Lose telnet capability after crypto map

tony_8528
Level 1

Hello,

I have 2 DSL routers set up with a VPN tunnel between them. The VPN works fine. Before setting up the tunnel, I had telnet/SSH access. However, when I apply the crypto map to the Dialer interface, I lose the ability to telnet/SSH to the router. If I remove the VPN setup, I regain the ability to telnet/SSH.

Any thoughts? I was wondering if the fact the Dialer interface is a logical interface is what is causing the problems?

Thanks.

Tony


9 Replies

michael.leblanc
Level 4

Telnet/SSH access to the far-side router's external interface, or internal hosts?

Might be helpful if you posted the crypto ACLs from both sides.

I can currently telnet/SSH to the 877/827 from the inside (private) LAN connection. I cannot telnet/SSH to the routers from the outside (public) connection.

My current workaround is to RDP into a workstation on the LAN and then telnet from that box into the router.

I have set up many VPN tunnels, both with routers and firewalls. I have never had an issue like this. Just wondering if this is a quirk with the DSL connection. Searching CCO did not give me an answer.

I will post the configs shortly.

Thanks.

Tony

Your statement - "I can not telnet/SSH to the routers from the outside (public) connection."

... isn't completely clear to me.

Are you trying to make these connections through the VPN tunnel (unsuccessfully), or are you talking about difficulties with non-tunneled connections?

I am not trying to telnet/SSH to the router through the tunnel. I am trying to telnet/SSH from another public IP address.

Tunnel from A to B works as expected. I am at location C, completely separate from A or B, trying to telnet/SSH to either A or B. As long as the crypto map is in place, I cannot telnet/SSH to either router. If I remove the VPN setup from both A and B, I can then telnet/SSH to either A or B without any problems.

Are you using the "any" keyword in your crypto ACL(s)?

Here is the config. ACL 120 has permit ip any any, but it is referenced by NAT, not the crypto map. The crypto map references ACL 130. I have seen it posted not to put any any in the crypto ACLs; perhaps this applies to the NAT ACL as well. I will try changing that one. Anyway, here is the config. Pretty straightforward.

sh run
Building configuration...

Current configuration : 2927 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Ashtabula
!
boot-start-marker
boot-end-marker
!
enable secret 5
!
no aaa new-model
!
!
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.50
!
ip dhcp pool Ash-dhcp
 network 192.168.1.0 255.255.255.0
 dns-server 166.x.x.11 166.102.165.13
 default-router 192.168.1.1
 lease 7
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip domain lookup
ip domain name Ashtabula.local
ip name-server 166.102.165.11
ip name-server 166.102.165.13
!
vpdn enable
!
!
!
username
username
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxx address xx.xx.xx.xx no-xauth
!
!
crypto ipsec transform-set ToMead esp-3des esp-sha-hmac
!
crypto map Meadville 10 ipsec-isakmp
 set peer xx.xx.xx.xx
 set transform-set ToMead
 match address 130
!
archive
 log config
  hidekeys
!
!
!
bridge irb
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 0/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 bridge-group 10
 bridge-group 10 spanning-disabled
!
interface Dialer0
 ip address yy.yy.yy.yy 255.255.255.252
 ip access-group 100 in
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username xxxxxxx password 0 xxxxxxx
 ppp ipcp dns request
 ppp ipcp address accept
 crypto map Meadville
!
interface Dialer1
 no ip address
 no cdp enable
!
interface BVI10
 description Bridge to Internal Network
 no ip address
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 Vlan1
!
ip http server
no ip http secure-server
ip nat inside source list 120 interface Dialer0 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 120 permit ip any any
access-list 130 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password xxxxxxxxxx
 login local
!
scheduler max-task-time 5000
end

The first thing that stands out is:

interface Vlan1
 ip access-group 100 in
interface Dialer0
 ip access-group 100 in

You don't have an ACL 100 in your config. I would define an ACL for the inside interface based on security policy, and apply inspection on that interface to provision the return path (temporary dynamic holes in the firewall).

Likewise, configure an ACL for the external interface permitting the ISAKMP, ESP, and SSH connections initiated from that side, with inspection to provision the return path.

I think you should be more specific with your NAT ACL:

access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
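The following is an added example, not configuration from this thread or from either poster: it writes out, for the Ashtabula router, what the accepted reply describes (a subnet-specific NAT ACL, an inside and an outside ACL, and inspection to open the return path), with the vty lines restricted as a further defensive measure. The ACL and inspect names (INSIDE-IN, OUTSIDE-IN, FW-INSPECT, VTY-MGMT) are made up, xx.xx.xx.xx is the VPN peer as shown in the posted config, and 203.0.113.10 is a constructed placeholder for the management host at "location C".

```cisco
! Added example (not from the thread). Names are made up; xx.xx.xx.xx is the
! VPN peer from the posted config; 203.0.113.10 is a constructed placeholder
! for the management host at "location C".
!
! NAT ACL: translate only the LAN, and never the tunnel traffic.
! Replacing "permit ip any any" with the LAN subnet is the change that
! resolved the thread.
no access-list 120
access-list 120 deny   ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
!
! Crypto ACL stays subnet-to-subnet; no "any" here either.
access-list 130 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
!
! CBAC inspection: sessions started from the LAN get temporary
! return-path entries on the outside interface's inbound ACL.
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT udp
ip inspect name FW-INSPECT icmp
!
! Inside interface: accept only the LAN as a source (anti-spoofing).
ip access-list extended INSIDE-IN
 permit ip 192.168.1.0 0.0.0.255 any
 deny   ip any any log
!
! Outside interface: only what must be initiated from the Internet side.
ip access-list extended OUTSIDE-IN
 remark IKE (UDP 500, and 4500 for NAT-T) and ESP from the VPN peer only
 permit udp host xx.xx.xx.xx any eq isakmp
 permit udp host xx.xx.xx.xx any eq non500-isakmp
 permit esp host xx.xx.xx.xx any
 remark SSH to the router from the management host only
 permit tcp host 203.0.113.10 any eq 22
 remark decrypted site-to-site traffic: needed on IOS releases that
 remark re-check decrypted packets against the inbound ACL (assumption)
 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip any any log
!
interface Vlan1
 no ip access-group 100 in
 ip access-group INSIDE-IN in
 ip inspect FW-INSPECT in
!
interface Dialer0
 no ip access-group 100 in
 ip access-group OUTSIDE-IN in
!
! Also restrict the vty lines, so a permitted packet only reaches the CLI
! from the LAN or the management host.
ip access-list standard VTY-MGMT
 permit 192.168.1.0 0.0.0.255
 permit host 203.0.113.10
line vty 0 4
 access-class VTY-MGMT in
```

After applying it, "show access-lists" shows hit counts on the OUTSIDE-IN entries (the log keyword on the final deny reports anything unexpected), "show ip inspect sessions" lists the dynamic return-path entries CBAC has opened, and "show crypto isakmp sa" confirms the peer still negotiates through the new ACL.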

Sorry for the delay in response. I've been a bit red-faced for 2 reasons. I posted without looking at the config, and it had been changed. There should not have been an access-group 100. A bit of embarrassment there. I've also done some chewing on someone for making changes without authorization.

Anyway, changing the ACL from any any to be specific to the subnet did solve the issue. Thanks for the help Michael.

You're welcome.

Perhaps you can checkmark the conversation to convey that it includes a reply that solved the issue.

Others experiencing a similar issue might be more prone to make use of the conversation.
