05-02-2013 05:34 AM
Hi All,
I have 3x site-to-site VPN connections set up on my Cisco 2911 router, which is based at Head Office. They all connect OK, but there appear to be some ports blocked.
For example, I'm able to remote desktop to a server on the remote site, and users are able to use Outlook whilst the Exchange server is located at Head Office, but users are unable to access the following resources from Head Office:
Access any applications using HTTPS
Our Proxy Agent uses port 8280 - when the internal address is used, it doesn't work; when the public address is used, it works.
Printers are unable to use scan to email - Port 25.
I'm confident that nothing is being restricted at the remote sites, as all of these functions worked on our old Head Office router.
All i want to do is allow ANY traffic to and from Head Office and all the VPN sites.
I'm fairly new to this type of router, having made the jump from small business equipment, so please be gentle on my config.
================================================================================================================
Building configuration...
Current configuration : 11889 bytes
!
! Last configuration change at 11:58:26 PCTime Tue Apr 30 2013 by jwalkes
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
enable secret 4 bomlT57l.1LxAG0LwBi7j1e.bJXLV76Vsxcg7JlchqQ
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
clock timezone PCTime 0 0
!
ip cef
!
!
ip port-map user-protocol--2 port tcp 444
ip port-map user-protocol--1 port tcp 8280
!
!
!
!
ip domain name domain.local
ip name-server 66.28.0.45
ip name-server 66.28.0.61
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-1441621744
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1441621744
revocation-check none
rsakeypair TP-self-signed-1441621744
!
!
crypto pki certificate chain TP-self-signed-1441621744
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31343431 36323137 3434301E 170D3133 30343238 31303432
32395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 34343136
32313734 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100E79F FBCE3588 E0999E03 399AE1CA 3F0A9C5B 43E52185 86F04754 AAAC33D1
EF87B0EA 3DE3CEDD 99327CFA E9007D82 040D896D D7260775 E01C4B59 EBB87D35
7D8355C1 6EC2E212 6F312212 CCD8A6E4 C7EE9855 84D1D1C0 D29E15F9 072D0725
8A01E809 996868BB EF428975 4BED02C0 51BEE1EE D3C7A8A1 4A028FB0 49952108
0DD90203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 149F0B86 73025ECC 0EE1B176 DAE35BD1 045FB736 50301D06
03551D0E 04160414 9F0B8673 025ECC0E E1B176DA E35BD104 5FB73650 300D0609
2A864886 F70D0101 05050003 8181002A 48DD276B 0854B06E 1FEAB009 0BD3A536
763E4872 5A04E66E B187695F B6DD1243 35D40883 44154378 302CD7E2 237BF566
9B691517 9F193CD1 A0B4C1FC B026DDB9 308026EC A153A95E FD94267C 9D2377A4
7D6B5E46 FAFD642F A9288484 7D9B154C C3A466E2 B1738E6B 1D97A61C 99CC6CB9
D69CDA16 76697E1F 5E6B22D3 94562B
quit
license udi pid CISCO2911/K9 sn FCZ17086062
!
!
username USER privilege 15 secret 4 bomlT57l.1LxAG0LwBi7j1e.bJXLV76Vsxcg7JlchqQ
!
redundancy
!
!
!
!
!
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 106
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 110
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 107
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-smtp-1
match access-group 109
match protocol smtp
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 104
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all sdm-nat-https-1
match access-group 109
match protocol https
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-any sdm-service-sdm-pol-VPNOutsideToInside-1
match protocol pptp
match class-map SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all SDM_VPN_PT
match access-group 105
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-all sdm-nat-pptp-1
match access-group 108
match class-map sdm-service-sdm-pol-VPNOutsideToInside-1
!
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class type inspect CCP_PPTP
pass
class type inspect sdm-nat-user-protocol--1-1
inspect
class type inspect sdm-nat-pptp-1
inspect
class type inspect sdm-nat-smtp-1
inspect
class type inspect sdm-nat-https-1
inspect
class type inspect sdm-nat-user-protocol--2-1
inspect
class class-default
drop log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
pass
class class-default
drop
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXXXXXX address 2.254.XXX.XXX
crypto isakmp key XXXXXXXX address 17.34.XXX.XXX
crypto isakmp key XXXXXXXX address 9.105.XXX.XXX
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to2.254.XXX.XXX
set peer 2.254.XXX.XXX
set transform-set ESP-3DES-SHA
match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to17.34.XXX.XXX
set peer 17.34.XXX.XXX
set transform-set ESP-3DES-SHA1
match address 102
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Tunnel to9.105.XXX.XXX
set peer 9.105.XXX.XXX
set transform-set ESP-3DES-SHA2
match address 103
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ETH-LAN$$FW_INSIDE$
ip address 172.168.4.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
duplex auto
speed auto
!
interface GigabitEthernet0/1
description $ETH-WAN$$FW_OUTSIDE$
ip address 49.7.XXX.XXX 255.255.255.192
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1/0
no ip address
!
interface GigabitEthernet0/1/1
no ip address
!
interface GigabitEthernet0/1/2
no ip address
!
interface GigabitEthernet0/1/3
no ip address
!
interface Vlan1
no ip address
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source static tcp 172.168.4.5 8280 interface GigabitEthernet0/1 8280
ip nat inside source static tcp 172.168.4.10 1723 interface GigabitEthernet0/1 1723
ip nat inside source static tcp 172.168.4.11 25 interface GigabitEthernet0/1 25
ip nat inside source static tcp 172.168.4.11 443 interface GigabitEthernet0/1 443
ip nat inside source static tcp 172.168.4.16 444 interface GigabitEthernet0/1 444
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 49.7.XXX.XXX
!
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
!
ip sla auto discovery
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.168.4.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.168.4.0 0.0.0.255 172.168.3.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.168.4.0 0.0.0.255 172.168.6.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.168.4.0 0.0.0.255 172.168.5.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.168.4.0 0.0.0.255 172.168.3.0 0.0.0.255
access-list 101 permit ip 172.168.4.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 172.168.4.0 0.0.0.255 172.168.5.0 0.0.0.255
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 172.168.4.0 0.0.0.255 172.168.6.0 0.0.0.255
access-list 104 remark CCP_ACL Category=128
access-list 104 permit ip host 255.255.255.255 any
access-list 104 permit ip 127.0.0.0 0.255.255.255 any
access-list 104 permit ip 49.7.XXX.XX 0.0.0.63 any
access-list 105 remark CCP_ACL Category=128
access-list 105 permit ip host 9.105.XXX.XXX any
access-list 105 permit ip host 2.254.XXX.XXX any
access-list 105 permit ip host 17.34.XXX.XXX any
access-list 106 remark CCP_ACL Category=0
access-list 106 permit ip 172.168.6.0 0.0.0.255 172.168.4.0 0.0.0.255
access-list 106 permit ip 172.168.5.0 0.0.0.255 172.168.4.0 0.0.0.255
access-list 106 permit ip 172.168.3.0 0.0.0.255 172.168.4.0 0.0.0.255
access-list 107 remark CCP_ACL Category=0
access-list 107 permit ip any host 172.168.4.5
access-list 108 remark CCP_ACL Category=0
access-list 108 permit ip any host 172.168.4.10
access-list 109 remark CCP_ACL Category=0
access-list 109 permit ip any host 172.168.4.11
access-list 110 remark CCP_ACL Category=0
access-list 110 permit ip any host 172.168.4.16
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
05-02-2013 05:48 AM
Hi
I went through the config.
These NAT rules are not allowing you to access certain ports across the VPN tunnel, as they are taking precedence over the exemption that is configured.
ip nat inside source static tcp 172.168.4.5 8280 interface GigabitEthernet0/1 8280
ip nat inside source static tcp 172.168.4.10 1723 interface GigabitEthernet0/1 1723
ip nat inside source static tcp 172.168.4.11 25 interface GigabitEthernet0/1 25
ip nat inside source static tcp 172.168.4.11 443 interface GigabitEthernet0/1 443
ip nat inside source static tcp 172.168.4.16 444 interface GigabitEthernet0/1 444
You would need to configure the static NAT rules with the route-map configured.
To configure the static NAT with the route-map, follow the following document:
https://supportforums.cisco.com/docs/DOC-5061
After applying that, it should work.
Hope this helps you.
Thanks
Raj
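An added example (editor's, not code from the original thread or from the linked document) showing the change Raj describes applied to the posted config: the static PAT entries as posted, then the same entries conditioned on the NAT-exempt route-map SDM_RMAP_1 that the config already uses for the overload rule, followed by the commands to check it. The reason the static entries break VPN traffic: a reply from 172.168.4.11 to a host at a VPN site matches the unconditional static entry, is translated to the WAN address, and then no longer matches crypto ACL 100/102/103, so it leaves the router untunnelled. SDM_RMAP_1 matches ACL 101, which already denies 172.168.4.0/24 to the three VPN subnets and permits everything else, so attaching it to each static entry leaves VPN-bound traffic untranslated while Internet-bound traffic still gets the port forward. Assumptions: that this IOS release accepts the route-map keyword on the interface-based static PAT form (the linked document covers the syntax), and that 2.254.XXX.XXX in the show command stands for one of the redacted peer addresses.

```cisco
! --- Before (as posted): unconditional static PAT ---
! Matches every packet from these hosts/ports, including replies to VPN sites.
ip nat inside source static tcp 172.168.4.5 8280 interface GigabitEthernet0/1 8280
ip nat inside source static tcp 172.168.4.10 1723 interface GigabitEthernet0/1 1723
ip nat inside source static tcp 172.168.4.11 25 interface GigabitEthernet0/1 25
ip nat inside source static tcp 172.168.4.11 443 interface GigabitEthernet0/1 443
ip nat inside source static tcp 172.168.4.16 444 interface GigabitEthernet0/1 444

! --- After: same entries, conditioned on the NAT-exempt route-map ---
! Clear active translations first; IOS refuses to remove a static entry that
! is in use, and refuses to add a second entry for the same host/port.
! This drops existing translated sessions, so do it in a maintenance window.
clear ip nat translation *
configure terminal
 no ip nat inside source static tcp 172.168.4.5 8280 interface GigabitEthernet0/1 8280
 no ip nat inside source static tcp 172.168.4.10 1723 interface GigabitEthernet0/1 1723
 no ip nat inside source static tcp 172.168.4.11 25 interface GigabitEthernet0/1 25
 no ip nat inside source static tcp 172.168.4.11 443 interface GigabitEthernet0/1 443
 no ip nat inside source static tcp 172.168.4.16 444 interface GigabitEthernet0/1 444
 ! route-map SDM_RMAP_1 -> ACL 101: deny to 172.168.3/5/6.0/24, permit any.
 ! A packet hitting a deny in ACL 101 does not match the route-map, so it
 ! is not translated and stays eligible for the crypto map.
 ! (assumption: route-map keyword accepted on this static PAT form)
 ip nat inside source static tcp 172.168.4.5 8280 interface GigabitEthernet0/1 8280 route-map SDM_RMAP_1
 ip nat inside source static tcp 172.168.4.10 1723 interface GigabitEthernet0/1 1723 route-map SDM_RMAP_1
 ip nat inside source static tcp 172.168.4.11 25 interface GigabitEthernet0/1 25 route-map SDM_RMAP_1
 ip nat inside source static tcp 172.168.4.11 443 interface GigabitEthernet0/1 443 route-map SDM_RMAP_1
 ip nat inside source static tcp 172.168.4.16 444 interface GigabitEthernet0/1 444 route-map SDM_RMAP_1
end

! --- Check: from a VPN-site host, open https://172.168.4.11 and then ---
! No translation should appear for a VPN-site peer address:
show ip nat translations | include 172.168.4.11
! The tunnel encap/decap counters for that peer should increase:
show crypto ipsec sa peer 2.254.XXX.XXX | include pkts
! The ZBF session for the VPN-to-inside zone pair should be listed:
show policy-map type inspect zone-pair sdm-zp-VPNOutsideToInside-1 sessions
```

The static entries and the overload rule now consult the same ACL 101, so adding a fourth VPN site means adding one more deny line to ACL 101 (plus the crypto ACL and ACL 106 entry) rather than touching each static entry again.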
05-02-2013 06:43 AM
Thanks for your help! That's done the trick!
Thanks!!!!!!!!!!!!!!!!!