Simple access list question...help!


f2b (Technical User, joined Jul 4, 2003, location ES)
Hi

Help...Our small network uses an 8Meg ADSL link for our WAN access. Can you please advise how I can block certain (P2P) ports on our Cisco 2811 using an access list.
The ports we want to block are Limewire, Kazaa etc. I have some of the port numbers, i.e. Kazaa I believe is 1214.

I already have an access list for NAT as all our IP addresses are internal 192.168.xx.xx

Thanks
F2b
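The original question (blocking P2P ports with an access list) never gets answered in the rest of the thread. The following is an added example, not from the thread or any of its posters, showing the shape of a named extended ACL on IOS for the case described. The only port the thread gives is Kazaa's 1214, so any further ports are placeholders; the inside interface name FastEthernet0/0 and the 192.168.0.0/16 LAN range are assumptions (the poster only says 192.168.xx.xx).

```cisco
! Added example, not from the thread. Assumes FastEthernet0/0 is the inside
! LAN interface and the LAN is 192.168.0.0/16 (assumption; poster says 192.168.xx.xx).
! Named extended ACL: deny the P2P ports leaving the LAN, allow everything else.
ip access-list extended BLOCK-P2P
 remark Kazaa default port 1214, the only port number given in the thread
 deny tcp 192.168.0.0 0.0.255.255 any eq 1214 log
 deny udp 192.168.0.0 0.0.255.255 any eq 1214 log
 remark Add one deny per further P2P port; <PORT> below is a placeholder, not a real value
 ! deny tcp 192.168.0.0 0.0.255.255 any eq <PORT> log
 remark Explicit permit: without it the implicit deny at the end blocks all LAN traffic
 permit ip any any
!
! Apply inbound on the LAN interface, so the filter is evaluated before NAT.
! This is a separate ACL from the one already used for NAT; do not reuse that one,
! because a NAT ACL only decides which addresses get translated, it does not filter.
interface FastEthernet0/0
 ip access-group BLOCK-P2P in
!
! Verification (exec mode): per-line hit counters show whether the denies match,
! and the "log" keyword sends each matched packet to syslog.
show access-lists BLOCK-P2P
```

Port-based blocking is a weak control for P2P, since most clients can be configured to use other ports or tunnel over HTTP; the hit counters and log entries are the quickest way to see whether the rule is actually catching anything.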
 
Sounds cool. How can I find out if I have "smartnet" on it?
 
Nearly there! Have downloaded ok. Installed and it's asking for a username? I have the router password and Ip address.

 
when you telnet into the router there is a telnet password...this would be your username...the password would be the password you use for privileged mode configuration tasks.
 
Joamon
Thank you. This looks great and hopefully I will be able to configure the NAT.
 
SDM looks great and has highlighted that our 2811 router does not have any VPN capability at all.
How can I get the VPN option? Is this upgradeable from Cisco or does it cost?
Thanks
 
It all depends on what feature set the router came with. Probably need to look into purchasing the Advanced Security Feature set at least. Would also suggest that you consider a smartnet contract for that router as this will give you access to IOS downloads when new releases become available. Remember that smartnet will allow access to downloads but you should only download those feature sets you have a purchase record for. They do monitor who is downloading what and have been known to perform audits. The cheapest way to get this would have been to purchase it in a bundle with the router.
Following are the feature sets available for your router:

ADVANCED ENTERPRISE SERVICES
ADVANCED ENTERPRISE SERVICES WITH SNA SWITCHING
ADVANCED IP SERVICES
ADVANCED SECURITY
AISK9-AESK9 FEAT SET FACTORY UPG FOR BUNDLES
ASK9-AESK9 FEAT SET FACTORY UPG FOR BUNDLES
ASK9-AISK9 FEAT SET FACTORY UPG FOR BUNDLES
ENTERPRISE BASE
ENTERPRISE BASE W/O CRYPTO
ENTERPRISE SERVICES
ENTERPRISE SERVICES W/O CRYPTO
INT VOICE/VIDEO GK, IPIP GW, TDMIP GW
INT VOICE/VIDEO GK, IPIPGW, TDMIP GW AES
INT VOICE/VIDEO, IPIP GW, TDMIP GW
INT VOICE/VIDEO, IPIPGW, TDMIP GW AES
IP BASE
IP BASE W/O CRYPTO
IP VOICE
IP VOICE W/O CRYPTO
SP SERVICES
SPSK9-AESK9 FEAT SET FACTORY UPG FOR BUNDLES
SPSK9-AISK9 FEAT SET FACTORY UPG FOR BUNDLES
SPSK9-ESK9 FEAT SET FACTORY UPG FOR BUNDLES


I am using the Advanced security and it does have VPN capabilities.
 
Thanks for the info.

Based on the lack of features, would I still be able to forward port 1723 (PPTP) for VPN and configure the cisco for PPTP passthrough? If so, then please tell me how to.

Thanks
 
Enter vpdn enable in config mode and see if it accepts that command. If so I do not believe you need to forward port 1723.

Following I think will help get you started.

vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
username vpdnpptpuser password XXXXXXXXXXXXXXXXXXX
!
! FastEthernet0/0 is the inside interface
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 no ip redirects
 ip route-cache flow
 peer default ip address pool vpdnpptp
 no keepalive
 ppp encrypt mppe auto
 ppp authentication pap chap ms-chap
!
! LAN IP pool handed to connecting clients
ip local pool vpdnpptp 192.168.50.1 192.168.50.50

If you have a Radius server configured you can authenticate to that instead.
 
Thanks. Interesting... I am now getting Error 961 (Username/password). So the problem must be on the SonicWall gateway. Will double check user/gateway.

The "ppp encrypt mppe auto" does not exist

Thanks
 
JOAMON, IT WORKS!
Thanks for your time.

The Cisco is dealing with the VPN connection. I can ping/telnet remote devices and remote connect to the server. Only thing is I can't browse the network (devices on the lan). Should I be able to do this?

 
Possibly cannot browse due to the fact that you have not actually authenticated to the network. Authenticating to a Radius server that I mentioned earlier may solve that problem. I am not an expert on this but think that would do it for you.
Below is a copy of a PPTP using a radius server for authentication I found in another post. Before you go through the hassle of setting this up you might start a new thread under VPN and ask if this will solve that for you.

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
scheduler max-task-time 5000
!
no ip http server
no ip domain lookup
!
ip subnet-zero
ip classless
!
!
hostname 806-pptp
enable secret 5 $1$CD8.$mZPRQ4nMwOKjdksI4XKMz.
!
!
! Fall-back local auth parameters in case of RADIUS server failure
username keith password 0 LETMEIN
!
!
! Set up authentication to use RADIUS server as
! the primary and local (above) as a fall-back
aaa new-model
aaa authentication ppp default group radius local
aaa authorization network default if-authenticated
aaa session-id common
!
!
! Point to RADIUS server on private LAN for
! authentication of connecting users
radius-server host 172.17.1.20 auth-port 1645 acct-port 1646
radius-server key LETMEIN
radius-server authorization permit missing Service-Type
!
!
vpdn enable
!
! Default PPTP VPDN group
vpdn-group 1
accept-dialin
protocol pptp
virtual-template 1
!
!
! This virtual interface is set up on the
! router for each connecting client PC
interface Virtual-Template1
ip unnumbered Ethernet0
ip mroute-cache
peer default ip address pool DIAL-IN
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2
!
!
! Set up a pool of 11 addresses on the private LAN dynamically
! assigned to the DUN interfaces of connecting client PCs
ip local pool DIAL-IN 172.17.8.210 172.17.8.220
!
!
! DNS and WINS server values given to client PCs
! during client dynamic address assignments
async-bootp dns-server 172.17.1.26
async-bootp nbns-server 172.17.1.26
!
!
! 'Inside' interface with private LAN address
interface Ethernet0
ip address 172.17.8.200 255.255.0.0
hold-queue 100 out
!
! 'Outside' interface with public IP address [fictitious address]
interface Ethernet1
ip address 205.148.34.77 255.255.255.240
!
! Default route out to ISP [fictitious address]
ip route 0.0.0.0 0.0.0.0 205.148.34.65
!
!
line con 0
exec-timeout 30 0
stopbits 1
line vty 0 4
login
password LETMEIN
!
end
 
JOAMON, Unfortunately we don't have a Radius server, but we do have a SonicWall TZ 170 VPN Gateway/Firewall. Is it possible to get the Cisco to forward all VPN connections to this. I have configured it and connected to the LAN?

Thanks
 
Not familiar with sonicwall products. Suggest you start a new thread in the VPN forum for further assistance.
 
By doing a \\192.168.xx.xx (our server) I can see drives. So this is no longer an issue.

One last thing. VPN is working fine, but when I select "Require data encryption" under the Security tab the connection does not work.

Thanks
 
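The final question (the connection failing once "Require data encryption" is ticked) goes unanswered in the thread. As an added note and example, not from any of the posters: that Windows setting makes the client insist on MPPE from the router, and an earlier post reports that `ppp encrypt mppe auto` was not accepted on this 2811, which is what happens on an IOS image without the crypto feature set (the "W/O CRYPTO" variants in the list above). The snippet below shows the commands used to check the image and the template lines MPPE needs; the interface and pool names follow Joamon's first config, and the image name is only described, not given, since the thread never shows it.

```cisco
! Added example, not from the thread. MPPE is only available on a crypto (k9)
! IOS image; "show version" (exec mode) prints the running image name, which on a
! crypto image carries a "k9" tag (hypothetical; the thread never shows this output).
show version
!
! MPPE session keys are derived from MS-CHAP / MS-CHAPv2, so PAP and plain CHAP
! must not be offered when encryption is required. "required" refuses clients
! that will not encrypt, matching the Windows "Require data encryption" setting.
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address pool vpdnpptp
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
! Verification (exec mode) while a client connects: active PPTP sessions, and the
! PPP negotiation log shows whether the MPPE option is proposed and accepted.
show vpdn session
debug ppp negotiation
```

If the image rejects the `ppp encrypt mppe` line, the router cannot encrypt the tunnel at all: leaving the Windows box unticked makes the connection come up, but PPTP then only authenticates and the traffic inside it crosses the ADSL link in clear. The fix on the router side is the crypto feature set Joamon mentioned earlier in the thread.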