03-26-2009 03:11 AM - edited 03-04-2019 04:06 AM
From my router conf:
crypto map CRYPTO 20 ipsec-isakmp
set peer 194.48.130.35
set transform-set TELCOM
set pfs group2
match address 102
The access list consists of only one command:
access-list 102 permit ip host 62.100.68.171 194.48.129.192 0.0.0.63
Now what is a bit unusual is that this access list contains only public addresses instead of private addresses. 62.100.68.171 is the server public address located in my network. 194.48.129.192 0.0.0.63 is on my client side.
I could not find any info on the internet about an access list similar to mine, with public addresses. My client (a telecom provider) does not have any communication with me about this.
The problem is that I need to limit access to my server, and my intention is to allow only VPN access from my client's site to my server, which is to be moved behind the router-firewall.
So I have to NAT my server's public address:
ip nat inside source static 192.168.100.24 62.100.68.171
Therefore I have a problem with how to design the ACL to do that.
Given the NAT order of operations, I might have to put the following instructions in my outbound ACL on the inside interface of the router:
access-list 123 permit ip host 194.48.130.35 host 192.168.100.24
access-list 123 deny ip any host 192.168.100.24
I have done that, but it caused the VPN communication to stop. I do not know what I have done wrong.
03-26-2009 03:32 AM
Hi, can you share a network diagram for your setup?
And in the new setup, did you configure it in tunnel mode or transport mode?
03-26-2009 04:27 AM
Ok,
I had to set up a VPN connection several months ago, and I have established the VPN connection with them. That works fine, but the related security issue is not OK.
http://www.vpnc.org/InteropProfiles/cisco-ios.txt
However, I have an access list which contains only public addresses, which is not the same case as you can read in the paper above, which I tried to follow.
They did not want to know the private address of my server. They asked for the public address of my server, as they stipulated that was the way they work.
Even their network subnet consists of public addresses.
I have realised that I have to put the server behind my central router, which includes a NAT operation together with an ACL to limit access to the server.
Their gateway is a Netscreen firewall.
03-26-2009 04:34 AM
Here is an excerpt from the conf file of my Cisco 2801 router-firewall.
....
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp clip
crypto isakmp clip
crypto isakmp clip
!
!
crypto ipsec transform-set MOBTEL esp-3des esp-md5-hmac
crypto ipsec transform-set TELCOM esp-3des esp-sha-hmac
!
crypto map CRYPTO 10 ipsec-isakmp
set peer clip
set transform-set MOBTEL
match address 151
crypto map CRYPTO 20 ipsec-isakmp
set peer clip
set transform-set TELCOM
set pfs group2
match address 102
crypto map CRYPTO 30 ipsec-isakmp
set peer clip
set transform-set TELCOM
match address 133
....
03-26-2009 05:40 AM
On second thought, your question is good. The client gateway is a Netscreen firewall.
But "transport mode is used when both peers are hosts. It may also be used when one peer is a host and the other is a gateway if that gateway is acting as a host. Transport mode has the advantage of adding only a few bytes to the header of each packet."
There is no
mode transport
after
crypto ipsec transform-set MOBTEL esp-3des esp-md5-hmac
In fact it is configured in tunnel mode, but I have doubts whether something is missing or not. I see that my router has an established tunnel with their firewall, and from there the communication is decrypted. Then, as decrypted communication, it reaches my server, which is not behind the firewall (I have to route it to make it work).
03-26-2009 05:50 AM
Do you have an ACL on your outside interface, i.e. the interface that the VPN terminates on?
If so add this to your acl
access-list
access-list
Note I have used host 194.48.130.35 because that is what you used in your ACL, but there is some confusion in your ACLs, i.e.
194.48.129.192 0.0.0.63 = 194.48.129.192 - 255, which does not cover 194.48.130.35 ??
Jon
03-26-2009 06:19 AM
No, I do not.
Regarding the hosts, it is correct that the address of the gateway is not in the same subnet as the hosts which are allowed to be accessed by my server 62.100.68.171. It seems logical to me?
03-26-2009 06:38 AM
"It seems logical to me?"
Not to me :-)
Where I am confused is this. Your VPN crypto map access-list says -
access-list 102 permit ip host 62.100.68.171 194.48.129.192 0.0.0.63
and the VPN peer is -
194.48.130.35
Now your inside ACL says -
access-list 123 permit ip host 194.48.130.35 host 192.168.100.24
access-list 123 deny ip any host 192.168.100.24
So either
1) your inside ACL should say -
access-list 123 permit ip 194.48.129.192 0.0.0.63 host 192.168.100.24
because the source addresses of the incoming packets are from 194.48.129.192 -> 194.48.129.254
OR
2) the source addresses are being NATted at the other end and hidden behind the peer IP address of 194.48.130.35, in which case your ACL 123 is correct but your crypto map ACL should read -
access-list 102 permit ip host 62.100.68.171 host 194.48.130.35
Now, as the VPN was already working, I'm assuming the problem is 1) rather than 2).
Does this make sense ?
Jon
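The mismatch Jon describes (the original post's ACL 123 permits the peer gateway address, while the decrypted packets carry the 194.48.129.192/26 host addresses) can be reproduced with a small model of the IOS order of operations: inbound, the packet is decrypted, then outside-to-inside NAT rewrites the destination to the inside local address, then the inside interface's outbound ACL is evaluated; outbound, inside-to-outside NAT runs before the crypto map match. The following is an added example, not code from the thread or from Cisco; the sample host addresses 194.48.129.200 and 203.0.113.5 are constructed, and the ACL entries are the ones quoted in the posts above.

```python
"""Model of IOS wildcard-mask ACLs, static NAT and crypto-map matching for the thread's setup.

Added example (not from the original thread). Order of operations follows the
documented IOS sequence: inbound = decrypt -> NAT outside-to-inside -> inside
interface outbound ACL; outbound = NAT inside-to-outside -> crypto map match.
"""
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")  # 'any' in IOS ACL syntax


def host(addr):
    """'host X' in IOS ACL syntax is X with wildcard 0.0.0.0."""
    return (addr, "0.0.0.0")


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', so compare only the 0 bits."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def wildcard_range(base, wildcard):
    """First and last address covered by base/wildcard (Jon's 194.48.129.192 - 255 check)."""
    b, w = int(IPv4Address(base)), int(IPv4Address(wildcard))
    return str(IPv4Address(b & ~w & 0xFFFFFFFF)), str(IPv4Address(b | w))


def acl_action(acl, src, dst):
    """First-match evaluation with the implicit deny at the end."""
    for action, (sb, sw), (db, dw) in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def mirror(acl):
    """Crypto ACL seen from the decrypting side: source and destination swap."""
    return [(action, dst, src) for action, src, dst in acl]


# access-list 102 permit ip host 62.100.68.171 194.48.129.192 0.0.0.63
ACL_102 = [("permit", host("62.100.68.171"), ("194.48.129.192", "0.0.0.63"))]

# The inside-interface ACL from the first post (peer gateway as source).
ACL_123_ORIGINAL = [
    ("permit", host("194.48.130.35"), host("192.168.100.24")),
    ("deny", ANY, host("192.168.100.24")),
]
# Jon's option 1: the remote hosts, not the remote gateway, are the sources.
ACL_123_FIXED = [
    ("permit", ("194.48.129.192", "0.0.0.63"), host("192.168.100.24")),
    ("deny", ANY, host("192.168.100.24")),
]

# ip nat inside source static 192.168.100.24 62.100.68.171 (inside local -> inside global)
STATIC_NAT = {"192.168.100.24": "62.100.68.171"}
STATIC_NAT_REVERSE = {g: l for l, g in STATIC_NAT.items()}


def inbound_from_tunnel(inner_src, inner_dst, inside_acl):
    """Decrypted inner packet: check it against the SA's selectors (mirrored crypto
    ACL), translate the destination with outside-to-inside NAT, then apply the
    outbound ACL of the inside interface. Returns (verdict, address the server sees)."""
    if acl_action(mirror(ACL_102), inner_src, inner_dst) != "permit":
        return "dropped: not within crypto ACL selectors", inner_dst
    local_dst = STATIC_NAT_REVERSE.get(inner_dst, inner_dst)
    return acl_action(inside_acl, inner_src, local_dst), local_dst


def inbound_cleartext(src, dst, inside_acl):
    """Unencrypted packet from the internet to the server's public address."""
    local_dst = STATIC_NAT_REVERSE.get(dst, dst)
    return acl_action(inside_acl, src, local_dst)


def outbound_return(local_src, dst):
    """Reply from the server: inside-to-outside NAT first, then the crypto map
    decides whether the packet belongs in the TELCOM tunnel."""
    global_src = STATIC_NAT.get(local_src, local_src)
    return acl_action(ACL_102, global_src, dst) == "permit"


if __name__ == "__main__":
    print("remote hosts:", wildcard_range("194.48.129.192", "0.0.0.63"))
    print("peer gateway inside that range?",
          wildcard_match("194.48.130.35", "194.48.129.192", "0.0.0.63"))
    print("original ACL 123:", inbound_from_tunnel("194.48.129.200", "62.100.68.171", ACL_123_ORIGINAL))
    print("fixed ACL 123:   ", inbound_from_tunnel("194.48.129.200", "62.100.68.171", ACL_123_FIXED))
    print("internet host, fixed ACL:", inbound_cleartext("203.0.113.5", "62.100.68.171", ACL_123_FIXED))
    print("server reply goes into tunnel?", outbound_return("192.168.100.24", "194.48.129.200"))
```

Running it shows why the first post's ACL 123 killed the tunnel: the decrypted packets have a 194.48.129.x source, the permit line for 194.48.130.35 never matches, and the next line denies everything to 192.168.100.24. The corrected ACL permits only those tunnel hosts, the cleartext internet host is still denied, and the reply is NATted back to 62.100.68.171 before the crypto map sees it, so it still matches ACL 102 and is encrypted.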
03-26-2009 07:36 AM
I believe it is 1. It makes sense. Thus, I have to try it next week. It seems not to be 2, because access-list 102 was given to me by them. The company is a west European telecom provider operating in eastern Europe, and I believe that is not a mistake.