07-14-2008 01:18 AM - edited 02-21-2020 02:55 AM
My configuration:
internet - linux router - (acl 104, in)cisco router(acl 102 in)
-acl 102 is for originating traffic for 172.31.0.0/24 and acl 104 is for returning traffic.
router has:
- 172.31.5.0/24 (linux - internet)
- 172.31.2.0/24 (cisco - linux - internet)
- 172.31.0.0/24 (cisco - linux - internet)
I know that msn works with 1863 tcp port, but to be sure I permitted all IP traffic.
For 172.31.0.0/24, I have a VPN IPSEC, esp with nat overload built. acl 106 is (access-list 106 permit ip 172.31.0.0 0.0.0.255 VPN-peer)
For 172.31.0.0/24, I have also acl 102 (access-list 102 permit ip any any) and for returning traffic acl 104 (access-list 104 permit ip any any)
The linux router is just forwarding everything that comes from cisco, both directions.
tcpdump -i eth0 | grep 1863:
11:45:51.363235 IP 80.86.103.114.1319 > 65.54.239.140.1863: S 1454326243:1454326243(0) win 65535 <mss 1460,nop,nop,sackOK>
11:45:51.549590 IP 65.54.239.140.1863 > 80.86.103.114.1319: S 1352546280:1352546280(0) ack 1454326244 win 16384 <mss 1460,nop,nop,sackOK>
11:45:51.550343 IP 80.86.103.114.1319 > 65.54.239.140.1863: . ack 1 win 65535
11:45:51.551922 IP 80.86.103.114.1319 > 65.54.239.140.1863: P 1:28(27) ack 1 win 65535
11:45:51.737816 IP 65.54.239.140.1863 > 80.86.103.114.1319: P 1:28(27) ack 28 win 65508
11:45:51.739330 IP 80.86.103.114.1319 > 65.54.239.140.1863: R 1454326271:1454326271(0) win 65508
The VPN is working fine. Only this msn traffic is not working. The subnet 172.31.5.0 which is going directly through linux server (not through cisco router) is working fine with msn.
Msn is not working only for the 172.31.0.0 which is going through cisco, then through linux.
I hope you understand the topology.
What does the R (reset) in the last line of the tcpdump output mean?
I don't know where to look anymore.
thanks
07-14-2008 02:52 AM
I did a search on Internet and I found this information:
Cisco IOS Firewall Instant Messenger Support Restriction
Cisco IOS firewall supports only the following versions of each Instant Messenger (IM) application:
"Yahoo Messenger supported versions: 6.0.0.1922, 6.0.0.1750, 6.0.0.1671, and 6.0.0.1643
"MSN supported versions: 6.2.0205 and 7.0.0816
"AOL supported version: 5.9.3702
Note All other IM version connections will be reset.
I have MSN 7.0.0.820... I tried to install 7.0.0816 but it says that a newer version is available and if I want to continue I have to install it (the newer version). So I guess this means I can't use MSN with the cisco router (I forgot: I have cisco 1812, IOS Version 12.3(8r)YH8)
Can anybody confirm this information?
I thought my problem came from the ACL/VPN configuration, but it seems it is an application version problem!
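Added example (not from either post above): a small Python script that replays the six tcpdump lines from the first post and reports at which stage the TCP flow died. It shows the point the second post arrived at: the handshake completed, both ends exchanged one payload (27 bytes each), and only then did a reset appear from the client side, which is what an inline inspection engine that tears down an unsupported application session looks like from the outside, as opposed to an ACL, which would block the SYN. The sample capture is constructed from the post's own lines; the "consistent with" interpretation in `classify` is the reading suggested by the Cisco note quoted above, not a proof.

```python
import re

# Constructed sample input: the six tcpdump lines quoted in the first post,
# copied verbatim (old-style tcpdump output with single-letter TCP flags).
SAMPLE = """\
11:45:51.363235 IP 80.86.103.114.1319 > 65.54.239.140.1863: S 1454326243:1454326243(0) win 65535 <mss 1460,nop,nop,sackOK>
11:45:51.549590 IP 65.54.239.140.1863 > 80.86.103.114.1319: S 1352546280:1352546280(0) ack 1454326244 win 16384 <mss 1460,nop,nop,sackOK>
11:45:51.550343 IP 80.86.103.114.1319 > 65.54.239.140.1863: . ack 1 win 65535
11:45:51.551922 IP 80.86.103.114.1319 > 65.54.239.140.1863: P 1:28(27) ack 1 win 65535
11:45:51.737816 IP 65.54.239.140.1863 > 80.86.103.114.1319: P 1:28(27) ack 28 win 65508
11:45:51.739330 IP 80.86.103.114.1319 > 65.54.239.140.1863: R 1454326271:1454326271(0) win 65508
"""

# One old-style tcpdump TCP line: timestamp, src.port > dst.port, flags,
# optional "seq:end(len)", optional "ack N". Everything after that is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<flags>[SRPF.]+)"                    # S=SYN  .=none  P=PSH  R=RST  F=FIN
    r"(?: \d+:\d+\((?P<plen>\d+)\))?"         # payload length in parentheses
    r"(?: ack (?P<ack>\d+))?"                 # ACK number, if the ACK bit is set
)


def parse_line(line):
    """Return a dict for one tcpdump line, or None if it is not a TCP line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "src": (d["src"], int(d["sport"])),
        "dst": (d["dst"], int(d["dport"])),
        "flags": d["flags"],
        "plen": int(d["plen"] or 0),
        "ack": d["ack"] is not None,
    }


def parse_capture(text):
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]


def summarize_flow(packets):
    """Replay one TCP flow and record how far it got before a reset (if any)."""
    s = {"client": None, "server": None, "handshake_complete": False,
         "client_bytes": 0, "server_bytes": 0,
         "reset_by": None, "reset_after_server_data": False}
    synack_seen = False
    for p in packets:
        f = p["flags"]
        if s["client"] is None:
            if "S" not in f or p["ack"]:
                continue                      # skip anything before the opening SYN
            s["client"], s["server"] = p["src"], p["dst"]
            continue
        role = "client" if p["src"] == s["client"] else "server"
        if "R" in f:
            s["reset_by"] = role
            s["reset_after_server_data"] = s["server_bytes"] > 0
            break
        if "S" in f and p["ack"] and role == "server":
            synack_seen = True                # SYN/ACK from the server
        elif synack_seen and role == "client" and p["ack"]:
            s["handshake_complete"] = True    # third ACK (or first data) from client
        s[role + "_bytes"] += p["plen"]
    return s


def classify(summary):
    """Name the stage at which the flow died; the last branch is what the
    capture in the thread shows."""
    if summary["reset_by"] is None:
        return "no reset seen"
    if not summary["handshake_complete"]:
        return "reset during handshake (port closed or filtered at layer 4)"
    if summary["reset_after_server_data"]:
        return ("reset from %s side after both peers exchanged application data: "
                "the connection was accepted at layer 4 and torn down after the "
                "first payloads, consistent with an inline inspection engine "
                "(such as IOS firewall IM inspection) rather than an ACL"
                % summary["reset_by"])
    return "reset by %s before the server answered" % summary["reset_by"]


if __name__ == "__main__":
    summary = summarize_flow(parse_capture(SAMPLE))
    for k, v in summary.items():
        print(f"{k:>24}: {v}")
    print(classify(summary))
```

Run it against a `tcpdump -n` capture of the failing session (the old flag letters shown here; newer tcpdump prints `Flags [S]`, which this regex does not parse) and compare the stage reported for a working client on 172.31.5.0/24 with the one for a client behind the cisco router.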
07-14-2008 03:13 AM
LAN---C2621----Internet
LAN network is 192.168.1.0/24
Internet is 1.2.3.4
C2621 has an IP of 192.168.1.1 on the LAN side
and 1.2.3.4 on the Internet
interface F0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface F0/0
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 100 interface F0/0 overload
I have a host on a LAN side with Microsoft
MSN version 8.1 and it is working fine.
Furthermore, I am using IOS version 12.3(12)19
with CBAC.
07-14-2008 03:38 AM
And does your CBAC have an ACL with the MSN ports?
07-15-2008 03:29 AM
I have this:
ip inspect name CBAC tcp alert on audit-trail on timeout 43200
ip inspect name CBAC udp alert on audit-trail on timeout 43200
ip inspect name CBAC icmp alert on audit-trail on
ip inspect name CBAC http alert on audit-trail on
ip inspect name CBAC smtp alert on audit-trail on
interface f0/0
 ip inspect CBAC out
 ip access-group black_hole in
ip access-list extended black_hole
 deny ip any any log