Access list denying connection to outside vpn

[Scrye]

I have read many problems and solutions over the past few weeks and most of the problems are similar to mine but I have not come across any solutions that I have not already tried.

My problem is:

When connecting to a customer's VPN server I get the following message:

"Failed to get DNS & WINS configuration information through the Extranet Connection. Connection closed.

Usually this error indicates that a firewall is preventing IPSecurity packets from reaching the Extranet Switch."

I know it is the router access list that is the problem because when I turn the access list off I can connect. Although I am able to ping the VPN server with the access list on but cannot connect with Nortel VPN Client. The access list commands being used are:

access-list 100 permit ip xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx
access-list 100 permit tcp xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx
access-list 100 permit udp xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx

To my understanding this will allow all ports open to a specified ip address from a range of ip addresses.
The configuration is on a Cisco 1605 router.

Any help would be greatly appreciated.

 

[baddos]

Please post the whole config with the access list bound.

 

[Scrye]

Here is the config for my router. 1.2.3.4 is the outside ip for my machine and 5.6.7.8 is the starting ip for the network my customer's vpn is on. I know the router is the first ip and the vpn is the next. I have opened 32 ip address for access from their network for other reasons. My customer can get through to my machine with this access but I cannot get out.
The bolded section is the access for the vpn.

!
ip subnet-zero
no ip source-route
ip nat translation timeout 1800
ip nat pool router x.x.x.x x.x.x.x netmask 255.255.255.x
ip nat inside source list 1 pool router overload
ip nat inside source list 2 interface Serial0.1 overload
ip nat inside source static 172.16.0.0 1.2.3.4
ip name-server x.x.x.x
ip name-server x.x.x.x
ip inspect name sccfw ftp timeout 3600
ip inspect name sccfw smtp timeout 3600
ip inspect name sccfw tftp timeout 30
ip inspect name sccfw udp timeout 15
ip inspect name sccfw tcp timeout 3600
ip inspect name sccfw http timeout 3600
ip inspect name sccfw sqlnet timeout 3600
ip inspect name sccfw rcmd timeout 3600
!
interface Ethernet0
ip address 172.16.0.x 255.255.0.0
ip nat inside
ip inspect sccfw in
no logging event subif-link-status
no cdp enable
!
interface Ethernet1
no ip address
no logging event subif-link-status
shutdown
no cdp enable
!
interface Serial0
ip unnumbered Ethernet0
ip nat outside
encapsulation frame-relay IETF
no logging event subif-link-status
frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
ip address 1.2.3.4 255.255.255.255
ip nat outside
no arp frame-relay
no cdp enable
frame-relay interface-dlci 257
!
router rip
passive-interface Serial0
passive-interface Serial0.1
network 1.2.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0.1
no logging trap
access-list 100 permit icmp any any
access-list 100 permit tcp any any eq telnet
access-list 100 permit udp any any eq 23
access-list 100 permit tcp any host 1.2.3.4 eq smtp
access-list 100 permit udp any host 1.2.3.4 eq 25
access-list 100 permit tcp any host 1.2.3.4 eq pop3
access-list 100 permit udp any host 1.2.3.4 eq 110
access-list 100 permit ip 5.6.7.8 0.0.0.31 host 1.2.3.4
access-list 100 permit tcp 5.6.7.8 0.0.0.31 host 1.2.3.4
access-list 100 permit udp 5.6.7.8 0.0.0.31 host 1.2.3.4
access-list 100 deny ip any any
no cdp run


If you need anything else let me know.

 

[baddos]

I don't see your access list bound to any interface. You can modifiy your access list to do this:

access-list 100 permit icmp any any
access-list 100 permit tcp any any eq telnet
access-list 100 permit udp any any eq 23
access-list 100 permit tcp any host 1.2.3.4 eq smtp
access-list 100 permit udp any host 1.2.3.4 eq 25
access-list 100 permit tcp any host 1.2.3.4 eq pop3
access-list 100 permit udp any host 1.2.3.4 eq 110
access-list 100 permit ip 5.6.7.8 0.0.0.31 host 1.2.3.4
access-list 100 permit tcp 5.6.7.8 0.0.0.31 host 1.2.3.4
access-list 100 permit udp 5.6.7.8 0.0.0.31 host 1.2.3.4
access-list 100 deny ip any any log

Then do a show log to see if any packets are getting disguarded by the acl.

 

[KevinMcKloud]

"My customer can get through to my machine with this access but I cannot get out"

mmhh... Try this:

access-list 100 permit icmp any any
access-list 100 permit tcp any any eq telnet
access-list 100 permit udp any any eq 23
access-list 100 permit tcp any host 1.2.3.4 eq smtp
access-list 100 permit udp any host 1.2.3.4 eq 25
access-list 100 permit tcp any host 1.2.3.4 eq pop3
access-list 100 permit udp any host 1.2.3.4 eq 110
access-list 100 permit ip 5.6.7.8 0.0.0.31 host 1.2.3.4
access-list 100 permit ip any any established
access-list 100 deny ip any any log

"permit ip any any established" should do the trick,
it will permit all the traffic initiated INSIDE..To Return.

Also
access-list 100 permit tpc 5.6.7.8 0.0.0.31 host 1.2.3.4
access-list 100 permit udp 5.6.7.8 0.0.0.31 host 1.2.3.4
are redundant, IP = ALL protocols (tcp and udp included)
you only need the one with "ip"

Kevin

 

[Scrye]

I have tried the "access-list 100 permit ip any any established" and I get "Invalid input detected" for established. If I use "?" to see the usable commands and established is not there. It will except established at the end of "access-list 100 permit tpc 5.6.7.8 0.0.0.31 host 1.2.3.4" only but this still does not let me connect to my customer's vpn. I still get the same error as above.

So now my access list config looks like:

access-list 100 permit icmp any any
access-list 100 permit tcp any any eq telnet
access-list 100 permit udp any any eq 23
access-list 100 permit tcp any host 1.2.3.4 eq smtp
access-list 100 permit udp any host 1.2.3.4 eq 25
access-list 100 permit tcp any host 1.2.3.4 eq pop3
access-list 100 permit udp any host 1.2.3.4 eq 110
access-list 100 permit tcp 5.6.7.8 0.0.0.31 host 1.2.3.4 established
access-list 100 permit udp 5.6.7.8 0.0.0.31 host 1.2.3.4
access-list 100 deny ip any any log

Also, how do you view the log on "deny ip any any log"? Is it capturing actual data to a log file or is it just capturing counting information, i.e. number of hits?

Thank you!

 

[masmith22]

I have a CISCO 806 router connect to Comcast (ISP). I am not able to my company VPN. I receive an banner error.
Thanking you in advance for your help.
Below is my config:
ip subnet-zero
ip name-server 68.x.x.x
ip name-server 68.x.x.x
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 68.x.x.x 68.x.x.x
!
ip dhcp pool client
network 10.10.10.0 255.255.255.0
dns-server 68.x.x.x 68.x.x.x
domain-name comcast.net
default-router 10.10.10.1
lease infinite
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
!
partition flash 2 6 2
!
!
!
!
interface Loopback0
ip address 10.1.1.1 255.255.255.255
!
interface Ethernet0
ip address 10.10.10.1 255.255.255.0
ip nat inside
no cdp enable
hold-queue 32 in
hold-queue 100 out
!
interface Ethernet1
mac-address
ip address dhcp client-id Ethernet1
ip access-group 111 in
ip nat outside
ip inspect myfw out
no keepalive
no cdp enable
!
ip nat inside source list 102 interface Ethernet1 overload
ip classless
ip http server
ip pim bidir-enable
!
!
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 111 permit ip 66.x.x.x 0.0.0.255 any
access-list 111 permit ip 162.x.x.x 0.0.0.255 any
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit udp any any eq isakmp
access-list 111 permit tcp any any eq telnet
access-list 111 permit tcp any any gt 1023 established
access-list 111 permit udp any any range 1718 1720
access-list 111 permit udp any range 1718 1720 any
access-list 111 permit tcp any any range 1718 1720
access-list 111 permit tcp any range 1718 1720 any
access-list 111 permit udp any range 54000 56000 any
access-list 111 permit udp any any range 54000 56000
access-list 111 permit udp any any eq 6257
access-list 111 permit tcp any any eq 6346 established
access-list 111 permit ahp any any
access-list 111 permit esp any any
no cdp run
!
line con 0
exec-timeout 120 0
password 7
logging synchronous
login
stopbits 1
line vty 0 4
exec-timeout 120 0
password 7
login
length 0
!
scheduler max-task-time 5000
end

 

[Scrye]

masmith22 - I did get my connection working yesterday (finally after about 2 months of turning the router access list on and off). Your configuration is a little different than mine but I will let you know what I did to fix the problem.

Below is the original access list:

access-list 100 permit icmp any any
access-list 100 permit tcp any any eq telnet
access-list 100 permit udp any any eq 23
access-list 100 permit tcp any host 1.2.3.4 eq smtp
access-list 100 permit udp any host 1.2.3.4 eq 25
access-list 100 permit tcp any host 1.2.3.4 eq pop3
access-list 100 permit udp any host 1.2.3.4 eq 110
access-list 100 permit ip 5.6.7.8 0.0.0.31 host 1.2.3.4
access-list 100 permit tcp 5.6.7.8 0.0.0.31 host 1.2.3.4
access-list 100 permit udp 5.6.7.8 0.0.0.31 host 1.2.3.4
access-list 100 deny ip any any

The following is what is working at this moment:

access-list 100 permit icmp any any
access-list 100 permit tcp any any eq telnet
access-list 100 permit udp any any eq 23
access-list 100 permit tcp any host 1.2.3.4 eq smtp
access-list 100 permit udp any host 1.2.3.4 eq 25
access-list 100 permit tcp any host 1.2.3.4 eq pop3
access-list 100 permit udp any host 1.2.3.4 eq 110
access-list 100 permit ip host 5.6.7.10 any
access-list 100 deny ip any any

I removed the tcp and udp lines plus changed the ip line. The bolded line is the ip of the VPN server I was trying to connect to. This is working with no connection problems, no IPSec problems, or banner display problems.

I hope this helps.

 

[Speaker]

I was told by comcast that they were blocking all vpn traffic on their switches, as they consider it business usage, and want me to pay $100/mo for a business account. My boss, however, who also has comcast, says he is able to vpn. I was told by comcast that they haven't gotten around to all of their switches yet.

I'm in Michigan, I don't know if it's the same elsewhere.