
877 Router VPN

Status
Not open for further replies.

colinT23

Technical User
Feb 10, 2005
125
GB
Hi guys,

I'm new to Cisco Routers. I can configure a PIX VPN but I'm struggling with an 877 Router. I've used the SDM to configure the firewall and VPN access (the router is set up as an Easy VPN Server). All appears well, I've got internet connectivity, port scans show no obvious vulnerabilities, but I'm struggling to get the VPN to work correctly. Using the Cisco VPN Client (4.8) I can establish a VPN. I get the XAuth prompts etc. and the VPN comes up. My problem is that although I can ping PCs on the remote network, I can't access them either by name or IP address. Funnily enough, from the remote LAN, the PCs can connect to the machine connected by VPN client but not the other way around! So I'm thinking that the solution can't be far away but I've drawn a blank. Any ideas? Many thanks.

Regards Colin.
 
If they can get to your box and you can ping theirs, I will bet it is a firewall issue on the remote PCs. For you to get them by name, you will need to use a remote DNS server, a hosts file on your PC, or use iphelper for NetBIOS.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Hi Brent,

That's what I thought at first so I turned their Windows Firewall off temporarily. The only other firewall is the 877 itself which was configured using the SDM wizards. Still no joy! There's no DNS server at the site, only a peer to peer network of 5 XP Pro boxes. All I want is for the guys to have access to their 'server' while working from home and a support guy for their database needs (ideally) Remote Desktop access. I was wondering if the problem might lie with the firewall on the 877? It's really annoying because I had a similar problem with a PIX/VPN Client combo a couple of years ago but can't for the life of me remember how I cured it.

Regards Colin.
 
If they can connect to you, then it might be an ACL issue (inbound or outbound on an interface) or possibly a NAT/no_NAT issue.
I am good at PIX but I am OK at best for IOS VPNs but post it anyway and we'll take a look.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Hi Brent,

This is my first Cisco router and I have no knowledge of the CLI - all commands were issued with the SDM. If I connect via the console, what info do you want - which commands shall I enter? Incidentally, I've just set up a remote access VPN on my PIX 501 and I've got exactly the same problem. I originally thought that this was remedied with an 'isakmp nat-t' command but I've issued that and still no data transfer across the VPN. Thanks for your help.

Regards Colin.
 
You get into exec mode and type
sho run
That will give you the config on both.

The NAT traversal is for VPN clients inside your network connecting out to another site.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Hi Brent,

yourname>enable
yourname#sho run
Building configuration...

Current configuration : 10522 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login local_authen local
aaa authorization exec default local
aaa authorization exec local_author local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.16 10.10.10.254
!
ip dhcp pool sdm-pool
import all
network 10.10.10.0 255.0.0.0
default-router 10.10.10.1
dns-server 62.31.140.44
lease 0 2
!
!
ip inspect log drop-pkt
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH icmp
ip inspect name SDM_HIGH dns
ip inspect name SDM_HIGH esmtp
ip inspect name SDM_HIGH https
ip inspect name SDM_HIGH imap reset
ip inspect name SDM_HIGH pop3 reset
ip inspect name SDM_HIGH tcp
ip inspect name SDM_HIGH udp
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 62.31.140.44
ip name-server 62.31.140.45
ip ssh time-out 60
ip ssh authentication-retries 2
!
appfw policy-name SDM_HIGH
application im aol
service default action reset alarm
service text-chat action reset alarm
server deny name login.oscar.aol.com
server deny name toc.oscar.aol.com
server deny name oam-d09a.blue.aol.com
audit-trail on
application im msn
service default action reset alarm
service text-chat action reset alarm
server deny name messenger.hotmail.com
server deny name gateway.messenger.hotmail.com
server deny name webmessenger.msn.com
audit-trail on
application http
strict-http action reset alarm
port-misuse im action reset alarm
port-misuse p2p action reset alarm
port-misuse tunneling action reset alarm
application im yahoo
service default action reset alarm
service text-chat action reset alarm
server deny name scs.msg.yahoo.com
server deny name scsa.msg.yahoo.com
server deny name scsb.msg.yahoo.com
server deny name scsc.msg.yahoo.com
server deny name scsd.msg.yahoo.com
server deny name cs16.msg.dcn.yahoo.com
server deny name cs19.msg.dcn.yahoo.com
server deny name cs42.msg.dcn.yahoo.com
server deny name cs53.msg.dcn.yahoo.com
server deny name cs54.msg.dcn.yahoo.com
server deny name ads1.vip.scd.yahoo.com
server deny name radio1.launch.vip.dal.yahoo.com
server deny name in1.msg.vip.re2.yahoo.com
server deny name data1.my.vip.sc5.yahoo.com
server deny name address1.pim.vip.mud.yahoo.com
server deny name edit.messenger.yahoo.com
server deny name messenger.yahoo.com
server deny name http.pager.yahoo.com
server deny name privacy.yahoo.com
server deny name csa.yahoo.com
server deny name csb.yahoo.com
server deny name csc.yahoo.com
audit-trail on
!
!
crypto pki trustpoint TP-self-signed-440292402
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-440292402
revocation-check none
rsakeypair TP-self-signed-440292402
!
!
crypto pki certificate chain TP-self-signed-440292402
certificate self-signed 01
632CF176 62 blah blah blah
quit
username colin privilege 15 secret 5 $1$S4oL$KnsAgZGvwvf2CWJoXo6lF.
username David secret 5 $1$.sMa$nzNHnxQA2dnoB6HGdcMjN/
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnpusers
key 123456
dns 62.31.140.44 62.31.140.45
pool SDM_POOL_1
include-local-lan
max-users 4
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set security-association idle-time 1200
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 10.10.10.1 255.0.0.0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Dialer0
description $FW_OUTSIDE$
ip address 100.100.100.100 255.255.255.0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect SDM_HIGH out
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname test
ppp chap password 7 0010161510
ppp pap sent-username test password 7 13111201
crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.100.1 192.168.100.5
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 100 remark SDM_ACL Category=2
access-list 100 deny ip any host 192.168.100.1
access-list 100 deny ip any host 192.168.100.2
access-list 100 deny ip any host 192.168.100.3
access-list 100 deny ip any host 192.168.100.4
access-list 100 deny ip any host 192.168.100.5
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 100.100.100.0 0.0.0.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit udp host 62.31.140.45 eq domain host 100.100.100.100
access-list 102 permit udp host 62.31.140.44 eq domain host 100.100.100.100
access-list 102 permit ip host 192.168.100.1 any
access-list 102 permit ip host 192.168.100.2 any
access-list 102 permit ip host 192.168.100.3 any
access-list 102 permit ip host 192.168.100.4 any
access-list 102 permit ip host 192.168.100.5 any
access-list 102 permit ahp any host 100.100.100.100
access-list 102 permit esp any host 100.100.100.100
access-list 102 permit udp any host 100.100.100.100 eq isakmp
access-list 102 permit udp any host 100.100.100.100 eq non500-isakmp
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 permit icmp any host 100.100.100.100 echo-reply
access-list 102 permit icmp any host 100.100.100.100 time-exceeded
access-list 102 permit icmp any host 100.100.100.100 unreachable
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 100
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------


^C
!
line con 0
login authentication local_authen
no modem enable
line aux 0
login authentication local_authen
line vty 0 4
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

yourname#

I've substituted real IPs - does this config make any sense to you? This was created using the SDM and like I said before, all works OK except for the VPN access in the one direction.

Regards Colin
 
Wow, router configs are so odd.
What are you trying to accomplish with these lines (is it to exclude NAT?)
access-list 100 remark SDM_ACL Category=2
access-list 100 deny ip any host 192.168.100.1
access-list 100 deny ip any host 192.168.100.2
access-list 100 deny ip any host 192.168.100.3
access-list 100 deny ip any host 192.168.100.4
access-list 100 deny ip any host 192.168.100.5
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
route-map SDM_RMAP_1 permit 1
match ip address 100


It looks good from what I can see.
Check this out and look for anything I might have missed.


Brent
Systems Engineer / Consultant
CCNP, CCSP
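
The access-list 100 / route-map SDM_RMAP_1 pair Brent asks about is the NAT-exemption mechanism: `ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload` translates only packets the route-map matches, so the five `deny ip any host 192.168.100.x` entries keep inside-to-VPN-pool traffic untranslated while `permit ip 10.0.0.0 0.255.255.255 any` sends everything else through NAT overload. The Python model below is an added example, not code from the thread; it implements IOS wildcard-mask matching over the posted ACL and, with a constructed wider exemption list (not from Colin's config), shows that a pool widened beyond the five listed hosts needs the exemption list widened as well.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action plus IOS-style source/destination specs."""
    action: str  # "permit" or "deny"
    src: str     # "any", "host A.B.C.D" or "A.B.C.D W.X.Y.Z" (address + wildcard)
    dst: str


def wildcard_match(spec: str, addr: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard mask means 'don't care'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec.split()[1] == addr
    base, wild = spec.split()
    care = 0xFFFFFFFF & ~int(ipaddress.IPv4Address(wild))
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care


def acl_action(acl: list[Ace], src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if wildcard_match(ace.src, src) and wildcard_match(ace.dst, dst):
            return ace.action
    return "deny"


def is_translated(acl: list[Ace], src: str, dst: str) -> bool:
    """With 'ip nat inside source route-map', only a route-map match (ACL permit)
    is translated; an explicit or implicit deny leaves the packet untranslated."""
    return acl_action(acl, src, dst) == "permit"


# access-list 100 as posted: exempt the five VPN pool hosts, NAT the rest of 10/8.
ACL_100_POSTED = [Ace("deny", "any", f"host 192.168.100.{i}") for i in range(1, 6)]
ACL_100_POSTED.append(Ace("permit", "10.0.0.0 0.255.255.255", "any"))

# Constructed variant (not from the thread): one wildcard entry covering a full /24 pool.
ACL_100_WIDE = [Ace("deny", "any", "192.168.100.0 0.0.0.255"),
                Ace("permit", "10.0.0.0 0.255.255.255", "any")]

if __name__ == "__main__":
    for name, acl in (("posted", ACL_100_POSTED), ("wide", ACL_100_WIDE)):
        for dst in ("192.168.100.3", "192.168.100.77", "198.51.100.9"):
            verdict = "NAT" if is_translated(acl, "10.10.10.20", dst) else "no-NAT"
            print(f"{name}: 10.10.10.20 -> {dst}: {verdict}")
```

A LAN host talking to 192.168.100.77 is translated under the posted list but exempt under the wide one, which is the check to run whenever the `ip local pool` range changes.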
 
Hi Brent,

I've no idea! As I said, I've configured this with the SDM and I've now solved the problem. I changed the VPN IP pool to a full range - 192.168.x.1 to 192.168.x.254. Previously, trying to limit the number of IP addresses forced a 255.255.255.248 mask which somehow caused a conflict. I've no idea why changing the subnet mask has fixed the problem but it has and the VPN is now working fine. Many thanks for your help on this.

Regards Colin.
 
Hi again,

One thing I forgot to ask - has anyone any experience of these 870 'all in one solutions', i.e., how good is the firewall compared to a PIX etc.? I must say that I like the ability to block P2P and Messenger crap and the anti virus integration looks useful. My only real concern is the lack of Intrusion Prevention (although my client is using a consumer grade firewall/router at present so the 877 should be a serious improvement) - you need to buy an upgrade for this. Pity Cisco don't mention this in their sales jargon. Any comments welcome.

Regards Colin.
 
I have installed a couple of 871 and 1811 and I am very satisfied. The firewall/IPS is good enough. I have replaced my PIX 501 and 506 with these products. But now that Cisco is releasing the ASA 5505 I probably will go with them (I get my 5505 in 3 weeks, yippii).

In my opinion these products are better than the PIX. But if you compare it to ASA I would choose ASA.

I understand your concern about the IPS. But if you really need a box with good IPS features your money should be spent on bigger boxes (ASA etc.).
 
Hi boymarty24,

Yeah, I have to agree the 870s are good. The VPNs connect flawlessly and the throughput is ample for my client's needs. I've just started looking at the ASAs but need to do a bit more research as I believe there are different 'editions'? Any chance you could post your findings on the 5505 on this or the PIX site? Thanks.

Regards Colin.
 
Colin,

I strongly recommend the 5505. It's a wonderful box. Good security and performance, and it's easier to configure than the IOS routers.
 
Could anyone tell me, where can I find the Cisco VPN Client? I can't download it from cisco.com, should I buy it? Hopefully not, any alternative? Thanks. Gustavo.
 
You get the client with purchased products. Otherwise you need a SMARTnet contract to access downloads.
 