
Cisco 886VA ISAKMP ports closed

memmas nanashi
Level 1

Hi

I have a dynamic multipoint VPN using GRE working on an 1841 and I would like to migrate it to a Cisco 886VA with the advipservices license...

Now while ISAKMP ports are listening

c886#sh control-plane host open-ports | i ISAKMP
 udp                      *:4500                         *:0                   ISAKMP   LISTEN
 udp                       *:500                         *:0                   ISAKMP   LISTEN


When I try to connect I get a timeout, and if I nmap the ports from outside I get

PORT     STATE  SERVICE
500/udp  closed isakmp
4500/udp closed sae-urn

While on the 1841 I get

PORT     STATE         SERVICE
500/udp  open|filtered isakmp
4500/udp open|filtered sae-urn

I don't have any firewall in front of the routers and have not configured any rule for UDP ports 500/4500 on them...

Any help is appreciated...

4 Replies

Hi,

Have you configured the new router with IKE policies, transform set, tunnel interface, etc. yet?

Until you see "*Sep 26 12:05:02.102: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON" message the ports won't appear open.

HTH

This is the last reboot I made yesterday and the message for ISAKMP.

Sep 26 01:49:44 192.168.2.1 38: *Sep 25 22:43:56.475: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

All profiles and transport sets are copied from the 1841 config. The weird part is that 2 weeks ago I was able to log in to the VPN while testing it, and now I get this...

At first I thought it was a license issue, but it's not:

Index 1 Feature: advipservices                  
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium
Index 2 Feature: advsecurity                    
        Period left: Life time
        License Type: Permanent
        License State: Active, Not in Use
        License Count: Non-Counted
        License Priority: Medium
Index 3 Feature: ios-ips-update                 
        Period left: Not Activated
        Period Used: 0  minute  0  second  
        License Type: EvalRightToUse
        License State: Active, Not in Use, EULA not accepted
        License Count: Non-Counted
        License Priority: None

Sorry, I've re-read your original post, you'd already mentioned the ports were listening on the router.

Can you post the configuration please?
Is there a NAT device in front of the router? Any port forwarding required?
Do you have any ACLs on the router's WAN interface?

Sorry for the late reply, I had to wait, because the router is in production...

I found the problem, although I can't understand it...

I have some NAT translations because we run a few services and one of them is an Asterisk server, so I had to put in some access-lists

ip nat inside source route-map NAT interface Dialer46 overload
.....
ip nat inside source static <asterisk-server> <router's static IP> route-map SIP
route-map SIP permit 10
 match ip address ASTERISK
 match interface Dialer46
!
route-map NAT permit 10
 match ip address PAT XVPN
 match interface Dialer46
ip access-list extended ASTERISK
 permit udp host 192.168.2.150 any range 5000 8000
 permit udp host 192.168.2.150 any range 15000 18000
 permit udp host 192.168.2.150 any range 40000 50087
 permit udp host 192.168.2.150 any range 50100 60000

The problem occurs when I apply

ip nat inside source static <asterisk-server> <router's static IP> route-map SIP

If I remove the above line the VPN works, but I don't have voice on Asterisk calls, as RTP packets are not forwarded to the Asterisk server, and I can't really understand why. It is like when I apply the above rule it forwards all UDP traffic to the Asterisk server, although I have certain ports...
