VPN
Maxim, 2013-04-15 16:24:55

Struggling with VPN (Cisco 2801)

Good afternoon. I have been at this all day and still can't get past the problem, so I decided to turn to the community.
I'm hoping for help; thanks in advance.

There is a router with Remote Access VPN configured.
When connected to the VPN, all internal resources are reachable (ping, SSH, HTTPS).
But when connecting over RDP, the connection fails (I connect to 192.168.20.1);
telnet 192.168.20.1 3389 also fails. Inside the network, RDP works without problems.
Having traced the traffic on the network, I found that the request reaches the server, but the server does not respond.
It is impossible to trace traffic on the server, since Windows Server 2012 is installed there and Wireshark is not installed on it (I didn't dig deeper).
The server is located 2000 km from me; there is no physical access.
Access lists are not used yet.
When I set up static NAT, the server immediately becomes reachable over RDP from outside.
So the problem is most likely in the VPN configuration.
Below is the part of the config relating to the VPN tunnel.
The router is a Cisco 2801.

aaa new-model
!
aaa authentication login default local enable
aaa authentication login userauthen local
aaa authorization exec default group tacacs+ local
aaa authorization network groupauthor local
!
! Phase 1 (IKE) policy
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
! Remote-access group: pre-shared key, DNS, client address pool, split-tunnel ACL
crypto isakmp client configuration group vpn_users
 key XXXXXX
 dns XXXXXX
 pool vpn_users
 acl vpn_acl
!
! Phase 2 transform set
crypto ipsec transform-set TEST esp-3des esp-sha-hmac
!
crypto dynamic-map TEST 10
 set transform-set TEST
!
crypto map vpn_users client authentication list userauthen
crypto map vpn_users isakmp authorization list groupauthor
crypto map vpn_users client configuration address respond
crypto map vpn_users 10 ipsec-isakmp dynamic TEST
!
! Addresses handed out to VPN clients
ip local pool vpn_users 192.168.5.2 192.168.5.10
!
! Split-tunnel ACL: internal 192.168.0.0/16 <-> client pool 192.168.5.0/24
ip access-list extended vpn_acl
 permit ip 192.168.0.0 0.0.255.255 192.168.5.0 0.0.0.255
!
! Outside interface; the crypto map is applied here
interface FastEthernet0/0
 ip address 85.236.XX 255.255.255.252
 ip verify unicast reverse-path
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no snmp trap link-status
 no cdp enable
 crypto map vpn_users
end

3 answers
Maxim, 2013-04-16
@Maxim_ka

Figured it all out. Thanks for the help :)
The point was that the return packets were going through NAT.
I rewrote the NAT ACL so that it denies the traffic that should go into the tunnel.
After that, the problem was solved.
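The fix described in this answer, written out as an added example (not the poster's own NAT config, which is not shown in the thread). It assumes the NAT ACL is named nat_acl, the LAN interface is FastEthernet0/1, and the inside network is 192.168.0.0/16, matching the split-tunnel ACL vpn_acl above. The weak version and the corrected one are shown side by side:

```cisco
! --- Before (assumed): the NAT ACL matches everything leaving the LAN,
! --- including replies addressed to VPN clients. On IOS, inside-to-outside
! --- traffic is translated BEFORE the crypto map is evaluated, so a reply
! --- 192.168.20.1 -> 192.168.5.x gets its source rewritten to the public
! --- address and no longer matches vpn_acl; it leaves in the clear instead
! --- of in the tunnel.
ip access-list extended nat_acl
 permit ip 192.168.0.0 0.0.255.255 any
!
! --- After: exempt tunnel traffic from NAT, then translate the rest.
! --- Entry order matters: the deny must come before the permit.
ip access-list extended nat_acl
 deny   ip 192.168.0.0 0.0.255.255 192.168.5.0 0.0.0.255
 permit ip 192.168.0.0 0.0.255.255 any
!
ip nat inside source list nat_acl interface FastEthernet0/0 overload
!
interface FastEthernet0/1
 description LAN (assumed inside interface)
 ip nat inside
```

To confirm the fix on the router, run `show ip nat translations` while a client session is open: if replies are still being translated you will see entries whose outside address falls in 192.168.5.0/24; after the change there should be none, and `show crypto ipsec sa` should show the encaps counter for that client's SA rising along with decaps. Note that the split-tunnel ACL vpn_acl and the NAT exemption only decide which traffic is encrypted and which is translated; neither restricts what a VPN client may reach. With no access list applied, a connected client has the same reach into 192.168.0.0/16 as a host on the LAN.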

JDima, 2013-04-15
@JDima

"But when connecting over RDP, the connection fails (I connect to 192.168.20.1)." Pings reach 192.168.20.1 and come back, do I understand correctly?
"Having traced the traffic on the network, I found that the request reaches the server, but the server does not respond." How did you find that out? An ACL with permit or a capture on the interface toward the server? With what source IP do the packets arrive at the server, from 192.168.5.0/24?
Is port 3389 specifically mentioned anywhere else in the router configuration?
"telnet 192.168.20.1 3389 also does not work": does it fail with an RST or with a timeout?
What about the local firewall on the server? Is the 192.168.5.0/24 network in it? Most likely that's the issue.

tgz, 2013-04-16
@tgz

Windows used to like setting DF=1 on RDP packets, and such a packet accordingly won't make it through the VPN because of the large MTU.
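The mitigation for the DF/MTU problem tgz describes, as an added example that is not part of the original thread. It assumes the same router, with FastEthernet0/0 carrying the crypto map and FastEthernet0/1 as the LAN interface; the MSS value is an assumption sized for ESP with 3DES/SHA inside a 1500-byte path:

```cisco
! Allow the router to clear the DF bit on packets it encapsulates, so a
! full-size RDP segment can still be fragmented after ESP adds its overhead.
crypto ipsec df-bit clear
!
! Preferred: clamp the TCP MSS on the LAN side so RDP segments never need
! fragmentation in the first place. The command rewrites the MSS option in
! transiting SYN/SYN-ACK packets, so both the client's and the server's
! advertised MSS are reduced.
interface FastEthernet0/1
 ip tcp adjust-mss 1360
```

To check whether this is the failure mode before changing anything, send a do-not-fragment ping across the tunnel from a Windows client, for example `ping 192.168.20.1 -f -l 1400`: if that fails while `ping 192.168.20.1 -f -l 1200` succeeds, oversized DF packets are being dropped on the encrypted path and the MSS clamp is the right fix. Clearing DF alone works but costs fragmentation and reassembly on every large segment.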
