12-15-2009 11:44 AM - edited 03-21-2019 01:55 AM
We are using a dynamic IP at our site; with the help of DynDNS we can use RDP, FTP, etc. While doing the port forwarding to the UC 500, we cannot connect using the Cisco VPN dialer, but applications like telnet and SSH work properly. We created a DMZ zone and hosted the UC 500 in the DMZ zone too, but the VPN dialer is not terminating.
Any other ports must be forwarded to UC 500 ?
12-15-2009 01:22 PM
Are you talking about EZVPN or something else? When using DHCP and IPSEC, you might need dynamic peers. Read this to see if it helps.
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_ipspp.html#wp1055034
12-16-2009 09:56 AM
Yes, I want to configure EZVPN. We don't have a static IP, so we use DynDNS. While port forwarding, which ports do I need to forward for EZVPN?
I have enabled pass-through of IPsec ESP tunnels with port 50, then forwarded UDP port 500, but the VPN tunnel is not establishing.
Which are ports, which need to be forwarded while enabling EZVPN?
12-17-2009 08:42 AM
Yes, you do need to forward IPsec ESP traffic and IPsec UDP port 500 to the UC520, but you also need to forward UDP port 4500 to the UC520. UDP port 4500 is used for NAT traversal, and has to be forwarded for Easy VPN to work. The UC520 unit can deal with NAT traversal if the IPsec ESP, UDP port 500, and UDP port 4500 traffic is all forwarded to the UC520 unit, even if the UC520 is configured with a private IP address instead of a public IP address. However, the CCA multisite manager currently requires you to have either the UC520 configured with a public IP address, or the UC520 placed behind a SR520-T1 with a public IP address. Be sure that you use the public IP address or DDNS hostname of the other VPN endpoint instead of the private IP address of the other VPN endpoint when configuring any site to site VPN tunnels. Hope this helps.
12-19-2009 10:17 AM
Hi John Platt,
Now the VPN client is terminating using the DynDNS host name, but I cannot access my internal network. What is the next step for accessing my internal network?
My Internal address starts with 192.168.1.0/24.
Thanks
12-19-2009 02:48 PM
Could you send me the output of the show run command from the UC520 please?
Are you able to ping the UC520? Another way to check to see if the Easy VPN is working is to log into the CUE Web GUI, provided that the CUE subnet is added to the Easy VPN ACL. The factory default CUE IP address is 10.1.10.1, and the CUE web GUI can be accessed at http://10.1.10.1 if the CUE address has not been overridden in CLI.
12-19-2009 09:34 PM
12-20-2009 08:37 AM
I have looked over the configuration of your UC520. I have noticed these lines in your UC520 configuration, and these lines should not be there on the UC520 because the VPNs are being terminated on the UC520 unit:
ip nat inside source static tcp 192.168.1.1 4500 interface FastEthernet0/0 4500
ip nat inside source static udp 192.168.1.1 4500 interface FastEthernet0/0 4500
ip nat inside source static udp 192.168.1.1 500 interface FastEthernet0/0 500
ip nat inside source static tcp 192.168.1.1 500 interface FastEthernet0/0 500
In addition, it appears that the FastEthernet0/0 interface has a public IP address. Port forwarding should only be configured if the UC520 FastEthernet0/0 interface is configured with a private IP address, and it should only be configured on the other router that is connected to the UC520 WAN port, and not on the UC520 unit itself.
IPsec VPNs use UDP port 4500 and UDP port 500, but not TCP port 4500 and TCP port 500.
Here are the other port forwarding entries that you have on your UC520:
ip nat inside source static tcp 192.168.1.1 22 interface FastEthernet0/0 22
ip nat inside source static tcp 192.168.1.1 50 interface FastEthernet0/0 50
ip nat inside source static udp 192.168.1.1 50 interface FastEthernet0/0 50
ip nat inside source static tcp 192.168.1.1 7 interface FastEthernet0/0 7
ip nat inside source static udp 192.168.1.1 7 interface FastEthernet0/0 7
I do not know any reason why TCP port 50, UDP port 50, TCP port 7, or UDP port 7 should ever be port forwarded. You should leave the port 22 access control entry, since you might need to SSH into the UC500 unit to make changes remotely.
Here are the commands to remove the incorrect access control entries in configuration mode:
no ip nat inside source static tcp 192.168.1.1 4500 interface FastEthernet0/0 4500
no ip nat inside source static udp 192.168.1.1 4500 interface FastEthernet0/0 4500
no ip nat inside source static udp 192.168.1.1 500 interface FastEthernet0/0 500
no ip nat inside source static tcp 192.168.1.1 500 interface FastEthernet0/0 500
no ip nat inside source static tcp 192.168.1.1 50 interface FastEthernet0/0 50
no ip nat inside source static udp 192.168.1.1 50 interface FastEthernet0/0 50
no ip nat inside source static tcp 192.168.1.1 7 interface FastEthernet0/0 7
no ip nat inside source static udp 192.168.1.1 7 interface FastEthernet0/0 7
I have looked over your WAN access list, which looks like the following:
access-list 104 remark auto generated by SDM firewall configuration##NO_ACES_28##
access-list 104 remark SDM_ACL Category=1
access-list 104 permit udp any host 165.1.1.3 eq echo log
access-list 104 permit tcp any host 165.1.1.3 eq echo log
access-list 104 permit tcp any host 165.1.1.3 eq 500 log
access-list 104 permit udp any host 165.1.1.3 eq isakmp log
access-list 104 permit udp any host 165.1.1.3 eq non500-isakmp log
access-list 104 permit tcp any host 165.1.1.3 eq 4500 log
access-list 104 permit udp any host 165.1.1.3 eq 50 log
access-list 104 permit tcp any host 165.1.1.3 eq 50 log
access-list 104 permit tcp any host 165.1.1.3 eq 22 log
access-list 104 permit esp any host 165.1.1.3
access-list 104 permit ahp any host 165.1.1.3
access-list 104 deny ip 10.1.10.0 0.0.0.3 any
access-list 104 deny ip 192.168.1.0 0.0.0.255 any
access-list 104 deny ip 10.1.1.0 0.0.0.255 any
access-list 104 permit udp host 195.229.241.222 eq domain any
access-list 104 permit udp host 213.42.20.20 eq domain any
access-list 104 permit icmp any host 165.1.1.3 echo-reply
access-list 104 permit icmp any host 165.1.1.3 time-exceeded
access-list 104 permit icmp any host 165.1.1.3 unreachable
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip host 0.0.0.0 any
access-list 104 deny ip any any log
Here is how to edit that access list, which controls inbound traffic into the WAN interface:
Extended IP access list 104
10 permit udp any host 165.1.1.3 eq echo log
20 permit tcp any host 165.1.1.3 eq echo log
30 permit tcp any host 165.1.1.3 eq 500 log
40 permit udp any host 165.1.1.3 eq isakmp log
50 permit udp any host 165.1.1.3 eq non500-isakmp log
60 permit tcp any host 165.1.1.3 eq 4500 log
70 permit udp any host 165.1.1.3 eq 50 log
80 permit tcp any host 165.1.1.3 eq 50 log
90 permit tcp any host 165.1.1.3 eq 22 log
100 permit esp any host 165.1.1.3
110 permit ahp any host 165.1.1.3
120 deny ip 10.1.10.0 0.0.0.3 any
130 deny ip 192.168.1.0 0.0.0.255 any
140 deny ip 10.1.1.0 0.0.0.255 any
150 permit udp host 195.229.241.222 eq domain any
160 permit udp host 213.42.20.20 eq domain any
170 permit icmp any host 165.1.1.3 echo-reply
180 permit icmp any host 165.1.1.3 time-exceeded
190 permit icmp any host 165.1.1.3 unreachable
200 deny ip 10.0.0.0 0.255.255.255 any
210 deny ip 172.16.0.0 0.15.255.255 any
220 deny ip 192.168.0.0 0.0.255.255 any
230 deny ip 127.0.0.0 0.255.255.255 any
240 deny ip host 255.255.255.255 any
250 deny ip host 0.0.0.0 any
260 deny ip any any log
The firewall configuration features of CCA have not seen any major improvements since CCA 1.0, at least for the UC500 series, but improvements to firewall and access control list configuration are planned to be made in future CCA releases.
12-20-2009 09:05 AM
Thanks John
The changes applied successfully.
I can get the ICMP reply: Reply from 165.1.1.3: bytes=32 time=331ms TTL=235
However, I still cannot ping the internal interface 192.168.1.1, or access CUE at http://10.1.10.1. Can you help in resolving this?
12-20-2009 09:37 AM
I have also found a problem with the Easy VPN Access Control List. This access control list controls what traffic will be carried over the VPN tunnel.
Here is the access list controlling what traffic will be carried over the VPN tunnel, as it currently appears in your configuration:
access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 0.0.0.0 0.0.0.255 any
Here is the corrected version of that access control list:
access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 192.168.1.1 0.0.0.255 any
access-list 105 permit ip 10.1.1.0 0.0.0.255 any
access-list 105 permit ip 10.1.10.0 0.0.0.3 any
Here is what you need to do to correct your Easy VPN access control list:
Extended IP access list 105
10 permit ip 0.0.0.0 0.0.0.255 any
You should now be able to connect to the UC520 through the VPN client, and access machines on your local network through the VPN connection.
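The two mistakes diagnosed in this thread (static port forwards for TCP 500/4500 and for "port" 50 and 7 that have nothing to do with IPsec, and an Easy VPN ACL whose 0.0.0.0 0.0.0.255 entry never matches the real LAN) are easy to check mechanically before a remote Easy VPN client is allowed to depend on the box. The script below is an added example written for this thread, not a Cisco tool and not code posted by either participant. It takes the config lines quoted above as constructed sample input, classifies each static NAT entry, emits the same "no ip nat ..." removal commands John gave, and tests whether a crypto ACL actually covers the 192.168.1.0/24, 10.1.1.0/24 and 10.1.10.0/30 subnets mentioned in the thread. The LAN subnet list and ACL number 105 are taken from the thread; everything else (function names, verdict labels) is this example's own.

```python
"""Audit an IOS config fragment for the Easy VPN port-forwarding and
crypto-ACL mistakes discussed in this thread (added example, not Cisco code)."""
import re
import ipaddress

# IPsec through NAT needs exactly these two UDP ports forwarded, plus ESP
# (IP protocol 50), which is a protocol, not a port, and cannot be written
# as a static port forward at all; it must be passed through upstream.
IPSEC_PORTS = {("udp", 500): "IKE/ISAKMP", ("udp", 4500): "NAT-T (IPsec over UDP)"}

# Entries that look IPsec-related but are not; the thread's config had all of them.
MISTAKEN_PORTS = {
    ("tcp", 500): "IKE uses UDP 500, not TCP 500",
    ("tcp", 4500): "NAT traversal uses UDP 4500, not TCP 4500",
    ("tcp", 50): "ESP is IP protocol 50, not TCP port 50",
    ("udp", 50): "ESP is IP protocol 50, not UDP port 50",
    ("tcp", 7): "TCP echo (port 7) plays no part in IPsec",
    ("udp", 7): "UDP echo (port 7) plays no part in IPsec",
}

NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")
ACL_RE = re.compile(r"^access-list (\d+) permit ip (\S+) (\S+) any$")

# Constructed sample: the static NAT lines quoted from the UC520 config in the thread.
SAMPLE_NAT = """\
ip nat inside source static tcp 192.168.1.1 4500 interface FastEthernet0/0 4500
ip nat inside source static udp 192.168.1.1 4500 interface FastEthernet0/0 4500
ip nat inside source static udp 192.168.1.1 500 interface FastEthernet0/0 500
ip nat inside source static tcp 192.168.1.1 500 interface FastEthernet0/0 500
ip nat inside source static tcp 192.168.1.1 22 interface FastEthernet0/0 22
ip nat inside source static tcp 192.168.1.1 50 interface FastEthernet0/0 50
ip nat inside source static udp 192.168.1.1 50 interface FastEthernet0/0 50
ip nat inside source static tcp 192.168.1.1 7 interface FastEthernet0/0 7
ip nat inside source static udp 192.168.1.1 7 interface FastEthernet0/0 7
"""

# Constructed samples: the Easy VPN ACL before and after John's correction.
BROKEN_ACL_105 = """\
access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 0.0.0.0 0.0.0.255 any
"""
CORRECTED_ACL_105 = """\
access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 192.168.1.1 0.0.0.255 any
access-list 105 permit ip 10.1.1.0 0.0.0.255 any
access-list 105 permit ip 10.1.10.0 0.0.0.3 any
"""
LAN_SUBNETS = ["192.168.1.0/24", "10.1.1.0/24", "10.1.10.0/30"]


def audit_static_nat(config_text):
    """Return (line, verdict, reason) per static forward: 'ipsec', 'mistaken' or 'other'."""
    findings = []
    for raw in config_text.splitlines():
        m = NAT_RE.match(raw.strip())
        if not m:
            continue
        proto, _inside_ip, _inside_port, _ifname, outside_port = m.groups()
        key = (proto, int(outside_port))
        if key in IPSEC_PORTS:
            findings.append((raw.strip(), "ipsec", IPSEC_PORTS[key]))
        elif key in MISTAKEN_PORTS:
            findings.append((raw.strip(), "mistaken", MISTAKEN_PORTS[key]))
        else:
            findings.append((raw.strip(), "other", "not IPsec-related; keep only if needed (e.g. SSH)"))
    return findings


def removal_commands(findings):
    """Config-mode commands that drop the mistaken forwards, as in the thread."""
    return ["no " + line for line, verdict, _ in findings if verdict == "mistaken"]


def missing_ipsec_forwards(findings):
    """Which of the two required UDP forwards are absent (ESP is checked by hand)."""
    present = {(l.split()[5], int(l.split()[-1])) for l, v, _ in findings if v == "ipsec"}
    return set(IPSEC_PORTS) - present


def entry_covers(addr, wild, subnet):
    """True if every host in `subnet` matches the (address, wildcard) ACL entry."""
    care = (~wild) & 0xFFFFFFFF                  # bits the ACL actually compares
    netmask = int(subnet.netmask)
    if care & ~netmask & 0xFFFFFFFF:             # ACL fixes a bit the subnet leaves free
        return False
    return (int(subnet.network_address) & care) == (addr & care)


def crypto_acl_coverage(acl_text, acl_number, lan_subnets):
    """Map each LAN subnet to whether the Easy VPN / crypto ACL carries it."""
    entries = []
    for raw in acl_text.splitlines():
        m = ACL_RE.match(raw.strip())
        if m and m.group(1) == str(acl_number):
            entries.append((int(ipaddress.IPv4Address(m.group(2))),
                            int(ipaddress.IPv4Address(m.group(3)))))
    return {cidr: any(entry_covers(a, w, ipaddress.ip_network(cidr)) for a, w in entries)
            for cidr in lan_subnets}


if __name__ == "__main__":
    for line, verdict, reason in audit_static_nat(SAMPLE_NAT):
        print(f"{verdict:8} {reason:45} {line}")
    print("\n".join(removal_commands(audit_static_nat(SAMPLE_NAT))))
    print(crypto_acl_coverage(BROKEN_ACL_105, 105, LAN_SUBNETS))
    print(crypto_acl_coverage(CORRECTED_ACL_105, 105, LAN_SUBNETS))
```

Two design points: the port-forward check keys on the outside port, because that is what the upstream router must deliver to the UC520, and `entry_covers` works on the wildcard bits directly rather than converting to a prefix, so it gives the right answer for the thread's `192.168.1.1 0.0.0.255` entry (host bits are ignored by IOS) and for the `10.1.10.0 0.0.0.255` entry the original poster added, which still covers the 10.1.10.0/30 CUE subnet.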
12-20-2009 10:04 AM
Thanks a lot John, I had added the following entry:
50 permit access-list 105 permit ip 10.1.10.0 0.0.0.255 any
Now I can access CUE through HTTP.