Posted by on December 20, 2005, 10:17 am
connecting to an 1841 with a VPN tunnel endpoint on its Dialer0 interface (ADSL WIC on an ISDN line) have no trouble accessing LAN resources (file shares, Exchange mailboxes via a MAPI client, ping, etc.). However, when configuring an IMAP connection on a remote VPN client, outgoing email would not send. The strange thing is that the port 143 traffic between the client and IMAP server flows properly. It turns out that port 25 traffic correctly flows from the client to the SMTP server, but that return traffic from the server to the client does not flow back through the VPN tunnel. Instead it routes back out through the public IP address. Can anyone offer a suggestion? (And please feel free to comment on the config in general, i.e. unnecessary ACL entries, etc.)

The VPN address pool is 10.10.10.0/24. The LAN subnet is 10.0.0.0/24. Host 10.0.0.209 is the SMTP server. xxx.xxx.xxx.xxx is the public IP address on Dialer0. The packet trace and startup-config follow:

<snort trace>
12/16-07:14:47.757578 10.10.10.17:3753 -> 10.0.0.209:25
******S* Seq: 0x65389798 Ack: 0x0 Win: 0x8000 TcpLen: 28
TCP Options (4) => MSS: 1260 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/16-07:14:47.845437 xxx.xxx.xxx.xxx:25 -> 10.10.10.17:3753
TCP TTL:127 TOS:0x0 ID:23397 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x4AE8EFC0 Ack: 0x65389799 Win: 0x44E8 TcpLen: 28
TCP Options (4) => MSS: 1452 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
</snort trace>
version 12.3
no service pad
service timestamps debug datetime
service timestamps log datetime
service password-encryption
sntp server yyy.yyy.yyy.yyy
clock timezone WET +1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret *****
username admin privilege 15 password *****
!
!
!
! <nat config>
ip nat inside source list 110 interface dialer0 overload
! <addresses>
!
!
! <port forwarding> incoming session-initiating packets
ip nat inside source static tcp 10.0.0.209 25 interface dialer0 25 ! exchange smtp virtual server
ip nat inside source static tcp 10.0.0.209 80 interface dialer0 80 ! exchange owa access
ip nat inside source static tcp 10.0.0.209 443 interface dialer0 443 ! exchange owa access - ssl
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload ! crypto
!
! <ip - miscellaneous>
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip subnet-zero
ip local pool myvpnippool 10.10.10.1 10.10.10.255
ip name-server zzz.zzz.zzz.10 zzz.zzz.zzz.253
ip domain-lookup
ip domain-name corp.*******.org
ip tftp source-interface Dialer0
no ip finger
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
no ip source-route
ip cef
ip tcp synwait-time 10
ip ips po max-events 100
no ip bootp server
ip ssh time-out 60
ip ssh authentication-retries 2
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no ftp-server write-enable
logging trap debugging
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 110
!
aaa new-model
aaa authentication login aaa-authenticated local
aaa authorization network aaa-authorized local
!
! <internet security association and key management protocol - isakmp>
! <policy for vpn client phase I negotiations>
crypto isakmp policy 1
 encryption aes 256
 hash md5
 authentication pre-share
 group 2
 lifetime 14400
crypto isakmp policy 2
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 14400
! <isakmp nat keepalives every 18 seconds>
crypto isakmp nat keepalive 18
!
! <vpn client group>
crypto isakmp client configuration group vpn-client-group
 key *****
 dns 10.0.0.208 10.0.0.209
 domain corp.*******.org
 pool myvpnippool
 acl 100
!
! <phase II policy - actual data encryption>
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! <dynamic crypto map with associated transform>
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set myset
 reverse-route
!
! <actual crypto map>
crypto map SDM_CMAP_1 client authentication list aaa-authenticated
crypto map SDM_CMAP_1 isakmp authorization list aaa-authorized
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
! <access control lists>
! <100 - vpn ip address list - referenced by the isakmp client config>
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255
!
! <110 - nat addresses - interface e1>
access-list 110 deny ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255 ! no nat for vpn
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
access-list 110 permit ip 10.10.10.0 0.0.0.255 any
!
! <120 - inbound extended acl - interface Dialer0 (ingress filter)>
! <vpn>
access-list 120 permit udp any any eq isakmp log ! port 500
access-list 120 permit udp any any eq non500-isakmp log ! port 4500 nat-t
access-list 120 permit esp any any ! protocol 50
access-list 120 permit ahp any any ! protocol 51
access-list 120 permit ip 10.10.10.0 0.0.0.255 any ! vpn address pool
! <the standard "unlikely's">
! <deny packets without ip addresses>
access-list 120 deny ip host 0.0.0.0 any log
! <deny rfc 1918 addresses - private networks>
access-list 120 deny ip 172.16.0.0 0.15.255.255 any log
access-list 120 deny ip 192.168.0.0 0.0.255.255 any log
! <deny rfc 1112 addresses - multicast (engineer) network>
access-list 120 deny ip 224.0.0.0 15.255.255.255 any log
! <broadcast (engineer) network>
access-list 120 deny ip 255.0.0.0 0.255.255.255 any log
! <localhost - loopback address>
access-list 120 deny ip 127.0.0.0 0.255.255.255 any log
! <ports and ip protocols permitted>
! <dns forwarders>
access-list 120 permit udp host zzz.zzz.zzz.10 eq 53 any ! dns
access-list 120 permit udp host zzz.zzz.zzz.253 eq 53 any ! dns2
! <smtp>
access-list 120 permit tcp any any eq 25
! <anti-spoofing - client internal addresses - rfc 1918 addresses - private networks>
access-list 120 deny ip 10.0.0.0 0.255.255.255 any log
! <https>
access-list 120 permit tcp any any eq 443
! <icmp specifics, !ping request + !ping echo>
access-list 120 permit icmp any any 3 0 log !net-unreachable
access-list 120 permit icmp any any 3 1 log !host-unreachable
access-list 120 permit icmp any any 3 3 log !port-unreachable
access-list 120 permit icmp any any 3 4 log !packet-too-big
access-list 120 permit icmp any any 3 13 log !administratively-prohibited
access-list 120 permit icmp any any 4 !source-quench
access-list 120 permit icmp any any 11 0 log !ttl-exceeded
access-list 120 permit icmp any any echo-reply
access-list 120 permit icmp any any echo
access-list 120 deny icmp any any
! <sntp>
access-list 120 permit udp host yyy.yyy.yyy.yyy eq 123 any eq 123
! <telnet>
access-list 120 deny tcp any any eq 23
access-list 120 deny udp any any eq 23
! <only ack'd packets>
access-list 120 permit tcp any any gt 1023 established
! <deny all other traffic>
access-list 120 deny ip any any log
!
! <130 - inbound extended acl - interface FastEthernet0/0 (egress filter)>
access-list 130 permit ip any 10.10.10.0 0.0.0.255 !myvpnpool
access-list 130 permit 50 any 10.10.10.0 0.0.0.255 !myvpnpool
access-list 130 permit 51 any 10.10.10.0 0.0.0.255 !myvpnpool
access-list 130 permit ip 10.0.0.0 0.0.0.255 any
!<icmp filtering>
access-list 130 deny icmp any any parameter-problem log-input
access-list 130 deny icmp any any reassembly-timeout log-input
access-list 130 deny icmp any any port-unreachable log-input
access-list 130 permit icmp any any
!<deny all other traffic>
access-list 130 deny ip any any log-input
!
! <outbound cbac commands - interface Dialer0>
ip inspect name my-out-rules cuseeme alert on timeout 3600
ip inspect name my-out-rules ftp alert on timeout 3600
ip inspect name my-out-rules rcmd alert on timeout 3600
ip inspect name my-out-rules realaudio alert on timeout 3600
ip inspect name my-out-rules smtp alert on timeout 3600
ip inspect name my-out-rules tftp alert on timeout 30
ip inspect name my-out-rules udp alert on timeout 15
ip inspect name my-out-rules tcp alert on timeout 3600
ip inspect name my-out-rules h323 alert on timeout 3600
ip inspect name my-out-rules fragment max 100 timeout 4
!
! <cbac commands - not bound to any particular interface>
ip inspect dns-timeout 31
ip inspect tcp finwait-time 6
ip inspect tcp synwait-time 31
!
interface FastEthernet0/0
 description - secure network
 ip address 10.0.0.250 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
 hold-queue 32 in
 hold-queue 100 out
 ip access-group 130 in
 no shutdown
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface ATM0/0/0
 description adsl interface - bound by the dialer interface
 no ip address
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 hold-queue 224 in
 pvc 8/35
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 1
!
interface Dialer0
 description - internet
 ip address negotiated
 ip access-group 120 in
 ip mtu 1492
 ip nat outside
 ip inspect my-out-rules out
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname ****@****.***
 ppp chap password *****
 ppp pap sent-username ****@****.*** password *****
 crypto map SDM_CMAP_1
!
line con 0
 login authentication aaa-authenticated
 exec-timeout 120 0
 stopbits 1
line aux 0
line vty 0 4
 login authentication aaa-authenticated
 exec-timeout 120 0
 length 0
!
! <syslog server>
logging 10.0.0.180
logging sss.sss.sss.sss
logging facility local1
!
scheduler max-task-time 5000
end
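As an added illustration, not part of the post or its router config: a small Python model of the router's inside-to-outside decision for the two server replies the post describes (IMAP on 143, SMTP on 25). It assumes the IOS order in which NAT translation happens before the crypto map is matched, and that the static port entries, which carry no route-map in the posted config, translate unconditionally; the public address is a constructed stand-in for xxx.xxx.xxx.xxx.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-in for the masked public address xxx.xxx.xxx.xxx on Dialer0.
PUBLIC = "203.0.113.1"
LAN = ip_network("10.0.0.0/24")         # FastEthernet0/0 subnet
VPN_POOL = ip_network("10.10.10.0/24")  # myvpnippool

# ip nat inside source static tcp 10.0.0.209 <port> interface dialer0 <port>
# (no route-map on these entries, exactly as in the posted config)
STATIC_TCP = {("10.0.0.209", 25), ("10.0.0.209", 80), ("10.0.0.209", 443)}

def acl_110_permits(src, dst):
    """access-list 110: deny LAN -> VPN pool, permit LAN -> any, permit pool -> any."""
    s, d = ip_address(src), ip_address(dst)
    if s in LAN and d in VPN_POOL:
        return False
    return s in LAN or s in VPN_POOL

def acl_100_matches(src, dst):
    """access-list 100, the crypto map's interesting traffic: LAN -> VPN pool."""
    return ip_address(src) in LAN and ip_address(dst) in VPN_POOL

def forward(src, sport, dst):
    """Model one packet leaving via Dialer0: (source after NAT, matched by crypto map).

    Assumed IOS inside-to-outside order: NAT translation first, then the
    crypto map is matched against the already-translated packet.
    """
    if (src, sport) in STATIC_TCP:
        src_nat = PUBLIC   # static entry: translated unconditionally
    elif acl_110_permits(src, dst):
        src_nat = PUBLIC   # dynamic overload NAT gated by ACL 110
    else:
        src_nat = src      # ACL 110 denies LAN -> pool, so left untranslated
    return src_nat, acl_100_matches(src_nat, dst)

def compare_replies(client="10.10.10.17"):
    """The two server replies from the post: IMAP (works) and SMTP (does not)."""
    return {
        "imap_reply": forward("10.0.0.209", 143, client),
        "smtp_reply": forward("10.0.0.209", 25, client),
    }

if __name__ == "__main__":
    for name, (src_nat, via_tunnel) in compare_replies().items():
        print(f"{name}: source after NAT={src_nat}, matches crypto ACL={via_tunnel}")
```

In this model the SMTP reply leaves with the public source address and so no longer matches ACL 100, which is the pattern the second trace packet shows; whether the router really takes that path is something to confirm on the box (for example with `show ip nat translations`) rather than assume.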

*some* return traffic not going through vpn tunnel (although not all)