VPN Tunnel

katheer_4u
Level 1

Hi,

I am having an issue with the VPN. I can see that the tunnels are up, but I am unable to telnet to the private IP on port 443.

!
object-group network USER-Local-server
host 192.168.1.152
!
crypto isakmp policy 1
encr aes 256
hash sha256
authentication pre-share
group 14
!

crypto isakmp key xxxxxxxxxxx address 200.200.200.12
crypto isakmp key xxxxxxxxxxx address 200.200.200.10
crypto isakmp keepalive 30 periodic
!
!
crypto ipsec transform-set IPSEC_TSET1 esp-aes 256 esp-sha256-hmac
mode tunnel

!
!
crypto map cmap 10 ipsec-isakmp
set peer 200.200.200.12
set transform-set IPSEC_TSET1
match address 109
crypto map cmap 11 ipsec-isakmp
set peer 200.200.200.10
set transform-set IPSEC_TSET1
match address 110


interface FastEthernet3
switchport access vlan 2
no ip address
!
interface Vlan1
ip address 192.168.1.165 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan2
ip address 100.100.100.172 255.255.255.248
ip nat outside
ip virtual-reassembly in
ip tcp adjust-mss 1412
crypto map cmap
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 108 interface Vlan2 overload
ip nat inside source static 192.168.1.152 100.100.100.220 route-map VPN-2-Remote extendable

ip access-list extended Nat-for-VPN
permit ip object-group USER-Local-server host 66.66.72.5
permit ip object-group USER-Local-server host 66.66.62.5


ip access-list extended vpn_charlotte
permit ip host 100.100.100.220 host 66.66.62.5

ip access-list extended vpn_plano
permit ip host 100.100.100.220 host 66.66.72.5
!

route-map VPN-2-Remote permit 10
match ip address Nat-for-VPN
!

access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 109 permit tcp any any
access-list 109 permit ip host 100.100.100.220 host 66.66.72.5
access-list 109 permit ip host 66.66.72.5 host 100.100.100.220
access-list 110 permit tcp any any
access-list 110 permit ip host 100.100.100.220 host 66.66.62.5
access-list 110 permit ip host 66.66.62.5 host 100.100.100.220

15 Replies

Can you share the output of these commands?

show crypto ipsec sa

!

show crypto session

!

show crypto isakmp sa

please do not forget to rate.

Hi,

Please see the attached files.

Thank you for the prompt response.

Hi,

I received your private message... when you say you cannot telnet to the private IP address, which tunnel are you referring to?

One tunnel has been established and is sending/receiving traffic.

local ident (addr/mask/prot/port): (100.100.100.220/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (66.66.62.5/255.255.255.255/0/0)
current_peer 200.200.200.10 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

Is the device you are telnetting to on port 443 actually listening on port 443?

Can you ping across the tunnel?

HTH

Hi,

First of all, thank you for the response.

Actually, I can ping both tunnel private IPs, 66.66.72.5 and 66.66.62.5,

but I can't telnet to 66.66.62.5 443.

I can telnet to 66.66.72.5 443.

...but is 66.66.62.5 actually listening on 443? Assuming it's a Cisco router, "ip http secure-server"?

Dear,

It's not an ip http secure-server.

The telnet port is 23, not 443, unless I am missing something here? Anyway, have you checked that the ports are open at the other end?

please do not forget to rate.

Dear Mr. Sheraz,

Our client said HTTP port 80 is restricted; only HTTPS and ICMP are allowed.

"TCP dump showing your failing telnet attempts followed by Resets to 66.66.62.5 from your PROD 100.100.100.220"

and 66.66.62.5.443: R 4046777178:4046777178(0) win 0 the packets are getting 

You've established IPsec SAs from 100.100.100.220 to 66.66.62.5, so, as per your ACL, all IP traffic between those IP addresses should be permitted across the tunnel.

What device is 66.66.62.5? I assume that tcpdump is from the other end, therefore your traffic is being sent over the tunnel and dropped on their end?

Yes, the end server with domain IP 66.66.62.5, this is the HTTPS server of our client.

Our client said the packets are getting reset:

1320,nop,wscale 8,nop,nop,sackOK>
09:50:15.431932 P 00:08:e3:ff:fc:04 ethertype IPv4 (0x0800), length 64: 66.66.62.5.443 > 10.4.67.160.12041: S 3770473945:3770473945(0) ack 2328315235 win 3960 <mss 1380,sackOK,eol>
09:50:15.633323 Out 00:1c:7f:42:04:21 ethertype IPv4 (0x0800), length 56: 10.4.67.160.12041 > 66.66.62.5.443: R 4046777178:4046777178(0) win 0
09:50:18.430671 Out 00:1c:7f:42:04:21 ethertype IPv4 (0x0800), length 68: 10.4.67.160.12041 > 66.66.62.5.443: SWE 2524290618:2524290618(0) win 8192 <mss 1320,nop,wscale 8,nop,nop,sackOK>
09:50:18.432129 P 00:08:e3:ff:fc:04 ethertype IPv4 (0x0800), length 64: 66.66.62.5.443 > 10.4.67.160.12041: S 3770473945:3770473945(0) ack 2328315235 win 3960 <mss

I assume that was captured on the remote end?

"10.4.67.160" is not your IP address; your traffic should come from 100.100.100.220?

Run a packet capture on your end between the 2 IP addresses and upload the pcap file for review.
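As an added example (not from the thread), the check the reply above does by eye, written as a small Python parser for the classic tcpdump -e line format quoted in the capture: it groups packets per client socket talking to 66.66.62.5:443 and reports clients other than the expected NAT address 100.100.100.220, handshakes the client reset after receiving a SYN/ACK, and SYN/ACKs whose ack number does not follow any SYN that client sent in the capture (the quoted 09:50:18 SYN/ACK acknowledges 2328315235 while the SYN just before it carries 2524290618). The sample lines are constructed after the quoted ones, with a second, invented flow from 100.100.100.220 for contrast; a truncated line like the first one quoted above is simply skipped.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the tcpdump lines quoted in the thread (not the original
# capture): one client resets after the SYN/ACK, a second (invented) one completes the handshake.
SAMPLE_CAPTURE = """\
09:50:18.430671 Out 00:1c:7f:42:04:21 ethertype IPv4 (0x0800), length 68: 10.4.67.160.12041 > 66.66.62.5.443: SWE 2524290618:2524290618(0) win 8192 <mss 1320,nop,wscale 8,nop,nop,sackOK>
09:50:18.432129 P 00:08:e3:ff:fc:04 ethertype IPv4 (0x0800), length 64: 66.66.62.5.443 > 10.4.67.160.12041: S 3770473945:3770473945(0) ack 2328315235 win 3960 <mss 1380,sackOK,eol>
09:50:18.633323 Out 00:1c:7f:42:04:21 ethertype IPv4 (0x0800), length 56: 10.4.67.160.12041 > 66.66.62.5.443: R 4046777178:4046777178(0) win 0
09:51:02.100000 Out 00:1c:7f:42:04:21 ethertype IPv4 (0x0800), length 68: 100.100.100.220.40001 > 66.66.62.5.443: S 1000:1000(0) win 8192 <mss 1320,nop,nop,sackOK>
09:51:02.101000 P 00:08:e3:ff:fc:04 ethertype IPv4 (0x0800), length 64: 66.66.62.5.443 > 100.100.100.220.40001: S 5000:5000(0) ack 1001 win 3960 <mss 1380,sackOK,eol>
"""

# "ts dir mac ethertype IPv4 (0x0800), length N: a.b.c.d.port > e.f.g.h.port: FLAGS [seq:seq(len)] ..."
LINE_RE = re.compile(r"^\S+ \S+ \S+ ethertype IPv4 \(0x0800\), length \d+: "
                     r"(\d[\d.]+)\.(\d+) > (\d[\d.]+)\.(\d+): (\S+)(?: (\d+):\d+\(\d+\))?")

def parse_capture(text):
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # truncated or non-IPv4 lines are skipped rather than guessed at
        src, sport, dst, dport, flags, seq = m.groups()
        ack = re.search(r"\back (\d+)", line)  # \b keeps the "sackOK" option from matching
        pkts.append({"src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
                     "syn": "S" in flags, "rst": "R" in flags,
                     "seq": int(seq) if seq else None, "ack": int(ack.group(1)) if ack else None})
    return pkts

def analyse_handshakes(pkts, expected_client, server, port):
    # Group both directions of each client socket talking to server:port
    flows = defaultdict(list)
    for p in pkts:
        if p["dst"] == server and p["dport"] == port:
            flows[(p["src"], p["sport"])].append(p)
        elif p["src"] == server and p["sport"] == port:
            flows[(p["dst"], p["dport"])].append(p)
    report = {"unexpected_sources": set(), "aborted": [], "completed": [], "bad_ack": []}
    for (client, cport), fl in flows.items():
        if client != expected_client:  # not the NAT address the crypto ACL is written for
            report["unexpected_sources"].add(client)
        syns = [p for p in fl if p["src"] == client and p["syn"]]
        synacks = [p for p in fl if p["src"] == server and p["syn"] and p["ack"] is not None]
        rst = any(p["src"] == client and p["rst"] for p in fl)
        # A SYN/ACK answering this client must acknowledge seq+1 of a SYN it actually sent
        if synacks and not any(sa["ack"] == s["seq"] + 1 for sa in synacks for s in syns):
            report["bad_ack"].append((client, cport))
        if syns and synacks:
            (report["aborted"] if rst else report["completed"]).append((client, cport))
    return report
```

Run `analyse_handshakes(parse_capture(SAMPLE_CAPTURE), "100.100.100.220", "66.66.62.5", 443)` against a capture pasted from tcpdump to get the same three findings for real traffic.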

Can you provide the dump from your side? The provided one is from the remote side?

please do not forget to rate.

Any reason why you defined this?

access-list 110 permit tcp any any
access-list 110 permit ip host 100.100.100.220 host 66.66.62.5
access-list 110 permit ip host 66.66.62.5 host 100.100.100.220

please do not forget to rate.

Dear Mr. Sheraz,

Thank you for the response.

I want to allow ports 443 and 80 only; unfortunately, I allowed all the ports.
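As an added example (not from the thread or from Cisco), a small Python model of how IOS evaluates a crypto map: entries are walked in sequence-number order and the first ACL match selects the peer and the proxy identity. It loads the crypto map and ACLs 109/110 exactly as posted, plus a hypothetical tightened pair that classifies only 443/80 (and ICMP) from the NAT address to each remote host, as the last reply asks for. With the posted ACLs, `permit tcp any any` in ACL 109 matches every TCP flow, including one to 66.66.62.5, at entry 10 (peer 200.200.200.12) before entry 11 is ever consulted, while ICMP falls through to entry 11. The model ignores deny entries and NAT ordering; addresses are given post-NAT, as the crypto map on Vlan2 sees them.

```python
import ipaddress

# Crypto map as posted: IOS walks entries in sequence order; first ACL match wins.
CRYPTO_MAP = [(10, "200.200.200.12", 109), (11, "200.200.200.10", 110)]
ACLS_AS_POSTED = {
    109: ["permit tcp any any", "permit ip host 100.100.100.220 host 66.66.72.5",
          "permit ip host 66.66.72.5 host 100.100.100.220"],
    110: ["permit tcp any any", "permit ip host 100.100.100.220 host 66.66.62.5",
          "permit ip host 66.66.62.5 host 100.100.100.220"],
}
# Hypothetical tightened ACLs: only 443/80 (and ICMP) from the NAT address to each remote
# host. The peers' crypto ACLs would have to mirror these for the SAs to negotiate.
ACLS_TIGHTENED = {
    109: ["permit tcp host 100.100.100.220 host 66.66.72.5 eq 443",
          "permit tcp host 100.100.100.220 host 66.66.72.5 eq 80",
          "permit icmp host 100.100.100.220 host 66.66.72.5"],
    110: ["permit tcp host 100.100.100.220 host 66.66.62.5 eq 443",
          "permit tcp host 100.100.100.220 host 66.66.62.5 eq 80",
          "permit icmp host 100.100.100.220 host 66.66.62.5"],
}

def _addr(tok):
    """Consume one IOS address spec (any | host A | A wildcard) and return it as a network."""
    t = tok.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    # ipaddress accepts the wildcard (hostmask) form; a 0.0.0.0 wildcard must use "host" above
    return ipaddress.ip_network(f"{t}/{tok.pop(0)}")

def ace_matches(ace, proto, src, dst, dport):
    """Match one permit ACE against a flow; deny entries are not modelled here."""
    tok = ace.split()
    if tok[0] != "permit":
        return False
    ace_proto, tok = tok[1], tok[2:]
    s, d = _addr(tok), _addr(tok)
    port_ok = tok[:1] != ["eq"] or int(tok[1]) == dport  # "eq N" after the dst is the dst port
    return (ace_proto in ("ip", proto) and ipaddress.ip_address(src) in s
            and ipaddress.ip_address(dst) in d and port_ok)

def select_peer(crypto_map, acls, proto, src, dst, dport=None):
    """Return (seq, peer, ace) of the first matching entry, or None if the flow is not interesting."""
    for seq, peer, acl in crypto_map:
        for ace in acls[acl]:
            if ace_matches(ace, proto, src, dst, dport):
                return seq, peer, ace
    return None
```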