cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8896
Views
0
Helpful
7
Replies

l2tp/ipsec passthrough cisco router firewall

andrew_xfeel
Level 1
Level 1

Hi ! I've got the following problem.

Users from outside network would like to connect to internal network and share windows 2012 resources(run software, files etc)

So it's time to deploy a vpn server, and as I haven't got free license to run it on my windows 2012, I've decided to use my qnap for this(as it has this feature built in) So I've choosen l2tp/ipsec and tested it on home lab with simple tplink router with upnp function and it worked like a charm.

However, in real production environment I need to use cisco router, and that's how the story begins ;)

So,  clients with their windlows machines (7, 8.1, 10) need to pass cisco firewall router(with nat) and get to internal network and vpn server on qnap.

I've googled for sample configuration but most of them concerned the configuration of router itself to be vpn server, and what I would like to achieve is to make my router pass vpn traffic. Once I've found same pptp sample config, I've modified it a little bit, but don't know if this works as I haven't tested it yet.

Anyway, could you check my config, and see if it's ok? Should I do a static nat for vpn server 192.168.5.253 to external address ?

here is also a short diagram

vpn clients (win 7,8,10)---------------------------------------cisco 1921 router--------------------------------------qnap vpn server

                                                  cloud             xxx.194                                5.254                                    5.253 (internal network)

test#show runn
Building configuration...

Current configuration : 3611 bytes
!
! Last configuration change at 19:31:01 UTC Wed May 4 2016 by
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname test
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.5.200 192.168.5.254
ip dhcp excluded-address 192.168.5.1 192.168.5.189
!
ip dhcp pool network
 network 192.168.5.0 255.255.255.0
 default-router 192.168.5.254
 domain-name network
 dns-server xxx.x.xxx.244
!
!
!
ip domain name temp
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
!
license udi pid CISCO1921/K9 sn xxxxxx
license boot module c1900 technology-package securityk9
!
!
username abc secret 5
username cisco privilege 15 password 7
!
redundancy
!
!
!
!
!
ip ssh version 2
!
class-map type inspect match-any cm_helpdek_protocols
 match protocol http
 match protocol https
 match protocol ssh
class-map type inspect match-any cm_gre_protocols
 match access-group name GRE
class-map type inspect match-any cm_icmp
 match access-group name icmp
class-map type inspect match-all cm_helpdesk
 match access-group name helpdesk
class-map type inspect match-any inside_to_outside
 match protocol h323
 match protocol pptp
 match protocol ftp
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect pm_outside_to_inside
 class type inspect cm_gre_protocols
  pass
 class type inspect cm_icmp
  inspect
 class type inspect cm_helpdesk
  inspect
 class class-default
  drop log
policy-map type inspect pm_inside_to_outside
 class type inspect inside_to_outside
  inspect
 class type inspect cm_gre_protocols
  pass
 class class-default
  drop log
!
zone security inside
 description inside trusted zone
zone security outside
 description outside untrusted zone
zone-pair security zonep_insiede_to_outside source inside destination outside
 service-policy type inspect pm_inside_to_outside
zone-pair security zonep_outside_to_inside source outside destination inside
 service-policy type inspect pm_outside_to_inside
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description "LAN"
 ip address 192.168.5.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security inside
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description "WAN CID: xxxxx
 ip address xxx.xxx.xxx.194 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 zone-member security outside
 duplex auto
 speed auto
!
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
!
ip nat pool network xxx.xxx.xxx.201 xxx.xxx.xxx.201 netmask 255.255.255.248
ip nat inside source list 1 pool network overload
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.193
!
ip access-list extended GRE
 remark ACL to allow PPTP GRE OUTBOUND
 permit gre any any
 permit udp any any eq 1701
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
ip access-list extended helpdesk
 permit ip any host 192.168.5.253
ip access-list extended icmp
 permit icmp any host 192.168.5.253
!
!
!
access-list 1 permit 192.168.5.0 0.0.0.255
!
control-plane
!
!
!
line con 0
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin xxxxx
 stopbits 1
line vty 0 4
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Regards,

Andrew

1 Accepted Solution

Accepted Solutions

After the client connects to the VPN, you want return traffic to flow back to the client. That can be easily allowed with "inspect".

And from the standpoint of the firewall, you don't have ESP-traffic (which would be IP/50). You only have UDP-traffic (initially UDP/500 which switches to UDP/4500)

And you are right with your last ACE. That one is much to permissive and not needed for this function.

View solution in original post

7 Replies 7

You are talking about L2TP/IPsec, but your config is still for PPTP ...

To allow L2TP/IPsec to your internal VPN-server you need:

  1. A static translation for the VPN-server to a public IP for the ports UDP/500 and UDP/4500
  2. Allow these ports to the VPN-server

Have you considered to run the VPN-server on the router itself? With the Security-License you can also use VPN on the router.

Yes, I was thinking even about, deploying anyconnect, but due to leasing issues with my provider, i can't get smartnet from them. I've considered also as you've said to run l2tp/ipsec on router, but it lacks the AD authentication mechanism, in qnap it is the feature to be released soon.

BTW, I've redesigned my config a little bit. Could you look at it ?

I'm not sure about putting " permit ip any host 192.168.5.253" to acl named L2TP (cm_L2TP_protocols out_in)

test#show runn
Building configuration...

Current configuration : 3611 bytes
!
! Last configuration change at 19:31:01 UTC Wed May 4 2016 by
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname test
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.5.200 192.168.5.254
ip dhcp excluded-address 192.168.5.1 192.168.5.189
!
ip dhcp pool network
 network 192.168.5.0 255.255.255.0
 default-router 192.168.5.254
 domain-name network
 dns-server xxx.x.xxx.244
!
!
!
ip domain name temp
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
!
license udi pid CISCO1921/K9 sn xxxxxx
license boot module c1900 technology-package securityk9
!
!
username abc secret 5
username cisco privilege 15 password 7
!
redundancy
!
!
!
!
!
ip ssh version 2
!

class-map type inspect match-any 
 match access-group name L2TP


class-map type inspect match-any cm_icmp
match access-group name icmp


class-map type inspect match-any cm_L2TP_protocols in_out
match access-group name vpn_server


class-map type inspect match-any inside_to_outside
 match protocol ftp
 match protocol tcp
 match protocol udp
 match protocol icmp
 
!
policy-map type inspect pm_outside_to_inside
 class type inspect cm_L2TP_protocols out_in
  pass
 class type inspect cm_icmp
  inspect
 class class-default
  drop log
policy-map type inspect pm_inside_to_outside
 class type inspect inside_to_outside
  inspect
 class type inspect cm_L2TP_protocols in_out
  pass
 class class-default
  drop log
!
zone security inside
 description inside trusted zone
zone security outside
 description outside untrusted zone
zone-pair security zonep_insiede_to_outside source inside destination outside
 service-policy type inspect pm_inside_to_outside
zone-pair security zonep_outside_to_inside source outside destination inside
 service-policy type inspect pm_outside_to_inside
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description "LAN"
 ip address 192.168.5.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security inside
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description "WAN CID: xxxxx
 ip address xxx.xxx.xxx.194 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 zone-member security outside
 duplex auto
 speed auto
!
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
!
ip nat pool network xxx.xxx.xxx.201 xxx.xxx.xxx.201 netmask 255.255.255.248
ip nat inside source list 1 pool network overload
ip nat inside source static udp 192.168.5.253 500 xxx.xxx.xxx.202 500 extendable
ip nat inside source static udp 192.168.5.253 4500 xxx.xxx.xxx.202 4500 extendable
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.193
!
ip access-list extended L2TP
 remark ACL to allow L2TP FROM OUTSIDE TO INSIDE
 
 permit udp any host 192.168.5.253 eq non500-isakmp
 permit udp any host 192.168.5.253 eq isakmp
 permit udp any host 192.168.5.253 eq 4500
 permit esp any host 192.168.5.253
 permit ip any host 192.168.5.253 ??  - should I put it here ?

ip access-list extended vpn_server
remark acl to allow vpn_server from inside to outside
permit ip 10.2.0.0 0.0.0.255 any
permit ip host 192.168.5.253 any

ip access-list extended icmp
 permit icmp any host 192.168.5.253
!
!
!
access-list 1 permit 192.168.5.0 0.0.0.255
!
control-plane
!
!
!
line con 0
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin xxxxx
 stopbits 1
line vty 0 4
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Regards,

Overall it looks good. Some noes on the config:

policy-map type inspect pm_outside_to_inside
 class type inspect cm_L2TP_protocols out_in
  pass

You can use inspect here.

ip access-list extended L2TP
 permit udp any host 192.168.5.253 eq 4500

 permit esp any host 192.168.5.253

These two ACEs are not needed. UDP/4500 is "non500-isakmp" and ESP will always be encapsulated in UDP.

Thanks !

I was wondering of putting "inspect" there but I read somewhere that according to vpn traffic the difference between "inspect" and "pass" matters.

"

  • inspect: used to detect connection requests and provide the appropriate openings for return traffic. (Similar to what is achieved with the ip inspect command within a CBAC environment).
  • pass: this unidirectional action is equivalent to a permit statement inside an ACL and is not capable of handling return traffic. The pass action fits well for dealing with stateless flows such as traffic encrypted with Encapsulating Security Payload (ESP) protocol."

And the last thing:

What about the statement "permit ip any host 192.168.5.253" Does it mean "permit all ip addresses from outside to vpn_server with ip 192.168.5.253, along with all tcp and udp ports ? If so, I guess it's potentially unsafe to place it in the acl.

Regards,

After the client connects to the VPN, you want return traffic to flow back to the client. That can be easily allowed with "inspect".

And from the standpoint of the firewall, you don't have ESP-traffic (which would be IP/50). You only have UDP-traffic (initially UDP/500 which switches to UDP/4500)

And you are right with your last ACE. That one is much to permissive and not needed for this function.

thank you Karsten Iwen for help. I'll put config on my router and  write here if it works. See Yaa.

Hi Andrew - did you end up making this work? I would be interested to know the method if you did.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: