IPSEC VPN *** CANT OPEN HTTP or RDP TO REMOTE OFFICE HARDWARE

Status
Not open for further replies.

Wizard07

Technical User
Oct 25, 2007
12
AU
Hi

We have implemented an IPSEC over VPN to our office in Canada. Now we are using a Cisco 871 router in Canada and Cisco hardware on our end.

We can map printers, view the c$ admin share on machines on the remote network, ping, telnet, but when it comes to opening an RDP session or an HTTP session to a printer or computer etc. they are unsuccessful.

When we open an RDP or HTTP session from the Canada office to a machine on our network here (Australia) they are successful to all the machines etc.

Any IDEAS ??? Firewall -- looks fine
 
172.16.0.0 - Australia Range
192.168.99.0 - Canada Range


ip subnet-zero
no ip source-route
no ip cef
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name *****
ip name-server
ip name-server
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
!
description Tunnel to**********
set peer **********
set transform-set ***********
match address 102
!

!
interface Vlan1
ip address 192.168.99.254 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip classless
ip route 172.16.0.0 255.255.0.0 FastEthernet4 permanent
ip route 192.168.1.0 255.255.255.0 FastEthernet4 permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.99.1 3389 interface FastEthernet4 3389
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.99.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any log
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 172.16.0.0 0.0.255.255 192.168.99.0 0.0.0.255 log
access-list 101 permit ip 192.168.99.0 0.0.0.255 172.16.0.0 0.0.255.255 log
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.99.0 0.0.0.255 log
access-list 101 permit ip 192.168.99.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 101 permit udp host ***** any eq non500-isakmp
access-list 101 permit udp host ***** any eq isakmp
access-list 101 permit esp host ***** any
access-list 101 permit ahp host ****** any
access-list 101 permit udp host ****** eq domain any
access-list 101 permit udp host ****eq domain any
access-list 101 permit tcp any any eq 3389 log
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip 192.168.99.0 0.0.0.255 any log
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip any any log
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.99.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 102 permit ip 172.16.0.0 0.0.255.255 192.168.99.0 0.0.0.255
access-list 102 permit ip 192.168.99.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 deny ip 192.168.99.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 103 remark IPSec Rule
access-list 103 deny ip 192.168.99.0 0.0.0.255 172.16.0.0 0.0.255.255 log
access-list 103 permit ip 192.168.99.0 0.0.0.255 any
no cdp run
 
Looks like part of the config is missing... like the route map that NAT/PAT is associated with, and what ACL may be on the outgoing interface (Fa4).
Shot in the dark without knowing anything else... what happens if you remove the static NAT entry for TCP 3389?

Burt
 
Looks like heaps is missing, I will repost the config shortly. After I removed the static entry I lost all connectivity to the router there. Thanks for your help.
 
All connectivity? By removing it altogether? No ping??? Yes---post the entire config...

Burt
 
Building configuration...

Current configuration : 7595 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length
logging buffered 51200 debugging
logging console critical
enable secret
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
no ip cef
!
!
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name dns.org
ip name-server 154.9.12.63
ip name-server 154.9.12.631
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
!
!
crypto pki trustpoint TP-self-signed-3283
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3283
revocation-check none
rsakeypair TP-self-signed-3283
!
!
crypto pki certificate chain TP-self-signed-3283
certificate self-signed 01
quit
username Administrator privilege
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication
group 2
crypto isakmp key address 184.135.265.159
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to184.135.265.159
set peer 184.135.265.159
set transform-set ESP-3DES-MD5
match address 102
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address dhcp client-id FastEthernet4
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.99.254 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip classless
ip route 172.16.0.0 255.255.0.0 FastEthernet4 permanent
ip route 192.168.1.0 255.255.255.0 FastEthernet4 permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.99.1 3389 interface FastEthernet4 3389
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.99.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any log
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 172.16.0.0 0.0.255.255 192.168.99.0 0.0.0.255 log
access-list 101 permit ip 192.168.99.0 0.0.0.255 172.16.0.0 0.0.255.255 log
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.99.0 0.0.0.255 log
access-list 101 permit ip 192.168.99.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 101 permit udp host 184.135.265.159 any eq non500-isakmp
access-list 101 permit udp host 184.135.265.159 any eq isakmp
access-list 101 permit esp host 184.135.265.159 any
access-list 101 permit ahp host 184.135.265.159 any
access-list 101 permit udp host 154.9.12.631 eq domain any
access-list 101 permit udp host 154.9.12.63 eq domain any
access-list 101 remark Remote Desktop Protocol
access-list 101 permit tcp any any eq 3389 log
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip 192.168.99.0 0.0.0.255 any log
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip any any log
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.99.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 102 permit ip 172.16.0.0 0.0.255.255 192.168.99.0 0.0.0.255
access-list 102 permit ip 192.168.99.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 deny ip 192.168.99.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 103 remark IPSec Rule
access-list 103 deny ip 192.168.99.0 0.0.0.255 172.16.0.0 0.0.255.255 log
access-list 103 permit ip 192.168.99.0 0.0.0.255 any
no cdp run
!
route-map SDM_RMAP_1 permit 1
match ip address 103
!
!
control-plane
!
banner login ^CCCCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
 
Try this
router#sh access-list
You will see ACL 101 listed numerically... change the 3389 line to permit tcp any any eq 3389, without the "log" keyword...
Let's say that particular line is 130...
router#conf t
router(config)#ip access-list extended 101
router(config-ext-nacl)#no 130
router(config-ext-nacl)#130 permit tcp any any eq 3389
See if that at least lets you RDP...I'm just looking at this quickly, and trying a quick suggestion. I will have more time hopefully tomorrow, or perhaps someone else can chime in...

Burt
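To see which entry a given flow hits in the ACLs posted above (101 inbound on Fa4, 102 the crypto match, 103 the route-map that decides what is exempt from PAT), here is an added Python first-match evaluator for IOS numbered extended ACLs; it is example code written for this thread, not from the poster or from Cisco. The end hosts 172.16.1.10 and 192.168.99.20 and the ports are constructed, while the ACL entries are copied from the config above (peer and DNS lines omitted).

```python
import ipaddress
_ip = lambda s: int(ipaddress.IPv4Address(s))
def _addr(tok, i):
    # 'any' | 'host A' | 'A WILDCARD'  ->  ((base, wildcard), next index)
    if tok[i] in ("any", "host"):
        return ((0, 0xFFFFFFFF), i + 1) if tok[i] == "any" else ((_ip(tok[i + 1]), 0), i + 2)
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2

def _port(tok, i):
    # optional 'eq N' (numeric ports only here); None matches any port
    return (int(tok[i + 1]), i + 2) if i < len(tok) and tok[i] == "eq" else (None, i)

def parse_acls(config):
    # {acl_number: [(action, proto, src, sport, dst, dport, line), ...]}; remarks skipped
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, _ = _port(tok, i)        # trailing 'log' or ICMP type is ignored
        acls.setdefault(int(tok[1]), []).append((tok[2], tok[3], src, sport, dst, dport, line.strip()))
    return acls

def evaluate(aces, flow):
    # IOS semantics: the first matching entry wins, otherwise the implicit deny applies
    proto, src, sport, dst, dport = flow
    hit = lambda net, ip: ((ip ^ net[0]) & ~net[1] & 0xFFFFFFFF) == 0   # set wildcard bit = don't care
    for action, p, s, sp, d, dp, line in aces:
        if (p in ("ip", proto) and hit(s, _ip(src)) and hit(d, _ip(dst))
                and sp in (None, sport) and dp in (None, dport)):
            return action, line
    return "deny", "<implicit deny>"

# Constructed subset of the ACLs posted in the thread (peer and DNS lines omitted).
CONFIG = """access-list 101 permit ip 172.16.0.0 0.0.255.255 192.168.99.0 0.0.0.255 log
access-list 101 permit tcp any any eq 3389 log
access-list 101 deny ip any any log
access-list 102 permit ip 192.168.99.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 103 deny ip 192.168.99.0 0.0.0.255 172.16.0.0 0.0.255.255 log
access-list 103 permit ip 192.168.99.0 0.0.0.255 any"""
if __name__ == "__main__":
    acls = parse_acls(CONFIG)
    rdp_in = ("tcp", "172.16.1.10", 50000, "192.168.99.1", 3389)    # constructed AU host -> Canada server
    rdp_back = ("tcp", "192.168.99.1", 3389, "172.16.1.10", 50000)  # its reply
    print("101 (Fa4 in), RDP request :", evaluate(acls[101], rdp_in))
    print("103 (NAT route-map), reply:", evaluate(acls[103], rdp_back))  # deny here = exempt from PAT
    print("102 (crypto ACL), reply   :", evaluate(acls[102], rdp_back))  # permit here = sent into the tunnel
```

Note that a static NAT entry such as the 3389 port forward on Fa4 is not governed by the route-map, so this evaluator only tells you what ACLs 101/102/103 would do, not what the static translation does first.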
 
Still no luck... This one has got me stumped, everything seems to point back to the router.... maybe MTU size, but then again I have no idea.... any other suggestions???
 
OK SO FAR ---

We have a DC in the Canada site (2003) -- all replication (DNS, AD, Sites and Services) is fine (ping, telnet, admin shares, everything is ok) to and from Australia.... One thing I notice: the traffic which requires authentication, e.g. a PC in the Canada site comes to our local intranet site here in AUS hosted on a Win2003 server, the website is found but times out (if I turn Windows Authentication off in the web browser it works fine).. but in the case of Outlook Web Access it doesn't; it prompts for credentials and when entered they get rejected, keep getting prompted... it's like any packets that are authentication based get dropped??? if that even makes sense..

Now if I try an RDP connection to the server on the network (Canada, 192.168.99.0/24) from Australia (172.16.0.0/16) no connection is made... if I try to connect to a client XP machine it gets the first blue screen, then the login screen never loads and times out, so it drops the connection....

This problem is killing me and I suspect it's all to do with the config of the Canada router.... I just can't see what could be the issue..

Thanks everyone for the suggestions
 