IPSec combined with portforwarding

[djoey1982]

I have a up and running IPSec tunnel between a Cisco 870 and an untangle machine in Routing mode.

I Also have 2 PortForward Rules for http and https. However it seems that HTTP and HTTPS traffic from the other end is also going through these portforward rules instead of going through the tunnel. All other traffic is OK. Is there anything I can do about this? Perhaps I have tried adding the source interface to the portforward rules but this doesn't matter, i have also tried unchecking the "Only NAT Wan Traffic" option. Also I have RDP Portforwarded, we also cannot RDP from the other end through the tunnel.

It works from our end to the other end because NAT and Tunnel traffic is properly seperated on the cisco.

[dmorris]

You are saying that traffic coming out of a tunnel is also subject to port forward or not subject to port forwarding?
It should be subject to port forwarding just like any other traffic. (In other words, any traffic coming out of a tunnel should be port forwarded if it matches)

If that isn't what you want you need to change your port forward to only match the traffic you want forwarded.

welcome to the forums.

[hlarsen]

if your tunnel is up and functioning properly, we'd love to see your settings so we can put them on the wiki =)

[sky-knight]

if your tunnel is up and functioning properly, we'd love to see your settings so we can put them on the wiki =)

Call Jim? He had IPSec working against an ASA back in beta.

[djoey1982]

I'll explain the situation a bit more.

We have 1 untangle machine in routed mode it has the internet routable IP on it's external interface. I have setup 3 port forwards to forward all http https and RDP traffic to an internal IP.

Next to that I have setup a site to site ipsec link:

Uncheck the NAT Traversal in the IPSEC Options

Connection Type: Tunnel
Auto Mode: Start
Interface: External
External IP: (The external IP address of this server)
Remote IP: (The public IP address of the remote IPsec gateway)
Local Network: (The private network attached to the local side of the tunnel)
Local IP: (The IP address of this server on the local private network)
Remote Network: (The private network attached to the remote side of the tunnel)
Perfect Forward Secrecy (PFS) : unchecked
Shared Secret : thisismysharedsecret

On the other end I have a cisco 870 series router set as follows:

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key thisismysharedsecret address [[UntangleExternalWanIP]]
crypto isakmp keepalive 10 periodic
crypto isakmp nat keepalive 10
!
!
crypto ipsec transform-set MyTransFormSetName esp-3des esp-sha-hmac
!
crypto ipsec profile MyIPSECProfileName
set transform-set MyTransFormSetName
!
!
crypto map MyCRMapName 1 ipsec-isakmp
description Tunnel To Untangle
set peer [[UntangleExternalWanIP]]
set security-association lifetime seconds 28800
set transform-set MyTransFormSetName
match address 118
!
interface FastEthernet4
description MyCiscoWANIP
ip address [[CiscoExternalWANIP]] [[Subnet]]
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map MyCRMapName
!
interface Vlan1
description CiscoLAN
ip address [[CiscoLAN]] [[subnet]]
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
access-list 118 permit ip [[CiscoLAN]] [[subnet]] [[UntangleLAN]] [[subnet]]

I'm unsure about the IPSEC Profile bit in the config i don't think you need it.
Also I had to reboot the untangle machine before the link came up.

Now back to the problem:

All http https and rdp traffic is portforwarded just fine when connecting to the external interface.
However all users on the other side of the IPSec link that go through the tunnel are also being portforwarded, but they connect for instance to an IP on our internal network via RDP or http or https which should only go through the tunnel and not be affected by portforwarding rules on the external interface. This is strange behaviour. Traffic through the tunnel shouldn't be portforwarded, portforwarding should only be applicable on traffic when it hits the external interface. With Cisco you can use routemaps to avoid this behaviour.

[dmorris]

All http https and rdp traffic is portforwarded just fine when connecting to the external interface.
However all users on the other side of the IPSec link that go through the tunnel are also being portforwarded, but they connect for instance to an IP on our internal network via RDP or http or https. This is strange behaviour. Traffic through the tunnel shouldn't be portforwarded, portforwarding should only be applicable on traffic when it hits the external interface. With Cisco you can use routemaps to avoid this behaviour.

This is Untangle not Cisco.
Port forwards apply to all traffic that match the port forward rule.
You should configure your rule such that it matches only the traffic you want to port forward.

read my post above for more information.

[djoey1982]

I'm sorry I must have overread your reply I have it up and running now.
I changed the portforwarding rules to advanced mode and added a destination address with the wan IP, this way connects through the tunnel on internal IP's are not subject to the forward.

Thanks for showing me the way..

btw if you want to use my config for the wiki it is okay.
It should work on all Cisco Routers which have the advance ip services and at least a 12.4 version. This is the version I have used:

Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(24)T3
RELEASE SOFTWARE (fc2)

[Fogozito]

im having a similar issue untangle forwards all https (default port) to it self

[sky-knight]

Untangle's remote admin operates on any IP address on the Untangle server. This means it owns that port, and forwards won't work as expected. This behavior can be modified in config -> networking -> advanced -> general -> Untangle Administration overrides port forwarding.

However, I don't recommend changing that setting unless you're very careful. It's possible to configure Untangle in such a way that you cannot access admin even from the local console if you make a mistake.

Your better option is to move the remote admin port off TCP 443 if you need to redirect it elsewhere.

[Fogozito]

Untangle's remote admin operates on any IP address on the Untangle server. This means it owns that port, and forwards won't work as expected. This behavior can be modified in config -> networking -> advanced -> general -> Untangle Administration overrides port forwarding.

However, I don't recommend changing that setting unless you're very careful. It's possible to configure Untangle in such a way that you cannot access admin even from the local console if you make a mistake.

Your better option is to move the remote admin port off TCP 443 if you need to redirect it elsewhere.

thanks i change it to 25443

i have appliances that uses https and now i can connect !!