10-23-2001 02:43 AM - edited 02-21-2020 11:27 AM
Hi,
I have configured the Cisco 1720 router with the firewall and VPN feature set. The IOS version is 12.1(2)T. Access-list 101 is the policy for inside to outside and access-list 102 for outside to inside. When I try to connect using dial-up and the VPN client, I can ping all the inside stations, but when I try to telnet to port 25 (SMTP), the telnet cannot go through. When I remove the access-list, the telnet can go through. I suspect this is caused by the firewall feature set, which doesn't have the capability to allow the VPN packets?
Or can somebody help me??
thanks
access-list 101 permit icmp any any
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq domain
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.1 eq telnet
access-list 101 permit tcp 192.168.10.0 0.0.0.255 host 192.168.0.1 eq telnet
access-list 101 permit tcp any any eq ftp-data
access-list 101 deny ip any any
access-list 102 permit tcp any host 202.100.100.100 eq smtp
access-list 102 permit udp any host 203.100.100.200 eq isakmp
access-list 102 permit esp any host 203.100.100.200
access-list 102 permit ahp any host 203.100.100.200
access-list 102 permit icmp any any
access-list 102 permit tcp 192.168.10.0 0.0.0.255 host 192.168.0.1 eq telnet
access-list 102 deny ip any any
ip inspect name myfw http
ip inspect name myfw smtp
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw ftp
regards
10-23-2001 08:15 AM
Firstly, are you trying to telnet (SMTP) to a 192.168.10.x address? If you are, then your 6th statement in ACL-102 is wrong; that only allows TCP/23.
I assume you are using NAT and the 202.100.100.100 host is your SMTP server's static NAT address (public), translating to a 192.168.10.x address on your private subnet. SMTP connections to that address will work, but not to a 192.168.10.x address from your VPN client. You need to add an additional ACL-102 entry to permit your VPN client (assumed to be host 192.168.0.1) to access your 192.168.10.x subnet on port TCP/25, otherwise known as "smtp" (the friendly name).
Give that a go, see what happens.
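The reply above relies on how IOS applied an inbound interface ACL in this era: the packet that comes out of IPsec decapsulation is checked against the inbound ACL again as cleartext, so ACL 102 needs an entry for the inner (VPN client to internal subnet) flow, not just for ESP/AH/ISAKMP. The following is an added example, not code from the thread or from Cisco: a small first-match evaluator for the extended-ACL syntax used in the posts, run over ACL 102 exactly as posted, with a constructed SMTP packet from the VPN client. The client and mail-server addresses (192.168.0.1 and 192.168.10.10) follow the reply's assumption and are placeholders, and the `with_smtp_fix` entry is the kind of line the reply suggests, inserted ahead of the explicit deny.

```python
# Added example (not from the thread): minimal evaluator for Cisco-style
# extended ACL lines, used to show why the VPN client's SMTP packet is
# denied by access-list 102 and which entry would permit it.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS friendly port names that appear in the thread's ACLs
PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110, "domain": 53, "ftp": 21,
              "ftp-data": 20, "telnet": 23, "isakmp": 500}

# ACL 102 copied verbatim from the original post
ACL_102 = [
    "access-list 102 permit tcp any host 202.100.100.100 eq smtp",
    "access-list 102 permit udp any host 203.100.100.200 eq isakmp",
    "access-list 102 permit esp any host 203.100.100.200",
    "access-list 102 permit ahp any host 203.100.100.200",
    "access-list 102 permit icmp any any",
    "access-list 102 permit tcp 192.168.10.0 0.0.0.255 host 192.168.0.1 eq telnet",
    "access-list 102 deny ip any any",
]

# Constructed placeholder addresses following the reply's assumption:
# VPN client in 192.168.0.0/24, internal mail server in 192.168.10.0/24.
VPN_CLIENT = "192.168.0.1"
MAIL_SERVER = "192.168.10.10"


@dataclass
class Packet:
    proto: str                 # "tcp", "udp", "icmp", "esp", "ahp", ...
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # An IOS wildcard mask is the bitwise inverse of a netmask
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' into a dict."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line}")
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        dport = int(p) if p.isdigit() else PORT_NAMES[p]
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate(acl_lines, pkt):
    """First matching entry wins; an implicit deny follows the last line, as in IOS."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in ace["src"]:
            continue
        if ipaddress.ip_address(pkt.dst) not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.dport:
            continue
        return ace["action"], line
    return "deny", "(implicit deny)"


def check_vpn_smtp(acl):
    """Decrypted SMTP packet from the VPN client to the internal mail server."""
    return evaluate(acl, Packet("tcp", VPN_CLIENT, MAIL_SERVER, 25))


def with_smtp_fix(acl):
    """Return a copy of the ACL with the reply's suggested entry ahead of the final deny."""
    fix = "access-list 102 permit tcp 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255 eq smtp"
    return acl[:-1] + [fix] + acl[-1:]


if __name__ == "__main__":
    print("as posted:  ", check_vpn_smtp(ACL_102))
    print("with entry: ", check_vpn_smtp(with_smtp_fix(ACL_102)))
    print("ping works: ", evaluate(ACL_102, Packet("icmp", VPN_CLIENT, MAIL_SERVER)))
```

Running it shows the two symptoms from the first post side by side: ICMP from the client matches `permit icmp any any`, which is why ping works, while the SMTP packet falls through to `deny ip any any` until the subnet-to-subnet `eq smtp` entry is present. The evaluator only sees addresses and ports, which is also the crux of the later question in the thread: an inbound ACL entry written for the decrypted flow matches on the inner source address alone.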
10-23-2001 09:05 PM
Hi,
I have permitted the IP address for the VPN client, which is 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255 eq smtp and pop3, but it still cannot get through.
I have the error message:
5d21h: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=xxx.xxx.xxx.xxx, prot=50, spi=0xD9947F8D(-644579443)
thanks
10-24-2001 01:57 AM
Hi,
Thanks for your response... but why do I have to permit the IP network assigned to the VPN client to the internal network? Is that secure??? Because hackers can abuse this by using IP spoofing? And when I look at the example config, it seems that it doesn't create the access-list for this....
regards