Port forwading

Unanswered Question
Dec 15th, 2009
User Badges:


We are  using dynamic ip in our site , with  the help of  dyndns we can use RDP , FTP, etc  , while doing the port forwarding to UC 500 ,we cannot connect using  cisco vpn dialer , but applications like telnet ,ssh will work properly , we created dmz zone and hosted UC 500 in dmz zone too ,but the vpn dialer is not terminating.

Any other ports must be forwarded to UC 500 ?



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
suraj12345 Wed, 12/16/2009 - 09:56
User Badges:




Yes I want to configure EZVPN , we don’t have static ip , so we use DYNDNS , while portforwading which ports I need to port forward for  EZVPN.


I have enabled pass-through of IPSec ESP tunnels with port 50, Then forwarded UDP port 500, but the vpn tunnel is not establishing.

Which are ports, which need to be forwarded while enabling EZVPN?

John Platts Thu, 12/17/2009 - 08:42
User Badges:
  • Silver, 250 points or more

Yes, you do need to forward IPsec ESP traffic and IPsec UDP port 500 to the UC520, but you also need to forward UDP port 4500 to the UC520. UDP port 4500 is used for NAT traversal, and has to be forwarded for Easy VPN to work. The UC520 unit can deal with NAT traversal if the IPsec ESP, UDP port 500, and UDP port 4500 traffic is all forwarded to the UC520 unit, even if the UC520 is configured with a private IP address instead of a public IP address. However, the CCA multisite manager currently requires you to have either the UC520 configured with a public IP address, or the UC520 placed behind a SR520-T1 with a public IP address. Be sure that you use the public IP address or DDNS hostname of the other VPN endpoint instead of the private IP address of the other VPN endpoint when configuring any site to site VPN tunnels. Hope this helps.

suraj12345 Sat, 12/19/2009 - 10:17
User Badges:



HI  John Platt

  Now the vpn client is terminating using the DYNDNS host name , but I cannot access my internal network , what is next for accessing my internal network?

My Internal address starts with 192.168.1.0/24.


Thanks

John Platts Sat, 12/19/2009 - 14:48
User Badges:
  • Silver, 250 points or more

Could you send me the output of the show run command from the UC520 please?


Are you able to ping the UC520? Another way to check to see if the Easy VPN is working is to log into the CUE Web GUI, provided that the CUE subnet is added to the Easy VPN ACL. The factory default CUE IP address is 10.1.10.1, and the CUE web GUI can be accessed at http://10.1.10.1 if the CUE address has not been overridden in CLI.

John Platts Sun, 12/20/2009 - 08:37
User Badges:
  • Silver, 250 points or more

I have looked over the configuration of your UC520. I have noticed these lines in your UC520 configuration, and these lines should not be there on the UC520 because the VPNs are being terminated on the UC520 unit:

ip nat inside source static tcp 192.168.1.1 4500 interface FastEthernet0/0 4500
ip nat inside source static udp 192.168.1.1 4500 interface FastEthernet0/0 4500
ip nat inside source static udp 192.168.1.1 500 interface FastEthernet0/0 500
ip nat inside source static tcp 192.168.1.1 500 interface FastEthernet0/0 500


In addition, it appears that the FastEthernet0/0 interface has a public IP address. Port forwarding should only be configured if the UC520 FastEthernet0/0 interface is configured with a private IP address, and it should only be configured on the other router that is connected to the UC520 WAN port, and not on the UC520 unit itself.


IPsec VPNs use UDP port 4500 and UDP port 500, but not TCP port 4500 and TCP port 500.


Here are the other port forwarding entries that you have on your UC520:

ip nat inside source static tcp 192.168.1.1 22 interface FastEthernet0/0 22
ip nat inside source static tcp 192.168.1.1 50 interface FastEthernet0/0 50
ip nat inside source static udp 192.168.1.1 50 interface FastEthernet0/0 50
ip nat inside source static tcp 192.168.1.1 7 interface FastEthernet0/0 7
ip nat inside source static udp 192.168.1.1 7 interface FastEthernet0/0 7


I do not know any reason why TCP port 50, UDP port 50, TCP port 7, or UDP port 7 should ever be port forwarded. You should leave the port 22 access control entry, since you might need to SSH into the UC500 unit to make changes remotely.


Here are the commands to remove the incorrect access control entries in configuration mode:

no ip nat inside source static tcp 192.168.1.1 4500 interface FastEthernet0/0 4500
no ip nat inside source static udp 192.168.1.1 4500 interface FastEthernet0/0 4500
no ip nat inside source static udp 192.168.1.1 500 interface FastEthernet0/0 500
no ip nat inside source static tcp 192.168.1.1 500 interface FastEthernet0/0 500

no ip nat inside source static tcp 192.168.1.1 50 interface FastEthernet0/0 50
no ip nat inside source static udp 192.168.1.1 50 interface FastEthernet0/0 50
no ip nat inside source static tcp 192.168.1.1 7 interface FastEthernet0/0 7
no ip nat inside source static udp 192.168.1.1 7 interface FastEthernet0/0 7


I have looked over your WAN access list, which looks like the following:

access-list 104 remark auto generated by SDM firewall configuration##NO_ACES_28##
access-list 104 remark SDM_ACL Category=1
access-list 104 permit udp any host 165.1.1.3 eq echo log
access-list 104 permit tcp any host 165.1.1.3 eq echo log
access-list 104 permit tcp any host 165.1.1.3 eq 500 log
access-list 104 permit udp any host 165.1.1.3 eq isakmp log
access-list 104 permit udp any host 165.1.1.3 eq non500-isakmp log
access-list 104 permit tcp any host 165.1.1.3 eq 4500 log
access-list 104 permit udp any host 165.1.1.3 eq 50 log
access-list 104 permit tcp any host 165.1.1.3 eq 50 log
access-list 104 permit tcp any host 165.1.1.3 eq 22 log
access-list 104 permit esp any host 165.1.1.3
access-list 104 permit ahp any host 165.1.1.3
access-list 104 deny   ip 10.1.10.0 0.0.0.3 any
access-list 104 deny   ip 192.168.1.0 0.0.0.255 any
access-list 104 deny   ip 10.1.1.0 0.0.0.255 any
access-list 104 permit udp host 195.229.241.222 eq domain any
access-list 104 permit udp host 213.42.20.20 eq domain any
access-list 104 permit icmp any host 165.1.1.3 echo-reply
access-list 104 permit icmp any host 165.1.1.3 time-exceeded
access-list 104 permit icmp any host 165.1.1.3 unreachable
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip host 0.0.0.0 any
access-list 104 deny   ip any any log


Here is how to edit that access list, which controls inbound traffic into the WAN interface:

  • Execute conf t to enter configuration mode
  • Type ip access-list resequence 104 10 10 to resequence ip access-list 104
  • Press CTRL+C to exit configuration mode
  • Execute show ip access-list extended 104, and the output should look like the following:

Extended IP access list 104
10 permit udp any host 165.1.1.3 eq echo log
20 permit tcp any host 165.1.1.3 eq echo log
30 permit tcp any host 165.1.1.3 eq 500 log
40 permit udp any host 165.1.1.3 eq isakmp log
50 permit udp any host 165.1.1.3 eq non500-isakmp log
60 permit tcp any host 165.1.1.3 eq 4500 log
70 permit udp any host 165.1.1.3 eq 50 log
80 permit tcp any host 165.1.1.3 eq 50 log
90 permit tcp any host 165.1.1.3 eq 22 log
100 permit esp any host 165.1.1.3
110 permit ahp any host 165.1.1.3
120 deny   ip 10.1.10.0 0.0.0.3 any
130 deny   ip 192.168.1.0 0.0.0.255 any
140 deny   ip 10.1.1.0 0.0.0.255 any
150 permit udp host 195.229.241.222 eq domain any
160 permit udp host 213.42.20.20 eq domain any
170 permit icmp any host 165.1.1.3 echo-reply
180 permit icmp any host 165.1.1.3 time-exceeded
190 permit icmp any host 165.1.1.3 unreachable
200 deny   ip 10.0.0.0 0.255.255.255 any
210 deny   ip 172.16.0.0 0.15.255.255 any
220 deny   ip 192.168.0.0 0.0.255.255 any
230 deny   ip 127.0.0.0 0.255.255.255 any
240 deny   ip host 255.255.255.255 any
250 deny   ip host 0.0.0.0 any
260 deny   ip any any log

  • To delete the access control entries for the incorrectly forwarded traffic, execute conf t to get back into configuration mode, and then execute the following commands in configuration mode:
    • ip access-list extended 104 (enters access list configuration mode, and modifies ip access-list 104)
    • no 10 (removes access control entry #10 in ip access-list 104, which is permit udp any host 165.1.1.3 eq echo log)
    • no 20 (removes access control entry #20 in ip access-list 104, which is permit tcp any host 165.1.1.3 eq echo log)
    • no 30 (removes access control entry #30 in ip access-list 104, which is permit tcp any host 165.1.1.3 eq 500 log)
    • no 60 (removes access control entry #60 in ip access-list 104, which is permit tcp any host 165.1.1.3 eq 4500 log)
    • no 70 (removes access control entry #70 in ip access-list 104, which is permit udp any host 165.1.1.3 eq 50 log)
    • no 80 (removes access control entry #80 in ip access-list 104, which is permit tcp any host 165.1.1.3 eq 50 log)
  • To allow the UC520 to be pingable from the outside, execute conf t to get back into configuration mode, and then execute the following commands in configuration mode:
    • ip access-list extended 104 (enters access list configuration mode, and modifies ip access-list 104)
    • 169 permit icmp any host 165.1.1.3 echo (enables the UC520 to be pingable from the outside, and adds the permit icmp any host 165.1.1.3 echo entry before access control entry #170, permit icmp any host 165.1.1.3 echo)
  • The access control list entry numbers and the actual access control list numbers can be different on other UC520 units. Be careful, as you do not want to remove needed access control entries, or add additional access control entries in the wrong location in the access list.


The firewall configuration features of CCA have not seen any major improvements since CCA 1.0, at least for the UC500 series, but improvements to firewall and access control list configuration are planned to be made in future CCA releases.

suraj12345 Sun, 12/20/2009 - 09:05
User Badges:



Thanks Jhon

  The changes applied successfully.

 

I can get the ICMP REPLY from Reply from 165.1.1.3: bytes=32 time=331ms TTL=235

However, still I cannot ping the internal interface 192.168.1.1, then acess cue  http://10.1.10.1 , can you help in resolving this.

John Platts Sun, 12/20/2009 - 09:37
User Badges:
  • Silver, 250 points or more

I have also found an problem with the Easy VPN Access Control List. This access control list controls what traffic will be carried over the VPN tunnel.


Here is the access list controlling what traffic will be carried over the VPN tunnel, as it currently appears in your configuration:

access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 0.0.0.0 0.0.0.255 any


Here is the corrected version of that access control list:

access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 192.168.1.1 0.0.0.255 any
access-list 105 permit ip 10.1.1.0 0.0.0.255 any
access-list 105 permit ip 10.1.10.0 0.0.0.3 any


Here is what you need to do to correct your Easy VPN access control list:

  • Go into configuration mode by executing conf t
  • Execute the ip access-list resequence 105 10 10 command in configuration mode
  • Pressing Ctrl+C to exit out of configuration mode
  • Executing the show ip access-list extended 105 command. You should get output that looks like this:

Extended IP access list 105
    10 permit ip 0.0.0.0 0.0.0.255 any

  • Re-entering configuration mode by executing conf t, followed by the commands below:
    • ip access-list extended 105 (this enters IP access list configuration mode, and modifies IP access list 105)
    • 20 permit ip 192.168.1.1 0.0.0.255 any (allows traffic to the 192.168.1.0/24 subnet through the Easy VPN tunnel)
    • 30 permit ip 10.1.1.0 0.0.0.255 any (allows traffic to the 10.1.1.0/24 subnet through the Easy VPN tunnel)
    • 40 permit ip 10.1.10.0 0.0.0.3 any (allows traffic to the 10.1.10.0/30 subnet through the Easy VPN tunnel)
    • no 10 (removes the incorrect permit ip 0.0.0.0 0.0.0.255 any entry from IP access list 105)
  • Be sure that once you have the ACL correctly configured, exit out of configuration mode, and then do a wr mem to save your configuration. This ensures that your configuration stays intact after a reboot, and also ensures that CCA correctly recognizes the UC520 configuration.


You should now be able to connect to the UC520 through the VPN client, and access machines on your local network through the VPN connection.

suraj12345 Sun, 12/20/2009 - 10:04
User Badges:



Thanks a Lot Jhon, I hade added the following entry ,

50 permit access-list 105 permit ip 10.1.10.0 0.0.0.255 any

Now I can access CUE through Http

Actions

This Discussion