cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
850
Views
0
Helpful
1
Replies

LAN Connection to CCP works fine but nothing Remote/External Can Connect.

fbeye
Level 4
Level 4

I must have made a change to my configuration at some point because I would be at work on Verizon LTE on my iPad and connect to my Cisco Router IP and it would bring up CCP 3.5 Express no problem.

Then, I would also be able to Portscan and see port 80 open..

 

Now I can not connect and it shows 0 ports open.

If it helps, my static Gateway is the x.x.x.182 IP and if need be (ive never had to before), the "subnet"? I want to connect from would be 174.238.0.0 as it seems to always change but in that same range.

 

This is my current running-config.

 

Current configuration : 8090 bytes
!
! Last configuration change at 04:07:43 UTC Thu Feb 8 2018 by Cisco
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CHOM
!
boot-start-marker
boot system flash:c800-universalk9-mz.SPA.153-3.M10.bin
boot-end-marker
!
aqm-register-fnf
!
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPN local
aaa authorization exec default local
aaa authorization network EzVPN local
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!


!
!
!
!
ip domain name hom.org
ip name-server 205.171.3.65
ip name-server 205.171.2.65
ip cef
no ipv6 cef
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
!
!
!
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
!
!
!
!
!
!
!
!
license udi pid C891F-K9 sn FGL212791GJ
!
!
username ...
username ...
!
!
!
!
!
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
class-map type inspect match-all OUT-TO-SELF
match access-group name outsideacl
class-map type inspect match-any SELF-TO-OUT
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-any All_Protocols
match protocol tcp
match protocol udp
match protocol icmp
!
policy-map type inspect VPN
class type inspect All_Protocols
inspect
class class-default
drop
policy-map type inspect OUT-TO-SELF
class type inspect OUT-TO-SELF
inspect
class class-default
drop
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
drop
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
inspect
class class-default
drop
policy-map type inspect SELF-TO-OUT
class type inspect SELF-TO-OUT
inspect
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone security Ezvpn
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
zone-pair security Self->Internet source self destination OUTSIDE
service-policy type inspect SELF-TO-OUT
zone-pair security Internet->Self source OUTSIDE destination self
service-policy type inspect OUT-TO-SELF
zone-pair security Ezvpn->INSIDE source Ezvpn destination INSIDE
description LAN to INSIDE traffic
service-policy type inspect VPN
zone-pair security Ezvpn->Self source Ezvpn destination self
service-policy type inspect VPN
zone-pair security Self->Ezvpn source self destination Ezvpn
service-policy type inspect VPN
zone-pair security INSIDE->Ezvpn source INSIDE destination Ezvpn
description LAN to Ezvpn traffic
service-policy type inspect VPN
!
!
crypto isakmp policy 2
encr aes 256
hash sha256
authentication pre-share
group 14
crypto isakmp client configuration address-pool local POOLVPN
crypto isakmp xauth timeout 60

!
crypto isakmp client configuration group EzVPN
key <key>
dns 8.8.8.8
domain hom.org
pool POOLVPN
acl 150
netmask 255.255.255.0
crypto isakmp profile EzVPN-PROFILE
match identity group EzVPN
client authentication list VPN
isakmp authorization list EzVPN
client configuration address respond
client configuration group EzVPN
virtual-template 99
!
!
crypto ipsec transform-set IPTRANSFORM esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile PROFILE-IPSEC-EZVPN
set transform-set IPTRANSFORM
set isakmp-profile EzVPN-PROFILE
!
!
!
!
!
!
!
!
interface Loopback99
ip address 10.252.0.254 255.255.255.0
zone-member security Ezvpn
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
description TPLink Wireless
no ip address
zone-member security INSIDE
!
interface GigabitEthernet1
description Email Server
no ip address
zone-member security INSIDE
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
description PPPoE xDSL WAN
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface Virtual-Template99 type tunnel
ip unnumbered Loopback99
zone-member security Ezvpn
tunnel source Dialer1
tunnel mode ipsec ipv4
tunnel protection ipsec profile PROFILE-IPSEC-EZVPN
!
interface Vlan1
ip address x.x.x.182 255.255.255.248
ip virtual-reassembly in
zone-member security INSIDE
!
interface Async3
no ip address
encapsulation slip
!
interface Dialer1
description PPPoE xDSL WAN Dialer
ip address negotiated
no ip unreachables
ip mtu 1460
zone-member security OUTSIDE
encapsulation ppp
ip tcp adjust-mss 1420
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname <username>
ppp chap password 0 <password>
ppp pap sent-username <username> password 0 <password>
ppp ipcp route default
no cdp enable
!
ip local pool POOLVPN 10.252.0.1 10.252.0.200 recycle delay 30
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.0.0 255.255.255.0 x.x.x.177
ip ssh version 2
!
ip access-list extended INSIDE-TO-OUTSIDE
permit ip host x.x.x.x.176 any
permit ip host x.x.x.x.177 any
permit ip host x.x.x.x.178 any
permit ip host x.x.x.x.179 any
permit ip host x.x.x.180 any
permit ip host x.x.x.181 any
permit ip host x.x.x.182 any
permit tcp host x.x.x.180 any eq smtp
permit tcp host x.x.x.180 any eq 993
permit udp host x.x.x.177 any eq domain
permit udp host x.x.x.180 any eq domain
permit udp host x.x.x.182 any eq domain
permit tcp host x.x.x.180 any eq domain
ip access-list extended OUTSIDE-TO-INSIDE
permit icmp any host x.x.x.176
permit icmp any host x.x.x.177
permit icmp any host x.x.x.178
permit icmp any host x.x.x.179
permit icmp any host x.x.x.180
permit icmp any host x.x.x.181
permit icmp any host x.x.x.182
permit udp any host x.x.x.180 eq domain
permit udp any host x.x.x.177 eq domain
permit udp any host x.x.x.182 eq domain
permit tcp any host x.x.x.180 eq 993
permit tcp any host x.x.x.180 eq smtp
permit tcp any host x.x.x.180 eq domain
ip access-list extended outsideacl
permit icmp any host x.x.x.182 echo-reply
permit icmp any host x.x.x.182 echo
permit icmp any host x.x.x.182 traceroute
permit icmp any host x.x.x.182 time-exceeded
permit icmp any host x.x.x.182 unreachable
permit tcp any host x.x.x.182 eq 22
permit udp any host x.x.x.182 eq isakmp
permit udp any host x.x.x.182 eq non500-isakmp
permit esp any host x.x.x.182
deny ip any host x.x.x.182
!
dialer-list 1 protocol ip permit
no cdp run
!
access-list 150 permit ip 192.168.0.0 0.0.0.255 any
access-list 150 permit ip 10.252.0.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
vstack
!
line con 0
exec-timeout 5 30
password <password>
no modem enable
line aux 0
line 3
modem InOut
speed 115200
flowcontrol hardware
line vty 0 4
password <password>
transport input all
!
scheduler allocate 20000 1000
!
end

1 Reply 1

fbeye
Level 4
Level 4

I believe I found a solution to my problem which an actually raises a completely different question.

 

By default I naturally use my  ip access-list extended OUTSIDE-TO-INSIDE as my incoming Zone Protection but clearly had permit tcp any host x.x.x.182 eq www missing... Which would deny me. So I then add it as mentioned, but still no access!

I then noticed under my ip access-list extended outsideacl I had deny ip any host x.x.x.182 So 

I removed the deny ip any host x.x.x.182 which now has the permit tcp any host x.x.x.182 eq www (under ip access-list extended OUTSIDE-TO-INSIDE) only listed and still no go! 

I’m getting there....

 

The way I made it work was to add permit tcp any host x.x.x.182 eq www to both ip access-list extended outsideacl and ip access-list extended OUTSIDE-TO-INSIDE.

 

So is this then set up right being that I have to mention it in both places? Or is this just how the security is setup being that I am indeed listing 2 rulesets, therefore I need to mention it both instances? 

If that is the case, that is fine, but should I enable the deny ip any host x.x.x.182 along with my permit or will they cancel each other out?