02-26-2020 10:02 AM - edited 02-26-2020 10:06 AM
Hi,
I am having an issue with the VPN. I can see that the tunnels are up, but I am unable to telnet to the private IP on port 443.
!
object-group network USER-Local-server
host 192.168.1.152
!
crypto isakmp policy 1
encr aes 256
hash sha256
authentication pre-share
group 14
!
crypto isakmp key xxxxxxxxxxx address 200.200.200.12
crypto isakmp key xxxxxxxxxxx address 200.200.200.10
crypto isakmp keepalive 30 periodic
!
!
crypto ipsec transform-set IPSEC_TSET1 esp-aes 256 esp-sha256-hmac
mode tunnel
!
!
crypto map cmap 10 ipsec-isakmp
set peer 200.200.200.12
set transform-set IPSEC_TSET1
match address 109
crypto map cmap 11 ipsec-isakmp
set peer 200.200.200.10
set transform-set IPSEC_TSET1
match address 110
interface FastEthernet3
switchport access vlan 2
no ip address
!
interface Vlan1
ip address 192.168.1.165 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan2
ip address 100.100.100.172 255.255.255.248
ip nat outside
ip virtual-reassembly in
ip tcp adjust-mss 1412
crypto map cmap
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 108 interface Vlan2 overload
ip nat inside source static 192.168.1.152 100.100.100.220 route-map VPN-2-Remote extendable
ip access-list extended Nat-for-VPN
permit ip object-group USER-Local-server host 66.66.72.5
permit ip object-group USER-Local-server host 66.66.62.5
ip access-list extended vpn_charlotte
permit ip host 100.100.100.220 host 66.66.62.5
ip access-list extended vpn_plano
permit ip host 100.100.100.220 host 66.66.72.5
!
route-map VPN-2-Remote permit 10
match ip address Nat-for-VPN
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 109 permit tcp any any
access-list 109 permit ip host 100.100.100.220 host 66.66.72.5
access-list 109 permit ip host 66.66.72.5 host 100.100.100.220
access-list 110 permit tcp any any
access-list 110 permit ip host 100.100.100.220 host 66.66.62.5
access-list 110 permit ip host 66.66.62.5 host 100.100.100.220
02-26-2020 11:09 AM
Hi,
I received your private message. When you say you cannot telnet to the private IP address, which tunnel are you referring to?
One tunnel has been established and sending/receiving traffic.
local ident (addr/mask/prot/port): (100.100.100.220/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (66.66.62.5/255.255.255.255/0/0)
current_peer 200.200.200.10 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
Is the device you are telnetting to on port 443 actually listening on port 443?
Can you ping across the tunnel?
HTH
02-26-2020 11:39 AM
02-26-2020 11:46 AM - edited 02-26-2020 11:49 AM
The telnet port is 23, not 443, unless I am missing something here? Anyway, have you checked that the ports are open at the other end?
02-26-2020 12:05 PM
02-26-2020 12:37 PM - edited 02-26-2020 12:40 PM
I assume that was captured on the remote end?
"10.4.67.160" is not your IP address; your traffic should come from 100.100.100.220?
Run a packet capture on your end between the 2 IP addresses and upload the pcap file for review.
02-26-2020 10:06 AM
Can you share the output of these commands?
show crypto ipsec sa
!
show crypto session
!
show crypto isakmp sa
02-26-2020 10:37 AM
02-26-2020 11:33 AM - edited 02-26-2020 11:35 AM
Hi,
First of all, thank you for the response.
Actually, I can ping both tunnel private IPs, 66.66.72.5 and 66.66.62.5,
but I can't telnet to 66.66.62.5 443.
I can telnet to 66.66.72.5 443.
02-26-2020 11:39 AM
02-26-2020 11:57 AM
Dear,
It's not an ip http secure-server.
02-26-2020 11:55 AM - edited 02-26-2020 12:00 PM
Dear Mr. Sheraz,
Our client said HTTP port 80 is restricted; only HTTPS and ICMP are allowed.
The TCP dump shows your failing telnet attempts followed by Resets to 66.66.62.5 from your PROD 100.100.100.220
and 66.66.62.5.443: R 4046777178:4046777178(0) win 0 the packets are getting
02-26-2020 12:05 PM
02-26-2020 12:31 PM
Yes, the end server with domain IP 66.66.62.5 is the HTTPS server of our client.
Our client said the packets are getting reset.
1320,nop,wscale 8,nop,nop,sackOK>
09:50:15.431932 P 00:08:e3:ff:fc:04 ethertype IPv4 (0x0800), length 64: 66.66.62.5.443 > 10.4.67.160.12041: S 3770473945:3770473945(0) ack 2328315235 win 3960 <mss 1380,sackOK,eol>
09:50:15.633323 Out 00:1c:7f:42:04:21 ethertype IPv4 (0x0800), length 56: 10.4.67.160.12041 > 66.66.62.5.443: R 4046777178:4046777178(0) win 0
09:50:18.430671 Out 00:1c:7f:42:04:21 ethertype IPv4 (0x0800), length 68: 10.4.67.160.12041 > 66.66.62.5.443: SWE 2524290618:2524290618(0) win 8192 <mss 1320,nop,wscale 8,nop,nop,sackOK>
09:50:18.432129 P 00:08:e3:ff:fc:04 ethertype IPv4 (0x0800), length 64: 66.66.62.5.443 > 10.4.67.160.12041: S 3770473945:3770473945(0) ack 2328315235 win 3960 <mss
02-26-2020 12:32 PM
Can you provide the dump from your side? Is the provided one from the remote side?
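Added example, not code from any poster in this thread: a small parser for the tcpdump lines quoted above (embedded here as a constructed sample) that lists the RST segments sent toward port 443 and flags source addresses that are not the NAT address 100.100.100.220 the tunnel is built for, which is the discrepancy the accepted answer points at.

```python
import re

# Constructed sample: the tcpdump lines quoted in this thread (addresses as posted).
CAPTURE = """\
09:50:15.431932 P 00:08:e3:ff:fc:04 ethertype IPv4 (0x0800), length 64: 66.66.62.5.443 > 10.4.67.160.12041: S 3770473945:3770473945(0) ack 2328315235 win 3960 <mss 1380,sackOK,eol>
09:50:15.633323 Out 00:1c:7f:42:04:21 ethertype IPv4 (0x0800), length 56: 10.4.67.160.12041 > 66.66.62.5.443: R 4046777178:4046777178(0) win 0
09:50:18.430671 Out 00:1c:7f:42:04:21 ethertype IPv4 (0x0800), length 68: 10.4.67.160.12041 > 66.66.62.5.443: SWE 2524290618:2524290618(0) win 8192 <mss 1320,nop,wscale 8,nop,nop,sackOK>
"""

# Matches the "tcpdump -e"-style layout used above: timestamp, direction, MAC,
# ethertype/length, then "src.port > dst.port: FLAGS ...".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>\S+) .*?length \d+: "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<flags>[A-Z.]+) "
)

def parse_capture(text):
    """Parse the capture into dicts; lines that do not fit the layout are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkt = m.groupdict()
            pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
            packets.append(pkt)
    return packets

def find_resets(packets, dport=443):
    """(src, dst) of every RST segment sent toward the service port."""
    return [(p["src"], p["dst"]) for p in packets
            if "R" in p["flags"] and p["dport"] == dport]

def unexpected_sources(packets, expected_src, dst):
    """Source addresses reaching dst that are not the NAT address the tunnel expects."""
    return sorted({p["src"] for p in packets
                   if p["dst"] == dst and p["src"] != expected_src})
```

Run over the three lines above it reports the RST from 10.4.67.160 and lists that address as an unexpected source, which is the same observation made in the reply: the client is not being translated to 100.100.100.220 before reaching 66.66.62.5.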
02-26-2020 11:13 AM
Any reason why you defined this?
access-list 110 permit tcp any any
access-list 110 permit ip host 100.100.100.220 host 66.66.62.5
access-list 110 permit ip host 66.66.62.5 host 100.100.100.220
02-26-2020 11:42 AM
Dear Mr. Sheraz,
Thank you for the response.
I want to allow only ports 443 and 80; unfortunately I allowed all the ports.
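Added example, not from any poster: a first-match evaluator for IOS numbered ACLs, run over crypto ACL 110 as posted beside a tightened version (an illustration I constructed, limited to the two hosts and ports 443 and 80). It shows that the leading `permit tcp any any` classifies every TCP flow as interesting traffic for the crypto map, not just the 100.100.100.220 to 66.66.62.5 pair.

```python
import ipaddress
# Constructed sample: crypto ACL 110 as posted in the thread, beside a tightened version
# (an illustration, not a poster's suggestion) limited to the two hosts and ports 443/80.
ACL_AS_POSTED = """\
access-list 110 permit tcp any any
access-list 110 permit ip host 100.100.100.220 host 66.66.62.5
access-list 110 permit ip host 66.66.62.5 host 100.100.100.220
"""
ACL_TIGHTENED = """\
access-list 110 permit tcp host 100.100.100.220 host 66.66.62.5 eq 443
access-list 110 permit tcp host 100.100.100.220 host 66.66.62.5 eq 80
"""
def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (address, mask) as ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return (0, 0)
    if tok == "host":
        return (int(ipaddress.ip_address(tokens.pop(0))), 0xFFFFFFFF)
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))  # set bits = "don't care"
    return (int(ipaddress.ip_address(tok)), ~wildcard & 0xFFFFFFFF)

def _parse_port(tokens):
    """Optional 'eq N' qualifier; None means any port."""
    if not tokens or tokens[0] != "eq":
        return None
    del tokens[0]
    return int(tokens.pop(0))

def parse_acl(text):
    """Parse numbered-ACL lines into (action, proto, src, sport, dst, dport) entries."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        rest = t[4:]
        src, sport = _parse_addr(rest), _parse_port(rest)
        dst, dport = _parse_addr(rest), _parse_port(rest)
        entries.append((t[2], t[3], src, sport, dst, dport))
    return entries

def _addr_match(spec, ip):
    return (int(ipaddress.ip_address(ip)) & spec[1]) == (spec[0] & spec[1])

def acl_action(entries, proto, src, dst, dport=None):
    """First-match evaluation ending in the implicit deny, as IOS evaluates an ACL."""
    for action, p, s, _sp, d, dp in entries:
        if p in ("ip", proto) and _addr_match(s, src) and _addr_match(d, dst) and dp in (None, dport):
            return action
    return "deny"
```

With the ACL as posted, an unrelated flow such as 192.168.1.50 to 8.8.8.8 on 443 is permitted by the first line; with the tightened ACL it falls through to the implicit deny while 100.100.100.220 to 66.66.62.5 on 443 still matches.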