Is it hard to tunnel thru a cisco router if you don't have access to the router. I want to be able to access my computer from home but there's a stupid firewall in the way. How would I make it so I could get thru it.:confused:
It's easy. You need something that does port forwarding (stunnel is best, if you can get it on your platform) to be run on the machine you're using, and the remote machine. So say you wanted to use Oracle's SQL*Net (port 66) from your work machine to your home machine, but the firewall only allowed outgoing connections on port 80 (http - WWW). You already have the server (Oracle listener) set up on your home machine, listening on port 66. You'd use stunnel to set up the tunnel like this:
Code:
+------------------------------------+
| Work                               |
|                                    |
| SQL*Net--66--stunnel--80-----------+--+
+------------------------------------+  |
                                        |
                                        |
                                  +----------+
                                  | Firewall |
                                  +----------+
                                        |
                                        |
+-----------------------------------+   |
| Home                              |   |
|                                   |   |
| Oracle Listener--66--stunnel--80--+---+
+-----------------------------------+
(Note that you cannot run a web server on your home machine in this scenario, as stunnel is already running on port 80.)
All of the above is not specific to stunnel, you can use any port redirector you want. The below is specific to stunnel.
The commands you would run to set up the above tunnel are:
Code:
home:# stunnel -c -d localhost:80 -r localhost:66
work:# stunnel -c -d localhost:66 -r home.example.com:80
Enjoy!
j3r is right. There are also a lot of other apps for remote desktoping and VPN. You can set most of them to use certain ports (ones that the router doesn't block) and it works great, just google for some. I do it from college to my comp but I just use Microsoft's stuff...
Hi All;
Since someone brought up VPN and tunnelling....
I have a VPN problem.....
My telco uses a nonroutable IP between me and my ISP. Example: my computer - 192.168.113.5 - Router at my ISP
Problem.... If trying to use VPN to a remote computer via my ADSL circuit...no go....
I can and do use port forwarding for my web/mail server here at my shop and several other functions... no problem...
Even a Game Server will work....
But no VPN......
Ideas ???? Work arounds ????
And no... my Telco will not fix it and both my ISP and myself have tried ....
I use a Linksys router and a Pairgain Modem to my ADSL circuit
My ISP uses a Cisco router on his side of the link to the ADSL DSLAM
We do not have control of that nonroutable IP address....
Thanks
I don't know much about VPNs yet, but I would think that they would have to configure their perimeter router to allow VPN passthrough and port forward it to your IP.
Something which I think they wouldn't do. Now I might be wrong, but I think that's right.
cheyenne1212, you are, unfortunately, right. I believe some VPN solutions have noticed that this is a problem, and tunnel the VPN connection through port 80. (I think Cisco does this?)
One laughably complex solution might be to run a tunnel to a machine outside your ISP, and try to route the VPN traffic through there. That would, of course, require that your VPN software used vanilla TCP, which it probably doesn't.
If there is a firewall between you and your home PC, then how would stunnel help?
If the firewall is of any quality, then it will block all incoming connections that aren't associated with a connection that is made from the inside first. So unless you have access to that firewall to open those ports then you won't be able to do much.
Ports will need to be opened on the firewall of the side that you are connecting to. I guess if you had software that could connect to your remote machine from your house, then you would be all set.
I don't know..it's 12:15am, and I've slept maybe 5 hours in the last week, so maybe I'm misunderstanding the question. My apologies if I am.
Well creating a real vpn through a cisco does not depend on port ranges... The vpn is conf'ed in such a way that you mask the vpn ip addresses from the rest of the internet. This is usually done via the BGP routing protocol and a switch that supports the vlan function. Then when all that is conf'ed you set up a few access lists and you have a vlan. This is secure and since nobody from the internet has access to your ip address you can't be hacked...
Instead of buying expensive software or hardware that can make a "vpn" on port 80 (or whatever) you might as well use a good remote pc program. They might call it vpn but it's as far from it as can be, especially if it runs on port 80, which is one of the first ports to be scanned by the most crappy of port sniffers.
In all cases you're a bit screwed if you don't have access to the firewall since you can't forward any ports inc. port 80 to your internal ip address
+------------------------------------+
| Work                               |
|                                    |
| SQL*Net--66--stunnel--80-----------+--+   outgoing will work fine
+------------------------------------+  |
                                        |
                                        v
                                  +----------+
                                  | Firewall |
                                  +----------+
                                        T
                                        |
+-----------------------------------+   |
| Home                              |   |
| Oracle                            |   |
| Listener--66--stunnel--80---------+---+   Incoming traffic will NOT be forwarded
+-----------------------------------+       unless the firewall is conf'ed
But then again it might be that the home computer opens the connection and keeps it open, so that you may connect to it remotely... But I wouldn't count on it.
If you can get access to the firewall or have the firewall admin make the changes for you it would be easier.. But without the ability to forward ports nothing big will happen no matter what solution you decide to try out.
Quote:
Originally posted here by Highlander
Hi All;
Since someone brought up VPN and tunnelling....
I have a VPN problem.....
My telco uses a nonroutable IP between me and my ISP. Example: my computer - 192.168.113.5 - Router at my ISP
Problem.... If trying to use VPN to a remote computer via my ADSL circuit...no go....
I can and do use port forwarding for my web/mail server here at my shop and several other functions... no problem...
Even a Game Server will work....
But no VPN......
Ideas ???? Work arounds ????
And no... my Telco will not fix it and both my ISP and myself have tried ....
I use a Linksys router and a Pairgain Modem to my ADSL circuit
My ISP uses a Cisco router on his side of the link to the ADSL DSLAM
We do not have control of that nonroutable IP address....
Thanks
When you try the VPN you are encapsulating the packets twice. This will probably not work unless you can figure out some way on the destination firewall to tell where the return packets should go.
Also make sure anything to do with IPSEC and/or PPTP passthru is turned on at the local routers. Port forwarding has nothing to do with VPN because the packets are encrypted from the gateway (the device or your machine with the software loaded).
Quote:
Originally posted here by cbo
..... The vpn is conf'ed in such a way that you mask the vpn ip addresses from the rest of the internet. This is usually done via the BGP routing protocol and a switch that supports the vlan function. Then when all that is conf'ed you set up a few access lists and you have a vlan. This is secure and since nobody from the internet has access to your ip address you can't be hacked...
Please tell me you are talking about the VPN that Highlander posted about.
if not...you seriously need to put down that crack pipe.
A VPN does not need BGP or VLANs to make a successful connection. Can you do it? Yes. Is it required? No.
again...if you're talking about Highlander's VPN issue, then disregard this post.
With regard to the BGP &c., that only applies (AFAIK) to VPNs that terminate on the router. So, if one of your ISPs is friendly, they can help you out. Otherwise, that is not relevant to the current discussion. (Not that it isn't useful, mind you.)
One thing that I do not know about Highlander and embalmedlenin's situation is this: which endpoints are accessible to the internet, and do you control any other hosts that are on an open network? You're going to need at least one non-NAT'd box to route your communications. If it's one of the endpoints, then you establish the tunnel connection from the other box. If neither of the endpoints are directly accessible, you're going to need a 3rd, accessible host to maintain the tunnel. For instance:
Code:
                  +----------+  +-------------+  +----------+
endpoint1 -- 80 --|----------|->|<----------->|<-|----------|-- 443 -- endpoint2
                  | firewall |  | 3rd machine |  | firewall |
                  +----------+  +-------------+  +----------+
If this is the case, then I withdraw my earlier claim of "easy". I mean, it's still technically pretty easy, but it's definitely a PITA.
embalmedlenin doesn't have access to the router or the FW to config tunnels. He wants to break into his high school network from home unauthorized and access his computer or the network in general. He's not an admin, just a user on the network (maybe).
http://www.antionline.com/showthread...595#post681622
what you're looking for is more like this:
Gaining an interactive shell through SSL tunneling
http://www.antionline.com/showthread...hreadid=250494
What you can accomplish with this is expulsion from school and possible jail time. I'm not judging you, just warning you. If you want to learn this stuff do it on a home network. Set up a lab. If you just go ahead and do it you may just stick out like a sore thumb and get caught like a fool.
Quote:
Gaining an interactive shell through SSL tunneling
If I may continue with this thought, any FW admin worth his salt will be watching for this. Hint, hint.
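What "watching for this" looks like on the firewall side, as an added example that is not from any poster in this thread: a firewall or IDS that sees TCP port 80 can check whether the first client bytes are actually an HTTP request line. An SSL tunnel on port 80 (stunnel, as in j3r's diagram) starts with a TLS ClientHello instead, which is a port/protocol mismatch worth an alert. The flows below are constructed for the demo; the heuristic, the function names and the sample addresses are mine, not from the thread or from any firewall product.

```python
"""Flag TCP flows to port 80 whose first client bytes are not HTTP.

Added example (not from the thread). Sample flows are constructed.
"""
import re

# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT|PATCH) \S+ HTTP/1\.[01]\r?\n"
)


def classify_first_bytes(payload: bytes) -> str:
    """Classify the first client-to-server bytes of a TCP flow."""
    if not payload:
        return "empty"
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x0x,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls-clienthello"
    if payload.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


def find_port_mismatches(flows):
    """Return (client, server, classification) for port-80 flows that are not HTTP."""
    alerts = []
    for client, server, dport, first_bytes in flows:
        if dport != 80:
            continue  # only the "must be HTTP" port is policed here
        kind = classify_first_bytes(first_bytes)
        if kind != "http":
            alerts.append((client, server, kind))
    return alerts


# Constructed sample flows: (client, server, destination port, first client bytes)
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 80, b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
    # TLS ClientHello on port 80: what an SSL tunnel over the "web" port looks like
    ("10.0.0.7", "198.51.100.20", 80, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    # TLS on 443 is normal and is not inspected by this rule
    ("10.0.0.9", "192.0.2.30", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    ("10.0.0.11", "203.0.113.40", 80, b"SSH-2.0-OpenSSH_7.4\r\n"),
]

if __name__ == "__main__":
    for alert in find_port_mismatches(SAMPLE_FLOWS):
        print("port/protocol mismatch:", alert)
```

A proxy-aware firewall of the kind mentioned earlier in the thread enforces the same idea inline: if port 80 must carry HTTP, a flow that opens with a TLS record or an SSH banner is refused rather than merely logged.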
Most FW admins are not worth their salt. :-/
you don't need BGP for any sort of VPN. BGP is an external routed protocol. It advertises routes to its neighbors in the given AS number (Autonomous System). I don't understand how BGP would be needed. I've set up many router-to-router and firewall-to-router VPNs; BGP wasn't used in any of the solutions, and some of them even crossed multiple carriers.
ISPs use BGP to advertise their routes to their upstream providers, other carriers and/or sometimes their customers (i.e. someone wants to load balance two T-1 circuits.)
In short. Whatever host you are connecting to, the firewall needs to have ports opened for it.
Any port forwarders or anything like that won't help, because the machine you are connecting to is LISTENING on some port. Unless it makes an outgoing connection first that you can ride in on or take control of, then it ain't happening. Most firewalls will drop connections initiated from the outside, unless the appropriate ports are opened and traffic is allowed.
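The two firewall behaviours argued about in this thread, as an added example that is not from any poster here: a stateful filter lets an inside host open a flow and lets the replies to that flow back in, but drops a connection that starts from the outside (tekno's and the earlier "of any quality" post), and IPsec ESP has no port numbers, so without the "IPSEC passthru" setting ProffesorD mentions the box has nothing to match a VPN reply against. The model, the class and function names and the addresses are my own constructed illustration; 192.168.113.x is reused from Highlander's post as the non-routable side.

```python
"""Toy stateful firewall with optional IPsec (ESP) passthrough.

Added example, not from the thread. Packets and addresses are constructed.
"""
from dataclasses import dataclass

TCP, UDP, ESP = 6, 17, 50          # IP protocol numbers
INSIDE_NET = "192.168.113."        # the non-routable side, as in Highlander's post


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0                 # 0 for protocols that carry no ports (ESP)
    dport: int = 0


class StatefulFirewall:
    """Allows traffic initiated from inside and its replies; drops the rest."""

    def __init__(self, ipsec_passthrough: bool = False):
        self.ipsec_passthrough = ipsec_passthrough
        self.flows = set()         # (proto, inside_ip, inside_port, outside_ip, outside_port)
        self.esp_peers = set()     # (inside_ip, outside_ip) seen when passthrough is on

    @staticmethod
    def _inside(ip: str) -> bool:
        return ip.startswith(INSIDE_NET)

    def filter(self, p: Packet) -> str:
        outbound = self._inside(p.src) and not self._inside(p.dst)
        if p.proto in (TCP, UDP):
            if outbound:
                self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))  # create state
                return "allow"
            if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
                return "allow"     # reply to a flow opened from inside
            return "drop"          # unsolicited inbound, e.g. a SYN from work to home
        if p.proto == ESP:
            if outbound:
                if self.ipsec_passthrough:
                    self.esp_peers.add((p.src, p.dst))  # track by peer, there are no ports
                return "allow"
            if self.ipsec_passthrough and (p.dst, p.src) in self.esp_peers:
                return "allow"
            return "drop"          # no port pair to match the VPN reply against
        return "drop"


def run_scenarios():
    """Verdicts for the situations discussed in the thread (constructed addresses)."""
    fw = StatefulFirewall()
    unsolicited = fw.filter(Packet(TCP, "203.0.113.7", "192.168.113.5", 40000, 80))
    fw.filter(Packet(TCP, "192.168.113.5", "203.0.113.7", 50000, 80))   # inside opens a flow
    reply = fw.filter(Packet(TCP, "203.0.113.7", "192.168.113.5", 80, 50000))
    fw.filter(Packet(ESP, "192.168.113.5", "198.51.100.9"))            # VPN tunnel outbound
    esp_reply_no_pt = fw.filter(Packet(ESP, "198.51.100.9", "192.168.113.5"))

    fw_pt = StatefulFirewall(ipsec_passthrough=True)
    fw_pt.filter(Packet(ESP, "192.168.113.5", "198.51.100.9"))
    esp_reply_pt = fw_pt.filter(Packet(ESP, "198.51.100.9", "192.168.113.5"))

    return {
        "unsolicited_inbound": unsolicited,
        "reply_to_outbound": reply,
        "esp_reply_without_passthrough": esp_reply_no_pt,
        "esp_reply_with_passthrough": esp_reply_pt,
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

The model deliberately ignores sequence numbers, timeouts and NAT address rewriting; it only shows why "the firewall needs to have ports opened" for an inbound listener, and why a port-less tunnel protocol needs its own tracking (the passthrough switch) to get its replies home.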
tekno: I would not be surprised if some Cisco VPN solutions used BGP to open up various VLANs based on your VPN credentials.
That said, yeah, you're generally right.
I don't want to go beyond the scope of this thread, but technically, you could use BGP to distribute VPN routing information for an MPLS-VPN solution for example, but that includes work on your provider's side, and I highly doubt they will do that just so one little customer can connect to some machine. Still you would have to configure both endpoints.
j3r: can you explain how BGP would be used to open VLANS based on your VPN credentials?
Basically what you said, I imagine internal routers get BGP info from the VPN server to determine what ports to open to what VLANs. I haven't actually seen this done, but imagine it might be done on a big korporate LAN.
VPN servers wouldn't hand out BGP routing updates. That would all happen on the routers which would be BGP neighbors.
The best way to do it would be to put your VPN server in a DMZ and set your client software to connect to that IP address. If you were doing a router-to-router or firewall-to-firewall or even a router-to-firewall VPN, then both sides would have their crypto peers defined so it will know where to go. It would know where to go once it hits the router and the router looks up in its routing table where to send the packet. BGP or any routing protocol is transparent to the actual VPN connection itself.