VPN with public addresses

Unanswered Question
Mar 26th, 2009
From my router conf:

crypto map CRYPTO 20 ipsec-isakmp
 set peer 194.48.130.35
 set transform-set TELCOM
 set pfs group2
 match address 102

The access list consists of only one command:

access-list 102 permit ip host 62.100.68.171 194.48.129.192 0.0.0.63

Now what is a bit unusual is that this access list contains only public addresses instead of private addresses. 62.100.68.171 is the server public address located in my network. 194.48.129.192 0.0.0.63 is on my client side.




I could not find any info on the internet similar to my access list with public addresses. My client, a telecom provider, does not have any communication with me.




The problem is that I need to limit access to my server, and my intention is to allow only VPN access from my client site to my server, which is to be moved behind the router-firewall.




So I have to NAT my server's public address:




ip nat inside source static 192.168.100.24 62.100.68.171




Therefore I have a problem with how to design the ACL to do that.

Relating to the NAT order of operations, I might have to put the following instructions in my outbound ACL on the inside interface of the router:

access-list 123 permit ip host 194.48.130.35 host 192.168.100.24
access-list 123 deny ip any host 192.168.100.24

I have done that, but it has caused VPN communication to stop. I do not know what I have done wrong.


dhananjoy chowdhury Thu, 03/26/2009 - 03:32

Hi, can you share a network diagram for your setup?

And in the new setup, did you configure it in tunnel mode or transport mode?

hoffenheim Thu, 03/26/2009 - 04:27

Ok,


I had to make a VPN connection several months ago, and I have established a VPN connection with them. That works fine, but the related security issue is not OK.


http://www.vpnc.org/InteropProfiles/cisco-ios.txt


However, I have an access list which contains only public addresses, which is not the same case as you can read in the paper above, which I tried to follow.


They did not want to know about the private address of my server. They asked for the public address of my server, as they stipulated that was the way they work.

Even their network subnet is of public addresses.


I have realised that I have to put the server behind my central router, which includes the NAT operation together with an ACL to add in order to limit access to the server.


Their gateway is a NetScreen firewall.

hoffenheim Thu, 03/26/2009 - 04:34

Here is an excerpt from my conf file of the Cisco 2801 router-firewall.

....

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp clip
crypto isakmp clip
crypto isakmp clip
!
!
crypto ipsec transform-set MOBTEL esp-3des esp-md5-hmac
crypto ipsec transform-set TELCOM esp-3des esp-sha-hmac
!
crypto map CRYPTO 10 ipsec-isakmp
 set peer clip
 set transform-set MOBTEL
 match address 151
crypto map CRYPTO 20 ipsec-isakmp
 set peer clip
 set transform-set TELCOM
 set pfs group2
 match address 102
crypto map CRYPTO 30 ipsec-isakmp
 set peer clip
 set transform-set TELCOM
 match address 133

....


hoffenheim Thu, 03/26/2009 - 05:40

On second thought, your question is good. The client gateway is a NetScreen firewall.


But “transport mode is used when both peers are hosts. It may also be used when one peer is host and the other is gateway if that gateway is acting as a host. Transport mode has an advantage of adding only a few bytes to the header of each packet. “


There is no

mode transport

after

crypto ipsec transform-set MOBTEL esp-3des esp-md5-hmac

In fact it is configured as tunnel mode, but I have doubts whether something is missing or not. I see that my router has an established tunnel with their firewall, and from there the communication is decrypted. Then, as decrypted communication, it reaches my server, which is not behind the firewall (I have to route it to make it go).


Jon Marshall Thu, 03/26/2009 - 05:50

Do you have an ACL on your outside interface, i.e. the interface that the VPN terminates on?


If so add this to your acl


access-list permit ip host 194.48.130.35 host 62.100.68.171

access-list deny ip any host 62.100.68.171


Note I have used host 194.48.130.35 because that is what you used in your ACL, but there is some confusion in your ACLs, i.e.


194.48.129.192 0.0.0.63 = 194.48.129.192 - 255 which does not cover 194.48.130.35 ??


Jon

hoffenheim Thu, 03/26/2009 - 06:19

No, I do not have.

Regarding the hosts, it is correct that the address of the gateway is not in the same subnet as the hosts which are allowed to be accessed by my server 62.100.68.171. It seems logical to me?

Jon Marshall Thu, 03/26/2009 - 06:38

"It seems logical to me?"


Not to me :-)


Where I am confused is this. Your VPN crypto map access-list says -


access-list 102 permit ip host 62.100.68.171 194.48.129.192 0.0.0.63


and the VPN peer is -


194.48.130.35


Now your inside acl says -


access-list 123 permit ip host 194.48.130.35 host 192.168.100.24

access-list 123 deny ip any host 192.168.100.24


So either


1) your inside acl should say -


access-list 123 permit ip 194.48.129.192 0.0.0.63 host 192.168.100.24


because the source addresses of the incoming packets are from 194.48.129.192 -> 194.48.129.254


OR


2) the source addresses are being Natted at the other end and hidden behind the peer IP address of 194.48.130.35 in which case your acl 123 is correct but your crypto map acl should read -


access-list 102 permit ip host 62.100.68.171 host 194.48.130.35


Now, as the VPN was already working, I'm assuming the problem is 1) rather than 2).


Does this make sense ?


Jon
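A small model of the point above, added here as an example and not part of the thread: it evaluates the posted ACL entries with Cisco wildcard-mask semantics, showing that the peer 194.48.130.35 falls outside the 194.48.129.192 0.0.0.63 range in ACL 102, and that the posted ACL 123 denies a packet from a host in that range while the corrected entry permits it. The client host 194.48.129.200 is a constructed sample value.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask semantics: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_entry(line: str):
    """Parse 'access-list N permit|deny ip SRC DST' (SRC/DST: any | host X | X WILDCARD)."""
    tok = line.split()
    assert tok[0] == "access-list" and tok[3] == "ip", line
    def take(t):
        if t[0] == "any":
            return ("0.0.0.0", "255.255.255.255"), t[1:]
        if t[0] == "host":
            return (t[1], "0.0.0.0"), t[2:]
        return (t[0], t[1]), t[2:]
    src, rest = take(tok[4:])
    dst, _ = take(rest)
    return tok[2], src, dst

def acl_decision(entries, src: str, dst: str) -> str:
    """First-match evaluation with the implicit deny that ends every Cisco ACL."""
    for line in entries:
        action, (sb, sw), (db, dw) = parse_entry(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

# Constructed sample traffic: a client host from the range in ACL 102, arriving at
# the server's inside address after the static NAT has translated 62.100.68.171.
CLIENT_HOST = "194.48.129.200"
SERVER_INSIDE = "192.168.100.24"
ACL_123_POSTED = ["access-list 123 permit ip host 194.48.130.35 host 192.168.100.24",
                  "access-list 123 deny ip any host 192.168.100.24"]
ACL_123_FIXED = ["access-list 123 permit ip 194.48.129.192 0.0.0.63 host 192.168.100.24",
                 "access-list 123 deny ip any host 192.168.100.24"]

def peer_in_crypto_range() -> bool:
    """Is the VPN peer 194.48.130.35 inside the 194.48.129.192 0.0.0.63 range of ACL 102?"""
    return wildcard_match("194.48.130.35", "194.48.129.192", "0.0.0.63")

def compare() -> dict:
    """Decision of the posted ACL 123 versus the corrected one for the sample packet."""
    return {"posted": acl_decision(ACL_123_POSTED, CLIENT_HOST, SERVER_INSIDE),
            "fixed": acl_decision(ACL_123_FIXED, CLIENT_HOST, SERVER_INSIDE)}
```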

hoffenheim Thu, 03/26/2009 - 07:36

I believe it is 1. It makes sense. Thus, I have to try it next week. It seems not to be 2, because access-list 102 was given to me by them. The company is a West European telecom provider operating in Eastern Europe, and I believe that is not a mistake.


