05-05-2016 01:30 PM - edited 02-21-2020 08:48 PM
Hi! I've got the following problem.
Users from the outside network would like to connect to the internal network and share Windows 2012 resources (run software, files etc.).
So it's time to deploy a VPN server, and as I haven't got a free license to run it on my Windows 2012, I've decided to use my QNAP for this (as it has this feature built in). So I've chosen L2TP/IPsec and tested it in a home lab with a simple TP-Link router with UPnP function, and it worked like a charm.
However, in the real production environment I need to use a Cisco router, and that's how the story begins ;)
So, clients with their Windows machines (7, 8.1, 10) need to pass the Cisco firewall router (with NAT) and get to the internal network and the VPN server on the QNAP.
I've googled for sample configurations, but most of them concerned configuring the router itself as the VPN server, and what I would like to achieve is to make my router pass VPN traffic. Once I found some PPTP sample config, I modified it a little bit, but I don't know if this works as I haven't tested it yet.
Anyway, could you check my config and see if it's OK? Should I do a static NAT for the VPN server 192.168.5.253 to an external address?
Here is also a short diagram:
vpn clients (win 7,8,10) ------------ cisco 1921 router ------------ qnap vpn server
       cloud                     xxx.194             5.254              5.253 (internal network)
test#show runn
Building configuration...
Current configuration : 3611 bytes
!
! Last configuration change at 19:31:01 UTC Wed May 4 2016 by
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname test
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.5.200 192.168.5.254
ip dhcp excluded-address 192.168.5.1 192.168.5.189
!
ip dhcp pool network
network 192.168.5.0 255.255.255.0
default-router 192.168.5.254
domain-name network
dns-server xxx.x.xxx.244
!
!
!
ip domain name temp
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
!
license udi pid CISCO1921/K9 sn xxxxxx
license boot module c1900 technology-package securityk9
!
!
username abc secret 5
username cisco privilege 15 password 7
!
redundancy
!
!
!
!
!
ip ssh version 2
!
class-map type inspect match-any cm_helpdek_protocols
match protocol http
match protocol https
match protocol ssh
class-map type inspect match-any cm_gre_protocols
match access-group name GRE
class-map type inspect match-any cm_icmp
match access-group name icmp
class-map type inspect match-all cm_helpdesk
match access-group name helpdesk
class-map type inspect match-any inside_to_outside
match protocol h323
match protocol pptp
match protocol ftp
match protocol tcp
match protocol udp
match protocol icmp
!
policy-map type inspect pm_outside_to_inside
class type inspect cm_gre_protocols
pass
class type inspect cm_icmp
inspect
class type inspect cm_helpdesk
inspect
class class-default
drop log
policy-map type inspect pm_inside_to_outside
class type inspect inside_to_outside
inspect
class type inspect cm_gre_protocols
pass
class class-default
drop log
!
zone security inside
description inside trusted zone
zone security outside
description outside untrusted zone
zone-pair security zonep_insiede_to_outside source inside destination outside
service-policy type inspect pm_inside_to_outside
zone-pair security zonep_outside_to_inside source outside destination inside
service-policy type inspect pm_outside_to_inside
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description "LAN"
ip address 192.168.5.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security inside
duplex auto
speed auto
!
interface GigabitEthernet0/1
description "WAN CID: xxxxx
ip address xxx.xxx.xxx.194 255.255.255.252
ip nat outside
ip virtual-reassembly in
zone-member security outside
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
!
ip nat pool network xxx.xxx.xxx.201 xxx.xxx.xxx.201 netmask 255.255.255.248
ip nat inside source list 1 pool network overload
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.193
!
ip access-list extended GRE
remark ACL to allow PPTP GRE OUTBOUND
permit gre any any
permit udp any any eq 1701
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
ip access-list extended helpdesk
permit ip any host 192.168.5.253
ip access-list extended icmp
permit icmp any host 192.168.5.253
!
!
!
access-list 1 permit 192.168.5.0 0.0.0.255
!
control-plane
!
!
!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin xxxxx
stopbits 1
line vty 0 4
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
Regards,
Andrew
05-05-2016 02:56 PM
You are talking about L2TP/IPsec, but your config is still for PPTP ...
To allow L2TP/IPsec to your internal VPN-server you need:
Have you considered running the VPN server on the router itself? With the Security license you can also use VPN on the router.
05-06-2016 01:39 AM
Yes, I was even thinking about deploying AnyConnect, but due to leasing issues with my provider, I can't get SmartNet from them. I've also considered, as you said, running L2TP/IPsec on the router, but it lacks the AD authentication mechanism; in QNAP it is a feature to be released soon.
BTW, I've redesigned my config a little bit. Could you look at it ?
I'm not sure about putting "permit ip any host 192.168.5.253" into the ACL named L2TP (cm_L2TP_protocols out_in).
test#show runn
Building configuration...
Current configuration : 3611 bytes
!
! Last configuration change at 19:31:01 UTC Wed May 4 2016 by
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname test
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.5.200 192.168.5.254
ip dhcp excluded-address 192.168.5.1 192.168.5.189
!
ip dhcp pool network
network 192.168.5.0 255.255.255.0
default-router 192.168.5.254
domain-name network
dns-server xxx.x.xxx.244
!
!
!
ip domain name temp
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
!
license udi pid CISCO1921/K9 sn xxxxxx
license boot module c1900 technology-package securityk9
!
!
username abc secret 5
username cisco privilege 15 password 7
!
redundancy
!
!
!
!
!
ip ssh version 2
!
class-map type inspect match-any cm_L2TP_protocols out_in
match access-group name L2TP
class-map type inspect match-any cm_icmp
match access-group name icmp
class-map type inspect match-any cm_L2TP_protocols in_out
match access-group name vpn_server
class-map type inspect match-any inside_to_outside
match protocol ftp
match protocol tcp
match protocol udp
match protocol icmp
!
policy-map type inspect pm_outside_to_inside
class type inspect cm_L2TP_protocols out_in
pass
class type inspect cm_icmp
inspect
class class-default
drop log
policy-map type inspect pm_inside_to_outside
class type inspect inside_to_outside
inspect
class type inspect cm_L2TP_protocols in_out
pass
class class-default
drop log
!
zone security inside
description inside trusted zone
zone security outside
description outside untrusted zone
zone-pair security zonep_insiede_to_outside source inside destination outside
service-policy type inspect pm_inside_to_outside
zone-pair security zonep_outside_to_inside source outside destination inside
service-policy type inspect pm_outside_to_inside
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description "LAN"
ip address 192.168.5.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security inside
duplex auto
speed auto
!
interface GigabitEthernet0/1
description "WAN CID: xxxxx
ip address xxx.xxx.xxx.194 255.255.255.252
ip nat outside
ip virtual-reassembly in
zone-member security outside
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
!
ip nat pool network xxx.xxx.xxx.201 xxx.xxx.xxx.201 netmask 255.255.255.248
ip nat inside source list 1 pool network overload
ip nat inside source static udp 192.168.5.253 500 xxx.xxx.xxx.202 500 extendable
ip nat inside source static udp 192.168.5.253 4500 xxx.xxx.xxx.202 4500 extendable
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.193
!
ip access-list extended L2TP
remark ACL to allow L2TP FROM OUTSIDE TO INSIDE
permit udp any host 192.168.5.253 eq non500-isakmp
permit udp any host 192.168.5.253 eq isakmp
permit udp any host 192.168.5.253 eq 4500
permit esp any host 192.168.5.253
permit ip any host 192.168.5.253 ?? - should I put it here ?
ip access-list extended vpn_server
remark acl to allow vpn_server from inside to outside
permit ip 10.2.0.0 0.0.0.255 any
permit ip host 192.168.5.253 any
ip access-list extended icmp
permit icmp any host 192.168.5.253
!
!
!
access-list 1 permit 192.168.5.0 0.0.0.255
!
control-plane
!
!
!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin xxxxx
stopbits 1
line vty 0 4
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
Regards,
05-06-2016 02:22 AM
Overall it looks good. Some notes on the config:
policy-map type inspect pm_outside_to_inside
class type inspect cm_L2TP_protocols out_in
pass
You can use inspect here.
ip access-list extended L2TP
permit udp any host 192.168.5.253 eq 4500
permit esp any host 192.168.5.253
These two ACEs are not needed. UDP/4500 is "non500-isakmp" and ESP will always be encapsulated in UDP.
05-06-2016 03:08 AM
Thanks !
I was wondering about putting "inspect" there, but I read somewhere that for VPN traffic the difference between "inspect" and "pass" matters.
And the last thing:
What about the statement "permit ip any host 192.168.5.253"? Does it mean "permit all IP addresses from outside to the vpn_server with IP 192.168.5.253, along with all TCP and UDP ports"? If so, I guess it's potentially unsafe to place it in the ACL.
Regards,
05-06-2016 03:13 AM
After the client connects to the VPN, you want return traffic to flow back to the client. That can be easily allowed with "inspect".
And from the standpoint of the firewall, you don't have ESP-traffic (which would be IP/50). You only have UDP-traffic (initially UDP/500 which switches to UDP/4500)
And you are right with your last ACE. That one is much too permissive and not needed for this function.
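Putting Karsten's three notes together, the outside-to-inside side of the zone-based firewall ends up as below. This is an added illustration written for this thread, not a config posted by either participant; the class-map name cm_L2TP_out_in (IOS class-map names must not contain spaces) is an assumption, and the addresses 192.168.5.253 and xxx.xxx.xxx.202 are taken from the posted configs.

```cisco
! Added example: consolidated outside-to-inside policy for L2TP/IPsec passthrough
! to the QNAP at 192.168.5.253. Only the two UDP ports IKE actually uses are opened:
! ESP (IP/50) never appears on the outside of a NAT, because NAT-T carries it inside
! UDP/4500, and the catch-all "permit ip any host 192.168.5.253" is dropped as too
! permissive (it would expose every TCP/UDP service on the QNAP to the Internet).
ip access-list extended L2TP
 remark L2TP/IPsec from outside to the internal VPN server (IKE + NAT-T only)
 permit udp any host 192.168.5.253 eq isakmp
 permit udp any host 192.168.5.253 eq non500-isakmp
!
! Class-map name is an assumption; the posted "cm_L2TP_protocols out_in" contains a space.
class-map type inspect match-any cm_L2TP_out_in
 match access-group name L2TP
!
! "inspect" instead of "pass": the firewall creates a session for each UDP flow and
! lets the return packets back to the client automatically, so no matching "pass"
! entry for the server's replies is needed in pm_inside_to_outside.
policy-map type inspect pm_outside_to_inside
 class type inspect cm_L2TP_out_in
  inspect
 class type inspect cm_icmp
  inspect
 class class-default
  drop log
!
! Static port forwards so the public address xxx.xxx.xxx.202 (placeholder, as in the
! thread) reaches the QNAP for both IKE and NAT-T. The ACL above matches the inside
! address because outside-to-inside NAT is applied before the firewall inspection.
ip nat inside source static udp 192.168.5.253 500 xxx.xxx.xxx.202 500 extendable
ip nat inside source static udp 192.168.5.253 4500 xxx.xxx.xxx.202 4500 extendable
```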
05-06-2016 03:23 AM
Thank you, Karsten Iwen, for the help. I'll put the config on my router and write here if it works. See ya.
11-23-2016 05:41 PM
Hi Andrew - did you end up making this work? I would be interested to know the method if you did.