[c-nsp] Getting a VPN to work through a Cisco firewall

Rick Kunkel kunkel at w-link.net
Wed Jan 11 14:43:56 EST 2006


Hello all,

I'm relatively new to the list.  I've been configuring Cisco devices in a
relatively simple fashion for years now.  However, we've got a customer
who bought a Cisco 1841 with the Firewall Feature set, and there are some
new commands and features I'm not used to.  Primarily I do backbone or
distribution layer configs, not ones on the end, so the VPN stuff is new to
me as well...

Anyhow, the problem here lies in the firewall blocking VPN traffic.  
Right now, as a lab, I've got the WAN port of the router set up with a
xxx.xxx.xxx.158 255.255.255.252 IP address, and the LAN as a
xxx.xxx.xxx.161 255.255.255.224 IP address.

When someone from the outside makes a VPN connection to the router's WAN
IP address, it grabs an address from the pool, and works fine as long as
the firewall is not in place.

Once the firewall is there, the traffic can't make it back in, despite the 
fact that the inspect CBAC is supposed to open holes in the firewall.  I 
get log entries like:

-- Nameserver not able to get its traffic back:
Jan 11 19:37:45.927: %SEC-6-IPACCESSLOGP: list 101 denied udp
xxx.xxx.xxx.10(53) -> xxx.xxx.xxx.182(3758), 1 packet

-- Hitting Yahoo by IP in browser.  Traffic not making it back:
Jan 11 19:37:55.875: %SEC-6-IPACCESSLOGP: list 101 denied tcp
66.94.230.34(80) -> xxx.xxx.xxx.182(3759), 1 packet

Note that the "xxx.xxx.xxx.182" IP is the IP that was handed to the VPN 
client, but that is ACTUALLY out on the Internet.

I have the feeling that I'm missing something dumb, but I just don't know.  
I usually feel pretty adept at these things.

For your inspection, here are the relevant portions of the config.  Also 
worth noting is that I've let the Cisco SDM write the access list parts of 
this.  I've also tried it by hand, with no success.

ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive

interface FastEthernet0/0
 description $ETH-WAN$$FW_OUTSIDE$
 ip address xxx.xxx.xxx.158 255.255.255.252
 ip access-group 101 in
 ip inspect DEFAULT100 out
 crypto map SDM_CMAP_1

interface FastEthernet0/1
 description $ETH-LAN$$FW_INSIDE$
 ip address xxx.xxx.xxx.161 255.255.255.224
 ip access-group 100 in

ip local pool SDM_POOL_1 xxx.xxx.xxx.176 xxx.xxx.xxx.183

access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip xxx.xxx.xxx.156 0.0.0.3 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 207.244.144.10 eq domain host xxx.xxx.xxx.158
access-list 101 permit udp host 207.244.153.11 eq domain host xxx.xxx.xxx.158
access-list 101 permit ip xxx.xxx.xxx.176 0.0.0.7 any
access-list 101 remark Auto generated by SDM for NTP (123) 72.36.170.170
access-list 101 permit udp host 72.36.170.170 eq ntp host xxx.xxx.xxx.158 eq ntp
access-list 101 permit ahp any host xxx.xxx.xxx.158
access-list 101 permit esp any host xxx.xxx.xxx.158
access-list 101 permit udp any host xxx.xxx.xxx.158 eq isakmp
access-list 101 permit udp any host xxx.xxx.xxx.158 eq non500-isakmp
access-list 101 deny   ip xxx.xxx.xxx.160 0.0.0.31 any
access-list 101 permit icmp any host xxx.xxx.xxx.158 echo-reply
access-list 101 permit icmp any host xxx.xxx.xxx.158 time-exceeded
access-list 101 permit icmp any host xxx.xxx.xxx.158 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log

I thank anyone for any input they've got.  Hopefully this message is not 
out of line for this mailing list.

Thanks much!

Rick Kunkel
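Editor's added example (not part of the original post or the SDM output): a small simulator of IOS extended-ACL first-match semantics, replaying the two logged packets against the static entries of access-list 101 as posted. It assumes 203.0.113 in place of the masked xxx.xxx.xxx prefix, constructs the packets from the two log lines, and models only the static entries, not the dynamic openings CBAC would add; that is exactly the layer the log lines come from, so the result shows which entry generated the `%SEC-6-IPACCESSLOGP` messages and that the pool entry (`permit ip pool any`) covers packets sourced from the pool, while nothing static permits packets destined to it.

```python
"""Replay logged packets against the static entries of IOS ACL 101.

Added example; assumes 203.0.113 for the masked prefix in the post and
models static access-list entries only (no CBAC dynamic openings).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"domain": 53, "ntp": 123, "isakmp": 500, "non500-isakmp": 4500}


@dataclass
class Ace:
    action: str
    proto: str                  # ip matches any protocol; tcp/udp/icmp/ahp/esp
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def _wild_to_net(addr, wild):
    # IOS wildcard: 0 bits must match, 1 bits are don't-care. SDM only emits
    # contiguous wildcards, which map directly to a prefix length.
    w = int(ipaddress.IPv4Address(wild))
    if (w + 1) & w:
        raise ValueError(f"non-contiguous wildcard {wild} not supported")
    return ipaddress.IPv4Network((addr, 32 - w.bit_length()), strict=False)


def _addr(tok, i):
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    return _wild_to_net(tok[i], tok[i + 1]), i + 2


def _port(tok, i):
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_acl(text):
    """Parse 'access-list N ...' lines; remarks are skipped, ICMP types ignored."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2] == "remark":
            continue
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        aces.append(Ace(tok[2], tok[3], src, sport, dst, dport, line.strip()))
    return aces


def evaluate(aces, pkt):
    """First matching entry wins; IOS appends an implicit deny ip any any."""
    s, d = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for n, a in enumerate(aces, 1):
        if a.proto not in ("ip", pkt.proto):
            continue
        if s not in a.src or d not in a.dst:
            continue
        if a.sport is not None and a.sport != pkt.sport:
            continue
        if a.dport is not None and a.dport != pkt.dport:
            continue
        return n, a.action, a.text
    return len(aces) + 1, "deny", "implicit deny ip any any"


# Constructed: ACL 101 from the post, 203.0.113 standing in for xxx.xxx.xxx.
ACL_101 = """
access-list 101 permit udp host 207.244.144.10 eq domain host 203.0.113.158
access-list 101 permit udp host 207.244.153.11 eq domain host 203.0.113.158
access-list 101 permit ip 203.0.113.176 0.0.0.7 any
access-list 101 permit udp host 72.36.170.170 eq ntp host 203.0.113.158 eq ntp
access-list 101 permit ahp any host 203.0.113.158
access-list 101 permit esp any host 203.0.113.158
access-list 101 permit udp any host 203.0.113.158 eq isakmp
access-list 101 permit udp any host 203.0.113.158 eq non500-isakmp
access-list 101 deny   ip 203.0.113.160 0.0.0.31 any
access-list 101 permit icmp any host 203.0.113.158 echo-reply
access-list 101 permit icmp any host 203.0.113.158 time-exceeded
access-list 101 permit icmp any host 203.0.113.158 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
"""

# Constructed from the two log lines in the post (same address substitution).
LOGGED_PACKETS = [
    Packet("udp", "203.0.113.10", "203.0.113.182", 53, 3758),
    Packet("tcp", "66.94.230.34", "203.0.113.182", 80, 3759),
]

if __name__ == "__main__":
    aces = parse_acl(ACL_101)
    # The client's own (decrypted) DNS query, sourced from the pool, for contrast.
    outbound = Packet("udp", "203.0.113.182", "203.0.113.10", 3758, 53)
    for p in LOGGED_PACKETS + [outbound]:
        n, action, text = evaluate(aces, p)
        print(f"{p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}: entry {n} {action}: {text}")
```

Both logged packets fall through every static entry to `deny ip any any log`, which is the entry that produced the `%SEC-6-IPACCESSLOGP` lines; the pool entry only matches when the pool address is the source. Anything that would let the replies through therefore has to come from the inspection state, which this simulator deliberately leaves out.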
