Access-list problem (for a site-to-site VPN w/ NAT)

txtek (MIS, US), Aug 24, 2003
Greetings,

Here is the setup: there are two offices with a working site-to-site VPN. Internal clients are NATed to the outside world (mostly just HTTP), but they retain their address when they access our servers and vice versa.

Due to all the recent virus activity, I have been trying to add an inbound access list to the remote router, to no avail. This access list (#120 below) is supposed to allow all traffic from us, for the Internet allow HTTP, HTTPS and DNS (only to the caching server), and block NetBIOS in all its forms. As soon as I apply it to the external interface (E0 inbound), clients are not able to browse the Internet; everything else does work. Any pointers will be greatly appreciated. Here is the remote office config....
--------------------

!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname 1722
!
enable password
!
memory-size iomem 20
ip subnet-zero
!
!
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key xxxxx address 1.2.3.4
!
!
crypto ipsec transform-set cm-transformset-1 ah-md5-hmac esp-3des
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map cm-cryptomap 1 ipsec-isakmp
set peer 1.2.3.4
set transform-set cm-transformset-1
match address 115
!
!
!
!
interface Ethernet0
description connected to Internet
ip address 2.3.4.5 255.255.255.0
ip nat outside
no ip route-cache
no ip mroute-cache
half-duplex
crypto map cm-cryptomap
!
interface FastEthernet0
description connected to RMTOFFCLAN
ip address 192.168.222.1 255.255.255.0
ip nat inside
speed auto
!
router rip
version 2
passive-interface Ethernet0
network 192.168.222.0
no auto-summary
!
ip nat pool rem-natpool-0 2.3.4.20 2.3.4.50 netmask 255.255.255.0
ip nat inside source list 1 pool rem-natpool-0 overload
ip nat inside source route-map nonat interface Ethernet0 overload
ip nat inside source static tcp 192.168.222.101 80 2.3.4.5 80 extendable
ip classless
no ip http server
ip pim bidir-enable
!
access-list 110 deny ip 192.168.222.0 0.0.0.255 192.168.221.0 0.0.0.255
access-list 110 permit tcp 192.168.222.0 0.0.0.255 any eq 80
access-list 110 permit tcp 192.168.222.0 0.0.0.255 any eq 443
access-list 110 permit udp host 192.168.222.101 any eq domain
access-list 110 permit tcp host 192.168.222.101 any eq domain
access-list 115 permit ip 192.168.222.0 0.0.0.255 192.168.221.0 0.0.0.255
access-list 120 permit ip 192.168.221.0 0.0.0.255 192.168.222.0 0.0.0.255
access-list 120 deny ip 10.0.0.0 0.255.255.255 any
access-list 120 deny ip 192.168.0.0 0.0.255.255 any
access-list 120 deny ip 172.16.0.0 0.15.255.255 any
access-list 120 deny ip 127.0.0.0 0.255.255.255 any
access-list 120 deny ip 255.0.0.0 0.255.255.255 any
access-list 120 deny ip 224.0.0.0 0.255.255.255 any
access-list 120 deny ip host 0.0.0.0 any
access-list 120 permit tcp any 192.168.222.0 0.0.0.255 established
access-list 120 deny tcp any any eq 135
access-list 120 deny tcp any any eq 137
access-list 120 deny tcp any any eq 138
access-list 120 deny tcp any any eq 139
access-list 120 deny udp any any eq netbios-ns
access-list 120 deny udp any any eq netbios-dgm
access-list 120 deny udp any any eq 139
!
route-map nonat permit 10
match ip address 110
 
I would say remove this line (access-list 120 deny ip host 0.0.0.0 any) and it should work how you want it to work.

That line is saying block any any.

 
The problem is that the access-list is processed before the NAT rules so you need to use the external addresses in your acl. You also need to allow your 2 routers to communicate using GRE. I would recommend changing the nat pool slightly to make the rules easier:

ip nat pool rem-natpool-0 2.3.4.32 2.3.4.63 netmask 255.255.255.0

access-list 120 permit gre host 1.2.3.4 host 2.3.4.5
access-list 120 permit tcp any 2.3.4.32 0.0.0.31 established
access-list 120 permit udp any eq domain 2.3.4.32 0.0.0.31
access-list 120 deny ip 10.0.0.0 0.255.255.255 any
access-list 120 deny ip 192.168.0.0 0.0.255.255 any
access-list 120 deny ip 172.16.0.0 0.15.255.255 any
access-list 120 deny ip 127.0.0.0 0.255.255.255 any
access-list 120 deny ip 255.0.0.0 0.255.255.255 any
access-list 120 deny ip 224.0.0.0 0.255.255.255 any
access-list 120 deny ip host 0.0.0.0 any
access-list 120 deny tcp any any eq 135
access-list 120 deny tcp any any eq 137
access-list 120 deny tcp any any eq 138
access-list 120 deny tcp any any eq 139
access-list 120 deny udp any any eq netbios-ns
access-list 120 deny udp any any eq netbios-dgm
access-list 120 deny udp any any eq 139
access-list 120 deny ip any any log

The last entry logs any ip packets that are dropped. Use show log to see what has been dropped. This will help you develop your acl further.

If your router has the firewall feature set then it is much easier to build your access-lists as the router automatically adds acl entries based on the traffic that is flowing through it. To check whether or not you have the firewall feature set type ip inspect ? at the global config prompt - if it recognises it then you have it.

HTH,
Michael.
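The following is an added example, not code from the thread or from either poster. It models what the router does with an inbound extended ACL on Ethernet0: first-match evaluation with Cisco wildcard masks and the `established` keyword, applied to packets as they arrive, i.e. before NAT turns the pool or interface address back into 192.168.222.x. It runs constructed packets through ACL 120 as posted and through a corrected list that follows the reply's approach (outside addresses, `deny ip any any log` last) with one correction: the posted transform set is `ah-md5-hmac esp-3des` with ISAKMP pre-shared keys, so the peer 1.2.3.4 needs UDP 500, ESP (IP protocol 50) and AH (IP protocol 51) permitted, not GRE (protocol 47), which only applies to a GRE-over-IPsec tunnel and is not configured here. IOS of this vintage re-checks the decrypted packet against the inbound ACL, so the `permit ip 192.168.221.0 ... 192.168.222.0` line is kept and placed before the RFC 1918 denies; the anti-spoofing denies are placed before the `established` permits so a spoofed ACK from 10/8 cannot pass. Assumptions: the pool is re-aligned to 2.3.4.32-2.3.4.63 as the reply suggests; replies to the Ethernet0 address 2.3.4.5 are permitted as well, because the `nonat` route-map overloads that interface and `access-list 1` is not shown in the post, so which translation a given client or the DNS server on .101 hits is unknown; the `permit tcp any host 2.3.4.5 eq www` line exists only for the static port translation to 192.168.222.101 and should be dropped if that web server is not meant to be reachable from the Internet. The sample packets and their 198.51.100.x sources are constructed.

```python
"""Cisco IOS extended-ACL evaluation modelled in Python (added example, not from the thread).
Inbound packets on Ethernet0 hit the ACL before NAT restores the 192.168.222.x destination, so
the list must name the outside addresses; the pool is assumed re-aligned to 2.3.4.32-2.3.4.63."""
import ipaddress
from collections import namedtuple

PROTO = {"ip": None, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ahp": 51}  # None = any protocol
PORT_NAMES = {"domain": 53, "www": 80, "netbios-ns": 137, "netbios-dgm": 138, "isakmp": 500}
# ack = TCP ACK/RST bit set, which is what the "established" keyword matches
Packet = namedtuple("Packet", "proto src dst sport dport ack", defaults=(0, 0, False))

def _addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (address, wildcard) as ints."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))

def _port(tokens):  # optional 'eq PORT'; None means any port
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return int(p) if p.isdigit() else PORT_NAMES[p]
    return None

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established] [log]'."""
    tokens = line.split()
    action, proto, rest = tokens[2], PROTO[tokens[3]], tokens[4:]
    src, sport = _addr(rest), _port(rest)
    dst, dport = _addr(rest), _port(rest)
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst,
                dport=dport, established="established" in rest, text=line)

def _in(spec, addr):  # a set wildcard bit means "don't care"
    return (int(ipaddress.IPv4Address(addr)) | spec[1]) == (spec[0] | spec[1])

def matches(ace, pkt):
    return ((ace["proto"] is None or ace["proto"] == pkt.proto)
            and _in(ace["src"], pkt.src) and _in(ace["dst"], pkt.dst)
            and ace["sport"] in (None, pkt.sport) and ace["dport"] in (None, pkt.dport)
            and (not ace["established"] or (pkt.proto == 6 and pkt.ack)))

def evaluate(acl, pkt):
    """First match wins; a list with no match ends in the implicit deny."""
    for line in acl.strip().splitlines():
        ace = parse_ace(line.strip())
        if matches(ace, pkt):
            return ace["action"], ace["text"]
    return "deny", "implicit deny ip any any"

# ACL 120 as posted (the other bogon and NetBIOS denies are omitted; they change nothing here)
ORIGINAL_ACL_120 = """
access-list 120 permit ip 192.168.221.0 0.0.0.255 192.168.222.0 0.0.0.255
access-list 120 deny ip 10.0.0.0 0.255.255.255 any
access-list 120 deny ip 192.168.0.0 0.0.255.255 any
access-list 120 permit tcp any 192.168.222.0 0.0.0.255 established
access-list 120 deny tcp any any eq 139
"""

# Corrected: IPsec from the peer, decrypted VPN traffic, anti-spoofing, then replies to the
# outside addresses NAT translates back. 'eq www' serves the static translation to .101 only.
CORRECTED_ACL_120 = """
access-list 120 permit udp host 1.2.3.4 eq isakmp host 2.3.4.5 eq isakmp
access-list 120 permit esp host 1.2.3.4 host 2.3.4.5
access-list 120 permit ahp host 1.2.3.4 host 2.3.4.5
access-list 120 permit ip 192.168.221.0 0.0.0.255 192.168.222.0 0.0.0.255
access-list 120 deny ip 10.0.0.0 0.255.255.255 any
access-list 120 deny ip 192.168.0.0 0.0.255.255 any
access-list 120 permit tcp any 2.3.4.32 0.0.0.31 established
access-list 120 permit tcp any host 2.3.4.5 established
access-list 120 permit udp any eq domain 2.3.4.32 0.0.0.31
access-list 120 permit udp any eq domain host 2.3.4.5
access-list 120 permit tcp any host 2.3.4.5 eq www
access-list 120 deny tcp any any eq 139
access-list 120 deny ip any any log
"""

SAMPLES = {  # constructed packets as seen inbound on Ethernet0, i.e. before NAT
    "http reply to pool": Packet(6, "198.51.100.10", "2.3.4.40", 80, 1025, ack=True),
    "dns reply to E0": Packet(17, "198.51.100.53", "2.3.4.5", 53, 1026),
    "esp from vpn peer": Packet(50, "1.2.3.4", "2.3.4.5"),
    "decrypted vpn traffic": Packet(6, "192.168.221.10", "192.168.222.50", 445, 1030),
    "netbios scan": Packet(6, "198.51.100.66", "2.3.4.5", 3000, 139),
    "spoofed 10/8 ack": Packet(6, "10.1.1.1", "2.3.4.40", 80, 1025, ack=True),
}

def verdicts(acl):
    return {name: evaluate(acl, pkt)[0] for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    print("posted:", verdicts(ORIGINAL_ACL_120), "\nfixed: ", verdicts(CORRECTED_ACL_120))
```

Run as-is, the posted list drops the HTTP reply and the DNS reply at the implicit deny, which matches the symptom (browsing stops while the decrypted 221-to-222 traffic still matches line 1); it also has no line for ISAKMP, ESP or AH from 1.2.3.4, so once the interface ACL is active the router would drop the peer's IPsec traffic at the same implicit deny. The two `permit udp any eq domain ...` lines carry the classic weakness of a stateless ACL: any host on the Internet can reach any UDP port on those outside addresses by sourcing from port 53. That is the case for the `ip inspect` (CBAC) route the reply mentions: `ip inspect name <name> tcp` and `udp` applied outbound on Ethernet0 opens the return path per session, and the `established` and DNS lines can then be removed from the inbound list.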
 
Thanks for the suggestions, I will try tonight and let you know... Thanks again for the help.

jr
 