cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1682
Views
0
Helpful
12
Replies

Cisco 1811 VPN problems

zrob12ynyng
Level 1
Level 1

I have a basic firewall with default rules that is blocking VPN connections. I do not want to specifically configure VPN tunnels, I simply want to allow any and all VPN traffic to pass. Can someone tell me what rules I need to change to allow all VPN traffic to generally pass without creating tunnels for each VPN?

12 Replies 12

Hi,

Let's see if I understand.

To allow IPsec VPN traffic to pass through, your ACL should permit the following:

Protocol ESP (IP protocol 50)

UDP 500 (ISAKMP)

UDP 4500 (NAT-T)

If you allow the above, then all IPsec VPN will be permitted.

Is this what you're looking for?

Federico.

Could you tell me how to apply these rules? I've attached my config if that helps:

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname *************
!
boot-start-marker
boot system flash c181x-adventerprisek9-mz.124-24.T2.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 **************************
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-679109964
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-679109964
revocation-check none
rsakeypair TP-self-signed-679109964
!
crypto pki certificate chain TP-self-signed-679109964
certificate self-signed 01
  ***********************************************
   quit

dot11 syslog
no ip source-route
!
ip cef
no ip bootp server
ip domain name ****************
ip name-server 8.8.8.8
ip ips config location flash:/IPS/ retries 1
ip ips notify SDEE
ip ips name sdm_ips_rule
!
ip ips signature-category
  category all
   retired true
  category ios_ips advanced
   retired false
!
no ipv6 cef
!
multilink bundle-name authenticated
!
username *********** privilege 15 secret 5 **********************
!
crypto key pubkey-chain rsa
named-key realm-cisco.pub
  key-string
   *********************************
  quit
!
archive
log config
  hidekeys
!
ip tcp synwait-time 10
!
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-all sdm-nat--8
match access-group 109
class-map type inspect match-all sdm-nat--9
match access-group 110
class-map type inspect match-all sdm-nat--4
match access-group 105
class-map type inspect match-all sdm-nat--5
match access-group 106
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all sdm-nat--6
match access-group 107
class-map type inspect match-all sdm-nat--7
match access-group 108
class-map type inspect match-all sdm-nat--1
match access-group 102
class-map type inspect match-all sdm-nat--2
match access-group 103
class-map type inspect match-all sdm-nat--3
match access-group 104
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-all sdm-nat--10
match access-group 111
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 101
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat--1
  inspect
class type inspect sdm-nat--2
  inspect
class type inspect sdm-nat--3
  inspect
class type inspect sdm-nat--4
  inspect
class type inspect sdm-nat--5
  inspect
class type inspect sdm-nat--6
  inspect
class type inspect sdm-nat--7
  inspect
class type inspect sdm-nat--8
  inspect
class type inspect sdm-nat--9
  inspect
class type inspect sdm-nat--10
  inspect
class class-default
  drop log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
class class-default
  drop log
policy-map type inspect ccp-permit
class type inspect sdm-access
  inspect
class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
interface Null0
no ip unreachables
!
interface FastEthernet0
description $ETH-WAN$$FW_OUTSIDE$
ip address XXX.XXX.XXX.XXX 255.255.255.252
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
speed auto
full-duplex
!
interface FastEthernet1
description $FW_OUTSIDE$
no ip address
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
speed auto
full-duplex
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$FW_INSIDE$
ip address 172.16.1.1 255.240.0.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX permanent
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat translation timeout 43200
ip nat pool Pool_2 XXX.XXX.XXX.210 XXX.XXX.XXX.222 netmask 255.255.255.0
ip nat pool Pool_01 XXX.XXX.XXX.201 XXX.XXX.XXX.209 netmask 255.255.255.0
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static 172.16.4.124 XXX.XXX.XXX.124
ip nat inside source static 172.16.16.199 XXX.XXX.XXX.201
ip nat inside source static 172.16.12.89 XXX.XXX.XXX.202
ip nat inside source static 172.16.24.99 XXX.XXX.XXX.203
ip nat inside source static 172.16.12.220 XXX.XXX.XXX.204
ip nat inside source static 172.16.8.53 XXX.XXX.XXX.205
ip nat inside source static 172.16.20.210 XXX.XXX.XXX.206
ip nat inside source static 172.16.4.110 XXX.XXX.XXX.207
ip nat inside source static 172.16.24.224 XXX.XXX.XXX.208
ip nat inside source static 172.16.24.152 XXX.XXX.XXX.209
ip nat inside source static 172.16.8.66 XXX.XXX.XXX.218
!
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
!
logging trap debugging
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.16.0.0 0.15.255.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip XXX.XXX.XXX.XXX 0.0.0.3 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip any any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 172.16.4.124
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 172.16.12.211
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 172.16.12.212
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip any host 172.16.24.99
access-list 106 remark CCP_ACL Category=0
access-list 106 permit ip any host 172.16.12.210
access-list 107 remark CCP_ACL Category=0
access-list 107 permit ip any host 172.16.8.53
access-list 108 remark CCP_ACL Category=0
access-list 108 permit ip any host 172.16.20.210
access-list 109 remark CCP_ACL Category=0
access-list 109 permit ip any host 172.16.4.110
access-list 110 remark CCP_ACL Category=0
access-list 110 permit ip any host 172.16.24.224
access-list 111 remark CCP_ACL Category=0
access-list 111 permit ip any host 172.16.24.152
no cdp run
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------

AUTHORIZED ACCESS ONLY!

All access attempts are monitored and logged.

-----------------------------------------------------------------------
^C
!
line con 0
login local
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
login local
transport output telnet
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler interval 500
ntp update-calendar
ntp server 207.46.232.182 source FastEthernet0
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end

ip access-list extended VPN

    10 permit esp any any
    20 permit udp any eq isakmp any eq isakmp
    30 permit udp any eq non500-isakmp any eq non500-isakmp

class-map type inspect match-any VPN

match access-group VPN

policy-map type inspect ccp-permit

class type inspect VPN

     inspect

policy-map type inspect ccp-permit-icmpreply

class type inspect VPN

     inspect

i think this should it be it, hopefully didnt miss out anything

Correct me if I'm wrong - this allows IPSec. How do I also allow SSL and PPTP?

IPsec was allowed in the ACL mentioned.

To permit SSL and PPTP you must include TCP 443, TCP 1723 and GRE.

Federico.

Can you help with the code for SSL and PPTP?

Following the same ACL:

ip access-list extended VPN

    10 permit esp any any
    20 permit udp any eq isakmp any eq isakmp
    30 permit udp any eq non500-isakmp any eq non500-isakmp 

    40 permit tcp any any eq 443

    50 permit tcp any any eq 1723

    60 permit gre any any

Federico.

zack,

if  your query is answered please mark it as resolved for the benifit of other support community users

-JA

I made the configurations changes this morning. The only change is on the line "match access-group VPN" should be "match access-group name VPN". I'll test VPN this evening and report back.

surely, if it does not pass, enable the logging and give this command

ip inspect log drop-pkt

and see the logs it will tell you where it is dropping, if you have trouble finding out the reason you can paste the logs i will help you figure out the reason

Still have users reporting VPNs being blocked. I'll try logging and get back with you. Thanks for both of your help so far

Sorry for taking so long to get back on this, but I haven't yet fixed the issue. I have not enabled logging yet to see exactly where it is being blocked. I think the issue lies in the basic firewall I have setup. Do the above rules give permissions to pass through the firewall as well?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: