problem with mis-applied access-list on second peer-to-peer VPN
  • problem with mis-applied access-list on second peer-to-peer VPN

    Hello all:

    I'm having a problem in setting up a second peer-to-peer VPN
    on my Cisco 2811 router. The IOS Version is 12.4(3e). The
    first VPN was set up going to 199.94.56.187 (all addresses listed
    in this posting have been modified for security reasons). That one
    is working w/o a problem. But this VPN was set up by a CNA that
    no longer works for us and I've been charged with the task of setting
    up a second peer-to-peer VPN to a new business partner. Their peer is
    at 165.71.7.129. Being an old Unix Systems Admin, I only used
    the command line - no GUIs for me on Cisco gear.

    Anyway, once I got the initial configuration completed, I checked with
    the VPN administrator on the other peer and we tested our SAs.
    They worked; I got an "UP-ACTIVE" when I entered the command
    'show crypto session detail'. However, what is baffling is that
    he wasn't able to ping one of my interior servers from his
    location even though my access lists should have allowed it.
    At the end of my text is the germane portion of the 'show run'
    command on my Cisco 2811. Notice that the new VPN uses
    access list 112 for its incoming traffic, which allows all traffic to my
    interior server that he tried to ping. This is also the same access list
    that the first VPN uses, but I've seen no errors indicating this is an
    improper configuration so I left it in place. So, after the remote
    peer at 165.71.7.129 started its crypto engine, I captured the
    screen output from the various 'debug crypto' statements. When I
    examined that output, I found the following line just below:

    Feb 11 17:27:50.721: %SEC-6-IPACCESSLOGDP: list 111 denied icmp 165.71.7.130 North-VPN-realtime-crypto0 -> 295.399.771.170 (8/0), 1 packet

    As you can see, access list 111 appears to be in use for incoming traffic
    on this VPN and it denies all ICMP traffic to my interior server. What
    is baffling is that access list 111 is only used for our remote-access
    VPN. I never applied it to the new peer-to-peer VPN and have no idea
    as to how it managed to block the traffic on this VPN.

    Does anyone have any advice for me?

    Thanks in advance.

    K. Olson.
    -----------------------------------------------------------------------------------------------------

    crypto logging session
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key 6 a\bUVfB^HcRN`HaR^Ec\RENULKbJ\OBZNIAHB`eYf]LLC address 199.94.56.187 no-xauth
    crypto isakmp key 6 OCiCPcERLXOCQ\`NFaaQFTAMePMeacChJNBdILNBZQcKe address 165.71.7.129 no-xauth
    crypto isakmp xauth timeout 15

    !
    crypto isakmp client configuration group FDCI
    key 6 I[RHITPgiPBBBI`dge[gLfQfNDJFEHZZCee`FZfQEcdgX
    dns 295.399.71.170 295.399.771.165
    wins 295.399.771.170 295.399.771.165
    domain xyz-incorporated.com
    pool SDM_POOL_1
    acl 101
    include-local-lan
    split-dns xyz-incorporated.com
    split-dns ABC-widgets.com
    max-users 6
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto dynamic-map SDM_DYNMAP_1 1
    set ip access-group 111 in
    set security-association lifetime seconds 13500
    set security-association idle-time 3600
    set transform-set ESP-3DES-SHA
    reverse-route
    !
    !
    crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
    crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
    crypto map SDM_CMAP_1 client configuration address respond
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    description Tunnel to ABC-widgets
    set peer 199.94.56.187
    set ip access-group 112 in
    set transform-set ESP-3DES-SHA
    match address 100
    crypto map SDM_CMAP_1 2 ipsec-isakmp
    description Tunnel to our new business partner's network
    set peer 165.71.7.129
    set ip access-group 112 in
    set transform-set ESP-3DES-SHA
    match address 110
    crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
    !
    !
    interface FastEthernet0/0
    description Outside Firewall Interface
    ip address 295.399.771.6 255.255.255.252
    ip access-group 102 in
    ---------------------------------------------------------------end of post.

  • #2
    Re: problem with mis-applied access-list on second peer-to-peer VPN

    And what does your ACL look like?
    At first glance I would review if ICMP is allowed...
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: problem with mis-applied access-list on second peer-to-peer VPN

      Marcel:

      I've included the contents of my access-list 111 (below). I've changed the values of the first 3 octets for security purposes. The last set of octets (151 thru 156) are accurate. They are assigned by DHCP running on the router (Cisco 2811) to home computers from our remote users on our remote-access VPN. The network engineer who set this up (no longer works here now) told me that this access-list allows all of the addresses allowed below to access all addresses in our network and go over the existing peer-to-peer VPN to ABC-widgets. This part does indeed work correctly. I tested from home yesterday and was able to connect. That peer-to-peer VPN uses access-list 100 for its interesting traffic list (see below) and also uses access-list 112 to decrypt traffic from ABC-widgets. Then, that decrypted traffic is checked against our main access-list 102, also listed below.

      What is baffling is why access-list 111 is even being used when I try to test traffic coming in from the new business partner VPN. I tried it again today and it's still being consulted, which results in traffic from the new peer-to-peer VPN getting blocked. I got the lines below in my debug output. You can see their peer VPN router (165.71.7.12) is permitted by access-list 102 (the security SAs seem to set up just fine) but then the desktop PC (138.83.144.120) in their internal network is denied by our access-list 111. But access 111 isn't even assigned to this VPN so I'm confused as to why it's showing up in my debug output when the desktop PC 138.83.144.120 enters from this new VPN. I've set up my configuration on the new VPN to use access lists 112 and 110 but those lists don't appear to be seen by the new VPN connection: instead the IOS is consulting access list 111 and I don't know why.

      It seems as though I've got a bad configuration, but where?

      Feb 15 15:50:46.938: %SEC-6-IPACCESSLOGP: list 102 permitted udp 165.71.7.129 -> 295.399.771.6(500), 4 packets
      Feb 15 15:50:46.938: %SEC-6-IPACCESSLOGDP: list 111 denied icmp 138.83.144.120 -> 295.399.771.170 (0/0), 51 packets
      Feb 15 15:51:05.275: ISAKMP (0:134217734): received packet from 165.71.7.129 dport 500 sport 500 Global (R) QM_IDLE
      Feb 15 15:51:05.275: ISAKMP: set new node -892414134 to QM_IDLE
      Feb 15 15:51:05.275: CryptoEngine0: generate hmac context for conn id 6f
      Thank you for your help.

      -K. Olson.

      --------------------------------------------------------------------------------------------------
      fdcr2#show access-list 111
      Extended IP access list 111 (Compiled)
      10 permit ip host 295.399.771.151 any log (234 matches)
      20 permit ip host 295.399.771.152 any log (2912 matches)
      30 permit ip host 295.399.771.153 any log (117 matches)
      40 permit ip host 295.399.771.154 any log
      50 permit ip host 295.399.771.155 any log
      60 permit ip host 295.399.771.156 any log
      70 deny ip any any log (74 matches)
      fdcr2#
      fdcr2#show access-list 100
      Extended IP access list 100 (Compiled)
      10 permit ip 295.399.771.0 0.0.0.255 host 138.83.17.152 (258 matches)
      20 permit ip 295.399.771.0 0.0.0.255 host 138.83.17.153 (232 matches)
      30 permit ip 295.399.771.0 0.0.0.255 host 138.83.17.154 (194 matches)
      40 permit ip 295.399.771.0 0.0.0.255 host 138.83.17.155 (194 matches)
      50 permit ip 295.399.771.0 0.0.0.255 host 138.83.17.156 (203 matches)
      60 permit ip 295.399.771.0 0.0.0.255 host 138.83.133.53
      70 permit ip 295.399.771.0 0.0.0.255 host 138.83.139.10 (7 matches)
      80 permit ip 295.399.771.0 0.0.0.255 host 138.83.139.87 (5 matches)
      90 permit ip 295.399.771.0 0.0.0.255 host 138.83.168.25 (26 matches)
      100 permit ip 295.399.771.0 0.0.0.255 host 138.83.168.84 (7 matches)
      110 permit ip 295.399.771.0 0.0.0.255 host 138.83.176.1 (4 matches)
      120 permit ip 295.399.771.0 0.0.0.255 host 138.83.179.131 (7 matches)
      130 permit ip 295.399.771.0 0.0.0.255 host 148.131.27.31 (7 matches)
      140 permit ip 295.399.771.0 0.0.0.255 host 148.131.27.33 (7 matches)
      150 permit ip 295.399.771.0 0.0.0.255 host 148.132.96.170 (7 matches)
      160 deny ip host 295.399.771.84 host 159.161.33.58 log
      170 permit ip 295.399.771.0 0.0.0.255 159.161.33.0 0.0.0.255 (1582127 matches)
      180 permit ip 295.399.771.0 0.0.0.255 host 138.83.144.129 (7 matches)
      190 permit ip 295.399.771.0 0.0.0.255 host 138.83.144.147 (7 matches)
      200 permit ip 295.399.771.0 0.0.0.255 host 138.83.144.165 (7 matches)
      fdcr2#
      fdcr2#show access-list 102
      Extended IP access list 102
      10 permit icmp 295.399.771.4 0.0.0.3 295.399.771.0 0.0.0.255 (27 matches)
      20 deny ip 295.399.771.0 0.0.0.255 any log
      30 deny ip host 0.0.0.0 any log
      40 deny ip 127.0.0.0 0.255.255.255 any log
      50 deny ip 192.0.2.0 0.0.0.255 any log
      60 deny ip 224.0.0.0 31.255.255.255 any log
      70 deny ip 10.0.0.0 0.255.255.255 any log (31 matches)
      80 deny ip 172.16.0.0 0.15.255.255 any log
      90 deny ip 192.168.0.0 0.0.255.255 any log
      100 deny ip host 63.251.178.10 any log
      110 deny ip host 63.251.178.14 any log
      120 deny ip host 63.251.178.18 any log
      130 deny ip host 63.251.178.26 any log
      140 deny ip host 63.251.178.30 any log
      150 deny ip host 206.253.195.6 any log
      160 deny ip host 206.253.195.10 any log
      170 deny ip host 206.253.195.14 any log
      180 deny ip host 206.253.195.22 any log
      190 deny ip host 206.253.195.26 any log
      200 deny ip 41.0.0.0 0.255.255.255 any log (754 matches)
      210 deny ip 154.0.0.0 0.255.255.255 any log (1 match)
      220 deny ip 196.0.0.0 0.255.255.255 any log (320 matches)
      230 deny ip 197.0.0.0 0.255.255.255 any log
      240 deny ip 186.0.0.0 0.255.255.255 any log (397 matches)
      250 deny ip 187.0.0.0 0.255.255.255 any log (885 matches)
      260 deny ip 189.0.0.0 0.255.255.255 any log (1397 matches)
      270 deny ip 190.0.0.0 0.255.255.255 any log (2974 matches)
      280 deny ip 200.0.0.0 0.255.255.255 any log (1755 matches)
      290 deny ip 201.0.0.0 0.255.255.255 any log (1687 matches)
      300 deny ip 113.62.0.0 0.1.255.255 any log
      310 deny ip 113.64.0.0 0.63.255.255 any log (21 matches)
      1030 deny ip 61.128.0.0 0.31.255.255 any (348 matches)
      1050 deny ip 217.224.0.0 0.7.255.255 any (69 matches)
      1060 deny ip 201.128.0.0 0.63.255.255 any
      1080 deny ip 61.72.0.0 0.7.255.255 any (21 matches)
      1090 deny ip 61.80.0.0 0.3.255.255 any
      1100 deny ip 61.84.0.0 0.1.255.255 any (25 matches)
      1110 deny ip 222.64.0.0 0.15.255.255 any (28 matches)
      1120 deny ip 222.16.0.0 0.15.255.255 any
      1130 deny ip 222.32.0.0 0.31.255.255 any (104 matches)
      1140 deny ip 222.64.0.0 0.31.255.255 any (3 matches)
      1330 deny ip 86.107.0.0 0.0.255.255 any (18 matches)
      1340 deny ip 124.112.0.0 0.7.255.255 any (1322 matches)
      1350 deny ip 59.0.0.0 0.31.255.255 any (193 matches)
      1410 deny ip 61.48.0.0 0.7.255.255 any (36 matches)
      1420 deny ip 203.224.0.0 0.31.255.255 any (153 matches)
      1430 deny ip 221.0.0.0 0.7.255.255 any (25 matches)
      1460 deny ip 221.12.128.0 0.0.63.255 any
      1470 permit esp host 192.76.84.199 host 295.399.771.6 (819869 matches)
      1480 permit udp host 192.76.84.199 host 295.399.771.6 eq isakmp (651 matches)
      1490 permit tcp any host 295.399.771.169 eq www (318 matches)
      1500 permit tcp any host 295.399.771.170 eq domain (824 matches)
      1510 permit udp any host 295.399.771.170 eq domain (21106 matches)
      1520 permit tcp any host 295.399.771.170 eq smtp (45270 matches)
      1530 permit tcp any host 295.399.771.177 eq smtp (111401 matches)
      1540 permit tcp any host 295.399.771.177 eq www (3787 matches)
      1550 permit tcp any host 295.399.771.184 eq www (3 matches)
      1560 permit tcp any host 295.399.771.184 eq 443
      1570 permit tcp any host 295.399.771.169 range ftp-data ftp log (2 matches)
      1580 permit tcp any host 295.399.771.174 eq www (141054 matches)
      1590 permit tcp any host 295.399.771.174 eq 443 (8302 matches)
      1600 permit tcp any host 295.399.771.174 range ftp-data ftp log (514 matches)
      1610 permit tcp any host 295.399.771.180 eq www (68 matches)
      1620 permit tcp any host 295.399.771.180 eq 443 (12 matches)
      1630 permit tcp any host 295.399.771.180 range ftp-data ftp log (13384 matches)
      1640 permit tcp any host 295.399.771.181 eq www (28 matches)
      1650 permit tcp any host 295.399.771.181 eq 443 (26 matches)
      1660 permit tcp any host 295.399.771.181 range ftp-data ftp log (7 matches)
      1670 permit tcp any host 295.399.771.6 eq 1723 log
      1680 permit udp any host 295.399.771.6 eq isakmp log (133 matches)
      1690 permit esp any host 295.399.771.6 (11396 matches)
      1700 permit tcp any host 295.399.771.165 eq domain
      1710 permit udp any host 295.399.771.165 eq domain (802 matches)
      1720 permit udp any host 295.399.771.165 eq syslog
      1730 permit icmp any 295.399.771.4 0.0.0.3 (2554 matches)
      1740 permit icmp any 295.399.771.64 0.0.0.63 (67 matches)
      1750 permit icmp any 295.399.771.128 0.0.0.31
      1760 permit icmp any 295.399.771.160 0.0.0.31 (1616 matches)
      1770 permit udp host 204.34.198.40 any eq ntp (2070 matches)
      1780 permit udp host 204.34.198.41 any eq ntp (2061 matches)
      1790 permit udp host 128.138.140.44 any eq ntp
      1800 permit udp host 128.138.188.172 any eq ntp
      1810 permit udp host 132.163.4.103 any eq ntp
      1820 permit tcp any host 295.399.771.6 eq telnet log (8410 matches)
      1830 permit tcp any host 295.399.771.175 eq telnet log (28 matches)
      1840 deny ip any 295.399.771.0 0.0.0.255 log (13620 matches)
      1850 deny ip any any log
      fdcr2#
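The %SEC-6-IPACCESSLOGDP lines above name the list and the source/destination pair but not the entry that fired. The following is an added example, not code from the thread: a small Python matcher for the `show access-list` output format shown above that reports which sequence number a given packet would hit (or the implicit deny at the end of the list). The ACL text, the addresses and the PORTS service-name map are constructed samples; only `eq` port qualifiers are evaluated.

```python
import re
from ipaddress import IPv4Address
# Constructed sample in the thread's "show access-list" format (documentation addresses, not the post's).
ACL_111 = """Extended IP access list 111 (Compiled)
10 permit ip host 203.0.113.151 any log (234 matches)
70 deny ip any any log (74 matches)"""
ACL_102 = """Extended IP access list 102
10 permit icmp 203.0.113.4 0.0.0.3 203.0.113.0 0.0.0.255 (27 matches)
1500 permit tcp any host 203.0.113.170 eq domain (824 matches)
1760 permit icmp any 203.0.113.160 0.0.0.31 (1616 matches)
1850 deny ip any any log"""
PORTS = {"domain": 53, "www": 80, "smtp": 25, "isakmp": 500}  # partial IOS service-name map (assumed)

def _addr(toks):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return ((network, wildcard), rest)."""
    if toks[0] == "any":
        return (0, 0xFFFFFFFF), toks[1:]
    if toks[0] == "host":
        return (int(IPv4Address(toks[1])), 0), toks[2:]
    return (int(IPv4Address(toks[0])), int(IPv4Address(toks[1]))), toks[2:]

def _port(toks):  # optional 'eq NAME|NUMBER' qualifier -> (port | None, rest)
    if toks and toks[0] == "eq":
        return (int(toks[1]) if toks[1].isdigit() else PORTS[toks[1]]), toks[2:]
    return None, toks

def parse_acl(text):
    """Parse ACE lines into (seq, action, proto, src, dst, dport); headers, prompts, 'log' and hit counters are ignored."""
    aces = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.*)", line)
        if not m:
            continue
        seq, action, proto, rest = m.groups()
        toks = re.sub(r"\(\d+ match(?:es)?\)|\blog\b", "", rest).split()
        src, toks = _addr(toks)
        _, toks = _port(toks)  # source-port qualifier: consumed, not evaluated
        dst, toks = _addr(toks)
        aces.append((int(seq), action, proto, src, dst, _port(toks)[0]))
    return aces

def _hit(addr, spec):  # Cisco wildcard match: a 1 bit in the wildcard means "don't care"
    return ((int(IPv4Address(addr)) ^ spec[0]) & (~spec[1] & 0xFFFFFFFF)) == 0

def evaluate(acl_text, proto, src, dst, dport=None):
    """Return (seq, action) of the first ACE the packet hits; (None, 'deny') is the implicit deny."""
    for seq, action, ace_proto, s, d, dp in parse_acl(acl_text):
        if ace_proto in ("ip", proto) and _hit(src, s) and _hit(dst, d) and dp in (None, dport):
            return seq, action
    return None, "deny"
```

Feeding a denied packet from the debug output through `evaluate` against each list that could be applied on the path shows which entry of which list is actually the one blocking it.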
