  1. #1
    Newbie
    Join Date
    Sep 2011
    Posts
    5

    Default IPSec combined with portforwarding

    I have an up and running IPSec tunnel between a Cisco 870 and an Untangle machine in Routing mode.

    I also have 2 port forward rules for HTTP and HTTPS. However, it seems that HTTP and HTTPS traffic from the other end is also going through these port forward rules instead of going through the tunnel. All other traffic is OK. Is there anything I can do about this? Perhaps I have tried adding the source interface to the port forward rules, but this doesn't matter; I have also tried unchecking the "Only NAT WAN Traffic" option. Also, I have RDP port forwarded, and we also cannot RDP from the other end through the tunnel.

    It works from our end to the other end because NAT and tunnel traffic is properly separated on the Cisco.

  2. #2
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486

    Default

    You are saying that traffic coming out of a tunnel is also subject to port forward or not subject to port forwarding?
    It should be subject to port forwarding just like any other traffic. (In other words, any traffic coming out of a tunnel should be port forwarded if it matches)

    If that isn't what you want you need to change your port forward to only match the traffic you want forwarded.

    Welcome to the forums.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    some dude hlarsen's Avatar
    Join Date
    Jul 2010
    Location
    sfba
    Posts
    1,384

    Default

    If your tunnel is up and functioning properly, we'd love to see your settings so we can put them on the wiki =)

  4. #4
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,517

    Default

    Quote Originally Posted by hlarsen View Post
    If your tunnel is up and functioning properly, we'd love to see your settings so we can put them on the wiki =)
    Call Jim? He had IPSec working against an ASA back in beta.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5
    Newbie
    Join Date
    Sep 2011
    Posts
    5

    Default

    I'll explain the situation a bit more.

    We have 1 Untangle machine in routed mode; it has the internet routable IP on its external interface. I have set up 3 port forwards to forward all HTTP, HTTPS and RDP traffic to an internal IP.

    Next to that I have set up a site-to-site IPsec link:

    Uncheck the NAT Traversal in the IPSEC Options

    Connection Type: Tunnel
    Auto Mode: Start
    Interface: External
    External IP: (The external IP address of this server)
    Remote IP: (The public IP address of the remote IPsec gateway)
    Local Network: (The private network attached to the local side of the tunnel)
    Local IP: (The IP address of this server on the local private network)
    Remote Network: (The private network attached to the remote side of the tunnel)
    Perfect Forward Secrecy (PFS) : unchecked
    Shared Secret : thisismysharedsecret

    On the other end I have a cisco 870 series router set as follows:

    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key thisismysharedsecret address [[UntangleExternalWanIP]]
    crypto isakmp keepalive 10 periodic
    crypto isakmp nat keepalive 10
    !
    !
    crypto ipsec transform-set MyTransFormSetName esp-3des esp-sha-hmac
    !
    crypto ipsec profile MyIPSECProfileName
     set transform-set MyTransFormSetName
    !
    !
    crypto map MyCRMapName 1 ipsec-isakmp
     description Tunnel To Untangle
     set peer [[UntangleExternalWanIP]]
     set security-association lifetime seconds 28800
     set transform-set MyTransFormSetName
     match address 118
    !
    interface FastEthernet4
     description MyCiscoWANIP
     ip address [[CiscoExternalWANIP]] [[Subnet]]
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map MyCRMapName
    !
    interface Vlan1
     description CiscoLAN
     ip address [[CiscoLAN]] [[subnet]]
     ip nat inside
     ip virtual-reassembly
     ip tcp adjust-mss 1452
    !
    access-list 118 permit ip [[CiscoLAN]] [[subnet]] [[UntangleLAN]] [[subnet]]

    I'm unsure about the IPSEC profile bit in the config; I don't think you need it.
    Also I had to reboot the untangle machine before the link came up.

    Now back to the problem:

    All HTTP, HTTPS and RDP traffic is port forwarded just fine when connecting to the external interface.
    However, all users on the other side of the IPSec link that go through the tunnel are also being port forwarded, but they connect for instance to an IP on our internal network via RDP, HTTP or HTTPS, which should only go through the tunnel and not be affected by port forwarding rules on the external interface. This is strange behaviour. Traffic through the tunnel shouldn't be port forwarded; port forwarding should only be applicable to traffic when it hits the external interface. With Cisco you can use route-maps to avoid this behaviour.
    Last edited by djoey1982; 09-19-2011 at 11:36 PM.

  6. #6
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486

    Default

    Quote Originally Posted by djoey1982 View Post
    All HTTP, HTTPS and RDP traffic is port forwarded just fine when connecting to the external interface.
    However, all users on the other side of the IPSec link that go through the tunnel are also being port forwarded, but they connect for instance to an IP on our internal network via RDP, HTTP or HTTPS. This is strange behaviour. Traffic through the tunnel shouldn't be port forwarded; port forwarding should only be applicable to traffic when it hits the external interface. With Cisco you can use route-maps to avoid this behaviour.
    This is Untangle not Cisco.
    Port forwards apply to all traffic that match the port forward rule.
    You should configure your rule such that it matches only the traffic you want to port forward.

    read my post above for more information.
    Last edited by dmorris; 09-19-2011 at 11:42 PM.

  7. #7
    Newbie
    Join Date
    Sep 2011
    Posts
    5

    Default

    I'm sorry, I must have overlooked your reply. I have it up and running now.
    I changed the port forwarding rules to advanced mode and added a destination address with the WAN IP; this way connections through the tunnel to internal IPs are not subject to the forward.

    Thanks for showing me the way..

    By the way, if you want to use my config for the wiki, that is okay.
    It should work on all Cisco routers which have the Advanced IP Services feature set and at least IOS version 12.4. This is the version I have used:

    Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(24)T3
    RELEASE SOFTWARE (fc2)
    Last edited by djoey1982; 09-20-2011 at 03:26 AM.
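    The fix described above, as a small added model (not Untangle's own code): a port forward that matches on destination port alone also catches decrypted tunnel traffic headed for an internal host, while the "advanced mode" rule that additionally requires the destination address to be the WAN IP leaves tunnel traffic alone. All addresses are constructed sample values, and "first matching rule wins" is an assumption of the model.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import List, Optional

# Constructed sample addresses (assumptions, not the thread's real values).
WAN_IP = ip_address("203.0.113.10")          # Untangle external interface
FORWARD_TARGET = ip_address("192.168.1.50")  # internal web/RDP host behind Untangle


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class PortForward:
    dport: int
    new_dst: IPv4Address
    dst_addr: Optional[IPv4Address] = None  # None = any destination address (the loose rule)

    def matches(self, pkt: Packet) -> bool:
        if pkt.dport != self.dport:
            return False
        return self.dst_addr is None or pkt.dst == self.dst_addr


def apply_forwards(pkt: Packet, rules: List[PortForward]) -> IPv4Address:
    """Destination the packet ends up at after the first matching rule (or unchanged)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.new_dst
    return pkt.dst


# The original rule (port only) versus the fixed rule (port AND destination = WAN IP).
LOOSE = [PortForward(443, FORWARD_TARGET)]
STRICT = [PortForward(443, FORWARD_TARGET, dst_addr=WAN_IP)]

# Constructed traffic: one flow from the Internet to the WAN IP, one decrypted out of the tunnel.
INTERNET_TO_WAN = Packet(ip_address("198.51.100.7"), WAN_IP, 443)
TUNNEL_TO_LAN = Packet(ip_address("10.10.0.25"), ip_address("192.168.1.20"), 443)


def compare() -> dict:
    return {
        "internet_loose": apply_forwards(INTERNET_TO_WAN, LOOSE),    # forwarded, as intended
        "tunnel_loose": apply_forwards(TUNNEL_TO_LAN, LOOSE),        # hijacked to 192.168.1.50
        "internet_strict": apply_forwards(INTERNET_TO_WAN, STRICT),  # still forwarded
        "tunnel_strict": apply_forwards(TUNNEL_TO_LAN, STRICT),      # reaches 192.168.1.20
    }
```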

  8. #8
    Untangler
    Join Date
    Jul 2009
    Posts
    64

    Default

    I'm having a similar issue: Untangle forwards all HTTPS (default port) to itself.

  9. #9
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,517

    Default

    Untangle's remote admin operates on any IP address on the Untangle server. This means it owns that port, and forwards won't work as expected. This behavior can be modified in config -> networking -> advanced -> general -> Untangle Administration overrides port forwarding.

    However, I don't recommend changing that setting unless you're very careful. It's possible to configure Untangle in such a way that you cannot access admin even from the local console if you make a mistake.

    Your better option is to move the remote admin port off TCP 443 if you need to redirect it elsewhere.

  10. #10
    Untangler
    Join Date
    Jul 2009
    Posts
    64

    Default

    Quote Originally Posted by sky-knight View Post
    Untangle's remote admin operates on any IP address on the Untangle server. This means it owns that port, and forwards won't work as expected. This behavior can be modified in config -> networking -> advanced -> general -> Untangle Administration overrides port forwarding.

    However, I don't recommend changing that setting unless you're very careful. It's possible to configure Untangle in such a way that you cannot access admin even from the local console if you make a mistake.

    Your better option is to move the remote admin port off TCP 443 if you need to redirect it elsewhere.
    Thanks, I changed it to 25443.

    I have appliances that use HTTPS and now I can connect!!
