Remote access fun with Cisco 837 and locally auth'd Cisco VPN client

Hi Folks,

Through a fair amount of googling, usenet trawling and blind hacking I've managed to get a Cisco 837 connected to the net. I'm now able to browse the net 100% and the router has several port forwards set up to expose a webserver along with RDP and Windows VPN services from a Win2k3 server. Now... while all of those work, just having Windows VPN and RDP ports exposed to the world at large isn't that secure. I'd prefer to use the 837's VPN capabilities to access internal LAN resources securely from anywhere on the net when I'm in the office or away travelling.

My ISP (Nildram in the UK) allocates the router a static IP address by DHCP. The LAN IP range is 192.168.16.1 255.255.255.0 with the router on 192.168.16.1. The Win2k3 server that I need to access is 192.168.16.250 and a LAN connected laptop has a static DHCP allocation (from the Win2k3 server) of 192.168.16.10. I'm testing remote access with the Cisco v4.6.00 (0045) VPN client for Macintosh by dialing the internet on another laptop that's not connected to the internal LAN.

With my current running configuration I can connect from anywhere on the web and authenticate as a local user with the 837. Once auth'd the VPN client is allocated an IP from the VPN pool. From the VPN connected laptop I can ping any address on the LAN and any other machine on the LAN can ping the IP the VPN client has been allocated. However I cannot access resources via all protocols on all machines. This part appears inconsistent and is what has me thoroughly baffled. E.g. from the VPN client I can mount SMB shares on 192.168.16.250 but cannot see the webserver (:80) on the same IP. From the LAN laptop I can see the webserver on the VPN client (192.168.17.x:80). However the VPN client can't see the webserver on the LAN laptop (192.168.16.10:80).

This is my first ever contact with Cisco gear and my first experience with a real router. I have a suspicion that the answer is somehow related to NAT forwarding and the access-lists, but this being my first encounter with them, my brain's glazed over. Can anyone spot the problem?

sh version reports: IOS (tm) C837 Software (C837-K9O3Y6-M), Version 12.2(13)ZH4

Config (security edited) is cut/pasted below:

!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxx
!
logging queue-limit 100
no logging buffered
enable secret 5 xxxx
!
username xxxx password 7 xxxx
username xxxx password 7 xxxx
username xxxx password 7 xxxx
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group xxxx
 key 0 xxxx
 dns 192.168.16.250
 wins 192.168.16.250
 pool vpnpool
 acl 106
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
 ip address 192.168.16.1 255.255.255.0
 ip access-group 102 in
 ip nat inside
 no ip mroute-cache
 crypto map clientmap
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface Dialer1
 ip address negotiated
 ip access-group 101 in
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname snipped-for-privacy@xxxx.co.uk
 ppp chap password 7 xxxx
 ppp pap sent-username snipped-for-privacy@xxxx.co.uk password 7 xxxx
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map clientmap
 hold-queue 224 in
!
ip local pool vpnpool 192.168.17.1 192.168.17.10
ip nat inside source list 105 interface Dialer1 overload
ip nat inside source static tcp 192.168.16.250 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.16.250 80 interface Dialer1 80
ip nat inside source static tcp 192.168.16.250 1723 interface Dialer1 1723
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
access-list 1 remark The local LAN
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 2 remark Where management can be done from
access-list 2 permit 192.168.16.0 0.0.0.255
access-list 2 permit 192.168.17.0 0.0.0.255
access-list 101 remark Traffic allowed to enter router from Internet
access-list 101 permit ip any any
access-list 101 permit ip 192.168.16.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 101 permit ip 192.168.17.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 1723
access-list 101 permit udp any any eq isakmp
access-list 101 permit tcp any any eq 10000
access-list 101 permit gre any any
access-list 101 deny ip any any
access-list 102 remark Traffic allowed to enter router from Ethernet
access-list 102 permit ip any any
access-list 105 remark Traffic to NAT
access-list 105 deny ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 105 deny ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 105 permit ip 192.168.16.0 0.0.0.255 any
access-list 105 permit ip 192.168.17.0 0.0.0.255 any
access-list 106 remark User to Site VPN clients
access-list 106 permit ip 192.168.16.0 0.0.0.255 any
access-list 106 permit ip 192.168.17.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class 2 in
 exec-timeout 120 0
 length 0
!
scheduler max-task-time 5000
!
end

Obviously if there's any other screwups I've made (things that are in that should be out and vice versa) I'd be more than happy to have them pointed out!

-- Christian
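One of the "things that should be out" is visible from the posted config alone: access-list 101, applied inbound on Dialer1, starts with "permit ip any any", so IOS first-match evaluation never reaches the nine entries below it, including the final deny. The Internet-facing filter is effectively open. The following script is an added check, not part of Christian's post or of anything Cisco ships: it parses the extended ACL syntax used in the post, evaluates packets first-match with the implicit deny at the end, and flags shadowed entries. The sample packets, the 203.0.113.x / 198.51.100.x addresses standing in for "some host on the Internet" and the router's Dialer1 address, and the "hardened" list (the post's ACL 101 with the blanket permit removed and entries for ESP and UDP 4500 added, which an IPsec client needs once the blanket permit is gone) are all constructed here.

```python
"""First-match evaluator for IOS numbered extended access-lists (added example).

Models how the 837 evaluates ACL 101 from the post: entries are walked top to
bottom, the first match decides, and an unmatched packet hits the implicit deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "isakmp": 500}   # the named ports that appear in the post


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp", "udp", "gre", "esp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None     # destination port from "eq N"; None = any port


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _wildcard_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS address + wildcard mask -> network (the wildcard is the inverted mask)."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _take_addr(toks: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec ('any', 'host A', or 'A WILDCARD') at toks[i]."""
    if toks[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.IPv4Network(toks[i + 1] + "/32"), i + 2
    return _wildcard_net(toks[i], toks[i + 1]), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT]' lines; remarks skipped."""
    aces: List[Ace] = []
    for line in text.strip().splitlines():
        toks = line.split()
        if toks[2] == "remark":
            continue
        action, proto = toks[2], toks[3]
        src, i = _take_addr(toks, 4)
        dst, i = _take_addr(toks, i)
        dport = None
        if i + 1 < len(toks) and toks[i] == "eq":
            dport = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding entry); ('deny', None) is the implicit deny."""
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for idx, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, idx
    return "deny", None


def shadowed_entries(acl: List[Ace]) -> List[int]:
    """Indexes of entries that can never match because an earlier entry covers them."""
    dead = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (earlier.proto in ("ip", later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                dead.append(j)
                break
    return dead


# ACL 101 exactly as posted (inbound on Dialer1).
ACL_101_TEXT = """
access-list 101 remark Traffic allowed to enter router from Internet
access-list 101 permit ip any any
access-list 101 permit ip 192.168.16.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 101 permit ip 192.168.17.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 1723
access-list 101 permit udp any any eq isakmp
access-list 101 permit tcp any any eq 10000
access-list 101 permit gre any any
access-list 101 deny ip any any
"""

# Constructed variant: blanket permit removed, ESP and UDP 4500 (NAT-T) allowed
# so the IPsec client still works without the open first entry.
HARDENED_101_TEXT = """
access-list 101 permit ip 192.168.16.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 101 permit ip 192.168.17.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 1723
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq 4500
access-list 101 permit esp any any
access-list 101 permit tcp any any eq 10000
access-list 101 permit gre any any
access-list 101 deny ip any any
"""

# Constructed sample packets: 203.0.113.9 is "some Internet host", 198.51.100.20
# stands in for the router's negotiated Dialer1 address.
TELNET_FROM_INTERNET = Packet("tcp", "203.0.113.9", "198.51.100.20", 23)
IKE_FROM_CLIENT = Packet("udp", "203.0.113.9", "198.51.100.20", 500)
ESP_FROM_CLIENT = Packet("esp", "203.0.113.9", "198.51.100.20")

if __name__ == "__main__":
    posted, hardened = parse_acl(ACL_101_TEXT), parse_acl(HARDENED_101_TEXT)
    print("posted ACL, telnet from Internet:", evaluate(posted, TELNET_FROM_INTERNET))
    print("posted ACL, shadowed entries:", shadowed_entries(posted))
    print("hardened ACL, telnet from Internet:", evaluate(hardened, TELNET_FROM_INTERNET))
    print("hardened ACL, ESP from client:", evaluate(hardened, ESP_FROM_CLIENT))
```

Run against the posted list, every entry after the first is reported as shadowed and a telnet probe from the Internet is permitted by entry 0; against the constructed list the same probe falls through to the explicit deny while IKE (UDP 500) and ESP are still admitted. The two "192.168.16.0 ... 192.168.16.0" and "192.168.17.0 ... 192.168.17.0" entries are kept from the post unchanged; whether the inbound filter on the Dialer needs to admit the decrypted 192.168.17.x-to-192.168.16.x traffic is a separate question on this IOS release and is not decided here.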
