07-23-2008 11:30 AM - edited 03-09-2019 09:09 PM
IOS: c1841-advsecurityk9-mz.124-15.T4.bin
nmap reports port 1723 filtered.
ACL 101 doesn't deny port 1723. I have tried to remove ACL 101 from FastEthernet0/1, but the result was the same... With or without ACL 101 on FastEthernet0/1, nmap reports 1723 as filtered. On the LAN interface, FastEthernet0/0, 1723 is "visible" and I can connect the VPN client. I suspect that the route-map may cause this, because the same configuration worked fine without the second Cellular interface, which we use as failover.
Interesting parts of conf:
vpdn enable
!
vpdn-group vpn-dialin
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
local name PPTP-Tunel
!
interface FastEthernet0/0
description $FW_INSIDE$$ETH-LAN$
ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
rate-limit input access-group 100 16000 8000 8000 conform-action transmit exceed-action drop
speed auto
full-duplex
no mop enabled
!
interface FastEthernet0/1
description $FW_OUTSIDE$$ETH-WAN$
ip address xxx.xxx.xxx.xxx 255.255.255.248
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip ips sdm_ips_rule in
ip nat outside
ip virtual-reassembly
rate-limit input access-group 100 16000 8000 8000 conform-action transmit exceed-action drop
duplex auto
speed auto
no mop enabled
!
interface Cellular0/0/0
description WAN MTS
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer in-band
dialer string xxxxx
dialer-group 1
async mode interactive
ppp chap hostname xxx
ppp chap password 7 xxxxxxxxxx
ppp ipcp dns request
!
interface Virtual-Template1
ip unnumbered FastEthernet0/0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
peer default ip address pool vpn-pool
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2
!
ip nat inside source route-map FR interface FastEthernet0/1 overload
ip nat inside source route-map 3G interface Cellular0/0/0 overload
route-map 3G permit 10
match ip address 1 103
match interface Cellular0/0/0
!
route-map FR permit 10
match ip address 1 103
match interface FastEthernet0/1
07-23-2008 12:10 PM
show your access-lists
07-23-2008 12:46 PM
access-list 101 deny tcp any any eq 15000
access-list 101 deny tcp any any eq 8989
access-list 101 deny tcp any any eq 88
access-list 101 deny tcp any any eq www
access-list 101 deny tcp any any eq 16000
access-list 101 deny tcp any any eq 22
access-list 101 deny tcp any any eq 2222
access-list 101 remark Permit all
access-list 101 permit ip any any
The upper part of the ACL is huge, and defines the IPs permitted to the listed ports that are denied.
07-23-2008 12:52 PM
show access-l 1 and 103
07-23-2008 12:56 PM
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.11.0 0.0.0.255
access-list 1 permit any
access-list 103 permit ip 192.168.10.0 0.0.0.255 any
access-list 103 permit ip 192.168.11.0 0.0.0.255 any
access-list 103 permit ip host 192.168.9.4 any
access-list 103 permit ip host 192.168.9.5 any
07-23-2008 12:58 PM
What is the IP address of the LAN interface?
interface FastEthernet0/0
description $FW_INSIDE$$ETH-LAN$
ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
07-23-2008 12:59 PM
192.168.10.250
07-23-2008 01:03 PM
try the following
route-map 3G permit 10
match ip address 103
match interface Cellular0/0/0
!
route-map FR permit 10
match ip address 103
match interface FastEthernet0/1
access-list 103 deny ip 192.168.10.250 any
access-list 103 permit ip 192.168.10.0 0.0.0.255 any
access-list 103 permit ip 192.168.11.0 0.0.0.255 any
access-list 103 permit ip host 192.168.9.4 any
access-list 103 permit ip host 192.168.9.5 any
end
clear ip nat tr *
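As I read the accepted answer (this is an added example, not code from the thread): a single `match ip address 1 103` line is satisfied when either list permits the packet, and access-list 1 ends in `permit any`, so the original route-maps selected every source, including the router's own LAN address 192.168.10.250, for translation out of the WAN interfaces. The corrected route-maps use only access-list 103, which now denies that host before permitting 192.168.10.0/24. The Python below models that evaluation for the ACLs shown in the thread. It assumes the `deny ip 192.168.10.250 any` entry is meant as a host entry, looks only at the source address, and leaves out the `match interface` clause, which is ANDed with the address match and is the same in both versions.

```python
import ipaddress

# Added example (not from the thread): a small model of how IOS evaluates
# "match ip address <acl> [<acl> ...]" in a route-map used for NAT, applied to
# the ACLs the thread shows. Only the source address is modelled; the
# "match interface" clause is ANDed with the address match in IOS and is the
# same in both versions of the route-maps, so it is left out here.

ANY = ("0.0.0.0", "255.255.255.255")  # 'any' = address 0.0.0.0, all-ones wildcard


def host(addr):
    """'host X' is address X with wildcard 0.0.0.0 (every bit must match)."""
    return (addr, "0.0.0.0")


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard test: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(acl, src):
    """Entries are tested top-down and the first match wins; an unmatched
    packet hits the implicit 'deny any' at the end of every IOS access list."""
    for action, (base, wildcard) in acl:
        if wildcard_match(src, base, wildcard):
            return action == "permit"
    return False


def route_map_matches(acls, src):
    """Several lists on one 'match ip address' line are ORed: the entry
    matches if ANY of the lists permits the packet."""
    return any(acl_permits(acl, src) for acl in acls)


# access-list 1 as posted: the trailing 'permit any' makes it match everything.
ACL_1 = [
    ("permit", ("192.168.10.0", "0.0.0.255")),
    ("permit", ("192.168.11.0", "0.0.0.255")),
    ("permit", ANY),
]

# access-list 103 as originally posted (source side of the 'ip ... any' entries).
ACL_103_ORIGINAL = [
    ("permit", ("192.168.10.0", "0.0.0.255")),
    ("permit", ("192.168.11.0", "0.0.0.255")),
    ("permit", host("192.168.9.4")),
    ("permit", host("192.168.9.5")),
]

# access-list 103 from the accepted answer: the router's LAN address is denied
# first, so it never reaches the permit for 192.168.10.0/24 below it.
# (Assumption: the bare address in 'deny ip 192.168.10.250 any' is a host entry.)
ACL_103_FIXED = [("deny", host("192.168.10.250"))] + ACL_103_ORIGINAL

ROUTE_MAP_ORIGINAL = [ACL_1, ACL_103_ORIGINAL]   # match ip address 1 103
ROUTE_MAP_FIXED = [ACL_103_FIXED]                # match ip address 103

ROUTER_LAN_ADDRESS = "192.168.10.250"            # FastEthernet0/0, per the thread


def nat_decisions(sources):
    """Return {source: (selected_by_original, selected_by_fixed)}."""
    return {
        s: (route_map_matches(ROUTE_MAP_ORIGINAL, s),
            route_map_matches(ROUTE_MAP_FIXED, s))
        for s in sources
    }


if __name__ == "__main__":
    # Constructed sample sources: the router itself, a LAN host, a permitted
    # host in 192.168.9.0, a non-permitted host there, and an unrelated address.
    samples = [ROUTER_LAN_ADDRESS, "192.168.10.20", "192.168.9.4",
               "192.168.9.6", "10.1.1.1"]
    for src, (orig, fixed) in nat_decisions(samples).items():
        print(f"{src:16} original={orig!s:5} fixed={fixed!s:5}")
```

Running it prints one line per sample source; the router's own address is selected by the original route-maps and not by the fixed ones, while LAN hosts and the two 192.168.9.x hosts are selected by both. The same evaluation applies to the 3G and FR route-maps, since they differ only in the interface clause.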
07-24-2008 02:10 AM
Hi, Aleksandar
Have you tried?
07-25-2008 02:42 AM
Yes, right now, and it works!!!
Can you give some insight, for mortals?
Anyway, thanks a lot...