How to allow VPN passthrough with an 871?

thefleshrocket
Level 1

I have a doctor's office client who is using a recently-deployed Cisco 871W router. One doctor makes a VPN connection to a remote VPN server. Initially, with the default Cisco firewall enabled, the VPN client would not connect at all; it would time out during the connection process. I reviewed the built-in Cisco Help files and found the following:

[quote]How Do I Configure NAT Passthrough for a VPN?

If you are using NAT to translate addresses from networks outside your own and if you are also connecting to a specific site outside your network via a VPN, you must configure NAT passthrough for your VPN connection, so that network address translation does not take place on the VPN traffic. If you have already configured NAT on your router and are now configuring a new VPN connection using SDM, you will receive a warning message informing you that SDM will configure NAT so that it does not translate VPN traffic. You must accept the message so that SDM will create the necessary ACLs to protect your VPN traffic from translation.

If you are configuring NAT using SDM and you have already configured a VPN connection, perform the following procedure to create ACLs.

From the left frame, select Additional Tasks/ACL Editor.

In the Rules tree, choose Access Rules.

Click Add.

The Add a Rule dialog box appears.

In the Name/Number field, enter a unique name or number for the new rule.

From the Type field, choose Extended Rule.

In the Description field, enter a short description of the new rule.

Click Add.

The Add a Standard Rule Entry dialog box appears.

In the Action field, choose Permit.

In the Source Host/Network group, from the Type field, select A Network.

In the IP Address and Wildcard Mask fields, enter the IP address and subnet mask of the VPN source peer.

In the Destination Host/Network group, from the Type field, select A Network.

In the IP Address and Wildcard Mask fields, enter the IP address and subnet mask of the VPN destination peer.

In the Description field, enter a short description of the network or host.

Click OK.

The new rule now appears in the Access Rules table.

[/quote]

I tried this, entering the IP address that the VPN client connects to, but I still could not connect to the VPN server.

1 Reply

thefleshrocket
Level 1

I kept looking and then found this:

[quote]How Do I Permit Traffic Through a Firewall to My Easy VPN Concentrator?

In order to permit traffic through your firewall to a VPN concentrator, you must create or modify access rules that permit the VPN traffic. To create these rules:

From the left frame, select Additional Tasks.

In the Rules tree, select ACL Editor and then Access Rules.

Click Add.

The Add a Rule dialog box appears.

In the Name/Number field, enter a unique name or number for this rule.

In the Description field, enter a description of the rule, such as "VPN Concentrator Traffic."

Click Add.

The Add an Extended Rule Entry dialog box appears.

In the Source Host/Network group, from the Type field, select A Network.

In the IP Address and Wildcard Mask fields, enter the IP address and network mask of the VPN source peer.

In the Destination Host/Network group, from the Type field, select A Network.

In the IP Address and Wildcard Mask fields, enter the IP address and network mask of the VPN destination peer.

In the Protocol and Service group, select TCP.

In the Source port fields, select =, and enter the port number 1023.

In the Destination port fields, select =, and enter the port number 1723.

Click OK.

The new rule entry appears in the Rule Entry list.

Repeat Step 7 through Step 15, creating rule entries for the following protocols and, where required, port numbers:

Protocol IP, IP protocol GRE

Protocol UDP, Source Port 500, Destination Port 500

Protocol IP, IP Protocol ESP

Protocol UDP, Source Port 10000, Destination Port 10000

Click OK.

[/quote]

I initially configured this exactly as described here, but I still could not connect.

[img]http://www.thefleshrocket.com/images/misc/cisco_acl.jpg[/img]

So I went into the firewall ACL settings and directly added the same rules to the originating and returning connections.

[img]http://www.thefleshrocket.com/images/misc/cisco_outgoing.jpg[/img]

[img]http://www.thefleshrocket.com/images/misc/cisco_returning.jpg[/img]

After doing so, the VPN client could successfully connect, but trying to run programs (such as Outlook) resulted in the programs either bogging down terribly or hanging up completely. I hooked the doctor's computer directly to the DSL, bypassing the router entirely, and was able to connect using the VPN. I noticed that the number of bytes sent and received was more or less the same. I then switched back to going through the router, and noticed that the number of bytes received was significantly less than the number of bytes sent. I disabled the firewall completely, but that did not help. It appeared that NAT was filtering out many of the returning packets.

I did some research on enabling IPSec over NAT and apparently it's really easy on cheapy routers--usually there's just a checkbox for it somewhere in the config. Other routers don't even require that--VPN clients will "just work". Yet that's not the case with this Cisco.

So I'm hoping you guys might be able to point me in the right direction here. I've been learning this Cisco stuff as needed as I go along, and this part has me pretty much stumped. Thanks!
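The two quoted SDM procedures expressed as IOS CLI, as an added example that is not from the original post or from Cisco's documentation. The addresses, ACL names and the 871W interface roles (Vlan1 inside, FastEthernet4 WAN) are placeholders and assumptions; in practice these entries are merged into the firewall's existing ACLs rather than replacing them, and they only permit the traffic at the firewall, they do not change how NAT handles ESP or GRE.

```cisco
! Added example, not from the original post. Placeholder addresses:
! 192.0.2.10 = VPN client PC (inside), 198.51.100.5 = remote VPN concentrator.
!
! Originating direction (client -> concentrator), applied inbound on the LAN side.
ip access-list extended VPN-OUT
 remark PPTP control channel. The quoted help says source port "= 1023";
 remark clients use ephemeral source ports, so "gt 1023" is used here instead.
 permit tcp host 192.0.2.10 gt 1023 host 198.51.100.5 eq 1723
 remark PPTP data channel (GRE, IP protocol 47)
 permit gre host 192.0.2.10 host 198.51.100.5
 remark IKE
 permit udp host 192.0.2.10 eq 500 host 198.51.100.5 eq 500
 remark IPsec ESP (IP protocol 50)
 permit esp host 192.0.2.10 host 198.51.100.5
 remark Cisco IPsec over UDP encapsulation
 permit udp host 192.0.2.10 eq 10000 host 198.51.100.5 eq 10000
 remark keep the rest of the LAN's outbound traffic as before
 permit ip any any
!
! Returning direction (concentrator -> router). ESP and GRE carry no ports, so the
! stateful inspection cannot open return pinholes for them; they must be permitted
! explicitly inbound on the WAN interface, ahead of the firewall's deny entries.
! This ACL is checked before NAT un-translates the packet, so the destination is
! the router's public address; "any" keeps the example independent of it.
ip access-list extended VPN-IN
 permit tcp host 198.51.100.5 eq 1723 any gt 1023
 permit gre host 198.51.100.5 any
 permit udp host 198.51.100.5 eq 500 any eq 500
 permit esp host 198.51.100.5 any
 permit udp host 198.51.100.5 eq 10000 any eq 10000
!
interface Vlan1
 ip access-group VPN-OUT in
!
interface FastEthernet4
 ip access-group VPN-IN in
```

With the entries in place, "show access-lists VPN-IN" shows hit counters per entry, which is the quickest way to confirm that returning ESP or GRE is reaching the WAN interface at all before looking at NAT.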