[VPN Series 10] Thoughts on handling PPTP VPN traffic in a mixed NAT and firewall environment
It mainly involves two points:
1. How do the two routers perform NAT translation for PPTP traffic and the other traffic so that both keep communicating normally?
2. How does the ZFW configured on the two routers allow the translated PPTP traffic and the other communication through, so that everything keeps communicating normally?
Before NAT is configured, the remote address configured on the PPTP client when dialing is 172.18.10.1 (the real IP address of the PPTP server). After NAT is configured, it must be changed to the Internet-facing interface IP address of the center router, 200.0.30.2; otherwise the PPTP dial-up fails.
Key command (static port translation that forwards the PPTP control connection on TCP 1723 arriving at the Internet interface to the server; the matching GRE traffic is translated alongside it):
ip nat inside source static tcp 172.18.10.1 1723 interface S1/0 1723
Change the remote address to the Internet-facing interface address of the center router (200.0.10.2):
Dial successful:
Center.router# show ip nat translations
Pro Inside global        Inside local           Outside local          Outside global
tcp 200.0.10.2:1723      172.18.10.1:1723       172.18.101.3:50126     172.18.101.3:50126
tcp 200.0.10.2:1723      172.18.10.1:1723       172.18.101.3:50131     172.18.101.3:50131
tcp 200.0.10.2:1723      172.18.10.1:1723       ---                    ---
gre 200.0.10.2:3399      172.18.10.1:3399       172.18.101.3:3399      172.18.101.3:3399
gre 200.0.10.2:64527     172.18.10.1:64527      172.18.101.3:64527     172.18.101.3:64527
udp 200.0.10.2:50824     172.18.100.102:50824   221.228.255.1:53       221.228.255.1:53
Pptp.server# show vpdn
% No active L2TP tunnels

PPTP Tunnel and Session Information Total tunnels 1 sessions 1

LocID  Remote Name  State   Remote Address  Port   Sessions  VPDN Group
21945               estabd  172.18.101.3    50131  1         1

LocID  RemID  TunID  Intf   Username  State   Last Chg  Uniq ID
3399   64527  21945  Vi2.1  xuchen    estabd  00:00:16  3
Spoke.router# show ip nat translations
Pro Inside global        Inside local           Outside local          Outside global
gre 200.0.30.2:21210     172.18.101.3:21210     200.0.10.2:21210       200.0.10.2:21210
gre 200.0.30.2:26907     172.18.101.3:26907     200.0.10.2:26907       200.0.10.2:26907
tcp 200.0.30.2:50134     172.18.101.3:50134     200.0.10.2:1723        200.0.10.2:1723
udp 200.0.30.2:55197     172.18.101.3:55197     221.228.255.1:53       221.228.255.1:53
We can see that NAT translates both the PPTP control connection on TCP port 1723 and the associated GRE tunnel traffic, so PPTP communicates normally.
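A small verification check, added here and not part of the original post: it parses the column layout of "show ip nat translations" shown above (a constructed sample modelled on the center router's table) and reports, per remote peer, whether both the TCP/1723 control session and at least one GRE translation toward the PPTP server exist. A control session without GRE entries is the classic symptom of a NAT that only handles the TCP half of PPTP.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the article's center-router NAT table
# (third tcp row has no outside entries, as in the original output).
SAMPLE = """\
Pro Inside global      Inside local          Outside local        Outside global
tcp 200.0.10.2:1723    172.18.10.1:1723      172.18.101.3:50131   172.18.101.3:50131
tcp 200.0.10.2:1723    172.18.10.1:1723      ---                  ---
gre 200.0.10.2:3399    172.18.10.1:3399      172.18.101.3:3399    172.18.101.3:3399
gre 200.0.10.2:64527   172.18.10.1:64527     172.18.101.3:64527   172.18.101.3:64527
udp 200.0.10.2:50824   172.18.100.102:50824  221.228.255.1:53     221.228.255.1:53
"""

# One translation row: protocol followed by four address:port (or ---) columns.
ROW = re.compile(r"^(tcp|udp|gre)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$", re.I)


def parse_nat_table(text):
    """Return one dict per translation row; '---' columns become None."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header or blank line
        proto, ig, il, ol, og = m.groups()
        rows.append({"proto": proto.lower(), "inside_global": ig, "inside_local": il,
                     "outside_local": None if ol == "---" else ol,
                     "outside_global": None if og == "---" else og})
    return rows


def pptp_status(rows, server_inside_local):
    """Per remote peer: is the TCP/1723 control session present, how many GRE
    translations exist, and is the pair complete (ok)? Both halves are required;
    with the control session alone the dial-up stalls once GRE data starts."""
    peers = defaultdict(lambda: {"control": False, "gre": 0})
    for r in rows:
        if not r["inside_local"].startswith(server_inside_local + ":"):
            continue  # translation for some other inside host
        if r["outside_global"] is None:
            continue  # static entry with no active peer
        peer = r["outside_global"].rsplit(":", 1)[0]
        if r["proto"] == "tcp" and r["inside_local"].endswith(":1723"):
            peers[peer]["control"] = True
        elif r["proto"] == "gre":
            peers[peer]["gre"] += 1
    return {p: dict(v, ok=v["control"] and v["gre"] > 0) for p, v in peers.items()}
```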
How does the firewall let the traffic through? It is a similar process: as long as the traffic belonging to the PPTP process is permitted, the configuration works.
The key is the TCP port 1723 control connection and the GRE traffic.
ip access-list extended pptp
 permit gre any any
 permit tcp any any eq 1723
class-map type inspect match-any in.out.class
 match protocol icmp
 match access-group name pptp.gre
 match protocol tcp
 match protocol udp
class-map type inspect match-all out.in.class
 match access-group name pptp

policy-map type inspect in.out.po
 class type inspect in.out.class
  pass
 class class-default
  drop
policy-map type inspect out.in.po
 class type inspect out.in.class
  pass
 class class-default
  drop
After the traffic has passed through the firewall, the following is shown:
Center.router# show policy-map ty inspect zone-pair se

Policy exists on zp out.in.pair
 Zone-pair: out.in.pair
 Service-policy inspect : out.in.po

  Class-map: all.traffic.class (match-any)
   Match: protocol icmp
    0 packets, 0 bytes
    30 second rate 0 bps
   Match: protocol tcp
    1 packets, 32 bytes
    30 second rate 0 bps
   Match: protocol udp
    0 packets, 0 bytes
    30 second rate 0 bps
   Inspect
    Number of Established Sessions = 1
    Established Sessions
     Session 68A43F20 (200.0.30.2:50352)=>(172.18.10.1:1723) tcp SIS_OPEN/TCP_ESTAB
      Created 00:02:09 and Last heard 00:00:08
      Bytes sent (initiator:responder) [408:224]

  Class-map: pptp.class (match-all)
   Match: access-group name pptp
   Pass
    176 packets, 13735 bytes

  Class-map: class-default (match-any)
   Match: any
   Drop
    0 packets, 0 bytes

Policy exists on zp in.out.pair
 Zone-pair: in.out.pair
 Service-policy inspect : in.out.po

  Class-map: all.traffic.class (match-any)
   Match: protocol icmp
    0 packets, 0 bytes
    30 second rate 0 bps
   Match: protocol tcp
    3 packets, 600 bytes
    30 second rate 0 bps
   Match: protocol udp
    0 packets, 0 bytes
    30 second rate 0 bps
   Inspect

  Class-map: pptp.class (match-all)
   Match: access-group name pptp
   Pass
    37 packets, 1977 bytes

  Class-map: class-default (match-any)
   Match: any
   Drop
    0 packets, 0 bytes

Policy exists on zp out.self.pair
 Zone-pair: out.self.pair
 Service-policy inspect : out.self.po

  Class-map: out.access.class (match-all)
   Match: access-group name out.access
   Pass
    72 packets, 1592 bytes

  Class-map: pptp.class (match-all)
   Match: access-group name pptp
   Pass
    0 packets, 0 bytes

  Class-map: class-default (match-any)
   Match: any
   Drop
    5 packets, 400 bytes
The above shows the session information created after the PPTP client dials in successfully. The key to the ZFW firewall configuration lies in three directions:
1. traffic from the inside zone towards the outside (in.out.pair)
2. traffic from the outside zone towards the inside (out.in.pair)
3. traffic destined to the router itself (the self zone, out.self.pair)
When configuring the class-maps, consider which traffic should be allowed in each direction.
When configuring the policy-maps, consider which action each class of traffic should receive: inspect, pass, or drop.
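An added operational check, not part of the original post: it walks the "show policy-map type inspect zone-pair sessions" output (a constructed excerpt modelled on the center router's output above) and records, per zone pair and class-map, the action and its packet counter, then flags zone pairs where class-default dropped packets, which means some traffic in that direction matched none of the permitted classes. It assumes the indentation shown above, where the counter under an action line belongs to that action and counters under "Match:" lines are per-match statistics.

```python
import re

# Constructed excerpt modelled on the article's zone-pair session output.
SAMPLE = """\
 Zone-pair: out.in.pair
  Class-map: all.traffic.class (match-any)
   Match: protocol tcp
    1 packets, 32 bytes
   Inspect
  Class-map: pptp.class (match-all)
   Pass
    176 packets, 13735 bytes
  Class-map: class-default (match-any)
   Drop
    0 packets, 0 bytes
 Zone-pair: out.self.pair
  Class-map: out.access.class (match-all)
   Pass
    72 packets, 1592 bytes
  Class-map: class-default (match-any)
   Drop
    5 packets, 400 bytes
"""

ZP = re.compile(r"^\s*Zone-pair:\s+(\S+)")
CM = re.compile(r"^\s*Class-map:\s+(\S+)")
ACT = re.compile(r"^\s*(Inspect|Pass|Drop)\s*$")
CNT = re.compile(r"^\s*(\d+) packets, (\d+) bytes")


def parse_zone_pairs(text):
    """Return {zone_pair: {class_map: {"action": str|None, "packets": int}}}.
    Only the counter directly below an action line is kept; counters below
    'Match:' lines are per-match statistics and are skipped."""
    result, zp, cm, after_action = {}, None, None, False
    for line in text.splitlines():
        if m := ZP.match(line):
            zp, cm = result.setdefault(m.group(1), {}), None
        elif (m := CM.match(line)) and zp is not None:
            cm = zp.setdefault(m.group(1), {"action": None, "packets": 0})
            after_action = False
        elif (m := ACT.match(line)) and cm is not None:
            cm["action"], after_action = m.group(1).lower(), True
        elif (m := CNT.match(line)) and after_action:
            cm["packets"], after_action = int(m.group(1)), False
    return result


def dropped_in_default(zone_pairs):
    """Zone pairs whose class-default dropped packets: traffic no class let through."""
    return {name: cls["class-default"]["packets"] for name, cls in zone_pairs.items()
            if cls.get("class-default", {}).get("action") == "drop"
            and cls["class-default"]["packets"] > 0}
```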
Conclusion:
That basically completes the setup. The traffic translation path between the PPTP server and the client comes down to permitting TCP 1723 and GRE traffic. In addition, ZFW is an interface-based firewall technology: the most important step is assigning interfaces to zones and confirming which interface belongs to which zone. Several interfaces can belong to the same zone; interfaces in the same zone communicate without any policy being configured; traffic between different zones is denied by default and must be permitted explicitly by a policy; traffic on an interface that belongs to no zone is not affected. Because ZFW policy is built on interface zone membership, this step is very important.
This article is from the "server & security" blog; please keep this source: http://ciscoart.blog.51cto.com/1066670/866354