
Cisco 1720 help with IPSec passthrough

Discussion in 'Other Cisco Equipment' started by prorules, Apr 9, 2008.

  1. prorules

    prorules Addicted to LI Member

    I would really appreciate any help in configuring a Quick VPN clients to work with the combination of a Cisco 1720 and a Linksys WRV200. I am pretty well-versed with the Linksys configurations, but I do not know anything about the 1720 and the IOS. In my case, I essentially want the WRV200 to handle the VPN traffic and have the Cisco 1720 just pass it through. I do not want to have the 1720 do any VPN work. My configuration is as follows:

    T1 internet connection to Cisco 1720
    Cisco 1720 NAT to local 192.168.100.175
    WRV200 NAT to local 192.168.23.100

    First, I wanted to make sure that Quick VPN worked with the WRV200 when it did not go through the Cisco. I tested the WRV200 configuration with Quick VPN by configuring it directly to a different DSL line, and I have proved that it works in that configuration. I originally thought that it might work with the Cisco 1720 by just configuring the 1720 to do port forwarding (in my case, forward port 60443 to 192.168.100.175). QuickVPN log.txt gives the following (my substitution of xxx):

    2008/04/09 10:08:12 [STATUS]OS Version: Windows XP
    2008/04/09 10:08:12 [STATUS]Windows Firewall is OFF
    2008/04/09 10:08:12 [STATUS]One network interface detected with IP address 192.168.1.102
    2008/04/09 10:08:12 [STATUS]Connecting...
    2008/04/09 10:08:12 [STATUS]trying to connect to remote gateway with IP address: xxx.xxx.xxx.xxx
    2008/04/09 10:08:17 [STATUS]remote gateway was reached...
    2008/04/09 10:08:17 [WARING]remote gateway not reachable...
    2008/04/09 10:08:17 [STATUS]Fail to connect!

    Like I said, I do not know anything about the Cisco 1720, and the person that configures it for use by our shared offices only knows enough to do the NAT translation to several local networks. He works with an ISP to do any configuration changes. So I am several parties removed from being able to directly configure it. However, they said that if I could determine what they needed to do, they could get it done. I did a little research on the Cisco support website, and have determined that I need to configure the 1720 to pass IPsec traffic through the router to my 192.168.100.175 network, but despite many hours of searching and reading, I can't figure out how. I know the essential issue is that I don't really understand the 1720 or IOS. So if there is anyone that can help with this, I would be very grateful.
     
  2. DocLarge

    DocLarge Super Moderator Staff Member Member

    How are you doing your port forwarding? It should look like this for starters:

    ip nat inside source static udp 192.168.1.175 500 int Ethernet0 500 (For ISAKMP)
    ip nat inside source static tcp 192.168.1.175 443 int Ethernet0 443 (Https)
    ip nat inside source static tcp 192.168.1.175 60443 int Ethernet0 60443 (Https)

    When double nat'ing (as you are doing) I could put my WRV54G behind my SMCBR18VPN router and gain access to my network with quickvpn from any outside connection. Essentially, what I had was this:

    internet cafe---internet---modem---smcbr18vpn---wrv54g---HOME_Lan (172.16.30.x)

    Quickvpn worked great. Now, I will say that using quickvpn through a Cisco router "might" require a few additional steps. I'll have to look through the pages because there was a user who did list how to configure a PIX to allow quickvpn access because the PIX blocked certain communications and I can't remember if this pertained to using quickvpn with IOS also...
     
  3. prorules

    prorules Addicted to LI Member

    Cisco 1720

    Yes, if I could do with a 1720 what you have done with the smcbr18vpn, I would be in good shape. I reviewed a lot of the Cisco support forums, and they are hard to follow if you don't really know IOS. I saw through the support forum that some commands like "permit ipsec" were being used. I don't know exactly what that does. What is hard to unravel is that many of the forums involve using a 1720 or 1721 to handle the VPN client itself, not pass through the ipsec traffic.

    I am trying to get the exact syntax we are using for the nat and port forwarding. I was in front of another workstation screen when it was configured, but I do not have a copy of it. I am working with a one-person ISP, so it is a bit tricky with some confidential information. But I should post this today.

    I am forwarding a couple of other TCP ports through the 1720, and they are working great. I have a web service set up on my local lan, and that is available to the cloud, without the vpn. I only have port 60443 forwarded to my LAN, not 443. I just chose that port for quickvpn so that other ports (like 443) could be used by other users if necessary.

    So the question is, is the 1720 blocking ipsec traffic and not forwarding to 192.168.1.175 60443? Is there some special command to allow this? I will post the nat commands when I can get them. Thanks again for your help.
     
  4. DocLarge

    DocLarge Super Moderator Staff Member Member

  5. prorules

    prorules Addicted to LI Member

    ip inspect

    So, it appears that you need an ip inspect name <policyname> <protocol> defined somewhere that you apply to your interface. So assumedly there is a policy, because I am using ftp with no problem, just need to add ipsec perhaps. Is there a difference between ipsec-msft and any other ipsec? Does this need to be applied on the T1 interface, or just the local segment? Also, is this dependent on any certain version of IOS? The 1720 is a fairly old device.
     
  6. prorules

    prorules Addicted to LI Member

    IOS Settings

    Here are the current IOS settings for the Cisco 1720 for my segment, 192.168.100.175. What we attempted to do was port forward from Serial0 (T1 to cloud) 9090 and 60443.

    !
    ip nat inside source list 102 interface Serial0 overload
    ip nat inside source static tcp 192.168.100.175 60443 interface Serial0 60443
    ip nat inside source static tcp 192.168.100.175 9090 interface Serial0 9090
    ip classless
    ip route 0.0.0.0 0.0.0.0 299.99.999.57
    no ip http server
    !


    Not much detail on interface Serial0. I think we can assume that there is no ip inspect for ipsec, nor a permit ipsec of any kind.

    So the questions I have at this point are still pretty basic.

    1) Do you have to change the definition of WAN interface Serial0 to permit ipsec? Or do you change the inside source to permit ipsec? Or both perhaps?

    2) What command should you use to permit ipsec for the Quick VPN client? "ip inspect Serial0 general ipsec-msft" is a guess on my part if you need to permit it through the WAN interface.
     
  7. DocLarge

    DocLarge Super Moderator Staff Member Member

    Apologies...

    Been out for a bit...

    Let me ask Eric (Stewart) for a better perspective because I'm not really following you (I'm known to miss the obvious sometimes) :)
     
  8. prorules

    prorules Addicted to LI Member

    Clarification

    Sorry I haven't been very clear. Let me summarize what I think I know and what questions I still have:

    1) I want to use a quick VPN client to access a WRV200 that is inside of a Cisco 1720 network:
    T1 internet connection to Cisco 1720
    Cisco 1720 NAT to local 192.168.100.175
    WRV200 NAT to local 192.168.23.100

    2) I know I need to allow ipsec to passthrough the 1720. You indicated that this requires an ip inspect IOS command. I am not familiar with exactly how ip inspect commands work and if they need to be applied to both the WAN and the local interface.

    3) I think that the ip inspect protocol I am looking to pass through is "ipsec-msft". I don't know if there is any other form of ipsec that quick vpn would require.

    4) I think Serial0 is my WAN interface based on the IOS commands in this thread.

    5) Can you supply IOS command string(s) I could try to apply the required passthrough?
     
  9. datdamnmachine

    datdamnmachine LI Guru Member


    You probably have an access-list on the interface that faces outside your network, i.e. internet connection interface. What are the lines currently configured on that interface? If you want to pass vpn traffic through that interface to another vpn gateway device on the internal network you will need to have the following commands in place:

    permit esp any host <ip address of WRV200>
    permit udp any host <ip address of WRV200> eq isakmp
    permit udp any host <ip address of WRV200> eq 4500
    permit ahp any host <ip address of WRV200>

    The first line allows the esp protocol from any source ip to the ip address of the WRV200 hosting VPN functions

    The second line allows udp port 500 which ipsec uses for communication

    The third line allows udp port 4500 for ipsec NAT-T (nat traversal for clients connecting behind a nat device)

    The fourth line allows authentication header protocol in case your VPN connection uses it.

    ***Note*** Depending on how the access-lists are set up on this machine, you may have to write the access-list a certain way. Also, even if you do the port forwarding method as you suggested in a previous post, the access-list rules still need to be applied. Your best bet is to provide the entire configuration minus any sensitive information such as passwords and the last two octets of the ip addresses. I hope this helps.

    Also, ports 60443 and 9090, I take it those are used by QuickVPN??? If so, are they using tcp or udp?

    The information I provided above is for a Cisco router to support VPN passthrough to another device providing VPN connectivity using the standard ipsec ports of udp 500, protocol esp and ahp, and udp port 4500 (NAT-T). If the QuickVPN is using non-standard ports (or you have it configured to do such) then the above configuration will require tweaking.
     
  11. ifican

    ifican Network Guru Member

    ok so many variables to try to remember here.

    Since you are sourcing your traffic from the outside you do not need "ip inspect". This command was coded into newer ios code and is simply used to make your router act like a stateful firewall. The biggest question at hand is how does the quickvpn client actually work? That is one I have never personally figured out and I have played with it a lot. If the client is actually using protocol 50 "esp" to communicate the only way to make it work the way you want is to create a single one-to-one nat mapping that tells the 1720 to send everything it receives on its external interface to your wrv200. If you have the capability to make this happen it will work, if not then don't waste any more time (assuming quickvpn uses esp).

    The reason:

    ESP = protocol 50, not port 50. There is no port associated with protocol 50 so you cannot forward this and was the basis for creating nat-t for clients connecting from behind a nat router. What happens is the esp traffic hits the external cisco interface and the router does not know where to send it so it drops it. You can verify this in your wrv logs if you have all other ports forwarded correctly, because you will see your wrv negotiate its SA and then communication will stop.
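Added example for this thread (not from any poster's router, and not tested on prorules' 1720): the IOS side of an IPsec pass-through to the WRV200, putting together the four access-list lines from datdamnmachine's post and the "ESP has no port" point from ifican's post, alongside the NAT lines prorules already has. Assumptions, none of which are stated in the thread: Serial0 is the "ip nat outside" T1 interface, FastEthernet0 is the "ip nat inside" LAN interface, the public Serial0 address is 203.0.113.1 (an RFC 5737 documentation address; substitute the real one), and access-list 101 is not already in use on the router.

```ios
! Added example, not from the thread. Interface names, the 203.0.113.1
! public address and ACL number 101 are assumptions.
!
! --- NAT ---
! Per-port static entries work for TCP and UDP because those carry ports.
! The first three lines are what the thread already shows; the two UDP
! lines add ISAKMP (500) and NAT-T (4500) for the WRV200.
ip nat inside source list 102 interface Serial0 overload
ip nat inside source static tcp 192.168.100.175 9090  interface Serial0 9090
ip nat inside source static tcp 192.168.100.175 60443 interface Serial0 60443
ip nat inside source static udp 192.168.100.175 500   interface Serial0 500
ip nat inside source static udp 192.168.100.175 4500  interface Serial0 4500
!
! ESP is IP protocol 50 and carries no port, so there is no "static esp"
! form of the command above. If the client sends raw ESP instead of NAT-T
! on UDP 4500, the only way to deliver it is the one-to-one mapping ifican
! describes: the whole public address maps to the WRV200. Every inbound
! port that is not statically mapped above then lands on the WRV200 too
! (a "DMZ host" arrangement), so it is left commented out here.
! ip nat inside source static 192.168.100.175 interface Serial0
!
! --- Inbound filter on the T1 ---
! IOS evaluates an inbound ACL on the outside interface before it applies
! inbound NAT, so the destination to match is the public (untranslated)
! address, not 192.168.100.175. If Serial0 already has an inbound ACL,
! merge these lines into it rather than replacing it.
access-list 101 remark IPsec / QuickVPN pass-through to the WRV200
access-list 101 permit esp any host 203.0.113.1
access-list 101 permit ahp any host 203.0.113.1
access-list 101 permit udp any host 203.0.113.1 eq isakmp
access-list 101 permit udp any host 203.0.113.1 eq 4500
access-list 101 permit tcp any host 203.0.113.1 eq 60443
access-list 101 permit tcp any host 203.0.113.1 eq 9090
! Return traffic for sessions opened from inside. "established" matches
! TCP only; if there was no ACL on Serial0 before, UDP replies (DNS etc.)
! need their own permits or CBAC, otherwise the implicit deny drops them.
access-list 101 permit tcp any any established
!
interface Serial0
 ip nat outside
 ip access-group 101 in
!
interface FastEthernet0
 ip nat inside
```

After applying it, `show access-lists 101` shows per-line hit counts while a QuickVPN connection is attempted (a growing count on the `udp ... eq isakmp` line but none on `esp` or `eq 4500` after the WRV200 logs its SA is the symptom ifican describes), and `show ip nat translations` shows whether the 500/4500/60443 entries are being used. Check that the existing 9090 forward still works before and after any change to the NAT lines, since the other tenants on the shared office router depend on the overload entry staying in place.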
     
