06-04-2012 03:33 AM - edited 02-21-2020 06:06 PM
Hi,
I'm trying to figure out why remote access VPNs to our company office fail. The scenario: currently we have a working situation. The way it works is that users connect to the public IP of an ADSL router, which NATs the VPN traffic to an internal router. This router then forwards the traffic to the VPN server.
remote vpn client <=> {{internet}} <=> adsl cpe <=> router <=> vpn server
Now I'm implementing a 2nd internet line with more or less the same setup, but instead of an ADSL CPE we use a Cisco router. When active, users should connect the same way, with the only difference being a different public IP address.
remote vpn client <=> {{internet}} <=> cisco router <=> router <=> vpn server
So the only change from the Cisco VPN client's perspective is the host. However, when testing it did not work. The VPN client times out with something like 'the VPN peer did not respond'; I don't remember the exact error message by heart. Now logic tells me that because it's now working, the part between the internal router and VPN gateway is OK. My guess is that this is due to the Cisco's access list. I had my own access list, but for some reason I decided to use the SDM firewall config wizard and it generated this access list:
Extended IP access list 100
10 permit tcp any host 90.90.150.82 eq 4500
20 permit tcp any host 90.90.150.82 eq 500
30 permit tcp any host 90.90.150.82 eq 51
40 permit tcp any host 90.90.150.82 eq 50
50 permit tcp any host 90.90.150.82 eq 3101
60 permit tcp any host 90.90.150.82 eq 993
70 permit tcp any host 90.90.150.82 eq 587
80 permit tcp any host 90.90.150.82 eq smtp (722 matches)
90 deny ip 192.168.0.8 0.0.0.7 any (20606 matches)
100 permit icmp any host 90.90.150.82 echo-reply (113 matches)
110 permit icmp any host 90.90.150.82 time-exceeded (54 matches)
120 permit icmp any host 90.90.150.82 unreachable (1051 matches)
130 deny ip 10.0.0.0 0.255.255.255 any (726 matches)
140 deny ip 172.16.0.0 0.15.255.255 any
150 deny ip 192.168.0.0 0.0.255.255 any
160 deny ip 127.0.0.0 0.255.255.255 any
170 deny ip host 255.255.255.255 any
180 deny ip host 0.0.0.0 any
190 deny ip any any log (5163 matches)
Since the NATting for SMTP works, I believe the NATting is OK. I can ping the VPN server, so routing also seems to be OK. The VPN end-users should receive a VPN IP address from the 192.168.x.x pool. Can it be that rule 150 is preventing them from connecting? I cannot test, since it's a live environment and I will have to schedule a window. I'm just trying to figure out what is wrong so I can fix it during a window. Anyone any ideas?
06-04-2012 05:15 AM
The first 4 lines of access-list 100 are incorrect; they should be:
10 permit udp any host 90.90.150.82 eq 4500
20 permit udp any host 90.90.150.82 eq 500
30 permit ah any host 90.90.150.82
40 permit esp any host 90.90.150.82
06-04-2012 05:35 AM
Ehm, yeah, makes sense. I will try that. Thanks.
This probably means I have to change the NATting rules as well, no?
current:
ip nat inside source static tcp 10.81.0.5 25 interface FastEthernet1 25
ip nat inside source static tcp 10.81.0.5 587 interface FastEthernet1 587
ip nat inside source static tcp 10.81.0.5 993 interface FastEthernet1 993
ip nat inside source static tcp 10.81.0.7 3101 interface FastEthernet1 3101
ip nat inside source static tcp 10.85.1.2 50 interface FastEthernet1 50
ip nat inside source static tcp 10.85.1.2 51 interface FastEthernet1 51
ip nat inside source static tcp 10.85.1.2 500 interface FastEthernet1 500
ip nat inside source static tcp 10.85.1.2 4500 interface FastEthernet1 4500
I've added these three now. There is no option to add AH though? Any ideas on that or is this enough?
ip nat inside source static esp 10.85.1.2 interface FastEthernet1
ip nat inside source static udp 10.85.1.2 500 interface FastEthernet1 500
ip nat inside source static udp 10.85.1.2 4500 interface FastEthernet1 4500
06-05-2012 12:24 AM
Please see my previous update. Can anyone tell me please if the last 3 NAT rules should also be there? What about AH?
06-05-2012 12:51 AM
No, you don't need AH if your VPN policy does not include AH.
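As an added example (not posted in this thread and not a Cisco tool), the following Python script turns the two checks discussed above into a small lint: it parses IOS extended-ACL entries and `ip nat inside source static` lines and reports whether the IPsec remote-access set from the accepted answer (udp/500 for IKE, udp/4500 for NAT-T, ESP, and AH only when the VPN policy uses it) is permitted and translated for the VPN server, and flags the wizard-style mistake of writing TCP instead of UDP or treating the IP protocol numbers 50 and 51 as ports. The sample ACL and NAT lines are constructed from the snippets in the thread (same public IP 90.90.150.82 and VPN server 10.85.1.2); the `isakmp` and `non500-isakmp` port names are how IOS displays udp/500 and udp/4500 in a `show access-list`.

```python
import re

# IOS prints some well-known ports by name; map the ones this lint needs back to numbers.
PORT_NAMES = {"isakmp": "500", "non500-isakmp": "4500", "smtp": "25"}

# One extended-ACL entry: [seq] permit|deny <proto> <src> <dst> [eq <port>] [(n matches)]
ACL_RE = re.compile(
    r"^\s*(?:\d+\s+)?(permit|deny)\s+(\S+)\s+(any|host \S+|\S+ \S+)\s+"
    r"(any|host \S+|\S+ \S+)(?:\s+eq\s+(\S+))?"
)
# One static NAT line: ip nat inside source static <proto> <inside> [port] interface <if> [port]
NAT_RE = re.compile(
    r"^ip nat inside source static\s+(tcp|udp|esp)\s+(\S+)(?:\s+(\d+))?"
    r"\s+interface\s+(\S+)(?:\s+(\d+))?"
)

# What an IPsec remote-access client needs to reach a gateway behind this router.
REQUIRED = [("udp", "500"), ("udp", "4500"), ("esp", None)]
# Wizard-style mistakes: TCP instead of UDP, or protocol numbers 50/51 written as ports.
SUSPECT = {("tcp", "500"), ("tcp", "4500"), ("tcp", "50"), ("tcp", "51"),
           ("udp", "50"), ("udp", "51")}


def parse_acl(text):
    """Return (action, proto, src, dst, port) tuples; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if m:
            action, proto, src, dst, port = m.groups()
            entries.append((action, proto.lower(), src, dst, PORT_NAMES.get(port, port)))
    return entries


def parse_nat(text):
    """Return (proto, inside_ip, inside_port, interface, outside_port) tuples."""
    return [m.groups() for m in (NAT_RE.match(l.strip()) for l in text.splitlines()) if m]


def _covered(req, permitted):
    proto, _port = req
    # A blanket 'permit ip' or an unported 'permit udp' also satisfies the requirement.
    return ("ip", None) in permitted or (proto, None) in permitted or req in permitted


def check_acl(entries, public_ip, use_ah=False):
    """Return (missing, suspect) for permits towards the router's public address."""
    required = REQUIRED + ([("ah", None)] if use_ah else [])
    permitted = {(p, port) for a, p, _src, dst, port in entries
                 if a == "permit" and dst in ("any", f"host {public_ip}")}
    missing = [r for r in required if not _covered(r, permitted)]
    suspect = [e for e in entries if e[0] == "permit" and (e[1], e[4]) in SUSPECT]
    return missing, suspect


def check_nat(rules, vpn_server):
    """Return (missing, suspect) static translations for the internal VPN server."""
    required = {("udp", "500", "500"), ("udp", "4500", "4500"), ("esp", None, None)}
    present = {(proto, ip, op) for proto, inside, ip, _if, op in rules if inside == vpn_server}
    missing = sorted(required - present, key=str)
    # TCP translations of 50/51/500/4500 never carry IPsec traffic; they are dead rules.
    suspect = [r for r in rules if r[1] == vpn_server and r[0] == "tcp"
               and r[2] in {"500", "4500", "50", "51"}]
    return missing, suspect


# Constructed samples modelled on the thread (wizard output, then the corrected entries).
BROKEN_ACL = """Extended IP access list 100
    10 permit tcp any host 90.90.150.82 eq 4500
    20 permit tcp any host 90.90.150.82 eq 500
    30 permit tcp any host 90.90.150.82 eq 51
    40 permit tcp any host 90.90.150.82 eq 50
    80 permit tcp any host 90.90.150.82 eq smtp (722 matches)
    150 deny ip 192.168.0.0 0.0.255.255 any
    190 deny ip any any log (5163 matches)
"""
FIXED_ACL = """Extended IP access list 100
    10 permit udp any host 90.90.150.82 eq isakmp
    20 permit udp any host 90.90.150.82 eq non500-isakmp
    30 permit ah any host 90.90.150.82
    40 permit esp any host 90.90.150.82
    80 permit tcp any host 90.90.150.82 eq smtp
    190 deny ip any any log
"""
BROKEN_NAT = """ip nat inside source static tcp 10.81.0.5 25 interface FastEthernet1 25
ip nat inside source static tcp 10.85.1.2 50 interface FastEthernet1 50
ip nat inside source static tcp 10.85.1.2 51 interface FastEthernet1 51
ip nat inside source static tcp 10.85.1.2 500 interface FastEthernet1 500
ip nat inside source static tcp 10.85.1.2 4500 interface FastEthernet1 4500
"""
FIXED_NAT = BROKEN_NAT + """ip nat inside source static esp 10.85.1.2 interface FastEthernet1
ip nat inside source static udp 10.85.1.2 500 interface FastEthernet1 500
ip nat inside source static udp 10.85.1.2 4500 interface FastEthernet1 4500
"""

if __name__ == "__main__":
    for label, acl, nat in (("wizard", BROKEN_ACL, BROKEN_NAT), ("fixed", FIXED_ACL, FIXED_NAT)):
        print(label, "ACL:", check_acl(parse_acl(acl), "90.90.150.82", use_ah=True))
        print(label, "NAT:", check_nat(parse_nat(nat), "10.85.1.2"))
```

Run against the wizard output, the ACL check reports all three required permits missing and four suspect TCP lines; against the corrected entries it reports nothing. The NAT check on the corrected set reports no missing translations but still lists the four stale TCP rules, which are harmless but never match IPsec traffic. The lint looks only at the destination side of each permit, so it does not answer the separate question about the source-based `deny` on 192.168.0.0/16.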