Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
7698
Views
0
Helpful
4
Comments

Cisco 877 ADSL - Access List/IOS Firewall Entries necessary for VPN(Software Client to Router)??

SoftechSupport
Community Member

‎10-27-2009 03:04 AM - edited ‎03-08-2019 06:30 PM

I am configuring a Cisco 877.

My experience with these is limited and I am editing an existing configuration which may not be perfect.

The router is used for:

-ADSL Connectivity

-Internet Access for local LAN.

-Routing EMail (Port 25) Traffic to mail server

-Routing RDP Traffic to server.

-Software VPN access to the network

However, the Port 25 and RDP access was open - i.e. not locked down by source - simply being allowed by NAT rules.

To remedy this I have created an access list and applied it to the Dialer interface, which is defined as the external interface.

In order to maintain Internet access I have also applied the IOS (Reverse)Firewal to the VLAN Interface.

However, since applying this the Software VPN fails to work.

Removing the Access List from the Dialer allows the Password Prompt to be received on the client side, but the client hangs authenticating - removing the IOS Firewall from the VLAN Int then allows full functionality again.

So I need to know what I need to add to the IOS Firewall or Access list to allow this traffic?

Or is there something else I should add?

Below are the bits of the config I think are relevant.:

===================================

ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
no ip auth-proxy max-nodata-conns 3
no ip admission max-nodata-conns 3
no ip domain lookup
ip domain name rhs.ie

==================================

interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.100.254 255.255.255.0
ip access-group 101 in

ip nat inside
ip inspect DEFAULT100 in

no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1

ip access-group 103 in

===================================

ip nat inside source list 110 interface Dialer0 overload

ip nat inside source static tcp 192.168.100.1 25 Y.Y.80.108 25 extendable
ip nat inside source static tcp 192.168.100.1 1723 Y.Y.80.108 1723 extendable
ip nat inside source static tcp 192.168.100.1 3389 Y.Y.80.108 3389 extendable
!

access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any

access-list 103 remark Softech
access-list 103 permit tcp host x.x.x.x any log
access-list 103 permit tcp host x.x.x.x any log
access-list 103 permit tcp host x.x.x.x any eq 25 log
access-list 103 permit tcp host x.x.x.x any eq 25 log
access-list 103 permit tcp x.x.x.x 0.0.0.255 any eq 25 log
access-list 103 permit tcp x.x.x.x 0.0.0.192 any eq 25 log


access-list 110 remark NAT-list
access-list 110 deny   ip 192.168.100.0 0.0.0.255 10.0.100.0 0.0.0.255
access-list 110 permit ip 192.168.100.0 0.0.0.255 any

==================================

ip nat inside source list 110 interface Dialer0 overload

ip nat inside source static tcp 192.168.100.1 25 Y.Y.80.108 25 extendable
ip nat inside source static tcp 192.168.100.1 1723 Y.Y.80.108 1723 extendable
ip nat inside source static tcp 192.168.100.1 3389 Y.Y.80.108 3389 extendable

==================================================

dialer-list 1 protocol ip permit

Labels:
0 Helpful
Comments
YuspinAndrew
Community Member
‎10-27-2009 05:04 AM

Add "deny ip any any log" to access-list 110, so you can saw that is not allowed by explicit deny at the end of the list.

SoftechSupport
Community Member
‎10-27-2009 05:47 AM

How does list 110 affect the VPN Access?

Doesnt that just define the internal network?

YuspinAndrew
Community Member
‎10-27-2009 06:25 AM

sorry, 103 sure.If I remember, for vpn you must open esp and udp eq 500, 4500

access-list 103 permit esp  any host $FW_OUTSIDE$

access-list 103 permit udp any host $FW_OUTSIDE$ eq 500 4500

SoftechSupport
Community Member
‎10-29-2009 04:56 AM

Thanks, I'll try the logging and those entries. I hope to get a chance to work on this again tomorrow.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents