
Access lists and VPNs

Status
Not open for further replies.

eclidad

Technical User
Jan 5, 2005
81
We've got an 1841. There is a T1-CSU, an HWIC with a vlan that supports our public machines, FastEthernet0/0 connects to the internal network and FastEthernet0/1 connects to a second ISP with a cable modem. I set up a VPN on the cable modem connection using SDM. After some tinkering I got that working. By that, I mean I use the Cisco VPN client and get as far as entering a username and password.

Our internal machines use 192.168.0.0/21 and the pool for the VPN uses 10.2.2.32 - 10.2.2.64. If I look in my log files from the router after the client connects I see that DNS packets from my internal server to the client are being blocked by the access-list that controls FastEthernet0/0. These packets appear to be responses. My understanding was that it should behave as though the machine in my house was on the internal network. If we are looking to do VNC connections to our office desktops and maybe Telnet/SSH what mods do I need to make?

As always, references to docs are appreciated. Sometimes navigating the volumes of info out there is the hardest part.

Thanks,
- Joel
 
Here's the config. I hope I didn't sanitize it too much. I also tried to get rid of stuff that shouldn't matter. I think the access-list to focus on is 130.

Current configuration : 47452 bytes
!
! Last configuration change at 09:54:21 EST Thu Dec 13 2007 by cisco1841
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco1841
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 YYYYYYY
enable password XXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect name fixftp ftp
!
!
no ip bootp server
ip domain name wmi.com
ip name-server 192.168.3.10
!
!
!
crypto pki trustpoint TP-self-signed-1195001578
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1195001578
revocation-check none
rsakeypair TP-self-signed-1195001578
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp xauth timeout 15

!
crypto isakmp client configuration group GROUPNAME
key VPNKEY
dns 192.168.3.10
domain foo.com
pool SDM_POOL_3
max-users 32
netmask 255.255.255.224
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface FastEthernet0/0
description Internet Access & Firewall for Internal LAN$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ETH-LAN$
ip address 192.168.4.4 255.255.255.0
ip access-group 130 in
ip inspect fixftp in
ip nat inside
ip virtual-reassembly
ip policy route-map Static_Map
speed auto
full-duplex
no cdp enable
no mop enabled
!
interface FastEthernet0/1
description Comcast cable modem
ip address 75.146.x.y 255.255.255.248
ip access-group 122 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
!
interface FastEthernet0/1/0
description Public IP - Portal
switchport access vlan 2
!
interface FastEthernet0/1/1
switchport access vlan 2
!
interface FastEthernet0/1/2
shutdown
!
interface FastEthernet0/1/3
shutdown
!
interface Serial0/0/0
ip address 209.137.y.y 255.255.255.252
ip access-group 120 in
ip nat outside
ip virtual-reassembly
encapsulation ppp
no cdp enable
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
ip address 209.137.x.y 255.255.255.240
ip access-group 140 in
ip nat outside
ip virtual-reassembly
ip policy route-map Vlan2_Map
!
ip local pool SDM_POOL_3 10.2.2.32 10.2.2.64
ip classless
ip route 0.0.0.0 0.0.0.0 75.146.x.y
ip route 192.168.1.0 255.255.255.0 192.168.4.2
ip route 192.168.3.0 255.255.255.0 192.168.4.2
ip route 192.168.10.0 255.255.255.0 192.168.4.2
!

ip nat pool T1_Pool 209.137.x.y 209.137.x.y netmask 255.255.255.240
ip nat pool Cable_Pool 75.146.x.y 75.146.x.y netmask 255.255.255.248
ip nat inside source route-map Cable_Map pool Cable_Pool overload
ip nat inside source route-map T1_Map pool T1_Pool overload
ip nat inside source static tcp 192.168.10.2 5900 209.137.x.y 5900 route-map SDM_RMAP_2 extendable
ip nat inside source static 192.168.1.9 209.137.x.y route-map SDM_RMAP_3
ip nat inside source static 192.168.3.10 209.137.x.y route-map SDM_RMAP_1
!
ip access-list standard internal
permit 192.168.1.0 0.0.0.255
!
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=2
access-list 100 deny ip host 192.168.3.10 host 10.2.2.64
access-list 100 deny ip host 192.168.3.10 host 10.2.2.63
access-list 100 deny ip host 192.168.3.10 host 10.2.2.62
access-list 100 deny ip host 192.168.3.10 host 10.2.2.61
access-list 100 deny ip host 192.168.3.10 host 10.2.2.60
access-list 100 deny ip host 192.168.3.10 host 10.2.2.59
access-list 100 deny ip host 192.168.3.10 host 10.2.2.58
access-list 100 deny ip host 192.168.3.10 host 10.2.2.57
access-list 100 deny ip host 192.168.3.10 host 10.2.2.56
access-list 100 deny ip host 192.168.3.10 host 10.2.2.55
access-list 100 deny ip host 192.168.3.10 host 10.2.2.54
access-list 100 deny ip host 192.168.3.10 host 10.2.2.53
access-list 100 deny ip host 192.168.3.10 host 10.2.2.52
access-list 100 deny ip host 192.168.3.10 host 10.2.2.51
access-list 100 deny ip host 192.168.3.10 host 10.2.2.50
access-list 100 deny ip host 192.168.3.10 host 10.2.2.49
access-list 100 deny ip host 192.168.3.10 host 10.2.2.48
access-list 100 deny ip host 192.168.3.10 host 10.2.2.47
access-list 100 deny ip host 192.168.3.10 host 10.2.2.46
access-list 100 deny ip host 192.168.3.10 host 10.2.2.45
access-list 100 deny ip host 192.168.3.10 host 10.2.2.44
access-list 100 deny ip host 192.168.3.10 host 10.2.2.43
access-list 100 deny ip host 192.168.3.10 host 10.2.2.42
access-list 100 deny ip host 192.168.3.10 host 10.2.2.41
access-list 100 deny ip host 192.168.3.10 host 10.2.2.40
access-list 100 deny ip host 192.168.3.10 host 10.2.2.39
access-list 100 deny ip host 192.168.3.10 host 10.2.2.38
access-list 100 deny ip host 192.168.3.10 host 10.2.2.37
access-list 100 deny ip host 192.168.3.10 host 10.2.2.36
access-list 100 deny ip host 192.168.3.10 host 10.2.2.35
access-list 100 deny ip host 192.168.3.10 host 10.2.2.34
access-list 100 deny ip host 192.168.3.10 host 10.2.2.33
access-list 100 deny ip host 192.168.3.10 host 10.2.2.32
access-list 100 permit ip host 192.168.3.10 any
access-list 101 remark This list is applied to the T1 route map
access-list 101 remark SDM_ACL Category=18
access-list 101 deny ip any host 10.2.2.32
access-list 101 deny ip any host 10.2.2.33
access-list 101 deny ip any host 10.2.2.34
access-list 101 deny ip any host 10.2.2.35
access-list 101 deny ip any host 10.2.2.36
access-list 101 deny ip any host 10.2.2.37
access-list 101 deny ip any host 10.2.2.38
access-list 101 deny ip any host 10.2.2.39
access-list 101 deny ip any host 10.2.2.40
access-list 101 deny ip any host 10.2.2.41
access-list 101 deny ip any host 10.2.2.42
access-list 101 deny ip any host 10.2.2.43
access-list 101 deny ip any host 10.2.2.44
access-list 101 deny ip any host 10.2.2.45
access-list 101 deny ip any host 10.2.2.46
access-list 101 deny ip any host 10.2.2.47
access-list 101 deny ip any host 10.2.2.48
access-list 101 deny ip any host 10.2.2.49
access-list 101 deny ip any host 10.2.2.50
access-list 101 deny ip any host 10.2.2.51
access-list 101 deny ip any host 10.2.2.52
access-list 101 deny ip any host 10.2.2.53
access-list 101 deny ip any host 10.2.2.54
access-list 101 deny ip any host 10.2.2.55
access-list 101 deny ip any host 10.2.2.56
access-list 101 deny ip any host 10.2.2.57
access-list 101 deny ip any host 10.2.2.58
access-list 101 deny ip any host 10.2.2.59
access-list 101 deny ip any host 10.2.2.60
access-list 101 deny ip any host 10.2.2.61
access-list 101 deny ip any host 10.2.2.62
access-list 101 deny ip any host 10.2.2.63
access-list 101 deny ip any host 10.2.2.64
access-list 101 deny ip host 192.168.10.2 any
access-list 101 deny ip host 192.168.1.9 any
access-list 101 deny ip host 192.168.3.10 any
access-list 101 remark for dynamic NAT to portal and T1
access-list 101 deny ip host 192.168.1.9 host 209.137.x.y
access-list 101 deny ip host 192.168.1.9 host 209.137.x.y
access-list 101 deny ip host 192.168.3.10 host 209.137.x.y
access-list 101 deny ip host 192.168.3.10 host 209.137.x.y
access-list 101 remark entries for .244 and .245 are temporary during new portal setup
access-list 101 deny ip host 192.168.1.9 host 209.137.x.y
access-list 101 deny ip host 192.168.1.9 host 209.137.x.y
access-list 101 deny ip host 192.168.3.10 host 209.137.x.y
access-list 101 deny ip host 192.168.3.10 host 209.137.x.y
access-list 102 remark This list is applied to the Cable route map
access-list 102 remark SDM_ACL Category=18
access-list 102 deny ip any host 10.2.2.32
access-list 102 deny ip any host 10.2.2.33
access-list 102 deny ip any host 10.2.2.34
access-list 102 deny ip any host 10.2.2.35
access-list 102 deny ip any host 10.2.2.36
access-list 102 deny ip any host 10.2.2.37
access-list 102 deny ip any host 10.2.2.38
access-list 102 deny ip any host 10.2.2.39
access-list 102 deny ip any host 10.2.2.40
access-list 102 deny ip any host 10.2.2.41
access-list 102 deny ip any host 10.2.2.42
access-list 102 deny ip any host 10.2.2.43
access-list 102 deny ip any host 10.2.2.44
access-list 102 deny ip any host 10.2.2.45
access-list 102 deny ip any host 10.2.2.46
access-list 102 deny ip any host 10.2.2.47
access-list 102 deny ip any host 10.2.2.48
access-list 102 deny ip any host 10.2.2.49
access-list 102 deny ip any host 10.2.2.50
access-list 102 deny ip any host 10.2.2.51
access-list 102 deny ip any host 10.2.2.52
access-list 102 deny ip any host 10.2.2.53
access-list 102 deny ip any host 10.2.2.54
access-list 102 deny ip any host 10.2.2.55
access-list 102 deny ip any host 10.2.2.56
access-list 102 deny ip any host 10.2.2.57
access-list 102 deny ip any host 10.2.2.58
access-list 102 deny ip any host 10.2.2.59
access-list 102 deny ip any host 10.2.2.60
access-list 102 deny ip any host 10.2.2.61
access-list 102 deny ip any host 10.2.2.62
access-list 102 deny ip any host 10.2.2.63
access-list 102 deny ip any host 10.2.2.64
access-list 102 deny ip host 192.168.10.2 any
access-list 102 deny ip host 192.168.1.9 any
access-list 102 deny ip host 192.168.3.10 any
access-list 102 remark for dynamic NAT to rest of internet
access-list 102 deny ip 209.237.x.y 0.0.0.15 any
access-list 103 remark This list is applied to the Vlan2 route map
access-list 103 remark to force routing of pacckets from vlan2 to internet
access-list 103 deny ip 209.137.x.y 0.0.0.15 209.137.x.y 0.0.0.15
access-list 103 permit ip 209.137.x.y 0.0.0.15 any
access-list 104 remark This list is applied to the StaticNat route map
access-list 104 remark to force routing for inside hosts that are statically
access-list 104 remark natted to one of the T1 ip addresses.
access-list 104 permit ip host 192.168.1.9 any
access-list 104 permit ip host 192.168.3.10 any
access-list 104 permit ip host 192.168.10.2 any
access-list 120 remark Access from internet to internal and static NAT addresses
access-list 120 remark Deny anything coming in that says it is from one of our IP addresses
access-list 120 deny ip 209.137.x.y 0.0.0.15 any log
access-list 120 deny icmp 209.137.x.y 0.0.0.15 any log
access-list 120 permit icmp any host 209.137.x.y
access-list 120 permit icmp any host 209.137.x.y
access-list 120 permit tcp any host 209.137.x.y
access-list 120 permit tcp any host 209.137.x.y
access-list 120 permit udp any host 209.137.x.y
access-list 120 permit udp any host 209.137.x.y
access-list 120 remark Do we need these in response to legitimate outgoing requests
access-list 120 permit icmp any any unreachable
access-list 120 permit icmp any any time-exceeded
access-list 120 remark Allow access to ip address 151 port forwarding of VNC on port 5900
access-list 120 remark from floyd's home (64.0.107.231/31)
access-list 120 remark and Affiliated Tech (72.236.148.0/26)
access-list 120 permit tcp 64.0.x.y 0.0.0.3 host 209.137.x.y eq 5900
access-list 120 permit tcp 72.236.x.0 0.0.0.63 host 209.137.x.y eq 5900
access-list 120 permit tcp any any established
access-list 120 deny ip any host 209.137.x.y
access-list 120 deny ip any host 209.137.x.y
access-list 120 remark Entries for xx and yy are temporary for new portal setup
access-list 120 deny ip any host 209.137.x.y
access-list 120 deny ip any host 209.137.x.y
access-list 120 deny tcp any eq smtp any
access-list 120 remark Avoid logging denied packets we expect or have seen lots of
access-list 120 deny tcp any any eq 5900
access-list 120 deny tcp any any eq 5901
access-list 120 deny tcp any any eq telnet
access-list 120 deny tcp any eq domain any
access-list 120 deny udp any eq domain any
access-list 120 deny tcp any any eq 135
access-list 120 deny udp any any eq 135
access-list 120 deny tcp any any eq 139
access-list 120 deny udp any any eq netbios-ss
access-list 120 deny icmp any any
access-list 120 deny udp any any eq 1026
access-list 120 deny udp any any eq 1027
access-list 120 deny tcp any any eq 1433
access-list 120 deny udp any any eq 1433
access-list 120 deny tcp any any eq 1434
access-list 120 deny udp any any eq 1434
access-list 120 deny ip any any log
access-list 122 permit esp any host 75.146.x.y
access-list 122 permit udp any host 75.146.x.y eq isakmp
access-list 122 permit udp any host 75.146.x.y eq non500-isakmp
access-list 122 remark Access from internet to internal and static NAT addresses
access-list 122 remark Deny anything coming in that says it is from one of our IP addresses
access-list 122 deny ip 75.146.x.y 0.0.0.7 any log
access-list 122 deny icmp 75.146.x.y 0.0.0.7 any log
access-list 122 permit icmp any host 75.146.x.y
access-list 122 remark Do we need these in response to legitimate outgoing requests
access-list 122 permit icmp any any unreachable
access-list 122 permit icmp any any time-exceeded
access-list 122 permit tcp any any established
access-list 122 deny tcp any eq smtp any
access-list 122 remark Avoid logging denied packets we expect or have seen lots of
access-list 122 deny tcp any any eq 5900
access-list 122 deny tcp any any eq 5901
access-list 122 deny tcp any any eq telnet
access-list 122 deny tcp any eq domain any
access-list 122 deny udp any eq domain any
access-list 122 deny tcp any any eq 135
access-list 122 deny udp any any eq 135
access-list 122 deny tcp any any eq 139
access-list 122 deny udp any any eq netbios-ss
access-list 122 deny icmp any any
access-list 122 deny udp any any eq 1026
access-list 122 deny udp any any eq 1027
access-list 122 deny tcp any any eq 1433
access-list 122 deny udp any any eq 1433
access-list 122 deny tcp any any eq 1434
access-list 122 deny udp any any eq 1434
access-list 122 deny ip any any log
access-list 130 remark Access from internal network to Vlan2 (portal)
access-list 130 remark The following are only permitted from cac0 and/or cluster1
access-list 130 permit udp host 192.168.1.9 host 209.137.x.y eq ntp
access-list 130 permit udp host 192.168.1.9 host 209.137.x.y eq ntp
access-list 130 permit tcp host 192.168.1.9 host 209.137.x.y eq smtp
access-list 130 permit udp host 192.168.3.10 host 209.137.x.y eq ntp
access-list 130 permit udp host 192.168.3.11 host 209.137.x.y eq ntp
access-list 130 permit udp host 192.168.3.12 host 209.137.x.y eq ntp
access-list 130 permit udp host 192.168.3.10 host 209.137.x.y eq ntp
access-list 130 permit udp host 192.168.3.11 host 209.137.x.y eq ntp
access-list 130 permit udp host 192.168.3.12 host 209.137.x.y eq ntp
access-list 130 permit tcp host 192.168.3.10 host 209.137.x.y eq smtp
access-list 130 permit tcp host 192.168.3.11 host 209.137.x.y eq smtp
access-list 130 permit tcp host 192.168.3.12 host 209.137.x.y eq smtp
access-list 130 remark Port 5432 is for PostgreSQL database access from cac0 or cluster1
access-list 130 permit tcp host 192.168.1.9 host 209.137.x.y eq 5432
access-list 130 permit tcp host 192.168.1.9 host 209.137.x.y eq 5432
access-list 130 permit tcp host 192.168.3.10 host 209.137.x.y eq 5432
access-list 130 permit tcp host 192.168.3.10 host 209.137.x.y eq 5432
access-list 130 permit tcp host 192.168.3.11 host 209.137.x.y eq 5432
access-list 130 permit tcp host 192.168.3.11 host 209.137.x.y eq 5432
access-list 130 permit tcp host 192.168.3.12 host 209.137.x.y eq 5432
access-list 130 permit tcp host 192.168.3.12 host 209.137.x.y eq 5432
access-list 130 remark Port 7007 is for apcupsd UPS monitoring
access-list 130 remark Access from internal network to internet
access-list 130 permit tcp any any eq domain
access-list 130 permit udp any any eq domain
access-list 130 permit tcp any any eq telnet
access-list 130 permit tcp any any eq 22
access-list 130 permit tcp any any eq ftp
access-list 130 permit udp any any eq ntp
access-list 130 permit tcp any any eq www
access-list 130 permit tcp any any eq 443
access-list 130 permit tcp any any eq 8000
access-list 130 permit tcp any any eq 8080
access-list 130 remark Port 8090 is for Wayne's raquetball score server
access-list 130 permit tcp any any eq 8090
access-list 130 remark port 5999 is for CVS
access-list 130 permit tcp any any eq 5999
access-list 130 remark port 3690 is for Subversion (CVS replacement)
access-list 130 permit tcp any any eq 3690
access-list 130 permit tcp any any established
access-list 130 deny tcp any any eq 995
access-list 130 deny ip any any log
snmp-server community mrtgmon RO
route-map Vlan2_Map permit 10
match ip address 103
set default interface Serial0/0/0
!
route-map Static_Map permit 10
match ip address 104
set default interface Serial0/0/0
!
route-map Cable_Map permit 10
match ip address 102
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!
route-map T1_Map permit 10
match ip address 101
!
route-map SDM_RMAP_2 permit 1
match ip address 105
!
route-map SDM_RMAP_3 permit 1
match ip address 106
!

Thanks,
- Joel

 
First of all, acl's 101 and 102 can be shortened...
access-list 101 deny ip any 10.2.2.32 0.0.0.31
same for 102.

Second, the mask 255.255.255.224 will cover IP addresses 10.2.2.33 through 10.2.2.62---10.2.2.32 and 10.2.2.64 are network addresses for those subnets, and 10.2.2.63 is the broadcast for 10.2.2.32/27, so the vpn pool should be
ip local pool SDM_POOL_3 10.2.2.33 10.2.2.63

Third, I don't see a permit in the acl 101 and 102, which you are using for NAT...

One more thing---try this command...
crypto isakmp client configuration group GROUPNAME
include-local-lan

Burt
 
Also, what happens when you do
interface FastEthernet0/0
no ip access-group 130 in

?

Burt
 
I'll put those changes in. When I set up the pool I specified 10.2.2.32 and 10.2.2.64 as the endpoints. The last address should be 10.2.2.63. That could be what messed things up. Making that more compact was a clean-up thing to do once everything was working.

Oops! I must have mucked up my edits. 101 ends with

permit ip 192.168.0.0 0.0.255.255 209.137.x.y 0.0.0.15

102 ends with

permit ip 192.168.0.0 0.0.255.255 any

so anything going to our outside machines gets public addresses on that net. Anything else gets a public address from the other pool.

I don't know any way to test the change from my office. I'll give it a try when I get home and report back tomorrow.

- Joel

 
Also, what happens when you do
interface FastEthernet0/0
no ip access-group 130 in

Do I really want to do this? The only way to test this that I know of is from a remote location. I don't know that I want to leave the FastEthernet0/0 exposed until I get back in the morning. It might be safer to do something like

access-list 130 permit ip any 10.2.2.32 0.0.0.31

- Joel
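To see why the DNS replies show up as blocked on FastEthernet0/0 while TCP sessions still work, here is a small evaluator for the relevant entries of ACL 130, added as an example and not code from the thread. It applies IOS first-match semantics with wildcard masks (the same `10.2.2.32 0.0.0.31` form Burt used to shorten 101/102) and then tests the `permit ip any 10.2.2.32 0.0.0.31` line proposed above; the VPN client address 10.2.2.40 and the client-side ports are constructed.

```python
import ipaddress

PORT_NAMES = {"domain": 53, "telnet": 23, "ftp": 21, "smtp": 25, "www": 80, "ntp": 123}

def wildcard_match(addr, spec):
    """spec is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; a 1 bit in the
    wildcard means 'don't care', so '10.2.2.32 0.0.0.31' spans .32 through .63."""
    if spec == "any":
        return True
    base, wild = spec.split()
    if base == "host":
        return addr == wild
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

def _addr(tok, i):  # 'any' is one token; 'host X' and 'X wildcard' are two
    return ("any", i + 1) if tok[i] == "any" else (tok[i] + " " + tok[i + 1], i + 2)

def _port(tok, i):  # optional 'eq <name|number>'
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i

def parse_ace(line):
    """'access-list N permit|deny proto src [eq p] dst [eq p] [established] [log]'"""
    tok = line.split()
    src, i = _addr(tok, 4)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _port(tok, i)
    return {"action": tok[2], "proto": tok[3], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "established": "established" in tok[i:]}

def ace_matches(ace, pkt):
    ok = (ace["proto"] in ("ip", pkt["proto"])
          and wildcard_match(pkt["src"], ace["src"]) and wildcard_match(pkt["dst"], ace["dst"])
          and ace["sport"] in (None, pkt["sport"]) and ace["dport"] in (None, pkt["dport"]))
    # 'established' matches only TCP segments with ACK or RST set; a UDP reply never qualifies.
    return ok and (not ace["established"] or (pkt["proto"] == "tcp" and pkt["ack"]))

def evaluate(acl, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], line
    return "deny", "implicit deny"

# Non-remark entries from the 'internal network to internet' tail of ACL 130.
ACL130 = [
    "access-list 130 permit tcp any any eq domain",
    "access-list 130 permit udp any any eq domain",
    "access-list 130 permit tcp any any eq 22",
    "access-list 130 permit tcp any any established",
    "access-list 130 deny ip any any log",
]
# Joel's proposed pool permit, placed ahead of the existing entries.
ACL130_FIXED = ["access-list 130 permit ip any 10.2.2.32 0.0.0.31"] + ACL130
# Constructed packets: the client address 10.2.2.40 and the client ports are made up.
DNS_REPLY = {"proto": "udp", "src": "192.168.3.10", "sport": 53,
             "dst": "10.2.2.40", "dport": 51234, "ack": False}
VNC_REPLY = {"proto": "tcp", "src": "192.168.10.2", "sport": 5900,
             "dst": "10.2.2.40", "dport": 51235, "ack": True}
```

The UDP reply carries source port 53, but `permit udp any any eq domain` checks the destination port, so it falls through to `deny ip any any log` (the logged drop); the TCP reply passes `established`, and the pool permit lets the DNS reply through.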
 
The pool should start with .33, not .32---that is also a network address. I would clean up the acl's like I suggested and then they won't be so convoluted. Was anything even getting out to the internet? The route maps you have associated with NAT don't point to any acl's with any permit statements in them...

Burt
 
The only problems I'm having right now are with the VPN. I'll do the cleanup now to fix the minor problems and make maintenance easier. The posted config is an editing problem. When I removed lines to post it I was not careful. The initial config of the VPN was set up to use some free addresses in the 192.168.0.0 block. When I edited those out it mucked up some stuff in the access lists.

I was able to access some stuff from my house last night. That's a good sign that we are moving in the right direction. I think I've got a problem with my DNS server. It has a static nat so even if the responses get through access-list 130 they'll have the wrong address.

- Joel
 