Terminating IPSec behind a Cisco 857


  • Terminating IPSec behind a Cisco 857

    Hi,

    I'm pretty new to Ciscos. The Cisco 857 is used to set up an ADSL connection. Behind the Cisco we have a firewall. This firewall also terminates IPSec connections. I would like to set up IPSec connections from the outside through the Cisco to the firewall.

    When I try to set up a connection from a remote location and I monitor the firewall's external interface with tcpdump, I do not see any port 500 or port 4500 traffic. When I set up a telnet to the public IP on port 500 or on port 4500, I do see traffic on the firewall's interface.

    Should I make some additions to the Cisco? Or can I define a host where ALL traffic is redirected to?

    Hope someone has experience with this IPSec issue and can give me some advice.

    cheers

    Ivo

  • #2
    Re: Terminating IPSec behind a Cisco 857

    It may not work, but try the IP NAT INSIDE commands to NAT traffic from the public interface (Di0 for instance) to the relevant interface on the firewall inside the network.

    This example is how I would NAT port 80 from the public IP address on the router to the IP address of an internal server:

    ip nat inside source static tcp 192.168.10.15 80 209.85.227.147 80

    (or at least it's something similar to that, I'm working off the top of my head here)

    What happens then is, the traffic hits port 80 on the router, which says "oh, you belong inside the network" and then forwards it to port 80 on the web server.
    You may need more configuration than I've actually specified here, again, I'm not in front of my example...

    You'd need to use the relevant ports to forward however, and the relevant protocols.



    • #3
      Re: Terminating IPSec behind a Cisco 857

      Sounds like the inbound acl on the 857 is blocking that traffic. I would check that ACL and open ports as needed.
      CCNA, CCNA-Security, CCNP
      CCIE Security (In Progress)



      • #4
        Re: Terminating IPSec behind a Cisco 857

        Originally posted by auglan:
        Sounds like the inbound acl on the 857 is blocking that traffic. I would check that ACL and open ports as needed.

        This is what's in my config:

        no ip nat service sip tcp port 5060
        no ip nat service sip udp port 5060
        ip nat inside source list 101 interface Dialer1 overload
        ip nat inside source static esp 192.168.17.253 interface Dialer1
        ip nat inside source static tcp 192.168.17.253 22 212.121.102.108 22 extendable
        ip nat inside source static tcp 192.168.17.1 25 212.121.102.108 25 extendable
        ip nat inside source static tcp 192.168.17.253 443 212.121.102.108 443 extendable
        ip nat inside source static tcp 192.168.17.253 500 212.121.102.108 500 extendable
        ip nat inside source static udp 192.168.17.253 500 212.121.102.108 500 extendable
        ip nat inside source static tcp 192.168.17.253 1200 212.121.102.108 1200 extendable
        ip nat inside source static tcp 192.168.17.253 1300 212.121.102.108 1300 extendable
        ip nat inside source static tcp 192.168.17.1 1723 212.121.102.108 1723 extendable
        ip nat inside source static tcp 192.168.17.1 3389 212.121.102.108 3389 extendable
        ip nat inside source static tcp 192.168.17.253 4500 212.121.102.108 4500 extendable
        ip nat inside source static udp 192.168.17.253 4500 212.121.102.108 4500 extendable
        !
        access-list 23 remark TTY security
        access-list 23 permit 212.238.217.29
        access-list 23 permit 192.168.17.0 0.0.0.255
        access-list 23 permit 212.241.0.0 0.0.255.255
        access-list 23 permit 213.144.0.0 0.0.255.255
        access-list 23 permit 172.31.255.0 0.0.0.255
        access-list 101 permit ip 192.168.17.0 0.0.0.255 any
        access-list 101 permit esp any any
        access-list 101 permit udp any any
        dialer-list 1 protocol ip permit
        dialer-list 2 protocol ip permit

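As an added example (not part of the thread), a small Python check of the static NAT entries posted in #4: it parses the `ip nat inside source static` lines and reports which of the mappings an IPsec gateway behind static NAT needs (UDP/500 for IKE, UDP/4500 for NAT-T, and the ESP protocol) are not mapped to the firewall's inside address. The config text is embedded as constructed sample input copied from the post, and the gateway address 192.168.17.253 is the one the thread names.

```python
import re
from collections import namedtuple

# Static NAT lines as pasted in post #4 (constructed sample input for this
# example; copied from the thread, not read from a live router).
ROUTER_CONFIG = """\
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static esp 192.168.17.253 interface Dialer1
ip nat inside source static tcp 192.168.17.253 22 212.121.102.108 22 extendable
ip nat inside source static tcp 192.168.17.1 25 212.121.102.108 25 extendable
ip nat inside source static tcp 192.168.17.253 500 212.121.102.108 500 extendable
ip nat inside source static udp 192.168.17.253 500 212.121.102.108 500 extendable
ip nat inside source static tcp 192.168.17.253 4500 212.121.102.108 4500 extendable
ip nat inside source static udp 192.168.17.253 4500 212.121.102.108 4500 extendable
"""

# What an IPsec gateway behind static NAT needs forwarded to it:
# IKE on UDP/500, NAT-T on UDP/4500, and the ESP protocol itself.
IPSEC_REQUIREMENTS = (("udp", 500), ("udp", 4500), ("esp", None))

Entry = namedtuple("Entry", "proto inside_ip inside_port")

# "ip nat inside source static <tcp|udp> <inside-local> <port> <inside-global> <port> [extendable]"
PORT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) \S+ (\d+)( extendable)?$")
# "ip nat inside source static esp <inside-local> interface <name>"
ESP_RE = re.compile(r"^ip nat inside source static esp (\S+) interface \S+$")


def parse_static_nat(config):
    """Return the static NAT entries found in an IOS config snippet."""
    entries = []
    for line in config.splitlines():
        line = line.strip()
        m = PORT_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2), int(m.group(3))))
            continue
        m = ESP_RE.match(line)
        if m:
            entries.append(Entry("esp", m.group(1), None))
    return entries


def missing_ipsec_forwards(config, gateway_ip):
    """List the (proto, port) requirements not statically mapped to gateway_ip."""
    present = {(e.proto, e.inside_port) for e in parse_static_nat(config)
               if e.inside_ip == gateway_ip}
    return [req for req in IPSEC_REQUIREMENTS if req not in present]
```

On the posted config the check returns an empty list, which agrees with the later replies: the NAT mappings for IKE, NAT-T and ESP are present, so the drop has to be found elsewhere on the transit path.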


        • #5
          Re: Terminating IPSec behind a Cisco 857

          I'm assuming acl 101 is your inbound acl on the dialer interface. Can you post a

          sh run int dialer

          Also I'm assuming the firewall is 192.168.17.253? Do you see the ipsec traffic coming into the router? You can debug your inbound acl to see if it's being dropped. Just disable cef/fast switching on the router interfaces:

          int dialer 0
          no ip route-cache


          debug ip packet 101

          Depending on if you have a lot of traffic going through the router, you may want to log to the buffer etc.



          • #6
            Re: Terminating IPSec behind a Cisco 857

            Originally posted by auglan:
            I'm assuming acl 101 is your inbound acl on the dialer interface. Can you post a

            sh run int dialer

            Also I'm assuming the firewall is 192.168.17.253? Do you see the ipsec traffic coming into the router? You can debug your inbound acl to see if it's being dropped. Just disable cef/fast switching on the router interfaces:

            int dialer 0
            no ip route-cache


            debug ip packet 101

            Depending on if you have a lot of traffic going through the router, you may want to log to the buffer etc.

            The dialer is:

            User Access Verification

            Username: admin
            Password:
            STE-RTR-254#sh run int dialer
            % Incomplete command.

            STE-RTR-254#sh run int dialer ?
            <0-255> Dialer interface number

            STE-RTR-254#sh run int dialer 1
            Building configuration...

            Current configuration : 327 bytes
            !
            interface Dialer1
            ip address negotiated
            no ip redirects
            no ip unreachables
            no ip proxy-arp
            ip nat outside
            ip virtual-reassembly
            encapsulation ppp
            ip route-cache flow
            dialer pool 1
            dialer-group 1
            no cdp enable
            ppp authentication pap callin
            ppp pap sent-username dslSTES5582jz password 7 05232B22176978383251
            end

            STE-RTR-254#

            The 192.168.17.253 is the firewall that terminates IPSec.



            • #7
              Re: Terminating IPSec behind a Cisco 857

              I don't see an inbound acl on the dialer interface. You can still debug that acl for traffic passing through the router. Try initiating a vpn connection from the outside and check the debug to see what's happening.



              • #8
                Re: Terminating IPSec behind a Cisco 857

                When I turn debug on I see nothing when starting the remote VPN. When I telnet to port 500 I don't see debug info but see packets on the firewall come in.



                • #9
                  Re: Terminating IPSec behind a Cisco 857

                  Make sure that cef/fast switching is disabled on the interfaces on the 857. The router can only debug process switched packets passing through the router.

                  no ip route-cache
                  no ip route-cache cef

                  If you still don't see anything then no traffic is transiting the router specified in that acl. You can do a generic acl and debug that.

                  access-list 100 permit ip any any

                  or

                  access-list 101 permit udp any any eq 500
                  Last edited by auglan; 16th June 2010, 17:56.



                  • #10
                    Re: Terminating IPSec behind a Cisco 857

                    Both no ip route-cache commands are NOT available on the router.



                    • #11
                      Re: Terminating IPSec behind a Cisco 857

                      You are applying them under the interface, right?



                      • #12
                        Re: Terminating IPSec behind a Cisco 857

                        Yes I did but no response on screen.



                        • #13
                          Re: Terminating IPSec behind a Cisco 857

                          If you do a show run int " " do you see the command under the interface?



                          • #14
                            Re: Terminating IPSec behind a Cisco 857

                            Isn't there a command to redirect ALL traffic to the firewall behind the Cisco?



                            • #15
                              Re: Terminating IPSec behind a Cisco 857

                              You can add a static route on the 857 to push all traffic to the firewall, but the issue is some traffic is reaching it and some is not, so that tells me routing is working and there must be something blocking that other traffic. If you can telnet to the firewall from the outside (which I don't recommend - if anything use ssh) then tcp traffic is routing correctly to the firewall and tcp traffic is permitted. If there is traffic being blocked you need to know where it is being dropped in the transit path so you can adjust to allow it.
