cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
793
Views
0
Helpful
8
Replies

VPN with public addresses

hoffenheim
Level 1
Level 1

From my router conf:

crypto map CRYPTO 20 ipsec-isakmp

set peer 194.48.130.35

set transform-set TELCOM

set pfs group2

match address 102

access list consist of only one command:

access-list 102 permit ip host 62.100.68.171 194.48.129.192 0.0.0.63

Now what is a bit unusual is that this access list contains only public addresses instead of private addresses. 62.100.68.171 is the server public address located in my network. 194.48.129.192 0.0.0.63 is on my client side.

I could not find any info which is similar to my access list with public addresses on the internet. My client - telecom provider does not have any communication with me.

The problem is that I need to limit access to my server, and my intention is to allow only VPN access from my client site to my server, which is to be moved behind router-firewall).

So I have to nat my server public address:

ip nat inside source static 192.168.100.24 62.100.68.171

Therefore I have problem how to design acl list to do that:

Relating to NAT order I might have to put the following instructions in my outbound acl on the inside interface of the router:

access-list 123 permit ip host 194.48.130.35 host 192.168.100.24

access-list 123 deny ip any host 192.168.100.24

I have done that but it have caused VPN communication to stop. I do not know what I have done wrong?

8 Replies 8

Hi, can you share network disgram for your setup.

And in the new setup did u configure it in tunnel mode or transport mode?

Ok,

I have to make VPN connection several months ago and I have established VPN connection with them. That works fine, but the relating security issue is not OK.

http://www.vpnc.org/InteropProfiles/cisco-ios.txt

However, I have access list which contains only public addresses, which is not the same case as you can read from the paper above, which I tried to follow.

They did not want to know about the private adddress of my server. They asked for the public address of my server, as they stipulated that was the way they work.

Even their network subnet is of public addresses.

I have realised that I have to put server behind my central router, which includes nat operation together with ACL to add in order to limit access to the server.

Their gateway is firewall netscreen.

Here is an excerpt from my conf file of Cisco 2801 router-firewall.

....

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

!

crypto isakmp policy 20

encr 3des

authentication pre-share

group 2

crypto iskamp clip

crypto isakmp clip

crypto isakmp clip

!

!

crypto ipsec transform-set MOBTEL esp-3des esp-md5-hmac

crypto ipsec transform-set TELCOM esp-3des esp-sha-hmac

!

crypto map CRYPTO 10 ipsec-isakmp

set peer clip

set transform-set MOBTEL

match address 151

crypto map CRYPTO 20 ipsec-isakmp

set peer clip

set transform-set TELCOM

set pfs group2

match address 102

crypto map CRYPTO 30 ipsec-isakmp

set peer clip

set transform-set TELCOM

match address 133

....

On the second thought your question is good. The client gateway is Natscreen firewall.

But “transport mode is used when both peers are hosts. It may also be used when one peer is host and the other is gateway if that gateway is acting as a host. Transport mode has an advantage of adding only a few bytes to the header of each packet. “

There is no:

Mode transport

After

crypto ipsec transform-set MOBTEL esp-3des esp-md5-hmac

In fact it is configured as tunnel mode, but I have doubt whether something is missing or not. I see that my router has an established tunnel with their firewall, and from there communication is decrypted. Then as decrypted communication it reaches over my server, which is not behind firewall (I have to route to make it going).

Jon Marshall
Hall of Fame
Hall of Fame

Do you have an acl on your outside interface ie. the interface that the VPN terminates on ?

If so add this to your acl

access-list permit ip host 194.48.130.35 host 62.100.68.171

access-list deny ip any host 62.100.68.171

Note i have used host 194.48.130.35 because that is what you used in your acl but there is some confusion in your acls ie.

194.48.129.192 0.0.0.63 = 194.48.129.192 - 255 which does not cover 194.48.130.35 ??

Jon

No, I do not have.

Regarding the hosts, it is correct that address of gateway is not in the same subnets as the hosts which are allowed to be accessed by my server 62.100.68.171. It seems logical to me?

"It seems logical to me?"

Not to me :-)

Where i am confused is this. Your VPN crypto map access-list says -

access-list 102 permit ip host 62.100.68.171 194.48.129.192 0.0.0.63

and the VPN peer is -

194.48.130.35

Now your inside acl says -

access-list 123 permit ip host 194.48.130.35 host 192.168.100.24

access-list 123 deny ip any host 192.168.100.24

So either

1) your inside acl should say -

access-list 123 permit ip 194.48.129.192 0.0.0.63 host 192.168.100.24

because the source addresses of the incoming packets are from 194.48.129.192 -> 194.48.129.254

OR

2) the source addresses are being Natted at the other end and hidden behind the peer IP address of 194.48.130.35 in which case your acl 123 is correct but your crypto map acl should read -

access-list 102 permit ip host 62.100.68.171 host 194.48.130.35

Now as the VPN was already working i'm assuming the problem is 1) rather than 2).

Does this make sense ?

Jon

I believe, it is 1. It makes sense. Thus, I have to try it next week. It seems not to be 2, because the access-list 102 are being given by them. The company is west european telecom provider operating in eastern europe, and I believe that is not mistake.

Review Cisco Networking for a $25 gift card