Good morning.
I have a curious problem at two different sites:
At site 1 I have a C2611, and the LAN goes out through ETH0/0 via NAT overload.
At site 2 I have a C2650 that does NAT into a /28 DMZ, and one of the IPs in the /28 is a 3620 that does NAT for the private LAN.
From any host on the LAN, at site 1 as well as site 2, I can no longer establish outbound PPTP VPNs: always error 619.
From another server that has a public IP directly on its Ethernet interface, I can do the VPN without any problem.
Outbound I have no ACLs blocking traffic, GRE traffic is permitted inbound, and I have also tried an inbound ACL that permits ip any any.
I also tried disabling IP INSPECT, with no result.
Now let's analyse the configuration of this router (I think that if I solve it here, I solve it at the other site too).
C2650 32F/128D IOS 12.4(18) ADVSEC
I have ip inspect and ip ips (v4) active, with the 128 MB signature file.
I have a server in the DMZ (IP 172.16.0.x/28) and I can't connect from there either. As the hardware client for the VPNs I use a 3Com secure router, on which I set up the PPTP connection to be made, and it has always worked (in the past).
This is the config:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
no service dhcp
!
hostname 89-186-68-6.dcpool.ip
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 notifications
no logging console
enable password 7 xxxxxxxxxxxx
!
no aaa new-model
clock timezone CET 1
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip source-route
no ip gratuitous-arps
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip ips sdf location flash:128mb.sdf
ip ips signature 2004 0 disable
ip ips signature 2001 0 disable
ip ips name AUDIT
no ip bootp server
ip domain round-robin
no ip domain lookup
ip domain name kpnqwest.it
ip name-server 217.97.32.2
ip name-server 217.97.32.7
ip multicast-routing
login block-for 120 attempts 5 within 60
login on-failure log
!
!
!
!
username xxxxxxxxxxxxxxxx
!
!
ip tcp selective-ack
ip tcp synwait-time 10
ip ssh time-out 90
ip ssh version 2
!
!
!
!
interface Null0
no ip unreachables
!
interface ATM0/0
description KPNQWest ADSL 2048/512
no ip address
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly max-fragments 16 max-reassemblies 64
no ip mroute-cache
atm ilmi-keepalive
dsl operating-mode auto
hold-queue 224 in
!
interface ATM0/0.1 point-to-point
description Point to Point Uplink
bandwidth 2048
ip address 89.186.68.6 255.255.255.252
ip access-group 100 in
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly max-fragments 16 max-reassemblies 64
no ip mroute-cache
pvc 8/35
encapsulation aal5snap
!
!
interface FastEthernet0/0
ip address 172.16.0.12 255.255.255.240
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no ip mroute-cache
duplex auto
speed auto
no cdp enable
hold-queue 100 in
hold-queue 100 out
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 89.186.68.5
!
no ip http server
no ip http secure-server
ip nat translation timeout 3600
ip nat translation tcp-timeout 1200
ip nat translation udp-timeout 100
ip nat translation finrst-timeout 15
ip nat translation syn-timeout 45
ip nat translation icmp-timeout 120
ip nat inside source list 102 interface ATM0/0.1 overload
ip nat inside source static tcp 172.16.0.1 25 89.186.68.6 25 extendable
ip nat inside source static tcp 172.16.0.1 80 89.186.68.6 80 extendable
ip nat inside source static tcp 172.16.0.1 110 89.186.68.6 110 extendable
ip nat inside source static tcp 172.16.0.1 443 89.186.68.6 443 extendable
ip nat inside source static tcp 172.16.0.1 465 89.186.68.6 465 extendable
ip nat inside source static tcp 172.16.0.1 995 89.186.68.6 995 extendable
ip nat inside source static tcp 172.16.0.1 3389 89.186.68.6 3389 extendable
ip nat inside source static tcp 172.16.0.10 33389 89.186.68.6 33389 extendable
!
!
access-list 100 permit ip any any
access-list 102 permit ip 172.16.0.0 0.0.0.255 any
snmp-server community public RO
snmp-server ifindex persist
snmp-server contact [email protected]
no cdp run
!
!
control-plane
!
!
!
banner login ^C
You are connected to $(hostname).$(domain) on line $(line).
If you are not authorized to access this system, disconnect now.
THIS IS FOR AUTHORIZED USE ONLY
Unauthorized or improper use of this system may result in
administrative disciplinary action and civil and criminal penalties.
By continuing to use this system you indicate your awareness of and consent
to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not
agree to the conditions stated in this warning.
Network Administrator: [email protected]
^C
!
line con 0
login local
transport output telnet
stopbits 1
line aux 0
login local
transport preferred none
transport output telnet
stopbits 1
line vty 0 4
login local
transport preferred none
transport input ssh
transport output all
flowcontrol software
!
scheduler max-task-time 5000
ntp server 192.43.244.18
ntp server 193.204.114.105
!
end
I also removed the ip inspect part as a test:
ip inspect log drop-pkt
ip inspect audit-trail
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 500
ip inspect one-minute high 600
ip inspect udp idle-time 15
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 1
ip inspect tcp synwait-time 15
ip inspect tcp max-incomplete host 300 block-time 0
In the posted configuration I also removed IP IPS, with no result.
It is impossible to make any outbound PPTP connection.
Last edited by maggiore81 on Sat 29 Mar 2008, 3:04 pm, edited 1 time in total.
Dott. Spadoni
Network Administrator
Maybe I found the bug:
the packet is being dropped by the IP firewall "due to SYN inside current window"
how can I fix it?
This is the final configuration on the C2650; I raised the ip inspect timers slightly, with no result.
Any help is appreciated because I'm stuck with the VPNs. Any, and I mean any, PPTP VPN doesn't work: it verifies username/password, and stops.
Error 691.
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
no service dhcp
!
hostname 89-186-68-6.dcpool.ip
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 notifications
no logging console
no logging monitor
enable password 7 xxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
clock timezone CET 1
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip source-route
no ip gratuitous-arps
ip cef
!
!
ip inspect log drop-pkt
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 500
ip inspect one-minute high 600
ip inspect udp idle-time 20
ip inspect tcp idle-time 60
ip inspect tcp synwait-time 45
ip inspect tcp max-incomplete host 300 block-time 0
ip inspect name OUT-IN esmtp
ip inspect name OUT-IN pop3
ip inspect name OUT-IN pop3s
ip inspect name OUT-IN http
ip inspect name OUT-IN https
ip inspect name OUT-IN imap
ip inspect name OUT-IN imaps
ip inspect name OUT-IN ftp
ip inspect name OUT-IN ftps
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip ips sdf location flash:128mb.sdf
ip ips signature 2004 0 disable
ip ips signature 2001 0 disable
ip ips name AUDIT
no ip bootp server
ip domain round-robin
ip domain name kpnqwest.it
ip name-server 217.97.32.2
ip name-server 217.97.32.7
ip multicast-routing
login block-for 120 attempts 5 within 60
login on-failure log
!
!
!
!
username xxxxxxxxxxx
!
!
ip tcp selective-ack
ip tcp synwait-time 10
ip ssh time-out 90
ip ssh version 2
!
!
!
!
interface Null0
no ip unreachables
!
interface ATM0/0
description KPNQWest ADSL 2048/512
no ip address
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
no ip mroute-cache
atm ilmi-keepalive
dsl operating-mode auto
hold-queue 224 in
!
interface ATM0/0.1 point-to-point
description Point to Point Uplink
bandwidth 2048
ip address 89.186.68.6 255.255.255.252
ip access-group 100 in
no ip redirects
no ip proxy-arp
ip inspect OUT-IN in
ip ips AUDIT in
ip nat outside
ip virtual-reassembly
no ip mroute-cache
pvc 8/35
encapsulation aal5snap
!
!
interface FastEthernet0/0
ip address 172.16.0.12 255.255.255.240
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no ip mroute-cache
duplex auto
speed auto
no cdp enable
hold-queue 100 in
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 89.186.68.5
!
no ip http server
no ip http secure-server
ip nat translation timeout 3600
ip nat translation tcp-timeout 1200
ip nat translation udp-timeout 100
ip nat translation finrst-timeout 15
ip nat translation syn-timeout 45
ip nat translation icmp-timeout 120
ip nat inside source list 102 interface ATM0/0.1 overload
ip nat inside source static tcp 172.16.0.1 25 89.186.68.6 25 extendable
ip nat inside source static tcp 172.16.0.1 80 89.186.68.6 80 extendable
ip nat inside source static tcp 172.16.0.1 110 89.186.68.6 110 extendable
ip nat inside source static tcp 172.16.0.1 443 89.186.68.6 443 extendable
ip nat inside source static tcp 172.16.0.1 465 89.186.68.6 465 extendable
ip nat inside source static tcp 172.16.0.1 995 89.186.68.6 995 extendable
ip nat inside source static tcp 172.16.0.1 3389 89.186.68.6 3389 extendable
ip nat inside source static tcp 172.16.0.10 33389 89.186.68.6 33389 extendable
!
!
no logging trap
access-list 100 deny ip 0.0.0.0 0.255.255.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.0.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 224.0.0.0 15.255.255.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip host 89.186.68.6 any
access-list 100 permit udp host 77.93.230.26 eq isakmp host 89.186.68.6
access-list 100 permit esp host 77.93.230.26 host 89.186.68.6
access-list 100 permit udp host 77.93.230.26 host 89.186.68.6 range snmp snmptrap
access-list 100 permit udp 77.93.229.208 0.0.0.7 host 89.186.68.6 range snmp snmptrap
access-list 100 deny tcp any lt 1023 any lt 1023
access-list 100 permit udp any eq ntp any
access-list 100 permit udp any eq domain any
access-list 100 deny udp any lt 1023 any lt 1023
access-list 100 permit ip any any fragments
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any source-quench
access-list 100 deny icmp any any
access-list 100 deny udp any any eq echo
access-list 100 deny udp any any range 33400 34400
access-list 100 permit tcp any any range ftp-data ftp
access-list 100 permit tcp host 77.93.230.26 host 89.186.68.6 eq 22
access-list 100 permit tcp 77.93.229.208 0.0.0.7 host 89.186.68.6 eq 22
access-list 100 deny tcp any any eq 22
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq pop3
access-list 100 permit tcp any any eq 443
access-list 100 permit tcp any any eq 465
access-list 100 deny udp any any range snmp snmptrap
access-list 100 permit tcp any any eq 990
access-list 100 permit tcp any any eq 995
access-list 100 permit tcp any any
access-list 100 permit udp any any
access-list 100 permit 41 any any
access-list 100 deny ip any any
access-list 102 permit ip 172.16.0.0 0.0.0.255 any
snmp-server community public RO
snmp-server ifindex persist
snmp-server contact [email protected]
no cdp run
!
!
control-plane
!
!
!
banner login ^C
You are connected to $(hostname).$(domain) on line $(line).
If you are not authorized to access this system, disconnect now.
THIS IS FOR AUTHORIZED USE ONLY
Unauthorized or improper use of this system may result in
administrative disciplinary action and civil and criminal penalties.
By continuing to use this system you indicate your awareness of and consent
to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not
agree to the conditions stated in this warning.
Network Administrator: [email protected]
^C
!
line con 0
login local
transport output telnet
stopbits 1
line aux 0
login local
transport preferred none
transport output telnet
stopbits 1
line vty 0 4
login local
transport preferred none
transport input ssh
transport output all
flowcontrol software
!
scheduler max-task-time 5000
ntp server 192.43.244.18
ntp server 193.204.114.105
!
end
I removed a useless (surely there by mistake) ip nat outside on ATM0/0.
Today, in a fit of desperation (I've been trying to solve this problem for 12 hours),
I set up a C2610XM (16F/64D) with IOS 12.2(9)T,
I copied and pasted the config (the missing features were obviously ignored) and
MIRACLE, IT WORKS!
So I took the 2610XM's config as-is (the much lighter config) and gradually removed things from the "big" config too, BUT WITH NO RESUUUULT.
What can I do? aiuto, help, hilfe, save me, augh, me be in deep trouble.
My tests over these 2 days are the following:
ANY 12.4, even IP Base, doesn't work.
If I load 12.3(25) ADV SEC it works.
12.2(9)T works.
12.3(14)T7 works.
The configuration stays the same; I only change the IOS, and on reboot the router "discards" the configuration lines it doesn't recognise.
With any 12.4 it doesn't work. What can I do? Is it possible that I'm the only one with this problem?
In practice the router does NAT overload and from inside the LAN I need to connect via VPN to the outside...
Nothing, it doesn't work with 12.4.
I got it working at another site of mine where I do have 12.4(18) ADV SEC, but there I have a /29 range and I started the connection from a server that has the public IP directly on its Ethernet interface.
What can I do?
Hi, so:
ip inspect name FW-IN tcp
ip inspect name FW-IN udp
ip inspect name FW-IN pptp
int FastEthernet0/0
ip inspect FW-IN in
no access-list 100
access-list 100 permit tcp any any eq 1723
access-list 100 permit gre any any
access-list 100 deny ip 0.0.0.0 0.255.255.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.0.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 224.0.0.0 15.255.255.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip host 89.186.68.6 any
access-list 100 permit udp host 77.93.230.26 eq isakmp host 89.186.68.6
access-list 100 permit esp host 77.93.230.26 host 89.186.68.6
access-list 100 permit udp host 77.93.230.26 host 89.186.68.6 range snmp snmptrap
access-list 100 permit udp 77.93.229.208 0.0.0.7 host 89.186.68.6 range snmp snmptrap
access-list 100 deny tcp any lt 1023 any lt 1023
access-list 100 permit udp any eq ntp any
access-list 100 permit udp any eq domain any
access-list 100 deny udp any lt 1023 any lt 1023
access-list 100 permit ip any any fragments
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any source-quench
access-list 100 deny icmp any any
access-list 100 deny udp any any eq echo
access-list 100 deny udp any any range 33400 34400
access-list 100 permit tcp any any range ftp-data ftp
access-list 100 permit tcp host 77.93.230.26 host 89.186.68.6 eq 22
access-list 100 permit tcp 77.93.229.208 0.0.0.7 host 89.186.68.6 eq 22
access-list 100 deny tcp any any eq 22
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq pop3
access-list 100 permit tcp any any eq 443
access-list 100 permit tcp any any eq 465
access-list 100 deny udp any any range snmp snmptrap
access-list 100 permit tcp any any eq 990
access-list 100 permit tcp any any eq 995
access-list 100 permit tcp any any
access-list 100 permit udp any any
access-list 100 permit 41 any any
access-list 100 deny ip any any
The future is made of people who have intuitions and visions ..... they are the people who make the difference...... those gifted with a THIRD EYE....
Hi
If I need to start an outbound PPTP connection from a PC on my LAN to the outside, I don't need to open 1723 inbound, only the incoming GRE.
Anyway, I finally solved it.
With the same configuration, any IOS 12.4(18) doesn't work.
12.4(17a) and earlier work. I'm afraid it's an IOS bug.
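An added example, not part of the thread: a small first-match evaluator in Python for the numbered IOS ACL grammar used above. The reply suggests adding `permit gre any any` (and TCP 1723) to ACL 100, and the last post points out that for an outbound PPTP call only the GRE return traffic has to be let back in; running an excerpt of the posted ACL 100 through the evaluator shows which entry decides the fate of the control channel's return packets and of the GRE packets, before and after the `permit gre` line. The PPTP server address 203.0.113.10 and the client's NAT port 40000 are constructed values.

```python
import ipaddress
from collections import namedtuple
PROTO = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1, "esp": 50, "gre": 47}   # other values are numeric
PORTS = {"isakmp": 500, "snmp": 161, "snmptrap": 162, "ntp": 123, "domain": 53, "echo": 7,
         "ftp-data": 20, "ftp": 21, "smtp": 25, "www": 80, "pop3": 110}
# fragment=True models a non-initial fragment; icmp_type is an IOS keyword such as "echo-reply".
Packet = namedtuple("Packet", "proto src dst sport dport icmp_type fragment", defaults=(None, None, None, False))

def _port(tok):
    return PORTS[tok] if tok in PORTS else int(tok)

def _addr(t, i):
    # Consume 'any' | 'host A' | 'A WILDCARD'; return (matcher over an int address, next index).
    if t[i] == "any":
        return (lambda a: True), i + 1
    if t[i] == "host":
        want = int(ipaddress.ip_address(t[i + 1]))
        return (lambda a: a == want), i + 2
    base, wild = int(ipaddress.ip_address(t[i])), int(ipaddress.ip_address(t[i + 1]))
    return (lambda a: (a | wild) == (base | wild)), i + 2

def _portop(t, i):
    # Consume an optional eq/lt/gt/range port operator; return (matcher, next index).
    if i < len(t) and t[i] in ("eq", "lt", "gt"):
        op, n = t[i], _port(t[i + 1])
        return (lambda p: p is not None and {"eq": p == n, "lt": p < n, "gt": p > n}[op]), i + 2
    if i < len(t) and t[i] == "range":
        lo, hi = _port(t[i + 1]), _port(t[i + 2])
        return (lambda p: p is not None and lo <= p <= hi), i + 3
    return (lambda p: True), i

def parse_rule(line):
    t = line.split()   # access-list 100 <action> <proto> <src> [op] <dst> [op] [icmp-type | fragments]
    proto = PROTO[t[3]] if t[3] in PROTO else int(t[3])
    src, i = _addr(t, 4)
    sport, i = _portop(t, i)
    dst, i = _addr(t, i)
    dport, i = _portop(t, i)
    return t[2], proto, src, sport, dst, dport, t[i:]

def matches(rule, pkt):
    action, proto, src, sport, dst, dport, extra = rule
    a, b = int(ipaddress.ip_address(pkt.src)), int(ipaddress.ip_address(pkt.dst))
    if (proto is not None and proto != pkt.proto) or not (src(a) and dst(b)):
        return False
    if pkt.proto in (6, 17) and not (sport(pkt.sport) and dport(pkt.dport)):
        return False
    if "fragments" in extra:              # the keyword matches non-initial fragments only
        return pkt.fragment
    if pkt.proto == 1 and extra:          # an ICMP type keyword narrows the entry
        return extra[0] == pkt.icmp_type
    return True

def evaluate(acl, pkt):
    """IOS semantics: the first matching entry wins; no match is the implicit deny."""
    for line in acl:
        if matches(parse_rule(line), pkt):
            return line.split()[2], line
    return "deny", "implicit deny ip any any"

# Excerpt, in the original order, of the access-list 100 applied inbound on ATM0/0.1 in the thread.
ACL_100 = """\
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip host 89.186.68.6 any
access-list 100 deny tcp any lt 1023 any lt 1023
access-list 100 permit ip any any fragments
access-list 100 permit icmp any any echo-reply
access-list 100 permit tcp any any range ftp-data ftp
access-list 100 permit tcp any any
access-list 100 permit udp any any
access-list 100 permit 41 any any
access-list 100 deny ip any any""".splitlines()

# Constructed sample: what a PPTP server at 203.0.113.10 (documentation range) sends back to the router.
PPTP_CTRL_BACK = Packet(proto=6, src="203.0.113.10", dst="89.186.68.6", sport=1723, dport=40000)
GRE_BACK = Packet(proto=47, src="203.0.113.10", dst="89.186.68.6")

def pptp_verdicts(acl):
    return {"tcp1723": evaluate(acl, PPTP_CTRL_BACK)[0], "gre": evaluate(acl, GRE_BACK)[0]}
```

The TCP 1723 return traffic is already covered by `permit tcp any any`, while the GRE packets fall through to the final `deny ip any any`; the full ACL 100 from the thread can be pasted in the same format in place of the excerpt.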