ERROR- Open port 1149 tcp for openvpn-nat

wyliansouzaup
Level 1

I have to open port 1149 to be able to access OpenVPN, but I am not having success with the NAT configuration I made.
With the TCP port checker it is giving a timeout, while the output of show ip nat translations shows that it is translating.
Attached are the photos and the configuration of the router.

The IP of the OpenVPN server is 10.10.10.1 and the IP of the WAN is 200.216.228.48.

If anyone can help me, thank you.

----------------------------------------------------

interface FastEthernet0/0
ip address 192.168.5.254 255.255.255.0 secondary
ip address 200.149.100.81 255.255.255.248
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
speed 100
full-duplex
!
interface FastEthernet0/1.1200
encapsulation dot1Q 1200
ip address 200.216.228.49 255.255.255.252
ip nat outside
ip virtual-reassembly in
crypto map clientmap
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface Serial0/1/0
no ip address
ip nat outside
ip virtual-reassembly in
encapsulation ppp
shutdown
crypto map clientmap
!
ip local pool ippool 10.1.1.10 10.1.1.200
ip local pool OpenVPN 10.10.10.1 10.10.10.254
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip nat pool internet 200.149.100.81 200.149.80.22 netmask 255.255.255.248
ip nat inside source list 110 pool internet overload
ip nat inside source static tcp 10.10.10.1 1194 interface FastEthernet0/1.1200 1194
ip nat outside source static 200.149.100.81 192.168.5.1
ip route 0.0.0.0 0.0.0.0 200.216.228.50
!
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit tcp 10.10.10.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 1194
access-list 101 permit ip 192.168.5.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit tcp any any
access-list 110 deny ip 192.168.5.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 permit ip 192.168.5.0 0.0.0.255 any

---------------------------------------------------------------------------------------------------

18 Replies

Hello,

As far as I recall, OpenVPN uses either UDP port 1194 or TCP port 443. Try and change the NAT statement and the access list:

ip nat pool internet 200.149.100.81 200.149.80.22 netmask 255.255.255.248
ip nat inside source list 110 pool internet overload
ip nat inside source static udp 10.10.10.1 1194 interface FastEthernet0/1.1200 1194
ip nat outside source static 200.149.100.81 192.168.5.1
ip route 0.0.0.0 0.0.0.0 200.216.228.50
!
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit udp 10.10.10.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 1194
access-list 101 permit ip 192.168.5.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit tcp any any
access-list 110 deny ip 192.168.5.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 permit ip 192.168.5.0 0.0.0.255 any

Thanks for the answer.
I made the changes, but it is still not working.

The scan result

Host is up.
PORT STATE SERVICE
1194/tcp filtered openvpn
1194/udp open|filtered openvpn

Hello,

What if you NAT/allow both the TCP and the UDP ports?

ip nat pool internet 200.149.100.81 200.149.80.22 netmask 255.255.255.248
ip nat inside source list 110 pool internet overload
ip nat inside source static udp 10.10.10.1 1194 interface FastEthernet0/1.1200 1194

ip nat inside source static tcp 10.10.10.1 1194 interface FastEthernet0/1.1200 1194
ip nat outside source static 200.149.100.81 192.168.5.1
ip route 0.0.0.0 0.0.0.0 200.216.228.50
!
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit udp 10.10.10.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 1194

access-list 101 permit tcp 10.10.10.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 1194
access-list 101 permit ip 192.168.5.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit tcp any any
access-list 110 deny ip 192.168.5.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 permit ip 192.168.5.0 0.0.0.255 any

I did just that before.

Hello,

It used to be that Cisco IOS did not support OpenVPN at all, and that you had to use a proprietary client such as AnyConnect; not sure if that is still the case...

Let me explain the scenario; maybe it will help us.
This router already has a VPN on it. This VPN works normally; it is accessed with the Cisco VPN Client and AnyConnect.
The OpenVPN server is totally separate. I just need to allow the port through to the server 10.10.10.1.

Does the configuration of fa0/1.1200 seem right to you? "ip nat outside"

Hello,

Sorry, my bad, I thought you wanted to use the IOS router as the VPN server.

Either way, what access list is matching your crypto map 'crypto map clientmap'?

Post the full running config if possible...

redundancy
!
!
crypto isakmp client configuration group nation
key xxxxx
dns 200.255.255.70
domain nxx.com
pool ippool
acl 101
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.5.254 255.255.255.0 secondary
ip address 200.149.156.17 255.255.255.248
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface FastEthernet0/0
ip address 192.168.5.254 255.255.255.0 secondary
ip address 200.149.100.81 255.255.255.248
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
speed 100
full-duplex
!
interface FastEthernet0/1.1200
encapsulation dot1Q 1200
ip address 200.216.228.49 255.255.255.252
ip nat outside
ip virtual-reassembly in
crypto map clientmap
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface Serial0/1/0
no ip address
ip nat outside
ip virtual-reassembly in
encapsulation ppp
shutdown
crypto map clientmap
!
ip local pool ippool 10.1.1.10 10.1.1.200
ip local pool OpenVPN 10.10.10.1 10.10.10.254
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
!
ip nat pool internet 200.149.100.81 200.149.80.22 netmask 255.255.255.248
ip nat inside source list 110 pool internet overload
ip nat inside source static tcp 10.10.10.1 1194 interface FastEthernet0/1.1200 1194
ip nat inside source static udp 10.10.10.1 1194 interface FastEthernet0/1.1200 1194
ip nat outside source static 200.149.100.81 192.168.5.1
ip route 0.0.0.0 0.0.0.0 200.216.228.50
!
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit tcp 10.10.10.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 1194
access-list 101 permit ip 192.168.5.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit tcp any any
access-list 101 permit udp 10.10.10.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 1194
access-list 110 deny ip 192.168.5.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 permit ip 192.168.5.0 0.0.0.255 any
!
!
!
!
control-plane
!

end

"crypto map clientmap" is the VPN group configured on the router.

Hello,

Where is the OpenVPN server with IP address 10.10.10.1? Sorry for the confusion, I cannot figure out what the local pool OpenVPN is for if you don't use the router as the VPN server for the OpenVPN clients...

Maybe you can draw this out and post a schematic drawing, so we know what is where...

The server 10.10.10.1 is behind the interface fa0/0.
It is on the same computer as 192.168.5.245.

Yes, it also has a public ip

Hello,

ip nat pool internet 200.149.100.81 200.149.80.22 netmask 255.255.255.248
ip nat inside source list 110 pool internet overload

You are using a NAT pool that consists of addresses that are part of the subnet assigned to the inside. Do you have Internet access at all?

OpenVPN is installed on a Windows Server 2008 machine.
The interface fa0/0 (192.168.5.254) connects to the Windows Server 2008 host at 192.168.5.245.

IP 10.10.10.1 is automatically generated by the OpenVPN server and assigned to a Windows Server interface.

When I try to ping from inside the Windows server using the interface configured with IP 192.168.5.245 as the source, everything works normally; I have normal access.
When I ping with source IP 10.10.10.1, it gives a "general failure" error in PING. I added a static route pointing to 10.10.10.1 for IP 192.168.5.245, and on the router I created a static route pointing to the network 10.10.10.0/24 for IP 192.168.5.254, but the ping error stays the same ("general transmission failure"), and from the router I also cannot reach IP 10.10.10.1.

What do you think?
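As an added illustration (not part of the thread, and not the OP's or the helper's code): a small Python lint that parses a constructed excerpt of the posted config and flags the two problems discussed above, a NAT pool whose addresses fall inside the 'ip nat inside' subnet (and whose range runs backwards), and a static port forward whose inside local address 10.10.10.1 is on no connected subnet and is matched only by the default route. The "fixed" config is an assumption for illustration only: it swaps the pool for PAT on the outside interface and adds a route to 10.10.10.0/24 via 192.168.5.245, the Windows host that the OP says holds 10.10.10.1.

```python
import ipaddress
import re

# Constructed excerpt of the router config posted in the thread (indentation
# restored as IOS prints it); it is not the full running config.
THREAD_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.5.254 255.255.255.0 secondary
 ip address 200.149.100.81 255.255.255.248
 ip nat inside
!
interface FastEthernet0/1.1200
 encapsulation dot1Q 1200
 ip address 200.216.228.49 255.255.255.252
 ip nat outside
!
ip nat pool internet 200.149.100.81 200.149.80.22 netmask 255.255.255.248
ip nat inside source list 110 pool internet overload
ip nat inside source static tcp 10.10.10.1 1194 interface FastEthernet0/1.1200 1194
ip nat inside source static udp 10.10.10.1 1194 interface FastEthernet0/1.1200 1194
ip route 0.0.0.0 0.0.0.0 200.216.228.50
"""

# Hypothetical corrected version (an assumption, not from the thread): PAT on the
# outside interface instead of the pool, plus a route so the router can reach
# 10.10.10.1 via the Windows host 192.168.5.245.
FIXED_CONFIG = THREAD_CONFIG.replace(
    "ip nat pool internet 200.149.100.81 200.149.80.22 netmask 255.255.255.248\n"
    "ip nat inside source list 110 pool internet overload\n",
    "ip nat inside source list 110 interface FastEthernet0/1.1200 overload\n",
) + "ip route 10.10.10.0 255.255.255.0 192.168.5.245\n"


def parse_config(text):
    """Extract interfaces, NAT pools, static port forwards and static routes."""
    cfg = {"interfaces": {}, "pools": {}, "statics": [], "routes": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith(" ") and current is not None:  # interface sub-command
            m = re.match(r"ip address (\S+) (\S+)", line)
            if m:
                current["nets"].append(ipaddress.ip_interface(f"{m[1]}/{m[2]}").network)
            m = re.match(r"ip nat (inside|outside)$", line)
            if m:
                current["nat"] = m[1]
            continue
        current = None  # any other top-level command ends the interface block
        if m := re.match(r"interface (\S+)", line):
            current = cfg["interfaces"].setdefault(m[1], {"nets": [], "nat": None})
        elif m := re.match(r"ip nat pool (\S+) (\S+) (\S+) netmask (\S+)", line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]), m[4])
        elif m := re.match(r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)", line):
            cfg["statics"].append({"proto": m[1], "local": ipaddress.ip_address(m[2]),
                                   "port": int(m[3]), "iface": m[4]})
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
            cfg["routes"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
    return cfg


def check_nat(cfg):
    """Return human-readable findings; an empty list means nothing obvious is wrong."""
    findings = []
    connected = [n for i in cfg["interfaces"].values() for n in i["nets"]]
    inside = [n for i in cfg["interfaces"].values() if i["nat"] == "inside" for n in i["nets"]]

    for name, (start, end, mask) in cfg["pools"].items():
        if start > end:
            findings.append(f"pool {name}: start {start} is above end {end} (inverted range)")
        pool_net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
        if end not in pool_net:
            findings.append(f"pool {name}: {start} and {end} are not in one {mask} subnet")
        for addr in (start, end):
            for net in inside:
                if addr in net:  # pool address collides with an inside subnet
                    findings.append(f"pool {name}: {addr} overlaps inside subnet {net}")

    for s in cfg["statics"]:
        target = f"static {s['proto']}/{s['port']} -> {s['local']}"
        iface = cfg["interfaces"].get(s["iface"])
        if iface is None or iface["nat"] != "outside":
            findings.append(f"{target}: {s['iface']} is not an 'ip nat outside' interface")
        if any(s["local"] in net for net in connected):
            continue  # directly connected, the router can deliver to it
        if not any(s["local"] in r and r.prefixlen > 0 for r in cfg["routes"]):
            findings.append(f"{target}: inside local is on no connected subnet and only "
                            "the default route (toward the outside) matches it")
    return findings


if __name__ == "__main__":
    for label, text in (("posted config", THREAD_CONFIG), ("fixed config", FIXED_CONFIG)):
        print(f"== {label}")
        for f in check_nat(parse_config(text)) or ["no findings"]:
            print(" -", f)
```

Run as-is it reports five findings for the posted excerpt (inverted pool range, pool endpoints not in one /29, pool address inside the Fa0/0 subnet, and both static forwards pointing at an address the router can only reach via the default route) and none for the assumed fix. The checks are deliberately structural: they read the config the way the helper did, without touching the network.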
