  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 423

Can someone help me with my VPN and access list?

I set up a site-to-site VPN and all works well, but for some reason when I apply my access list 111 I am able to ping both sides of the internal network for about 5 minutes, then I lose connectivity to the internet on both sides (RouterA and RouterB).
--------------
ROUTER A:
--------------

CARC1.CR1.1#sh run
Building configuration...

Current configuration : 5280 bytes
!
! Last configuration change at 21:26:56 PST Wed Feb 11 2009
! NVRAM config last updated at 00:09:26 PST Wed Feb 11 2009
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CARC1.CR1.1
!
boot-start-marker
boot-end-marker
!
enable secret 5 ******************
!
no aaa new-model
clock timezone PST -8
clock summer-time PDT recurring
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.100.50.1 10.100.50.99
ip dhcp excluded-address 10.100.51.1 10.100.51.99
ip dhcp excluded-address 10.100.10.1 10.100.10.99
ip dhcp excluded-address 10.100.20.1 10.100.20.99
ip dhcp excluded-address 10.100.21.1 10.100.21.99
ip dhcp excluded-address 10.100.11.1 10.100.11.99
!
ip dhcp pool VoIP
   network 10.100.50.0 255.255.255.0
   dns-server 4.2.2.2
   default-router 10.100.50.1
   option 150 ip 10.100.50.2
!
ip dhcp pool Vonage
   network 10.100.51.0 255.255.255.0
   dns-server 4.2.2.2
   default-router 10.100.51.1
!
ip dhcp pool Wireless
   network 10.100.20.0 255.255.255.0
   dns-server 4.2.2.2
   default-router 10.100.20.1
!
ip dhcp pool Guest_Wireless
   network 10.100.21.0 255.255.255.0
   dns-server 4.2.2.2
   default-router 10.100.21.1
!
ip dhcp pool Servers
   network 10.100.10.0 255.255.255.0
   dns-server 4.2.2.2
   default-router 10.100.10.1
!
ip dhcp pool Workstations
   network 10.100.11.0 255.255.255.0
   dns-server 4.2.2.2
   default-router 10.100.11.1
!
!
ip inspect name Firewall tcp
ip inspect name Firewall udp
ip inspect name Firewall http
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!        
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ****************** address 69.231.46.244
!
!
crypto ipsec transform-set HSNC esp-3des esp-sha-hmac
!
crypto map HSNC 10 ipsec-isakmp
 ! Incomplete
 set peer 69.231.46.244
 set transform-set HSNC
 set pfs group2
 match address 111
!
!
!
!
interface FastEthernet0/0
 description Connection to AT&T
 ip address dhcp
 ip nat outside
 ip inspect Firewall out
 ip virtual-reassembly
 speed 100
 full-duplex
 crypto map HSNC
!
interface FastEthernet1/0
 description VoIP Ports
 switchport access vlan 50
 spanning-tree portfast
!
interface FastEthernet1/1
 description VoIP Ports
 switchport access vlan 50
 spanning-tree portfast
!
interface FastEthernet1/2
 description VoIP Ports
 switchport access vlan 50
 spanning-tree portfast
!
interface FastEthernet1/3
 description VoIP Ports
 switchport access vlan 50
 spanning-tree portfast
!
interface FastEthernet1/4
 description VoIP Ports
 switchport access vlan 50
 spanning-tree portfast
!
interface FastEthernet1/5
 description VoIP Ports
 switchport access vlan 50
 spanning-tree portfast
!
interface FastEthernet1/6
 description VoIP Ports
 switchport access vlan 50
 spanning-tree portfast
!
interface FastEthernet1/7
 description VoIP Ports
 switchport access vlan 50
 spanning-tree portfast
!
interface FastEthernet1/8
 description Uplink to SW1
 switchport mode trunk
 spanning-tree portfast
!
interface FastEthernet1/9
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet1/10
 description Vonage Port
 switchport access vlan 51
 spanning-tree portfast
!
interface FastEthernet1/11
 switchport access vlan 10
 spanning-tree portfast
!
interface FastEthernet1/12
 spanning-tree portfast
!
interface FastEthernet1/13
 spanning-tree portfast
!
interface FastEthernet1/14
 spanning-tree portfast
!
interface FastEthernet1/15
 switchport access vlan 11
 spanning-tree portfast
!
interface Vlan1
 description Private Lan
 ip address 10.100.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan10
 description IPTV Vlan
 ip address 10.100.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan11
 description VM Vlan
 ip address 10.100.11.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan20
 description Wireless Vlan
 ip address 10.100.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan21
 description Guest Wireless
 ip address 10.100.21.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 rate-limit input 2048000 375000 375000 conform-action transmit exceed-action drop
 rate-limit output 2048000 375000 375000 conform-action transmit exceed-action drop
!
interface Vlan50
 description VoIP Vlan
 ip address 10.100.50.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan51
 description Vonage Vlan
 ip address 10.100.51.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!        
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
ip nat inside source list 100 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.100.10.254 21 99.176.59.238 21 extendable
ip nat inside source static tcp 10.100.50.2 80 99.176.59.238 80 extendable
!
access-list 100 permit ip 10.100.0.0 0.0.255.255 any
access-list 111 permit ip 99.176.59.238 255.255.255.255 69.231.46.244 255.255.255.255
snmp-server community public RO
snmp-server host 10.100.11.253 public
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password 7 ******************
 login
line vty 5 15
 password 7 ******************
 login
!
ntp clock-period 17179762
ntp server 64.125.78.85
!
end
---------------
ROUTER B:
---------------

2600_Home#sh run
Building configuration...

Current configuration : 2387 bytes
!
! Last configuration change at 09:53:09 PST Wed Feb 11 2009
! NVRAM config last updated at 09:53:12 PST Wed Feb 11 2009
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 2600_Home
!
boot-start-marker
boot system flash:c2600-ik9s-mz.123-26.bin
boot-end-marker
!
enable secret 5 ***************
enable password 7 ***************
!
clock timezone PST -8
clock summer-time PDT recurring
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 172.10.200.1 172.10.200.99
ip dhcp excluded-address 172.10.1.1 172.10.1.99
!
ip dhcp pool vlan200
   network 172.10.200.0 255.255.255.0
   dns-server 4.2.2.2
   default-router 172.10.200.1
!
ip dhcp pool vlan1
   network 172.10.1.0 255.255.255.0
   dns-server 4.2.2.2
   default-router 172.10.1.1
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key *************** address 99.176.59.238
!
!
crypto ipsec transform-set HSNC esp-3des esp-sha-hmac
!
!
crypto map HSNC 10 ipsec-isakmp
 ! Incomplete
 set peer 99.176.59.238
 set transform-set HSNC
 set pfs group2
 match address 111
!
!
!
!        
interface FastEthernet0/0
 description Connection to AT&T
 ip address dhcp
 ip nat outside
 speed 100
 full-duplex
 crypto map HSNC
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 172.10.1.1 255.255.255.0
 no ip redirects
 ip nat inside
!
interface FastEthernet0/1.200
 description Guest Wireles
 encapsulation dot1Q 200
 ip address 172.10.200.1 255.255.255.0
 ip nat inside
 rate-limit input 2048000 375000 375000 conform-action transmit exceed-action drop
 rate-limit output 2048000 375000 375000 conform-action transmit exceed-action drop
!
ip nat inside source list 100 interface FastEthernet0/0 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 69.231.46.1
!
!
access-list 100 permit ip 172.10.0.0 0.0.255.255 any
access-list 111 permit ip 69.231.46.244 255.255.255.255 99.176.59.238 255.255.255.255
!
!
!
!
!
!
!
!
!
line con 0
 password 7 ***************
 login
line aux 0
line vty 0 4
 password 7 ***************
 login
line vty 5 15
 password 7 ***************
 login
!
ntp clock-period 17180232
ntp server 64.125.78.85
!
end
Asked by occs07

1 Solution

ionut_mir commented:
It is a little strange that after 5 minutes you lose connectivity. I mean, the connectivity should either work or not work at all, not for only 5 minutes :).
One thing I noticed from your configuration:
crypto map HSNC 10 ipsec-isakmp
 ! Incomplete - this part!!

You should reconfigure your crypto settings.

I will try to simulate a network to see where this error comes from, but until then, maybe you will figure it out.
0
 
occs07 (Author) commented:
Yes, that "Incomplete - this part" is because currently the access-lists 111 are not created, so I can have internet at both locations.
0
 
peterelvidge commented:
I think access list 111 is causing the problem here.

It should be the private traffic you are encrypting rather than the public IP peers on each side...

It should look more like...

For the first router:
access-list 111 permit ip 10.100.0.0 0.0.255.255 172.10.0.0 0.0.255.255

For the second router:

access-list 111 permit ip 172.10.0.0 0.0.255.255 10.100.0.0 0.0.255.255

With the access list this way, the private traffic gets encrypted and all the internet traffic gets natted as per usual.



0
occs07 (Author) commented:
When I do it that way the VPN doesn't connect. When doing a debug and an extended ping, nothing comes on the screen to show any issues at either end. But when I put the public IPs in, the VPN connects and works briefly.
0
 
occs07 (Author) commented:
CARC1.CR1.1#sh crypto isakmp sa
dst             src             state          conn-id slot status
69.231.46.244   99.176.59.238   QM_IDLE              6    0 ACTIVE

CARC1.CR1.1#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: HSNC, local addr 99.176.59.238

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 69.231.46.244 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2736, #pkts encrypt: 2736, #pkts digest: 2736
    #pkts decaps: 2657, #pkts decrypt: 2657, #pkts verify: 2657
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: 99.176.59.238, remote crypto endpt.: 69.231.46.244
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x37D484E6(936674534)

     inbound esp sas:
      spi: 0xC346450F(3276162319)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: HSNC
        sa timing: remaining key lifetime (k/sec): (4465634/3216)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x37D484E6(936674534)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: HSNC
        sa timing: remaining key lifetime (k/sec): (4465622/3216)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
0
 
peterelvidge commented:
protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   

This part is a bit odd, as there should be actual networks shown here, not 0.0.0.0s.

Is this what you see when you put in the public IPs as the transformed set?

0
 
peterelvidge commented:
With the following config, it should work fine...


______________________

ROUTER A:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ****************** address 69.231.46.244
!
!
crypto ipsec transform-set HSNC esp-3des esp-sha-hmac
!
crypto map HSNC local-address FastEthernet0/0
crypto map HSNC 10 ipsec-isakmp
 set peer 69.231.46.244
 set transform-set HSNC
 match address 111

access-list 111 permit ip 10.100.0.0 0.0.255.255 172.10.0.0 0.0.255.255


( also crypto map put in FA 0/0)
--------------------------------------------------------------------

ROUTER B:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key *************** address 99.176.59.238
!
!
crypto ipsec transform-set HSNC esp-3des esp-sha-hmac
!
!
crypto map HSNC local-address FastEthernet0/0
crypto map HSNC 10 ipsec-isakmp
 set peer 99.176.59.238
 set transform-set HSNC
 match address 111


access-list 111 permit ip 172.10.0.0 0.0.255.255 10.100.0.0 0.0.255.255


( also crypto map put in FA 0/0)



Can you try this, then do an extended ping and show us the output of: sh crypto isakmp sa

0
 
peterelvidge commented:
I think also access list 100 needs to be changed, because you are natting all to outside -- just realised this -- you need to make sure there is no NAT here.

Router A:

access-list 100 deny ip 10.100.0.0 0.0.255.255 172.10.0.0 0.0.255.255
access-list 100 permit ip 10.100.0.0 0.0.255.255 any

Router B:

access-list 100 deny ip  172.10.0.0 0.0.255.255 10.100.0.0 0.0.255.255
access-list 100 permit ip 172.10.0.0 0.0.255.255 any
0
 
occs07 (Author) commented:
Yes, when I do sh crypto ipsec sa I see all zeros using public IPs. Yet I am able to ping inside private networks on both ends.

Ok I will give this a try and post it here soon.
0
 
peterelvidge commented:
Yes, I think adjusting access list 100 is the key here -- didn't realise you were natting all at the start.


0
 
occs07 (Author) commented:
So I will have both access-list 100 and 111?
0
 
peterelvidge commented:
Yes.

With access-list 100, the adjustment made is so that any traffic between your private networks is not natted; this is so the crypto map works.

If you adjust access-list 100 and apply the previous config I showed, I'm very sure it will work.

0
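As an added illustration of the two fixes in this thread (ACL 111 matching private networks, and ACL 100 exempting that traffic from NAT), here is a small Python model of how IOS evaluates outbound traffic against the ACLs exactly as posted above. This is example code, not from the thread or from Cisco. It assumes the IOS inside-to-outside order of operations, in which NAT runs before the crypto map match, so the crypto ACL sees the post-NAT source address; it applies the IOS wildcard rule that a 1 bit means "don't care", so the original ACL 111 with 255.255.255.255 wildcards matches every address, which is why the earlier sh crypto ipsec sa output showed 0.0.0.0/0.0.0.0 identities. The hosts 10.100.11.50 and 172.10.1.20 are constructed sample endpoints.

```python
"""Model of IOS outbound NAT + crypto-map evaluation for the ACLs in this thread.

Added example, not code from the thread or from Cisco. Assumptions:
  * IOS processes inside-to-outside NAT before the crypto map match, so the
    crypto ACL sees the post-NAT source address;
  * ACL entries are evaluated top-down with an implicit deny at the end;
  * a 1 bit in an IOS wildcard mask means "don't care".
"""
import ipaddress

OUTSIDE_A = "99.176.59.238"   # Router A public address, as posted in the thread

# ACL entries copied from the thread (Router A side)
NAT_ORIGINAL = ["access-list 100 permit ip 10.100.0.0 0.0.255.255 any"]
NAT_FIXED = [
    "access-list 100 deny ip 10.100.0.0 0.0.255.255 172.10.0.0 0.0.255.255",
    "access-list 100 permit ip 10.100.0.0 0.0.255.255 any",
]
CRYPTO_ORIGINAL = [
    "access-list 111 permit ip 99.176.59.238 255.255.255.255 69.231.46.244 255.255.255.255"
]
CRYPTO_FIXED = ["access-list 111 permit ip 10.100.0.0 0.0.255.255 172.10.0.0 0.0.255.255"]

# Constructed sample endpoints (only the DNS server comes from the thread)
LAN_HOST = "10.100.11.50"      # a workstation behind Router A
REMOTE_HOST = "172.10.1.20"    # a host behind Router B
INTERNET_HOST = "4.2.2.2"      # the DNS server the DHCP pools hand out


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard test: only the bits that are 0 in the wildcard must agree."""
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return (_ip(addr) & care) == (_ip(base) & care)


def ident(base, wildcard):
    """Render base/wildcard the way 'sh crypto ipsec sa' prints a proxy identity."""
    mask = 0xFFFFFFFF ^ _ip(wildcard)
    return f"{ipaddress.IPv4Address(_ip(base) & mask)}/{ipaddress.IPv4Address(mask)}"


def _take_address(tokens):
    """Consume one address spec ('any', 'host X', or 'X WILDCARD')."""
    if tokens[0] == "any":
        return tokens[1:], ("0.0.0.0", "255.255.255.255")
    if tokens[0] == "host":
        return tokens[2:], (tokens[1], "0.0.0.0")
    return tokens[2:], (tokens[0], tokens[1])


def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST' into (action, src, dst)."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported entry: {line}")
    rest, src = _take_address(tok[4:])
    rest, dst = _take_address(rest)
    return tok[2], src, dst


def acl_lookup(acl, src, dst):
    """First matching entry wins; fall through to the implicit deny."""
    for line in acl:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def crypto_identities(crypto_acl):
    """Local/remote proxy identities the first crypto ACE will negotiate."""
    _, src, dst = parse_ace(crypto_acl[0])
    return ident(*src), ident(*dst)


def outbound(src, dst, nat_acl, crypto_acl, outside_ip=OUTSIDE_A):
    """Return (disposition, source address on the wire) for one inside->outside packet."""
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = outside_ip                  # PAT overload onto the outside interface
    if acl_lookup(crypto_acl, src, dst) == "permit":
        return "encrypt", src             # matched the crypto map -> into the tunnel
    return "cleartext", src


if __name__ == "__main__":
    print("original ACL 111 identities:", crypto_identities(CRYPTO_ORIGINAL))
    print("fixed    ACL 111 identities:", crypto_identities(CRYPTO_FIXED))
    cases = [
        ("original 100 + original 111", NAT_ORIGINAL, CRYPTO_ORIGINAL),
        ("original 100 + fixed 111", NAT_ORIGINAL, CRYPTO_FIXED),
        ("fixed 100 + fixed 111", NAT_FIXED, CRYPTO_FIXED),
    ]
    for label, nat_acl, crypto_acl in cases:
        for dst in (REMOTE_HOST, INTERNET_HOST):
            print(f"{label:30} {LAN_HOST} -> {dst:13} {outbound(LAN_HOST, dst, nat_acl, crypto_acl)}")
```

Running it reproduces the three states seen in the thread: with the original ACLs, even internet-bound traffic matches the any/any crypto ACL and is pushed into the tunnel; with only ACL 111 fixed, LAN-to-LAN traffic is NATted to the public address first and no longer matches the crypto ACL, so nothing ever triggers the tunnel; with both ACLs fixed, LAN-to-LAN traffic keeps its private source and is encrypted, internet traffic is NATted and sent in the clear, and the negotiated identities are the 10.100.0.0/255.255.0.0 and 172.10.0.0/255.255.0.0 shown in the final sh crypto ipsec sa output.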
 
occs07 (Author) commented:
That fixed the problem. Thank you so much.

CARC1.CR1.1#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: HSNC, local addr 99.176.59.238

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.100.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.10.0.0/255.255.0.0/0/0)
   current_peer 69.231.46.244 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 99.176.59.238, remote crypto endpt.: 69.231.46.244
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x5F90EB87(1603332999)

     inbound esp sas:
      spi: 0x3769118F(929632655)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: HSNC
        sa timing: remaining key lifetime (k/sec): (4592343/3560)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x5F90EB87(1603332999)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: HSNC
        sa timing: remaining key lifetime (k/sec): (4592341/3560)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
0
 
occs07 (Author) commented:
I have another question, if you may know and/or have time. The reason for the VPN is I am trying to connect a Cisco 7940G IP phone from my friend's house to my house. I am running Cisco Call Manager Express on a 1760 router. Is there anything special I need to do for the VPN to make that work? Or should the phone automatically connect to my CME since we are connected via VPN?
0
 
occs07 (Author) commented:
I had to add option 150 ip (ip to CME) and everything worked great. Thanks for the help.
0
