05-23-2008 06:42 AM - edited 03-09-2019 08:46 PM
Hello,
I have 2 DSL routers setup with a VPN tunnel between them. The VPN works fine. Before setting up the tunnel, I had telnet/SSH access. However, when I apply the crypto map to the Dialer interface, I lose the ability to telnet/SSH to the router. If I remove the VPN setup, I regain the ability to telnet/SSH.
Any thoughts? I was wondering if the fact the Dialer interface is a logical interface is what is causing the problems?
Thanks.
Tony
05-23-2008 05:01 PM
Telnet/SSH access to the far-side router's external interface, or internal hosts?
Might be helpful if you posted the crypto ACLs from both sides.
05-27-2008 05:24 AM
I can currently telnet/SSH to the 877/827 from the inside (private) LAN connection. I cannot telnet/SSH to the routers from the outside (public) connection.
My current workaround is to RDP into a workstation on the LAN and then telnet from that box into the router.
I have set up many VPN tunnels, both with routers and firewalls. I have never had an issue like this. Just wondering if this is a quirk with the DSL connection. Searching CCO did not give me an answer.
I will post the configs shortly.
Thanks.
Tony
05-27-2008 07:05 AM
Your statement - "I can not telnet/SSH to the routers from the outside (public) connection."
... isn't completely clear to me.
Are you trying to make these connections through the VPN tunnel (unsuccessfully), or are you talking about difficulties with non-tunneled connections?
05-27-2008 07:13 AM
I am not trying to telnet/SSH to the router through the tunnel. I am trying to telnet/SSH from another public IP address.
Tunnel from A to B works as expected. I am at location C, completely separate from A or B, trying to telnet/SSH to either A or B. As long as the crypto map is in place, I cannot telnet/SSH to either router. If I remove the VPN setup from both A and B, I can then telnet/SSH to either A or B without any problems.
05-27-2008 07:38 AM
Are you using the "any" keyword in your crypto ACL(s)?
05-28-2008 06:49 AM
Here is the config. ACL 120 has permit ip any any, but it is referenced by NAT, not the Crypto. Crypto references ACL 130. I have seen it posted not to put any any in the Crypto ACLs; perhaps this applies to the NAT as well. I will try changing that one. Anyway, here is the config. Pretty straightforward.
sh run
Building configuration...
Current configuration : 2927 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Ashtabula
!
boot-start-marker
boot-end-marker
!
enable secret 5
!
no aaa new-model
!
!
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.50
!
ip dhcp pool Ash-dhcp
network 192.168.1.0 255.255.255.0
dns-server 166.x.x.11 166.102.165.13
default-router 192.168.1.1
lease 7
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip domain lookup
ip domain name Ashtabula.local
ip name-server 166.102.165.11
ip name-server 166.102.165.13
!
vpdn enable
!
!
!
username
username
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxx address xx.xx.xx.xx no-xauth
!
!
crypto ipsec transform-set ToMead esp-3des esp-sha-hmac
!
crypto map Meadville 10 ipsec-isakmp
set peer xx.xx.xx.xx
set transform-set ToMead
match address 130
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
description LAN
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
bridge-group 10
bridge-group 10 spanning-disabled
!
interface Dialer0
ip address yy.yy.yy.yy 255.255.255.252
ip access-group 100 in
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username xxxxxxx password 0 xxxxxxx
ppp ipcp dns request
ppp ipcp address accept
crypto map Meadville
!
interface Dialer1
no ip address
no cdp enable
!
interface BVI10
description Bridge to Internal Network
no ip address
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 Vlan1
!
ip http server
no ip http secure-server
ip nat inside source list 120 interface Dialer0 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 120 permit ip any any
access-list 130 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password xxxxxxxxxx
login local
!
scheduler max-task-time 5000
end
05-28-2008 08:23 AM
The first thing that stands out is:
interface Vlan1
ip access-group 100 in
interface Dialer0
ip access-group 100 in
You don't have an ACL 100 in your config. I would define an ACL for the inside interface based on security policy, and apply inspection on that interface to provision the return path (temporary dynamic holes in the firewall).
Likewise, configure an ACL for the external interface permitting the ISAKMP, ESP, and SSH connections initiated from that side, with inspection to provision the return path.
I think you should be more specific with your NAT ACL:
access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
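The three points raised in this thread (an access-group that names an ACL which does not exist, a NAT source list that permits "any any", and the question of "any" in the crypto ACL) are all mechanical checks that can be run against a "show run" before a crypto map ever goes on an interface. The script below is an added example and is not code from the thread or from Cisco: it parses a constructed excerpt of the posted config (same interface names and ACL numbers, public addresses masked as on the page), reports each finding, and derives the scoped NAT ACL entry from the subnet on the "ip nat inside" interface. The parser relies on IOS indenting sub-commands with a leading space, which the page's copy lost in extraction.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed excerpt of the running-config posted in the thread
# (same ACL numbers and interface names; public addresses masked as on the page).
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
!
interface Dialer0
 ip address yy.yy.yy.yy 255.255.255.252
 ip access-group 100 in
 ip nat outside
 crypto map Meadville
!
crypto map Meadville 10 ipsec-isakmp
 set peer xx.xx.xx.xx
 set transform-set ToMead
 match address 130
!
ip nat inside source list 120 interface Dialer0 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 120 permit ip any any
access-list 130 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
"""


def parse_config(text):
    """Pull the pieces the audit needs out of IOS 'show run' text.

    Sub-commands are recognised by their leading space, as IOS prints them.
    """
    cfg = {
        "acls": defaultdict(list),   # ACL number -> entries ("permit ip any any", ...)
        "access_groups": [],         # (interface, ACL, direction)
        "nat_lists": [],             # ACLs named by 'ip nat inside source list'
        "crypto_match": [],          # (crypto map name, ACL) from 'match address'
        "inside_nets": [],           # (interface, ip_network) for 'ip nat inside' interfaces
    }
    iface = cmap = None
    iface_addr = {}                  # interface -> (address, mask)
    nat_inside = set()
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        parts = stripped.split()
        if not raw.startswith(" "):                      # top-level command
            iface = cmap = None
            if parts[0] == "interface":
                iface = parts[1]
            elif stripped.startswith("crypto map ") and "ipsec-isakmp" in stripped:
                cmap = parts[2]
            elif parts[0] == "access-list":
                cfg["acls"][parts[1]].append(" ".join(parts[2:]))
            elif stripped.startswith("ip nat inside source list "):
                cfg["nat_lists"].append(parts[5])
            continue
        if iface:                                        # interface sub-command
            if stripped.startswith("ip access-group "):
                cfg["access_groups"].append((iface, parts[2], parts[3]))
            elif stripped.startswith("ip address "):
                iface_addr[iface] = (parts[2], parts[3])
            elif stripped == "ip nat inside":
                nat_inside.add(iface)
        elif cmap and stripped.startswith("match address "):
            cfg["crypto_match"].append((cmap, parts[2]))
    for name in nat_inside:
        if name in iface_addr:
            ip, mask = iface_addr[name]
            cfg["inside_nets"].append((name, ipaddress.ip_network(f"{ip}/{mask}", strict=False)))
    return cfg


def wildcard(net):
    """IOS ACLs take a wildcard mask (the inverse of the subnet mask)."""
    return f"{net.network_address} {net.hostmask}"


def audit(text):
    """Return a list of findings; an empty list means none of the three checks fired."""
    cfg = parse_config(text)
    findings = []
    # 1. access-group naming an ACL that is never defined. IOS treats a missing
    #    ACL as permit-all, so the access-group silently filters nothing.
    for iface, acl, direction in cfg["access_groups"]:
        if acl not in cfg["acls"]:
            findings.append(f"{iface}: 'ip access-group {acl} {direction}' references undefined ACL {acl}")
    # 2. NAT source list that permits any source; the fix given in the thread is to
    #    scope it to the inside subnet, derived here from the 'ip nat inside' interface.
    for acl in cfg["nat_lists"]:
        for entry in cfg["acls"].get(acl, []):
            if entry.startswith("permit") and re.search(r"\bip\s+any\s+any\b", entry):
                for iface, net in cfg["inside_nets"]:
                    findings.append(f"NAT ACL {acl}: replace '{entry}' with "
                                    f"'permit ip {wildcard(net)} any' ({iface} subnet)")
    # 3. 'any' in the crypto ACL, the question one reply in the thread asked about.
    for cmap, acl in cfg["crypto_match"]:
        for entry in cfg["acls"].get(acl, []):
            if re.search(r"\bany\b", entry):
                findings.append(f"crypto map {cmap}: ACL {acl} entry '{entry}' uses 'any'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the excerpt it reports the two dangling access-group 100 references and proposes "permit ip 192.168.1.0 0.0.0.255 any" for ACL 120; ACL 130 passes because it is host-subnet to host-subnet with no "any". Feed it the real "show run" output rather than the extracted copy, since the sub-command indentation is what tells interface lines apart from global ones.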
06-06-2008 09:09 AM
Sorry for the delay in response. I've been a bit red-faced for 2 reasons. I posted without looking at the config, and it had been changed. There should not have been an access-group 100. A bit of embarrassment there. I've also done some chewing on someone for making changes without authorization.
Anyway, changing the ACL from any any to be specific to the subnet did solve the issue. Thanks for the help Michael.
06-06-2008 10:59 AM
You're welcome.
Perhaps you can checkmark the conversation to convey that it includes a reply that solved the issue.
Others experiencing a similar issue might be more prone to make use of the conversation.