Problem with Inside to DMZ Configuration and accessing external PPTP servers on 2811

Hello,

I have a Cisco 2811 running Advance Enterprise v 15.1-2.  I've just configured it using ccp for internet access (on 2 lines) and a firewall.  The configuration is pretty much all default and I used the ccp wizard to create a 'medium-secure' firewall. I have 2 blocks of public IP addresses for my internal network and for the DMZ.  The 2800 is configured as follows:

- 2 x default routes. one to each dialer.

- 6 zone pairs as follows:

  - ccp-zp-self-out (seems to mostly work... I can ping any IP address from a console but not a hostname)

  - ccp-zp-in-out (works fine, both interfaces seem to be in use)

  - ccp-zp-in-dmz

    - which by default set to ccp-permit-dmzservice

    - which inspects ccp-dmz-traffic

    - which matches group dmz_traffic and has a class map dmz-traffic

  - cnc-zp-dmz-out which is set to ccp-inspect. (my own zone pair to allow systems in the DMZ zone to see the internet.  This works fine.)

  - ccp-zp-out-dmz (works fine.  I can see my web server from any system outside my own network)

  - ccp-zp-out-self (which, I guess allows anything permitted to get to the 2811)

Internet works from within the DMZ and in-zone.  The outside can access my dmz servers.  The inside can access most things on the outside using the firewall rules.

but... I am having 2 problems that I cannot seem to figure out.

1) Although I have the zones set up to allow the same access from in->dmz as I do from out->dmz and out->dmz seems to work, I cannot seem to access anything in the dmz from the inside.

2) When setting up the firewall I ticked the box for 'allow PPTP clients to make connections from the inside' (or something like that).  I cannot seem to make a PPTP connection from my workstation.

I have scoured the internet for guides, looked through these forums & the cisco configuration guides and experimented all day but still cannot figure this out.

Do I need a special route between the inside and dmz?  I have seen references to static routes on ASA firewalls but the command 'static (inside,dmz)...' does not work on a 2800 series router.

Assistance would be appreciated.  Attached is an obfuscated config file.

Thanks

Chris

7 Replies

Julio Carvajal
VIP Alumni

Hello Christopher,

Hope you are having a great weekend!

Let's start working on this:

1) Although I have the zones set up to allow the same access from in->dmz as I do from out->dmz and out->dmz seems to work, I cannot seem to access anything in the dmz from the inside.

2) When setting up the firewall I ticked the box for 'allow PPTP clients to make connections from the inside' (or something like that).  I cannot seem to make a PPTP connection from my workstation.

1-You have the following configured

class-map type inspect match-all ccp-dmz-traffic

As you can see there is a match-all so this will never work because a packet will need to match all the protocols you have into this class as well the Access-group, so for this to work lets change it to  the following:

class-map type inspect match-any ccp-dmz-traffic

2-The inside users are making PPTP connections to which zone, where is the PPTP server?

Regards,

Please rate the post if this helps.

Julio


Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio,

Thank you for your suggestion. 

RE question 1:

class-map type inspect match-all ccp-dmz-traffic
 match access-group name dmz-traffic
 match class-map ccp-dmz-protocols

In this situation, doesn't match-all mean that the host is in the ccp-dmz-traffic access-group AND the protocol is in the dmz-traffic class-map?  I CAN access both http and ssh from the outside (on one of the machines in the DMZ).

Nevertheless, I have tried your suggestion and changed this to:

class-map type inspect match-any ccp-dmz-traffic
 match access-group name dmz-traffic
 match class-map ccp-dmz-protocols

and it does not seem to help.  My gut feel is that the packets are not even getting there.  Could this be a routing problem?  Do I need to have a routing protocol configured to allow packets to move from the inside network to the dmz network?

I have asked the router to log unsuccessful attempts to get through but there does not seem to be anything in the syslog from an internal address.

RE question 2.  Users on the inside need to connect to PPTP services on the outside.

Thanks Again for the help.

Chris

Looks like I've had a bit of a breakthrough...

While testing all the DMZ IPs, I found one that worked.  As it turned out, the machine that I was trying to test was a Linux VM which sits on both networks.  It looks like the server was trying to be clever and send the response back through the gateway that it knew about on the inside network.  My machine would have seen the response from an unidentified source and rejected it.

Once I removed the second network/gateway, it worked!

Now I just have issue 2 to deal with.  PPTP on the inside not talking to PPTP servers on the outside.

Thanks

Chris

Great to hear that the Inside---DMZ worked...

Did you leave it like this to make it work?

class-map type inspect match-all ccp-dmz-traffic, or did you use match-any?

PPTP issue:

class-map type inspect match-all PPTP
 match protocol pptp

policy-map type inspect ccp-inspect
 class type inspect PPTP
  inspect

Can you give it a try and let me know.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I did try your suggested change but it did not make a difference so I reverted back to 'match-all'.  I do believe that the match-all in this situation means that the host must be in the ccp-dmz-traffic access-group AND the protocol must be in the dmz-traffic class-map but you would likely know better.

So the short answer is, I wound up leaving it as it was.

I have just tried your suggestion for PPTP by adding:

class-map type inspect match-all PPTP
 match protocol pptp

policy-map type inspect ccp-inspect
 class type inspect PPTP
  inspect

When I try to connect to a PPTP network, my system gets stuck at 'Verifying user name and password'.  Even after I manually cancel, Windows networking seems to continue to try to connect until I reboot.  If I disable the Cisco firewall, it works... so I am sure that this one is a configuration issue.  Very strange.

Regards

Chris

Hello Chris,

Do you have any logs of the firewall drop while you attempt to make the connection?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello,

I've had a number of other matters to deal with and have not been able to come back to this for a while.

Since my last writing I have also tested a fairly default configuration on an ISR 1841 using 15.1(4)M3.  It also does not seem to be letting PPTP or IPSec through.

So the question remains... How do I configure the 2811 or 1841 to allow me to connect to external VPN servers?

Re the suggestion above: How do I set the Cisco to tell me what packets the firewall is dropping?

Thanks and Regards

Chris
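Julio's PPTP class-map wired into the inside-to-outside zone pair, together with the drop logging that Julio asked for and Chris asks how to enable, as an added example that is not from the thread. The zone names in-zone and out-zone, the class-default drop action and the global parameter-map are assumptions to check against the actual running config; only ccp-inspect, ccp-zp-in-out and the PPTP class-map come from the posts.

```ios
! Added example, not from the thread. Assumed zone names: in-zone, out-zone.
!
! Stateful inspection for the PPTP control channel (TCP/1723), as Julio suggested
class-map type inspect match-all PPTP
 match protocol pptp
!
! Inside-to-internet policy: inspect PPTP, and log whatever falls through to
! class-default so dropped packets show up in syslog with source/destination
policy-map type inspect ccp-inspect
 class type inspect PPTP
  inspect
 class class-default
  drop log
!
! Global firewall parameter map (IOS 15.x ZBF): log every packet the firewall drops
parameter-map type inspect global
 log dropped-packets enable
!
! Attach the policy to the existing inside-to-outside zone pair (zone names assumed)
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
!
! Verification while a PPTP client on the inside attempts to connect:
! per-class packet and drop counters for this zone pair
show policy-map type inspect zone-pair ccp-zp-in-out
! current inspected sessions (the PPTP control session should appear here)
show policy-map type inspect zone-pair ccp-zp-in-out sessions
! drop messages logged by the firewall
show logging | include DROP
```

Send logging to a syslog host (logging host <your-syslog-ip>) if the buffer is small, and compare the dropped packet's protocol and ports with what the PPTP class actually matches.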
