
!
crypto isakmp client configuration group HOME_VPN_NOSPLIT
 key [SNIP]
 dns 208.67.222.222 208.67.220.220
 domain LCHEnterprise.com
 pool VPN_DHCP_POOL
 include-local-lan
 max-users 5
 netmask 255.255.255.0
 banner ^C
 
Warning Notice - Authorized Access Only. This Access Session Is Being 
Monitored And Logged For Administrative And Security Purposes. If You 
Are Not An Authorized User Of This System, Or Do Not Consent To Such
Monitoring Disconnect From This System Now.   ^C
crypto isakmp profile PROFILE_HOME_VPN_SPLIT
   match identity group HOME_VPN_SPLIT
   client authentication list vpnuserauth
   isakmp authorization list vpnnetworkauth
   client configuration address respond
   virtual-template 1
crypto isakmp profile PROFILE_HOME_VPN_NOSPLIT
   match identity group HOME_VPN_NOSPLIT
   client authentication list vpnuserauth
   isakmp authorization list vpnnetworkauth
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES192-SHA esp-aes 192 esp-sha-hmac 
!
crypto ipsec profile PROFILE_HOME_VPN
 set transform-set ESP-AES256-SHA 
 set reverse-route distance 20
!
!
archive
 log config
  hidekeys
!
!
ip ssh maxstartups 2
ip ssh time-out 30
ip ssh authentication-retries 2
ip ssh rsa keypair-name R1811-HOME-KEY
ip ssh logging events
ip ssh version 2
!
class-map match-all COPP_POLICY_SSH
 match access-group 101
!
!
policy-map COPP_POLICY
 class COPP_POLICY_SSH
   police rate 8 pps
     conform-action transmit 
     exceed-action drop 
     violate-action drop 
!
!
!
!
interface Loopback0
 no ip address
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description "WAN - ISP"
 ip address dhcp
 ip access-group INBOUND_ACL in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect INBOUND_FW in
 ip inspect OUTBOUND_FW out
 ip virtual-reassembly max-fragments 3 max-reassemblies 64 timeout 1
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet1
 description "WAN - ISP - FUTURE"
 ip address dhcp
 ip verify unicast source reachable-via rx allow-default
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly max-fragments 3 max-reassemblies 64 timeout 1
 shutdown
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet2
 description [SNIP]
 switchport access vlan 10
 spanning-tree portfast
!
interface FastEthernet3
 description [SNIP]
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet4
 description "VLAN30 SPARE PORT"
 switchport access vlan 30
 spanning-tree portfast
!
interface FastEthernet5
 description "LAN - TRUNK PORT - EXPANSION"
 switchport trunk allowed vlan 1,10,20,30,1002-1005
 switchport mode trunk
 duplex full
 speed 100
!
interface FastEthernet6
 description "VLAN10 EXPANSION"
 switchport access vlan 10
 shutdown
 spanning-tree portfast
!
interface FastEthernet7
 description "VLAN20 SPARE PORT"
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet8
 description "VLAN30 SPARE PORT"
 switchport access vlan 30
 spanning-tree portfast
!
interface FastEthernet9
 description "LAN - TRUNK PORT - WAP"
 switchport trunk allowed vlan 1,10,20,30,1002-1005
 switchport mode trunk
 duplex full
 speed 100
!
interface Virtual-Template1 type tunnel
 ip unnumbered Vlan30
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROFILE_HOME_VPN
!
interface Vlan1
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
!
interface Vlan10
 ip address 172.16.10.1 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
!
interface Vlan20
 ip address 172.16.20.1 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
!
interface Vlan30
 ip address 172.16.30.1 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool VPN_DHCP_POOL 172.16.40.1 172.16.40.5
ip forward-protocol nd
ip route 10.0.0.0 255.0.0.0 Null0
ip route 41.93.0.0 255.255.128.0 Null0
ip route 50.56.85.245 255.255.255.255 Null0
ip route 58.9.146.21 255.255.255.255 Null0
ip route 58.60.188.27 255.255.255.255 Null0
ip route 58.64.134.0 255.255.255.0 Null0
ip route 58.114.96.26 255.255.255.255 Null0
ip route 60.191.222.0 255.255.255.0 Null0
ip route 61.12.124.140 255.255.255.255 Null0
ip route 61.132.244.0 255.255.255.0 Null0
ip route 61.143.248.178 255.255.255.255 Null0
ip route 61.190.172.2 255.255.255.255 Null0
ip route 64.28.176.0 255.255.240.0 Null0
ip route 64.120.26.34 255.255.255.255 Null0
ip route 67.210.0.0 255.255.240.0 Null0
ip route 67.228.251.6 255.255.255.255 Null0
ip route 69.64.90.34 255.255.255.255 Null0
ip route 71.43.140.174 255.255.255.255 Null0
ip route 77.67.83.0 255.255.255.0 Null0
ip route 78.108.155.202 255.255.255.255 Null0
ip route 82.194.76.128 255.255.255.128 Null0
ip route 84.208.0.0 255.248.0.0 Null0
ip route 85.114.130.113 255.255.255.255 Null0
ip route 85.255.112.0 255.255.240.0 Null0
ip route 88.208.230.201 255.255.255.255 Null0
ip route 93.126.0.0 255.255.192.0 Null0
ip route 93.188.160.0 255.255.248.0 Null0
ip route 94.102.14.0 255.255.255.0 Null0
ip route 101.64.234.130 255.255.255.255 Null0
ip route 113.107.167.224 255.255.255.255 Null0
ip route 115.87.141.162 255.255.255.255 Null0
ip route 115.238.55.0 255.255.255.0 Null0
ip route 115.238.55.59 255.255.255.255 Null0
ip route 119.161.145.206 255.255.255.255 Null0
ip route 121.254.170.23 255.255.255.255 Null0
ip route 122.49.11.185 255.255.255.255 Null0
ip route 122.155.162.134 255.255.255.255 Null0
ip route 122.228.197.0 255.255.255.0 Null0
ip route 123.30.128.15 255.255.255.255 Null0
ip route 127.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
ip route 180.153.127.111 255.255.255.255 Null0
ip route 183.88.66.37 255.255.255.255 Null0
ip route 184.105.177.21 255.255.255.255 Null0
ip route 187.33.0.243 255.255.255.255 Null0
ip route 192.168.0.0 255.255.0.0 Null0
ip route 196.28.38.0 255.255.255.0 Null0
ip route 201.49.208.82 255.255.255.255 Null0
ip route 201.236.221.254 255.255.255.255 Null0
ip route 202.10.78.41 255.255.255.255 Null0
ip route 202.169.58.96 255.255.255.248 Null0
ip route 204.74.218.211 255.255.255.255 Null0
ip route 211.27.225.183 255.255.255.255 Null0
ip route 211.118.0.0 255.255.0.0 Null0
ip route 211.161.32.0 255.255.240.0 Null0
ip route 212.31.252.32 255.255.255.224 Null0
ip route 212.150.0.0 255.255.0.0 Null0
ip route 213.109.64.0 255.255.240.0 Null0
ip route 216.64.96.32 255.255.255.255 Null0
ip route 218.77.85.130 255.255.255.255 Null0
ip route 218.188.0.0 255.254.0.0 Null0
ip route 218.204.64.0 255.255.192.0 Null0
ip route 218.204.128.0 255.255.192.0 Null0
ip route 219.84.143.46 255.255.255.255 Null0
ip route 221.176.11.13 255.255.255.255 Null0
ip route 222.171.135.140 255.255.255.255 Null0
no ip http server
no ip http secure-server
!
!
ip nat inside source list 111 interface FastEthernet0 overload
!
ip access-list extended INBOUND_ACL
 remark "Inbound Traffic Control ACL"
 remark TCP Flag Filtering - NMAP xmas scan
 deny   tcp any any match-all +fin +psh +urg
 remark TCP Flag Filtering - NMAP null scan
 deny   tcp any any match-all -ack -fin -psh -rst -syn -urg
 remark TCP Flag Filtering - NMAP connect scan
 deny   tcp any any match-all +ack +rst
 remark TCP Flag Filtering - TCP SYNFIN
 deny   tcp any any match-all +fin +syn
 remark TCP Flag Filtering - Winnuke
 deny   tcp any any eq 139 match-all +urg
 deny   tcp any eq 0 any eq 0
 deny   udp any eq 0 any eq 0
 remark Permitted Inbound Traffic - DHCP
 permit udp any eq bootps any eq bootpc log
 remark Permitted Inbound Traffic - SSH
 permit tcp any any eq 22
 permit udp any any eq isakmp log
 permit udp any any eq non500-isakmp log
 permit esp any any log
 remark Cleanup Rules
 deny   icmp any any
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip host 255.255.255.255 any log
 remark Permitted Inbound Traffic - DHCP
 remark Permitted Inbound Traffic - VPN
 deny   tcp any range 0 65535 any range 0 65535 log
 deny   udp any range 0 65535 any range 0 65535 log
 deny   ip any any log
 remark Permitted Inbound Traffic - DHCP
 remark Permitted Inbound Traffic - VPN
ip access-list extended INBOUND_DEV
 remark "Inbound Traffic Control ACL - Development"
 remark TCP Flag Filtering - NMAP xmas scan
 deny   tcp any any match-all +fin +psh +urg
 remark TCP Flag Filtering - NMAP null scan
 deny   tcp any any match-all -ack -fin -psh -rst -syn -urg
 remark TCP Flag Filtering - NMAP connect scan
 deny   tcp any any match-all +ack +rst
 remark TCP Flag Filtering - TCP SYNFIN
 deny   tcp any any match-all +fin +syn
 remark TCP Flag Filtering - Winnuke
 deny   tcp any any eq 139 match-all +urg
 deny   tcp any any eq 0
 deny   udp any any eq 0
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 remark Permitted Inbound Traffic - DHCP
 permit udp any eq bootps any eq bootpc log
 remark Permitted Inbound Traffic - SSH
 permit tcp any any eq 22
 remark Permitted Inbound Traffic - DHCP
 remark Permitted Inbound Traffic - VPN
 permit udp any any eq isakmp log
 permit udp any any eq non500-isakmp log
 permit esp any any log
 remark Cleanup Rules
 deny   icmp any any
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip host 255.255.255.255 any log
 deny   tcp any range 0 65535 any range 0 65535 log
 deny   udp any range 0 65535 any range 0 65535 log
 deny   ip any any log
 remark Permitted Inbound Traffic - DHCP
 remark Permitted Inbound Traffic - VPN
ip access-list extended VPN_SPLIT_ACL
 permit ip 172.16.10.0 0.0.0.255 172.16.40.0 0.0.0.7
 permit ip 172.16.20.0 0.0.0.255 172.16.40.0 0.0.0.7
 permit ip 172.16.30.0 0.0.0.255 172.16.40.0 0.0.0.7
!
logging trap debugging
logging 172.16.10.105
access-list 1 permit 172.16.0.0 0.0.0.3
access-list 1 permit 172.16.10.0 0.0.0.255
access-list 1 permit 172.16.20.0 0.0.0.255
access-list 1 permit 172.16.30.0 0.0.0.255
access-list 1 permit 172.16.40.0 0.0.0.7
access-list 60 permit 172.16.10.105
access-list 101 permit tcp any any eq 22
access-list 111 deny   ip 172.16.0.0 0.0.255.255 172.16.40.0 0.0.0.7
access-list 111 deny   ip 172.16.40.0 0.0.0.7 172.16.0.0 0.0.255.255
access-list 111 permit ip 172.16.0.0 0.0.0.3 any
access-list 111 permit ip 172.16.10.0 0.0.0.255 any
access-list 111 permit ip 172.16.20.0 0.0.0.255 any
access-list 111 permit ip 172.16.30.0 0.0.0.255 any
access-list 111 permit ip 172.16.40.0 0.0.0.7 any
!
!
!
!
!
snmp-server community publicreadonly RO 60
snmp-server location SysLog
snmp-server contact SysLog
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps adslline
snmp-server enable traps flash insertion removal
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps envmon
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps atm subif
snmp-server enable traps bgp
snmp-server enable traps bulkstat collection transfer
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps dlsw
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps ipsla
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps pw vc
snmp-server enable traps event-manager
snmp-server enable traps firewall serverstatus
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
!
control-plane
 service-policy input COPP_POLICY
!
banner login ^CCCC
##########################################################################
#                                                                        #
#                        !!WARNING NOTICE!!                              #
# This system is restricted solely to authorized users only. The actual  #
# or attempted unauthorized access, use or modification of this system   #
# is strictly prohibited.  Unauthorized users are subject to criminal    #
# and civil penalties under provincial, federal or other applicable      #
# domestic and foreign laws.  The use of this system is monitored and    #
# recorded for administrative and security purposes.  Anyone accessing   #
# this system expressly consents to such monitoring and is advised that  #
# if such monitoring reveals possible evidence of criminal activity,     #
# the evidence of such activity will be provided to law enforcement      #
# officials.  If you do not consent to such monitoring disconnect from   #
# this system now.                                                       #
#                                                                        #
##########################################################################
^C
banner motd ^CCCC
##########################################################################
#                                                                        #
#                        !!WARNING NOTICE!!                              #
# This system is restricted solely to authorized users only. The actual  #
# or attempted unauthorized access, use or modification of this system   #
# is strictly prohibited.  Unauthorized users are subject to criminal    #
# and civil penalties under provincial, federal or other applicable      #
# domestic and foreign laws.  The use of this system is monitored and    #
# recorded for administrative and security purposes.  Anyone accessing   #
# this system expressly consents to such monitoring and is advised that  #
# if such monitoring reveals possible evidence of criminal activity,     #
# the evidence of such activity will be provided to law enforcement      #
# officials.  If you do not consent to such monitoring disconnect from   #
# this system now.                                                       #
#                                                                        #
##########################################################################
^C
!
line con 0
 logging synchronous
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 exec-timeout 5 0
 authorization exec local_authen
 logging synchronous
 login authentication local_authen
 transport input telnet ssh
 transport output telnet ssh
!
ntp logging
ntp update-calendar
ntp server 136.159.2.9 prefer
ntp server 142.3.100.15
ntp server 209.87.233.53
ntp server 136.159.10.81
end
 
R1811#
 

RyanG1
Premium Member
join:2002-02-10
San Antonio, TX

RyanG1 to HELLFIRE

interface Virtual-Template1 type tunnel
ip unnumbered Vlan30


needs to be

interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0


You have almost the exact same setup I have, however I'm using ZBFW instead of CBAC inspects.

I was able to test mine and I can get out to the internet with tunneling everything over the IPSEC VTI.

Try that out and test. It is worth pointing out that while this setup works on a PC I cannot get an android device to work properly to tunnel everything.

Ryan
HELLFIRE
MVM
join:2009-11-25

Forgot to redact my public IP address from my NAT translation table.

Thanks for responding RyanG1, I actually did try using my Fa0 interface
as the ip unnumbered interface earlier without success; I'll try it again and
see...

Also got talking with a couple coworkers over the weekend... the running theory is
with routing as to why this isn't working. I'll have to get a "show ip route"
and some other output the next time I try this again...

Regards
tired_runner
Premium Member
join:2000-08-25
CT

tired_runner to HELLFIRE

I look forward to your progress on this. I decided to close my laptop and tell my 1841 to kick rocks for the holiday weekend so I can restart with a fresh mind.


RyanG1
Premium Member
join:2002-02-10
San Antonio, TX

RyanG1 to HELLFIRE

If need be I can post my config to my 1921 that has the setup. I still can't get my android devices to tunnel everything though so I'm guessing it has something to do with the latest build of jelly bean 4.3.

Ryan
HELLFIRE
MVM
join:2009-11-25

@tired_runner If any of this helps you out at all man, happy to be of service...
Also, I was thinking of rigging up a VPN on my end BEHIND my NAT / firewall device...
if you want to be the guinea pig and remote into it sometime?

So I repointed my virtual-template interface back to my Fa0 interface and gathered the following outputs :

R1811#sh int virtual-temp 1
Virtual-Template1 is down, line protocol is down
  Hardware is Virtual Template interface
  Interface is unnumbered. Using address of FastEthernet0 (XX.XX.XX.XX)
  MTU 17940 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source UNKNOWN
  Tunnel protocol/transport IPSEC/IP
  Tunnel TOS/Traffic Class Configuration: test tos configuration (alt: 0x0),  Tunnel TTL 255
  Tunnel transport MTU 1500 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "PROFILE_HOME_VPN")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
 

While I had a client remoted in, I gathered the following and confirmed that web browsing was
STILL not working.

R1811#sh ip int brief
Any interface listed with OK? value "NO" does not have a valid configuration
 
Interface                  IP-Address      OK? Method Status                Protocol
Async1                     unassigned      YES TFTP   down                  down
FastEthernet0              XX.XX.XX.XX  YES DHCP   up                    up
FastEthernet1              unassigned      YES TFTP   administratively down down
FastEthernet2              unassigned      YES unset  up                    up
FastEthernet3              unassigned      YES unset  up                    up
FastEthernet4              unassigned      YES unset  up                    down
FastEthernet5              unassigned      YES unset  up                    up
FastEthernet6              unassigned      YES unset  administratively down down
FastEthernet7              unassigned      YES unset  up                    up
FastEthernet8              unassigned      YES unset  up                    down
FastEthernet9              unassigned      YES unset  up                    down
Loopback0                  unassigned      YES TFTP   up                    up
NVI0                       unassigned      YES unset  administratively down down
Virtual-Access1            unassigned      YES unset  down                  down
Virtual-Access2            unassigned      NO  TFTP   down                  down
Virtual-Access3            unassigned      NO  TFTP   down                  down
Virtual-Access4            unassigned      NO  TFTP   down                  down
Virtual-Access5            unassigned      NO  TFTP   down                  down
Virtual-Access6            XX.XX.XX.XX  YES TFTP   up                    up
Virtual-Access7            unassigned      NO  TFTP   down                  down
Virtual-Template1          XX.XX.XX.XX  YES TFTP   down                  down
Vlan1                      172.16.0.1      YES NVRAM  up                    up
Vlan10                     172.16.10.1     YES NVRAM  up                    up
Vlan20                     172.16.20.1     YES NVRAM  up                    up
Vlan30                     172.16.30.1     YES NVRAM  up                    up
 

The following shows that while a client is remoted in, the router doesn't know about the 172.16.40.x network in general,
but DOES know about the client remoting in, and routes to it via the created virtual-access interface:

R1811#sh ip route 172.16.40.0
% Subnet not in table
 
R1811#sh ip ro 172.16.40.3
Routing entry for 172.16.40.3/32
  Known via "static", distance 20, metric 0
  Routing Descriptor Blocks:
  * YY.YY.YY.YY, via Virtual-Access6
      Route metric is 0, traffic share count is 1
 

Something I was curious about was the interface statistics of the actual virtual access interface itself :

R1811#sh int virtual-access 6
Virtual-Access6 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of FastEthernet0 (68.144.220.106)
  MTU 17862 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL
  Tunnel vaccess, cloned from Virtual-Template1
  Vaccess status 0x4, loopback not set
  Keepalive not set
  Tunnel source XX.XX.XX.XX, destination YY.YY.YY.YY
  Tunnel protocol/transport IPSEC/IP
  Tunnel TOS/Traffic Class Configuration: test tos configuration (alt: 0x0),  Tunnel TTL 255
  Tunnel transport MTU 1422 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "PROFILE_HOME_VPN")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 4d00h
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     15 packets input, 1226 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
 

I was able to confirm that address XX.XX.XX.XX is the WAN IP address on my R1811. YY.YY.YY.YY is the
WAN IP address that the remote client is coming from... so THAT part seems to be working right.

So now I'm wondering if routing or NAT (order of operations) isn't what's borking it. Just for chuckles,
I adjusted the Virtual-Template 1 config to specify "tunnel source [one of the VLAN SVIs above]". Immediately
after configuring, the remote access client can't connect, for the following reason:

"secure VPN connection terminated by Peer. Reason 433: reason not specified by peer"
 

Unfortunately also, I'm locked out of my 1811 as remote SSH access is down till I can contact someone to reboot
it... helluva time to forget to issue a "reload in" command while doing this.... :( :(

@RyanG1
If you can post that 1921 config... that'd be helpful.

Also, can you get me the same outputs above with your working config and a remote client connected? I want to compare
to see if I'm missing something here.

I'm also wondering under my crypto isakmp profile if I need to add the following

 crypto isakmp profile [profile-name]
 match identity [addressip] [addressmask]
 

the IP and mask being the 172.16.40.x range of my clients... thoughts on that?

Regards
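One way to spot the symptom in the outputs above mechanically, as an added example that is not from the thread or any poster: a small Python checker that parses the two outputs a DVTI troubleshooter collects (show interface on the Virtual-Access and show crypto ipsec sa) and flags a session that decrypts inbound packets but never sends anything back. The sample outputs are constructed and abridged, with documentation addresses (192.0.2.x, 198.51.100.x, 203.0.113.x) standing in for the redacted ones; the #pkts encaps value of 0 for the broken session is an assumption, since that output was not posted.

```python
import re
from typing import Dict, List, Optional

# Fields a DVTI health check needs from "show interface Virtual-Access N".
_IFACE_HEADER = re.compile(r"^(\S+) is (\S+), line protocol is (\S+)", re.M)
_TUNNEL_ENDS = re.compile(r"Tunnel source (\S+), destination (\S+)")
_PKTS_IN = re.compile(r"(\d+) packets input")
_PKTS_OUT = re.compile(r"(\d+) packets output")
# ...and from "show crypto ipsec sa".
_SA_IFACE = re.compile(r"^interface: (\S+)", re.M)
_SA_ENCAPS = re.compile(r"#pkts encaps: (\d+)")
_SA_DECAPS = re.compile(r"#pkts decaps: (\d+)")


def _count(rx: "re.Pattern[str]", text: str) -> int:
    m = rx.search(text)
    return int(m.group(1)) if m else 0


def parse_show_interface(text: str) -> Dict[str, object]:
    """Pull name, state, tunnel endpoints and packet counters out of show interface."""
    hdr = _IFACE_HEADER.search(text)
    if hdr is None:
        raise ValueError("no 'X is up, line protocol is up' header found")
    # A Virtual-Template prints "Tunnel source UNKNOWN" with no destination,
    # so the endpoint regex does not match there and both endpoints stay None.
    ends = _TUNNEL_ENDS.search(text)
    return {
        "name": hdr.group(1),
        "status": hdr.group(2),
        "protocol": hdr.group(3),
        "tunnel_src": ends.group(1) if ends else None,
        "tunnel_dst": ends.group(2) if ends else None,
        "pkts_in": _count(_PKTS_IN, text),
        "pkts_out": _count(_PKTS_OUT, text),
    }


def parse_ipsec_sa(text: str) -> Dict[str, object]:
    """Pull the interface name and encaps/decaps counters out of show crypto ipsec sa."""
    m = _SA_IFACE.search(text)
    if m is None:
        raise ValueError("no 'interface:' line found")
    return {"interface": m.group(1),
            "encaps": _count(_SA_ENCAPS, text),
            "decaps": _count(_SA_DECAPS, text)}


def diagnose(iface: Dict[str, object], sa: Optional[Dict[str, object]] = None) -> List[str]:
    """Return finding codes for one VTI session; an empty list means nothing looks wrong."""
    name = str(iface["name"])
    if name.startswith("Virtual-Template"):
        # The template is only a blueprint: always down, never carries traffic.
        # The cloned Virtual-Access is the session worth looking at.
        return ["template-not-a-session"]
    if iface["status"] != "up" or iface["protocol"] != "up":
        return ["session-down"]
    findings: List[str] = []
    if iface["tunnel_src"] is None:
        findings.append("no-tunnel-endpoints")
    if int(iface["pkts_in"]) > 0 and int(iface["pkts_out"]) == 0:
        # Client packets are decrypted and delivered, but nothing is ever routed
        # back into the tunnel. That is the return-path problem (NAT inside on the
        # template, route back to the client, anything inspecting the WAN side).
        findings.append("no-return-traffic")
    if sa is not None and int(sa["decaps"]) > 0 and int(sa["encaps"]) == 0:
        findings.append("decrypt-only-sa")
    return findings


# Constructed, abridged outputs modelled on the broken session (packets in, none out).
BROKEN_SHOW_INT = """\
Virtual-Access6 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of FastEthernet0 (192.0.2.10)
  Tunnel source 192.0.2.10, destination 198.51.100.7
  Tunnel protection via IPSec (profile "PROFILE_HOME_VPN")
     15 packets input, 1226 bytes, 0 no buffer
     0 packets output, 0 bytes, 0 underruns
"""
BROKEN_IPSEC_SA = """\
interface: Virtual-Access6
    Crypto map tag: Virtual-Access6-head-0, local addr 192.0.2.10
   remote ident (addr/mask/prot/port): (172.16.40.3/255.255.255.255/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
"""
# Constructed output modelled on a working session (traffic both ways).
WORKING_SHOW_INT = """\
Virtual-Access1 is up, line protocol is up
  Tunnel source 192.0.2.20, destination 203.0.113.9
     30839 packets input, 2332057 bytes, 0 no buffer
     34125 packets output, 17457768 bytes, 0 underruns
"""
# Constructed output for the template itself, which is expected to be down.
TEMPLATE_SHOW_INT = """\
Virtual-Template1 is down, line protocol is down
  Tunnel source UNKNOWN
     0 packets input, 0 bytes, 0 no buffer
     0 packets output, 0 bytes, 0 underruns
"""

if __name__ == "__main__":
    print("broken :", diagnose(parse_show_interface(BROKEN_SHOW_INT), parse_ipsec_sa(BROKEN_IPSEC_SA)))
    print("working:", diagnose(parse_show_interface(WORKING_SHOW_INT)))
    print("template:", diagnose(parse_show_interface(TEMPLATE_SHOW_INT)))
```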

RyanG1
Premium Member
join:2002-02-10
San Antonio, TX

RyanG1 to HELLFIRE

Here is my running config:

www.switchbored.net/nat-gw1.txt

Below is the interface info and the IPSEC and ISAKMP SAs:


nat-gw1#sh int vi1
Virtual-Access1 is up, line protocol is up
Hardware is Virtual Access interface
Interface is unnumbered. Using address of GigabitEthernet0/0 (24.243.xx.xx)
MTU 17878 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL
Tunnel vaccess, cloned from Virtual-Template1
Vaccess status 0x4, loopback not set
Keepalive not set
Tunnel source 24.243.xx.xx, destination 50.56.xx.xx
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Tunnel transport MTU 1438 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "profile_home_vpn")
Last input never, output never, output hang never
Last clearing of "show interface" counters 3d03h
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec
30839 packets input, 2332057 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
34125 packets output, 17457768 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
nat-gw1#sh cry isa
% Incomplete command.

nat-gw1#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
24.243.xx.xx 50.56.xx.xx QM_IDLE 1040 ACTIVE

IPv6 Crypto ISAKMP SA

nat-gw1#sh cry ipsec sa

interface: Virtual-Access1
Crypto map tag: Virtual-Access1-head-0, local addr 24.243.xx.xx

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.237.20/255.255.255.255/0/0)
current_peer 50.56.xx.xx port 56668
PERMIT, flags={origin_is_acl,}
#pkts encaps: 34127, #pkts encrypt: 34127, #pkts digest: 34127
#pkts decaps: 30841, #pkts decrypt: 30841, #pkts verify: 30841
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 24.243.xx.xx, remote crypto endpt.: 50.56.xx.xx
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x9A3C4DB3(2587643315)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x16BBB7E5(381401061)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2935, flow_id: Onboard VPN:935, sibling_flags 80000040, crypto map: Virtual-Access1-head-0
sa timing: remaining key lifetime (k/sec): (4333636/2170)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x9A3C4DB3(2587643315)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2936, flow_id: Onboard VPN:936, sibling_flags 80000040, crypto map: Virtual-Access1-head-0
sa timing: remaining key lifetime (k/sec): (4333620/2170)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:
HELLFIRE
MVM
join:2009-11-25

Thanks for that RyanG1, will review it when I clear the cobwebs from my brain.

NOW where my brain is, after taking a look at the output above, is why you would point the DVTI interface to
the WAN interface / IP address and call it "nat inside," which from a logical standpoint doesn't make
sense to me -- that's why earlier I'd thought that pointing it at an inside SVI was the key to pull traffic
FROM the Fa0 interface INTO the router to be decrypted / NAT'd.

Idunno... back to the drawing board I go...

Regards

RyanG1
Premium Member
join:2002-02-10
San Antonio, TX

RyanG1 to HELLFIRE

The reason why the template is configured as unnumbered for the outside interface is to build the tunnel (the IP of the public interface will become the tunnel source). It's similar to applying a crypto map to the public interface when doing traditional IPSEC tunnels to determine which traffic brings up the IPSEC tunnel(s).

As for the ip nat inside, once the tunnel is built I want the traffic riding the tunnel to be considered internal and to hairpin out from that tunnel interface and onto the public interface, and to be considered for NAT if it matches the NAT ACL (when in reality it's coming in the same physical interface that it will exit on).

The same logic applies to the zone member association to the inside zone. I want this traffic to not be filtered when reaching anything else deemed inside. You could also create a dedicated zone for the VPN and filter if you so desired.

Ryan
HELLFIRE
MVM
join:2009-11-25

Okay, THAT makes a little more sense RyanG1. The million dollar question at this point that I can see is, while
the tunnel's built, exactly WHAT is my router doing with it... for which I may have to enable debugs or something.
Like Network Guy, the fact that tunneling to my LAN hosts works proves the tunnel's working... the question now,
I THINK, is about the hairpinning / routing part, and I'm contemplating trying that route-map idea that was
suggested once.

Regards

RyanG1
Premium Member
join:2002-02-10
San Antonio, TX

RyanG1 to HELLFIRE

Since you are using CBAC (ip inspect) you can try disabling that on the interfaces you have it turned on and see if that helps. I tried with ZBFW enabled and disabled and it worked fine.

Ryan
tired_runner
Premium Member
join:2000-08-25
CT
·Frontier FiberOp..

I tried dissecting your config to make it work on my end. But now I keep getting this:

*Sep  6 20:57:48.199: map_db_find_best did not find matching map
*Sep  6 20:57:48.199: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-null esp-md5-hmac }
*Sep  6 20:57:48.199: map_db_find_best did not find matching map
*Sep  6 20:57:48.199: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-null esp-sha-hmac }
 

But what's even scarier is that the router allows the inbound connection without me having added a port forward for NAT traversal. I think I see why I'd want to enable ZBFW.

I shall keep playing with this. Your config was challenging to pick apart for the relevant pieces to HELLFIRE's puzzle as well as mine. :D

RyanG1
Premium Member
join:2002-02-10
San Antonio, TX

RyanG1 to HELLFIRE

If you want to post a config I can look into it. As for the part about not needing a port forward, this is sitting directly on the internet so you could filter it via an ACL applied inbound on the public interface.

Ryan
HELLFIRE
MVM
join:2009-11-25

@RyanG1
As in a "no ip inspect" then reapplying "ip inspect" ? Or as in remove it entirely?

@Network Guy
Error messages sound like a phase 2 mismatch... might want to look at that.

Regards
tired_runner
Premium Member
join:2000-08-25
CT
·Frontier FiberOp..

tired_runner to HELLFIRE

Alright... So Ryan is the man... Got it working

That's pretty genius of you to figure out making the virtual template interface a NAT inside interface. My hat's off to you.

Here's his magical config at work as it applies to my router. Finally have myself a full tunnel.

Building configuration...

Current configuration : 6542 bytes
!
! Last configuration change at 21:46:15 UTC Mon Sep 9 2013 by me
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash:c1841-adventerprisek9-mz.151-4.M1.bin
boot-end-marker
!
!
enable secret 5 xxx
!
aaa new-model
!
!
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sslvpn_test local
aaa authentication login ipsecvpn local
aaa authorization network ipsecvpn local
!
!
!
!
!
aaa session-id common
!
dot11 syslog
no ip source-route
!
!
!
!
!
ip cef
ip domain name homenet.local
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1076092965
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1076092965
revocation-check none
rsakeypair TP-self-signed-1076092965
!
!
crypto pki certificate chain TP-self-signed-1076092965
certificate self-signed 01
quit
!
!

username fwwebadmin privilege 15 password 7 xxx
username xxx privilege 15 password 7 xxx
!
redundancy
!
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp client configuration group ipsec_full_tunnel
key xxx
dns 10.17.12.2
pool ipsecvpnclients
crypto isakmp profile isa_prof_ipsec_full_tunnel
match identity group ipsec_full_tunnel
client authentication list ipsecvpn
isakmp authorization list ipsecvpn
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile prof_ipsec_full_vpn
set transform-set ESP-3DES-SHA
set reverse-route distance 20
!
!
!
!
!
!
interface Loopback0
ip address 10.18.12.25 255.255.255.248
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address 10.17.12.3 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
!
interface Virtual-Template1
no ip address
!
interface Virtual-Template2 type tunnel
ip unnumbered FastEthernet0/1
ip flow ingress
ip nat inside
ip virtual-reassembly in
tunnel mode ipsec ipv4
tunnel protection ipsec profile prof_ipsec_full_vpn
!
interface Dialer0
no ip address
!
ip local pool sslvpnclients 10.18.12.26 10.18.12.30
ip local pool ipsecvpnclients 10.18.12.33 10.18.12.38
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat translation udp-timeout 10
ip nat inside source list 100 interface FastEthernet0/1 overload
ip nat inside source static udp 10.17.12.18 5060 interface FastEthernet0/1 5060
ip nat inside source static tcp 10.17.12.2 5900 interface FastEthernet0/1 5900
ip nat inside source static tcp 10.17.12.2 143 interface FastEthernet0/1 143
ip nat inside source static tcp 10.17.12.2 60002 interface FastEthernet0/1 60002
ip nat inside source static tcp 10.17.12.2 60001 interface FastEthernet0/1 60001
ip nat inside source static tcp 10.17.12.2 60000 interface FastEthernet0/1 60000
ip nat inside source static tcp 10.17.12.2 990 interface FastEthernet0/1 990
ip nat inside source static tcp 10.17.12.82 8062 interface FastEthernet0/1 8062
ip nat inside source static tcp 10.17.12.2 25 interface FastEthernet0/1 25
ip nat inside source static tcp 10.17.12.3 22 interface FastEthernet0/1 22
ip nat inside source static tcp 10.17.12.2 80 interface FastEthernet0/1 80
ip nat inside source static tcp 10.17.12.3 443 interface FastEthernet0/1 443
ip route 0.0.0.0 0.0.0.0 24.188.xx.xx 254
ip route 0.0.0.0 0.0.0.0 24.188.xx.xx 254
!
access-list 100 permit ip 10.17.12.0 0.0.0.255 any
access-list 100 permit ip 10.18.12.0 0.0.0.255 any
access-list 101 permit tcp 10.17.12.0 0.0.0.255 any eq 22
access-list 101 permit tcp 10.17.12.0 0.0.0.255 any eq telnet
access-list 101 permit tcp host 143.104.xxx.xxx any eq 22
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
access-class 101 in
exec-timeout 0 0
privilege level 15
password 7 xxx
transport input ssh
line vty 5 15
access-class 101 in
exec-timeout 0 0
privilege level 15
password 7 xxx
transport input ssh
!
scheduler allocate 20000 1000
!
webvpn gateway gateway_1
ip address 10.17.12.3 port 443
http-redirect port 80
ssl trustpoint TP-self-signed-1076092965
inservice
!
webvpn install svc flash:/webvpn/sslclient-win-1.1.4.176.pkg sequence 1
!
webvpn context router
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
!
!
policy group policy_1
functions svc-enabled
svc address-pool "sslvpnclients" netmask 255.255.255.248
svc default-domain "homenet.local"
svc keep-client-installed
svc dns-server primary 10.17.12.2
!
policy group group_1
default-group-policy policy_1
aaa authentication list sdm_vpn_xauth_ml_1
gateway gateway_1
inservice
!
end

HELLFIRE
MVM
join:2009-11-25

Thought about it some more...

Changed the configs...

Thought about it some more...

Reread RyanG1's configs...

Took a look at Network Guy's update...

Happy for ya man that you got it working! Is that a working full tunnel IPSec _AND_ SSL connection? IIRC, RyanG1
mentioned the DVTI option in your original thread, but I guess we were all bashing our heads against the wall
about the whole thing by that point.

Question for you Network Guy: do you have 12.4T train code for your 1841 that you could load and try this working
config on? The _ONLY_ diff I can find at this time is that you and RyanG1 are on 15.x code, but I'm still running
12.4T. I'd be happy to turn off IP INSPECT if I were testing this in the lab, but I'm REALLY not s**thot to do that
on my actual internet-facing router... just from a personal comfort level.

Regards

RyanG1
Premium Member
join:2002-02-10
San Antonio, TX

RyanG1 to HELLFIRE

Hey hellfire, I didn't mean to suggest permanently leaving it off but more as a means to test. If 12.4 code existed for the 1921 I'd downgrade to test it out. I'm not sure what may have changed from the 12.4T line going into 15.x code other than maybe order of operations, but that's as much as I can guess.

Glad you got yours working Network Guy; this is the same type of tunnel that you would have without the actual virtual interfaces. I just prefer this way so that I can create service policies and assign it to a zone.

Ryan
tired_runner
Premium Member
join:2000-08-25
CT
·Frontier FiberOp..

tired_runner to HELLFIRE

Yeah, I think he mentioned it but I was busy trying not to slam the keyboard against the wall in frustration.

That's only a full IPsec tunnel. I couldn't try Ryan's approach with the SSL portion of it; only split. The SSL VPN configuration templates I've read on Cisco have nothing in common with his stuff, and I can theoretically keep trying other scenarios but that will only encourage more head banging against the wall, like you were.

I think I have 12.4T in my collection. I'll load it tonight and test it.
tired_runner to RyanG1

Thanks man.. That was very helpful..

So wait... What would be the trick if I didn't use VTI for this purpose?

RyanG1
Premium Member
join:2002-02-10
San Antonio, TX

RyanG1 to HELLFIRE

Virtual tunnels will not work with SSL as it's an entirely different setup in IOS. This is an alternative to configuring a crypto map on the public interface and building the tunnel the standard way. The caveat is that it becomes... tedious... to apply filtering, inspection, policing, etc. with the standard method.

This just takes an IPSEC policy and uses it to encrypt the tunnel interface's traffic to the end host.

Ryan
tired_runner
Premium Member
join:2000-08-25
CT
·Frontier FiberOp..

tired_runner to HELLFIRE

Alright hellfire... I copied 12.4T and let it rip... It came right back up and the full tunnel still works.

I posted the config.. Still the same as before; plus or minus the differences that the newer IOS adds..

 
Router#sh crypto ipsec sa
 
interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 24.188.xxx.xxx
 
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.18.12.33/255.255.255.255/0/0)
   current_peer 172.56.35.xxx port 31958
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3665, #pkts encrypt: 3665, #pkts digest: 3665
    #pkts decaps: 4710, #pkts decrypt: 4710, #pkts verify: 4710
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
 
     local crypto endpt.: 24.188.xxx.xxx, remote crypto endpt.: 172.56.35.xxx
     path mtu 1500, ip mtu 1500
     current outbound spi: 0xE2BE37F0(3804116976)
 
     inbound esp sas:
      spi: 0x51CEC1B9(1372504505)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2001, flow_id: FPGA:1, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4574588/3254)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
 
     inbound ah sas:
 
     inbound pcp sas:
 
     outbound esp sas:
      spi: 0xE2BE37F0(3804116976)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2002, flow_id: FPGA:2, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4574904/3251)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
 
     outbound ah sas:
 
     outbound pcp sas:
 
 

Building configuration...
 
Current configuration : 5826 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash:c1841-advsecurityk9-mz.124-2.T1.bin
boot-end-marker
!
enable secret 5 xxx
!
aaa new-model
!
!
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sslvpn_test local
aaa authentication login ipsecvpn local
aaa authorization network ipsecvpn local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
ip domain name homenet.local
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1076092965
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1076092965
 revocation-check none
 rsakeypair TP-self-signed-1076092965
!
!
crypto pki certificate chain TP-self-signed-1076092965
 certificate self-signed 01
  quit
username fwwebadmin privilege 15 password 7 xxx
username xxx privilege 15 password 7 xxx
!
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group ipsec_full_tunnel
 key xxx
 dns 10.17.12.2
 pool ipsecvpnclients
crypto isakmp profile isa_prof_ipsec_full_tunnel
   match identity group ipsec_full_tunnel
   client authentication list ipsecvpn
   isakmp authorization list ipsecvpn
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile prof_ipsec_full_vpn
 set transform-set ESP-3DES-SHA
!
!
!
!
interface Loopback0
 ip address 10.18.12.25 255.255.255.248
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 10.17.12.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
!
interface Virtual-Template1
 no ip address
!
interface Virtual-Template2 type tunnel
 ip unnumbered FastEthernet0/1
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile prof_ipsec_full_vpn
!
interface Dialer0
 no ip address
!
ip local pool sslvpnclients 10.18.12.26 10.18.12.30
ip local pool ipsecvpnclients 10.18.12.33 10.18.12.38
ip classless
ip route 0.0.0.0 0.0.0.0 24.188.xxx.1 254
!
ip http server
ip http authentication local
ip http secure-server
ip nat translation udp-timeout 10
ip nat inside source list 100 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.17.12.3 443 interface FastEthernet0/1 443
ip nat inside source static tcp 10.17.12.2 80 interface FastEthernet0/1 80
ip nat inside source static tcp 10.17.12.3 22 interface FastEthernet0/1 22
ip nat inside source static tcp 10.17.12.2 25 interface FastEthernet0/1 25
ip nat inside source static tcp 10.17.12.82 8062 interface FastEthernet0/1 8062
ip nat inside source static tcp 10.17.12.2 990 interface FastEthernet0/1 990
ip nat inside source static tcp 10.17.12.2 60000 interface FastEthernet0/1 60000
ip nat inside source static tcp 10.17.12.2 60001 interface FastEthernet0/1 60001
ip nat inside source static tcp 10.17.12.2 60002 interface FastEthernet0/1 60002
ip nat inside source static tcp 10.17.12.2 143 interface FastEthernet0/1 143
ip nat inside source static tcp 10.17.12.2 5900 interface FastEthernet0/1 5900
ip nat inside source static udp 10.17.12.18 5060 interface FastEthernet0/1 5060
!
access-list 10 permit 4.79.142.200
access-list 100 permit ip 10.17.12.0 0.0.0.255 any
access-list 100 permit ip 10.18.12.0 0.0.0.255 any
access-list 101 permit tcp 10.17.12.0 0.0.0.255 any eq 22
access-list 101 permit tcp 10.17.12.0 0.0.0.255 any eq telnet
access-list 101 permit tcp host 143.104.xxx.xxx any eq 22
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 access-class 101 in
 exec-timeout 0 0
 privilege level 15
 password 7 xxx
 transport input ssh
line vty 5 15
 access-class 101 in
 exec-timeout 0 0
 privilege level 15
 password 7 xxx
 transport input ssh
!
scheduler allocate 20000 1000
end
 
 
HELLFIRE
MVM
join:2009-11-25

@RyanG1
Did you still have your 891 that you originally had the DVTI config you sent, and 12.4T code for it?

Well, bugger about SSL (so far) not being able to do full tunnel... and I got enough to think about right now
that I want to leave SSL VPN alone for a bit. If I come across anything, will definitely share.

@Network Guy
Thanks for sharing / testing as well... looks like the only thing not present is the CBAC... which seems to swing
things back towards taking off the CBAC inspect on my end and trying that out... I'll give it a shot at least.
Nothing to lose at this point.

Regards

RyanG1
Premium Member
join:2002-02-10
San Antonio, TX

RyanG1 to HELLFIRE
Unfortunately no, I do not have that device any longer, but I do have an 1841 router.

Ryan
HELLFIRE
MVM
join:2009-11-25

Happy to report that after removing "ip inspect INBOUND_FW in" from my WAN interface and firing
up the VPN client, full tunnel worked as expected -- tried a few websites, pinged 4.2.2.2
to test. Also, checking my WAN IP address confirmed this, as I'm seeing the public IP address
XX.XX.XX.XX from my router below:

R1811#sh ip nat trans | i 172.16.40
tcp XX.XX.XX.XX:1129 172.16.40.2:1129  54.230.141.116:80  54.230.141.116:80
tcp XX.XX.XX.XX:1130 172.16.40.2:1130  54.230.141.116:80  54.230.141.116:80
tcp XX.XX.XX.XX:1131 172.16.40.2:1131  54.230.141.116:80  54.230.141.116:80
tcp XX.XX.XX.XX:1134 172.16.40.2:1134  54.230.141.116:80  54.230.141.116:80
tcp XX.XX.XX.XX:1212 172.16.40.2:1212  8.27.236.252:80    8.27.236.252:80
tcp XX.XX.XX.XX:1213 172.16.40.2:1213  54.230.141.116:80  54.230.141.116:80
tcp XX.XX.XX.XX:1215 172.16.40.2:1215  54.230.141.116:80  54.230.141.116:80
tcp XX.XX.XX.XX:1216 172.16.40.2:1216  54.230.141.116:80  54.230.141.116:80
tcp XX.XX.XX.XX:1218 172.16.40.2:1218  54.230.141.116:80  54.230.141.116:80
tcp XX.XX.XX.XX:1230 172.16.40.2:1230  176.32.101.81:80   176.32.101.81:80
tcp XX.XX.XX.XX:1232 172.16.40.2:1232  74.125.239.128:443 74.125.239.128:443
 

R1811# sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
Async1                     unassigned      YES NVRAM  down                  down
FastEthernet0              XX.XX.XX.XX  YES DHCP   up                    up
FastEthernet1              unassigned      YES NVRAM  administratively down down
FastEthernet2              unassigned      YES unset  up                    up
FastEthernet3              unassigned      YES unset  up                    up
FastEthernet4              unassigned      YES unset  up                    down
FastEthernet5              unassigned      YES unset  up                    up
FastEthernet6              unassigned      YES unset  administratively down down
FastEthernet7              unassigned      YES unset  up                    up
FastEthernet8              unassigned      YES unset  up                    down
FastEthernet9              unassigned      YES unset  up                    down
Loopback0                  unassigned      YES NVRAM  up                    up
NVI0                       unassigned      YES unset  administratively down down
Virtual-Access1            unassigned      YES unset  down                  down
Virtual-Access2            XX.XX.XX.XX  YES TFTP   up                    up
Virtual-Template1          XX.XX.XX.XX  YES TFTP   down                  down
Vlan1                      172.16.0.1      YES NVRAM  up                    up
Vlan10                     172.16.10.1     YES NVRAM  up                    up
Vlan20                     172.16.20.1     YES NVRAM  up                    up
Vlan30                     172.16.30.1     YES NVRAM  up                    up
 

Address YY.YY.YY.YY confirmed to be the public address client 172.16.40.2 is coming from

R1811#sh int virtual-acc 2
Virtual-Access2 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of FastEthernet0 (XX.XX.XX.XX)
  MTU 17862 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 138/255, rxload 2/255
  Encapsulation TUNNEL
  Tunnel vaccess, cloned from Virtual-Template1
  Vaccess status 0x0, loopback not set
  Keepalive not set
  Tunnel source XX.XX.XX.XX, destination YY.YY.YY.YY
 
  Tunnel protocol/transport IPSEC/IP
  Tunnel TOS/Traffic Class Configuration: test tos configuration (alt: 0x0),  Tunnel TTL 255
  Tunnel transport MTU 1422 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "PROFILE_HOME_VPN")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 00:10:11
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 1000 bits/sec, 22 packets/sec
  5 minute output rate 255000 bits/sec, 22 packets/sec
     20562 packets input, 1174841 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     20217 packets output, 25925426 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
 

R1811#sh ip ro 172.16.40.2
Routing entry for 172.16.40.2/32
  Known via "static", distance 20, metric 0
  Routing Descriptor Blocks:
  * YY.YY.YY.YY, via Virtual-Access2
      Route metric is 0, traffic share count is 1
 

R1811#sh cryp ipsec sa
 
interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr XX.XX.XX.XX
 
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.40.2/255.255.255.255/0/0)
   current_peer YY.YY.YY.YY port 1084
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 20297, #pkts encrypt: 20297, #pkts digest: 20297
    #pkts decaps: 20657, #pkts decrypt: 20657, #pkts verify: 20657
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 1
 
     local crypto endpt.: XX.XX.XX.XX, remote crypto endpt.: 68.145.101.228
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 0xBE8AE200(3196772864)
     PFS (Y/N): N, DH group: none
 
     inbound esp sas:
      spi: 0x9450795(155518869)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 3, flow_id: Onboard VPN:3, sibling_flags 80000046, crypto map:
Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4508967/3093)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
 
     inbound ah sas:
 
     inbound pcp sas:
 
     outbound esp sas:
      spi: 0xBE8AE200(3196772864)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 4, flow_id: Onboard VPN:4, sibling_flags 80000046, crypto map:
Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4488827/3093)
 

Rereading your whole config RyanG1, you've got inbound ZBFW coming in AND a full tunnel
config. So wonder what part of inbound CBAC wasn't playing nice with this that stopped full
tunnel from working then... now I'm REALLY interested in this...

Least now I know what I have to do to get it to work... problem is it seems to open ANOTHER
security hole in the process -- removes inbound inspection. _OR_ I get around to getting a
working ZBFW config into place...

...choices, choices...

tired_runner, are you planning / doing any sort of firewall config on your box since you
got this working yourself?

Regards
tired_runner
Premium Member
join:2000-08-25
CT
·Frontier FiberOp..

I need to get a firewall going. I just discovered my PBX was potentially compromised by the DoD recently. They apparently want to listen in on my dirty convos with the females I deal with. LOL

I need to understand the order of operations for NAT. I attempted to get an ACL going to block incoming traffic to specific internal hosts and have not had any success so far.
HELLFIRE
MVM
join:2009-11-25

Dirty conversations with women? Who doesn't want to listen in on that?

I attached a NAT order of operations for 12.3(8)T, if that helps. Otherwise, you know we're here to help
out, tired_runner.

Regards
tired_runner
Premium Member
join:2000-08-25
CT
·Frontier FiberOp..

Who would have thought :D

I guess I'm puzzled by how it's processing inbound traffic to hosts on the inside for which I have port mappings.

For example, my Apache server is running on port 80, so naturally I have this on the list:

ip nat inside source static tcp 10.17.12.2 80 interface FastEthernet0/1 80
 

To test, I'm trying to block my own IP address at work from accessing the Apache box by using this:
 21 deny tcp host xxx.104.198.xxx host 10.17.12.2 eq www
 

But it still allows the traffic. And I get it; the ACL is filtering traffic in the opposite direction from the one I'm trying to filter.

So I also tried setting an inbound ACL on the Internet-facing interface and using this:

 21 deny tcp host xxx.104.198.xxx host 10.17.12.2 eq www
 

But it still allows the traffic.

The only way I can block any inbound traffic at all to hosts behind NAT is if I block it all this way:
    21 deny tcp host xxx.104.198.xxx any eq www (6 matches)
 

And well... That seems a little counter-intuitive.

Here's what my ACLs look like now...

Extended IP access list 100
    10 deny ip any 22.0.0.0 0.255.255.255 (247 matches)
    20 deny udp any 22.0.0.0 0.255.255.255
    30 permit ip 10.17.12.0 0.0.0.255 any (49514 matches)
    40 permit ip 10.18.12.0 0.0.0.255 any (525 matches)
Extended IP access list 101
    10 permit tcp 10.17.12.0 0.0.0.255 any eq 22 (32 matches)
    20 permit tcp 10.17.12.0 0.0.0.255 any eq telnet
    30 permit tcp host xxx.104.198.xxx any eq 22 (20 matches)
Extended IP access list 103
    10 deny ip 22.0.0.0 0.255.255.255 any
    20 deny udp 22.0.0.0 0.255.255.255 any
    21 deny tcp host xxx.104.198.xxx any eq www (9 matches)
    30 permit ip any any (1575531 matches)
Extended IP access list 105
    10 deny ip any 22.0.0.0 0.255.255.255 (361 matches)
    20 deny udp any 22.0.0.0 0.255.255.255
    30 permit ip any any (1037355 matches)
 

A real head scratcher.... I know... :)
HELLFIRE
MVM
join:2009-11-25

said by tired_runner:

To test, I'm trying to block my own IP address at work to access the Apache box by using this:

21 deny tcp host xxx.104.198.xxx host 10.17.12.2 eq www

You realize the reason why is because on the public internet that 10.x.x.x will NOT be seen, right tired_runner?
It'll see your WAN IP address that the ACL matches.

Put another way, following that pix I posted, the input ACL is matched at step 12, while OUTSIDE-TO-INSIDE NAT doesn't happen till step 20.
said by tired_runner:

And well... That seems a little counter-intuitive.

Gripe out the guy that wrote that into IOS if ya want... not sure what else to tell ya, man!

Regards
tired_runner
Premium Member
join:2000-08-25
CT
·Frontier FiberOp..

Yeah, from an operational point of view, it makes sense that the ACL on the Internet-facing interface won't know what to do with a packet destined to an internal host in the same manner that an ACL on the inside won't know what to do with a packet destined to an external host without the intermediary broker in the middle; or in my case NAT.

I guess I could write the ACLs in such a way that unwanted inbound traffic to a specific port stops at the outside interface, and allow everything else in via NAT. The objective is to create a TCP whitelist in an effort to stop getting my PBX compromised via SIP.
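The point HELLFIRE makes about the order of operations (inbound ACL at step 12, outside-to-inside NAT at step 20) and tired_runner's conclusion about where a deny has to sit can be seen in a small model of that packet path. The following is an added example, not code from the thread or from IOS: it evaluates an extended ACL with IOS wildcard-mask semantics against the packet as it arrives on the WAN interface, and only then applies the static port-forward. The addresses are constructed documentation-range placeholders standing in for the masked XX / xxx values in the thread; the `10.17.12.2` port-80 mapping is the one from tired_runner's config.

```python
# Added example: model of the IOS outside-to-inside packet path discussed above
# (inbound ACL evaluated before static NAT). Not the router's code or the thread's.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed placeholders (the thread masks the real addresses as XX / xxx).
WAN_IP = "203.0.113.10"        # router's public address on FastEthernet0/1
WORK_IP = "198.51.100.7"       # tired_runner's "own IP address at work"
APACHE_INSIDE = "10.17.12.2"   # inside host from the thread's static NAT line


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One line of an extended ACL; src/dst are 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None  # 'eq <port>' on the destination, None if absent


def addr_matches(spec: str, addr: str) -> bool:
    """IOS wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return parts[1] == addr
    net, wild = parts
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    return (a & ~w) == (n & ~w)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (addr_matches(ace.src, pkt.src) and addr_matches(ace.dst, pkt.dst)):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def acl_action(acl: List[Ace], pkt: Packet) -> str:
    """First matching line wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# Static port-forwards, i.e. 'ip nat inside source static tcp <inside> <port> interface Fa0/1 <port>'.
StaticMap = Dict[Tuple[str, int], Tuple[str, int]]
STATIC_NAT: StaticMap = {("tcp", 80): (APACHE_INSIDE, 80), ("tcp", 443): ("10.17.12.3", 443)}


def outside_to_inside_nat(pkt: Packet, wan_ip: str, static_map: StaticMap) -> Packet:
    """Rewrite the destination from the WAN address to the mapped inside host."""
    key = (pkt.proto, pkt.dport)
    if pkt.dst == wan_ip and key in static_map:
        inside_ip, inside_port = static_map[key]
        return Packet(pkt.proto, pkt.src, inside_ip, inside_port)
    return pkt


def process_outside_to_inside(pkt: Packet, inbound_acl: List[Ace],
                              wan_ip: str = WAN_IP,
                              static_map: StaticMap = STATIC_NAT) -> Tuple[str, Packet]:
    """Order of operations for a packet arriving on the outside (WAN) interface."""
    # Inbound ACL first (step 12 in the chart HELLFIRE refers to): it sees the packet
    # exactly as it arrived, so the destination is still the public WAN address.
    if acl_action(inbound_acl, pkt) == "deny":
        return ("dropped", pkt)
    # Only now (step 20) does outside-to-inside NAT rewrite the destination.
    return ("forwarded", outside_to_inside_nat(pkt, wan_ip, static_map))


PERMIT_ALL = Ace("permit", "ip", "any", "any")
# tired_runner's attempt: the deny names the inside host, which the ACL never sees.
ACL_INSIDE_HOST = [Ace("deny", "tcp", f"host {WORK_IP}", f"host {APACHE_INSIDE}", 80), PERMIT_ALL]
# Naming the public (pre-NAT) destination instead makes the deny match.
ACL_WAN_HOST = [Ace("deny", "tcp", f"host {WORK_IP}", f"host {WAN_IP}", 80), PERMIT_ALL]
# The line that did work in the thread: 'deny tcp host <work> any eq www'.
ACL_ANY_DST = [Ace("deny", "tcp", f"host {WORK_IP}", "any", 80), PERMIT_ALL]


def demo() -> Dict[str, str]:
    """HTTP from the work address to the router's WAN address, through each ACL."""
    web = Packet("tcp", WORK_IP, WAN_IP, 80)
    return {name: process_outside_to_inside(web, acl)[0]
            for name, acl in [("inside_host", ACL_INSIDE_HOST),
                              ("wan_host", ACL_WAN_HOST),
                              ("any_dst", ACL_ANY_DST)]}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} -> {verdict}")
```

Running it shows `inside_host -> forwarded` (the deny never matches, and the packet is then translated to 10.17.12.2) while `wan_host` and `any_dst` are both dropped. One caveat if this is turned into the whitelist tired_runner describes: an inbound ACL on the WAN interface that ends in a deny is stateless, so it also drops return traffic for sessions the inside hosts opened themselves unless something stateful (CBAC or ZBFW, as discussed earlier in the thread) or an `established`/reflexive entry lets that traffic back in.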