
Concentrator 3000 in DMZ


Javamahn (Technical User, joined Mar 14, 2001, 143 messages, US)
I am trying to set up a Site-to-Site VPN using basic shared keys with another 3000. The problem is my 3000 is NATted on a DMZ on a 2811. On the public interface I have permitted esp, gre, pptp and 10000 udp to pass when directed at the public ip for the NATted concentrator. I can only connect using pptp from my home Windows computer. The Cisco vpn client will not even connect. What am I doing wrong? I know it has to be the extended access-list, but I am not sure what else I need to allow to be able to establish this site-to-site. Thank you in advance for any help.
 
BTW here is a simple diagram:

Internet
I
I
I
2811 ---- 3005(192.168.x.2)
I I
I I
I I
Internal Network(10.x.x.x)
 
As I recall, with pptp sessions the client initiates the pptp session (port 1723) and the pptp termination device responds with a gre session back to the client. Therefore these are the only ports you really need. You only need to allow esp etc. for IPSEC connectivity as well.

Things I would check are:

1. Does the 3000 have a static NAT address defined? i.e. something like the following on the 2811:

ip nat inside source static 10.0.0.1 212.45.32.1

where 10.0.0.1 and 212.45.32.1 are the private and public addresses of the 3000 respectively.

2. I'd create an extended ACL on the 2811 such that it permits gre outbound (i.e. from the DMZ back to the internet) from the 3000's private address. Something like the following:

access-list 100 permit gre host 10.0.0.1 any

3. You also need to permit access to the 3000 for incoming pptp sessions (tcp port 1723). This access list will need to say the following for this to happen:

access-list 101 permit tcp any host 212.45.32.1

4. Apply both ACLs to an interface on the router. I'd probably recommend you place it on the internet-facing interface. The gre ACL should be applied outbound and the pptp ACL should be applied inbound on that interface, as such:

ip access-group 100 out
ip access-group 101 in

5. Also check you are using the appropriate versions of software etc for what you are trying to achieve. I found the following link which outlines what's required at a minimum:

Hope this helps
 
Kisco Kid, would you mind reviewing my ACL? Maybe you can see something on the DMZ side that I am missing for this IPSEC LAN-to-LAN VPN to work. We did not try NAT transparency yet on either side of the tunnel. 216.185.x.x is the publicly NATted address for the 3005 concentrator which is in the DMZ at 192.168.10.x

Extended IP access list SERIAL-IN
10 permit esp any host 216.185.x.x
15 permit ahp any host 216.185.x.x
20 permit udp any host 216.185.x.x eq isakmp
30 permit udp any host 216.185.x.x eq 10000
35 permit tcp any host 216.185.x.x eq 10000
40 permit gre any host 216.185.x.x
50 permit tcp any host 216.185.x.x eq 1723
60 permit tcp any host 216.185.x.x eq 443
70 permit tcp any host 216.185.x.x eq www
.....
290 deny ip 10.0.0.0 0.0.0.255 any (4 matches)
300 deny ip 10.0.0.0 0.255.255.255 any (504 matches)
310 deny ip 172.16.0.0 0.15.255.255 any (404 matches)
320 deny ip 192.168.0.0 0.0.255.255 any (578 matches)
330 deny ip 127.0.0.0 0.255.255.255 any (88 matches)
340 deny ip host 255.255.255.255 any
350 deny ip host 0.0.0.0 any
360 deny ip any any log (9212006 matches)
Extended IP access list SERIAL-OUT
10 permit icmp any any echo-reply
20 permit icmp any any time-exceeded
30 permit ip any any
Extended IP access list VPN-IN
10 permit icmp any any log
20 permit ip 192.168.10.0 0.0.0.7 any
25 permit esp 192.168.10.0 0.0.0.7 any
30 deny ip 216.185.161.28 0.0.0.3 any
40 deny ip 10.0.0.0 0.0.0.255 any
50 deny ip 127.0.0.0 0.255.255.255 any
60 deny ip host 255.255.255.255 any
70 deny ip any any
Extended IP access list VPN-OUT
10 permit icmp any 192.168.10.0 0.0.0.7 echo
20 permit icmp any 192.168.10.0 0.0.0.7 echo-reply
30 permit icmp any 192.168.10.0 0.0.0.7 packet-too-big
40 permit icmp any 192.168.10.0 0.0.0.7 traceroute
50 permit icmp any 192.168.10.0 0.0.0.7 unreachable
60 permit icmp any 192.168.10.0 0.0.0.7 time-exceeded

Thank you for your time and your help.
 
Hmm, I need you to check something for me on the 3000.

These boxes can support IPSEC over TCP (also called NAT Traversal) or NAT transparent mode.

In case you're not sure how to check this, try the following:

For NAT Traversal:

On the VPN Concentrator select Configuration > System > Tunneling Protocols > IPSec > NAT Transparency.
Is the IPSec over NAT-T and/or TCP box checked?

For NAT transparent mode:

On the VPN Concentrator, select Configuration > User Management > Groups.

To add a group, select Add. To modify an existing group, select it and click Modify.

Click the IPSec tab. Is IPSec through NAT checked and, if so, what UDP port is it using? The default port for IPSec through NAT is 10000 (source and destination).

Depending on which one you have enabled, you must allow TCP 4500 (NAT Traversal) or UDP 10000 (Transparent NAT) in both directions between the 2 peers.

It could be they're all enabled and active and, if I recall correctly, NAT Traversal is preferred over NAT transparent mode.

On the client, you may also need to enable the appropriate mode.
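Added example (not code from this thread or from Cisco): a small Python checker for the inbound ACL steps in Kisco Kid's first reply and the per-mode port requirements in the last one. It parses `show access-lists` output in the SERIAL-IN style, applies IOS first-match semantics, and reports which permits toward the NATted public address are missing for the mode(s) the 3000 uses. The sample ACL, the addresses 203.0.113.10 (standing in for 216.185.x.x) and 198.51.100.7 (the remote peer), and all function names are constructed here; the port table assumes the standard values (IKE UDP 500, NAT-T UDP 4500 per RFC 3947, and the 3000's default 10000 for IPsec over UDP and over TCP).

```python
import ipaddress
import re
# Inbound permits the NATted 3000 needs, keyed by mode. NAT-T is UDP 4500 (RFC 3947);
# the 3000's IPsec over UDP ("transparent") and IPsec over TCP both default to port 10000.
REQUIRED = {"ipsec": [("esp", None), ("udp", 500)], "nat-t": [("udp", 4500)],
            "nat-transparent": [("udp", 10000)], "ipsec-over-tcp": [("tcp", 10000)]}
ACE_RE = re.compile(r"^\s*(?:\d+\s+)?(permit|deny)\s+(\S+)\s+(.*?)\s*(?:\(\d+ matches\))?\s*$")
# Constructed sample modelled on the thread's SERIAL-IN; 203.0.113.10 stands in for 216.185.x.x.
SAMPLE_ACL = """Extended IP access list SERIAL-IN
10 permit esp any host 203.0.113.10
20 permit udp any host 203.0.113.10 eq isakmp
30 permit udp any host 203.0.113.10 eq 10000
35 permit tcp any host 203.0.113.10 eq 10000
300 deny ip 10.0.0.0 0.255.255.255 any (504 matches)
360 deny ip any any log (9212006 matches)"""

def _take_addr(tokens):  # consumes 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'
    t = tokens.pop(0)
    return "any" if t == "any" else tokens.pop(0) if t == "host" else f"{t}/{tokens.pop(0)}"

def _take_port(tokens):  # consumes an optional 'eq <port>'; None means every port
    if tokens[:1] != ["eq"]: return None
    name = tokens.pop(1); del tokens[0]
    return int(name) if name.isdigit() else {"isakmp": 500, "non500-isakmp": 4500}[name]

def parse_acl(text):  # 'show access-lists' output -> (action, proto, src, dst, dst_port) tuples
    aces = []
    for m in filter(None, map(ACE_RE.match, text.splitlines())):  # header lines do not match
        action, proto, tokens = m.group(1), m.group(2), m.group(3).split()
        src = _take_addr(tokens); _take_port(tokens)  # a source-port qualifier is ignored
        aces.append((action, proto, src, _take_addr(tokens), _take_port(tokens)))
    return aces

def _addr_matches(spec, ip):  # 'any', a host address, or network/wildcard (IOS inverse mask)
    if "/" not in spec:
        return spec in ("any", ip)
    net, wc = (int(ipaddress.IPv4Address(a)) for a in spec.split("/"))
    return (net ^ int(ipaddress.IPv4Address(ip))) & ~wc & 0xFFFFFFFF == 0

def first_match(aces, proto, src_ip, dst_ip, port):  # first match wins; implicit deny at the end
    for action, p, src, dst, dport in aces:
        if p in (proto, "ip") and _addr_matches(src, src_ip) and _addr_matches(dst, dst_ip) \
                and dport in (None, port):
            return action
    return "deny"

def check_inbound(acl_text, public_ip, peer_ip, modes):  # permits the ACL lacks for those modes
    aces = parse_acl(acl_text)
    return [(m, proto, port) for m in modes for proto, port in REQUIRED[m]
            if first_match(aces, proto, peer_ip, public_ip, port) != "permit"]
```

Run against the sample, the only gap it reports is UDP 4500, i.e. the list as posted only works if the 3000 is in transparent (UDP 10000) mode rather than NAT-T. Because entries are evaluated in order, the anti-spoofing denies at the end of SERIAL-IN never see ESP or IKE arriving from a 10.x source; move them ahead of the permits if they are meant to cover VPN traffic too.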