16 Replies Latest reply on Nov 24, 2015 10:49 AM by jayh

    Can I have an IPSEC tunnel and also port forward IPSEC to internal server

    curtc New Member

      Can't seem to wrap my head around this one, but I'm new to Adtran...

      I have an IPSEC tunnel to another site:

      ==========================================================================================================

      interface eth 0/1

        ip address 74.xx.xx.226 255.255.255.240

        ip access-policy Public

        crypto map VPN

        no shutdown

       

      crypto ike policy 100

        initiate main

        respond main

        local-id address 74.xx.xx.226

        peer 216.xx.xx.xx

        attribute 1

        encryption 3des

        authentication pre-share

        group 2

      !

      crypto ike remote-id address 216.xx.xx.xx preshared-key 1234567890 ike-policy 100 crypto map VPN 10 no-mode-config no-xauth

      =============================================================================================================

      Tunnel works fine.

       

      Question 1:

      There is a VPN server on the inside that they want for people on the road.  It's a MAC server.  They are asking to forward the same ports I know IKE/IPSEC uses.

      Couldn't I just ignore that there is an existing tunnel and add a secondary IP address on the eth 0/1 interface and do the port forwarding as usual on the secondary IP?  Any detail would help.

       

      Question 2:

      Will that "crypto map VPN" on the physical interface mess with the secondary IP address on that interface?

      Kind of confused.

      Thank you!

      -Curt

        • Re: Can I have an IPSEC tunnel and also port forward IPSEC to internal server
          jayh Hall_of_Fame

          I see two potential problems. The first is that the Adtran is acting as the VPN termination endpoint for IPSec. The second is that port-forward implies NAT and IPSec and NAT between the outside tunnel endpoints don't usually play well together.

           

          I haven't tested this but you might be able to use a carefully crafted access-list or route-map to get around the first issue. On the port-forward list, deny the IP of the lan-to-lan tunnel endpoint that terminates on the Adtran itself, in your example the 216.xx.xx.xx address.

           

          A better solution would be a separate public IP routed to the MAC for the remote access VPN users. I see your eth 0/1 is a /28 so presumably an unused one of those IPs could be used for the remote access VPN endpoint.

            • Re: Can I have an IPSEC tunnel and also port forward IPSEC to internal server
              curtc New Member

              Thank you for the reply.  Not sure what you mean in the 2nd paragraph, "lan-to-lan tunnel endpoint".  However, your 3rd paragraph sounds like more of what I'd like to do, like this:

              ==========================================================================================

              interface eth 0/1

                ip address 74.xx.xx.226 255.255.255.240

                ip address 74.xx.xx.228 255.255.255.240 secondary

                ip access-policy Public

                crypto map VPN

                no shutdown

               

              ip access-list extended PortForwardForInternalVPNServer

                permit tcp any host 74.xx.xx.228 eq <whatEverPortsTheyWant>

                permit udp any host 74.xx.xx.228 eq <whatEverPortsTheyWant>

               

              ip policy-class Public

                nat destination list PortForwardForInternalVPNServer address 192.168.100.4

              ================================================================================


              Would that work?


              Or can you give me an example on this:  "A better solution would be a separate public IP routed to the MAC for the remote access VPN users."

               

              Thank you.

                • Re: Can I have an IPSEC tunnel and also port forward IPSEC to internal server
                  jayh Hall_of_Fame

                  The lan-to-lan tunnel endpoint is the IP address of the static peer you have configured, in your example 216.xx.xx.xx.

                   

                  Your example should work, but I would not configure the secondary address on interface eth 0/1. You don't want the local crypto map interacting with the VPN passing through to the remote access VPN server.

                   

                  Alternatively, you could insert a small switch on the public side ahead of the 2000 and connect both the Adtran 2000 and the remote access VPN server to it using different public IPs. This would negate any QoS settings you have on the 2000 as both devices would contend for bandwidth on the public side.

                    • Re: Can I have an IPSEC tunnel and also port forward IPSEC to internal server
                      curtc New Member

                      Of course!  You are a genius!  Thank you! I love this forum.  Use another interface.

                      You mean like this:

                       

                      interface eth 0/1

                        ip address 74.xx.xx.226 255.255.255.240

                        ip access-policy Public

                        crypto map VPN

                        no shutdown

                       

                      interface vlan 66

                        ip address 74.xx.xx.228 255.255.255.240

                        ip access-policy Public-MAC-VPN-Server

                        no shutdown

                       

                      interface switchport 0/2

                        description MAC-VPC-Server-Plugged-Into-TimeWarner-CableModem

                        no shutdown

                        switchport access vlan 66

                       

                      ip access-list extended PortForwardForInternalVPNServer

                        permit tcp any host 74.xx.xx.228 eq <whatEverPortsTheyWant>

                        permit udp any host 74.xx.xx.228 eq <whatEverPortsTheyWant>

                       

                      ip policy-class Public-MAC-VPN-Server

                        nat destination list PortForwardForInternalVPNServer address 192.168.100.4

                        • Re: Can I have an IPSEC tunnel and also port forward IPSEC to internal server
                          curtc New Member

                          Wait a second...  I think I'm rushed from the weekend and not thinking about this clearly.

                           

                          Won't that only solve the inbound traffic? The return traffic will still come from 74.xx.xx.226. Will that work?

                           

                          Thanks!

                          • Re: Can I have an IPSEC tunnel and also port forward IPSEC to internal server
                            jayh Hall_of_Fame

                            curtc wrote:

                             

                            Of course!  You are a genius!  Thank you! I love this forum.  Use another interface.

                            You mean like this:

                             

                            interface eth 0/1

                              ip address 74.xx.xx.226 255.255.255.240

                              ip access-policy Public

                              crypto map VPN

                              no shutdown

                             

                            interface vlan 66

                              ip address 74.xx.xx.228 255.255.255.240

                              ip access-policy Public-MAC-VPN-Server

                              no shutdown

                             

                            interface switchport 0/2

                              description MAC-VPC-Server-Plugged-Into-TimeWarner-CableModem

                              no shutdown

                              switchport access vlan 66

                            Not exactly. You have a /28 (255.255.255.240) coming from the cable modem. You want to use one of those IPs for your lan-to-lan VPN, the IP ending in .226. You want another public IP from the same subnet to feed the remote access VPN server, ending in .228. So put two switchports in a VLAN. Connect one to the cable modem and another to the MAC server for the client tunnels. Use the VLAN interface as your router IP. No port forwarding needed as the MAC server outside will be directly on the public Internet. The two switchports and your VLAN interface are all just bridged at layer 2. If the MAC server only has one physical interface you'll need a trunk for it to connect both inside and outside on one wire. So something like:

                             

                            interface eth 0/1

                              no ip address

                              shutdown

                            (or use it for something else, like the private side LAN)

                             

                            interface switchport 0/1

                              description Connection to TimeWarner-CableModem

                              no shutdown

                              switchport access vlan 99

                             

                            interface switchport 0/2

                              description MAC-VPC-Server

                              no shutdown

                              switchport access vlan 99

                             

                            interface vlan 99

                              ip address 74.xx.xx.226 255.255.255.240

                              ip access-policy Public

                              crypto map VPN

                              no shutdown

                             

                            Assign the MAC VPC server the address 74.xx.xx.228 255.255.255.240 with a gateway of the cable modem's IP, probably 74.xx.xx.225.

                              • Re: Can I have an IPSEC tunnel and also port forward IPSEC to internal server
                                curtc New Member

                                Going that route, why wouldn't I just leave the switch and the router as is, and patch the MAC directly into one of the 4 ports on the cable modem and assign that interface 74.xx.xx.228?  I think I'll suggest that.

                                  • Re: Can I have an IPSEC tunnel and also port forward IPSEC to internal server
                                    jayh Hall_of_Fame

                                    Absolutely, if the cable modem includes a built-in 4-port switch that's a much cleaner way to go.

                                      • Re: Can I have an IPSEC tunnel and also port forward IPSEC to internal server
                                        mick Visitor

                                        But that exposes the MAC server to the public Internet.  I thought the principle of this exercise was to keep the server protected by the Netvanta and only access it via the tunnel?

                                          • Re: Can I have an IPSEC tunnel and also port forward IPSEC to internal server
                                            jayh Hall_of_Fame

                                            If the MAC server is expected to negotiate remote access VPNs from any random IP where the users happen to roam, it will need to accept connections from the public Internet. Its internal firewall should be set to only accept the ports and protocols you need. The inside of the encrypted tunnel negotiated between the MAC VPN server and its remote access users should go to the private side of the LAN, but the outside of the tunnel will need to accept connections from anywhere. Any remote access VPN server worth using should have sufficient internal security designed in to handle the expectation that its outside interface will be connected directly to the public Internet.

                                              • Re: Can I have an IPSEC tunnel and also port forward IPSEC to internal server
                                                mick Visitor

                                                Thank you jayh, I read the OP again and realised that the connection to the MAC server is meant to terminate a VPN tunnel from roadwarriors, irrespective of the VPN site-to-site tunnel to the Netvanta.  I had misread the requirement and assumed that a LAN connection to the MAC server from a VPN tunnel terminating at the Netvanta would be acceptable.  Sorry for the noise.

                                                 

                                                In this case, I can think of a couple of solutions.  One is as you suggested, to use a different public IP address and set up the MAC server to listen to it (directly, or in a DMZ, or by just forwarding ports 500,4500).  The Netvanta can manage the DMZ, or port forwarding, on a secondary public IP address, if this is desired.

                                                 

                                                Alternatively, the MAC VPN and clients can be configured on the same primary IP address as the Netvanta, but using different ports, e.g. XX500, X4500, which would be forwarded to the MAC's VPN server.  This assumes that the clients/MAC can be configured to use ports different from the default VPN ports.

                                                  • Re: Can I have an IPSEC tunnel and also port forward IPSEC to internal server
                                                    jayh Hall_of_Fame

                                                    mick wrote:

                                                     

                                                    In this case, I can think of a couple of solutions.  One is as you suggested, to use a different public IP address and set up the MAC server to listen to it (directly, or in a DMZ, or by just forwarding ports 500,4500).  The Netvanta can manage the DMZ, or port forwarding, on a secondary public IP address, if this is desired.

                                                    Directly through the Adtran would be a problem as the interface would be in the same subnet. You would need a layer-2 bridge, hence the idea of simply using a port on the cable modem. To have it go through the Adtran you could ask the cable company to set up a /30 link to the Adtran and then route the /28 LAN block to you. Most cable companies are difficult to work with in that regard but you might have success.

                                                     

                                                    Port-forwarding also gets messy as that involves NAT which tends to make the IPSec crypto configuration troublesome.

                                                     

                                                    Alternatively, the MAC VPN and clients can be configured on the same primary IP address as the Netvanta, but using different ports, e.g. XX500, X4500, which would be forwarded to the MAC's VPN server.  This assumes that the clients/MAC can be configured to use ports different from the default VPN ports.

                                                     

                                                    This will almost certainly fail. ARP will be unable to resolve the IP to a single layer 2 MAC (MAC address, not Macintosh) in the cable modem.

                                                     

                                                    If the remote access VPN server is designed to accept connections from anywhere on the Internet, the simplest solution is to let it do so by connecting it to the cable modem, ensuring that its internal firewall is adequate for the task and locking down management as appropriate.

                                              • Re: Can I have an IPSEC tunnel and also port forward IPSEC to internal server
                                                curtc New Member

                                                Facepalm..  It's a MAC mini with no 2nd NIC.

                                                Can the Adtran do the site-to-site VPN AND also do road warrior VPNs at the same time?