ChrisWillis
asked on
Cisco 2801 Access List issue with NAT and VPN
see attached config.
The router is up and running, the VPN is up and tunneling, however only internal traffic is working over the VPN. I can ping from the router to the internet but not from anything behind the router. I know it's an access list issue but for the life of me I can't figure out which one.
ICRC-GUAM-RTR01#show run
Building configuration...
Current configuration : 2780 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ICRC-GUAM-RTR01
!
boot-start-marker
boot system flash c2801-advipservicesk9-mz.124-5c.bin
boot-end-marker
!
enable secret 5 [HAHA]
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.36.1 10.1.36.99
!
ip dhcp pool 10.1.36.0/24
network 10.1.36.0 255.255.255.0
default-router 10.1.36.1
dns-server 202.151.90.232 202.151.91.241
!
ip domain name vsecorp.com
vpdn enable
!
voice-card 0
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key [deleted] address 192.206.240.10
!
!
crypto ipsec transform-set tset esp-3des esp-md5-hmac
!
crypto map vse-vpn 10 ipsec-isakmp
set peer 192.206.240.10
set transform-set tset
match address 110
!
!
!
!
interface FastEthernet0/0
ip address 10.1.36.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description DSL Interface
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface Dialer1
description DSL WAN Dialer
ip address negotiated
ip access-group 120 in
no ip unreachables
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp pap sent-username [deleted] password [deleted]
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
crypto map vse-vpn
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Dialer1 overload
!
access-list 10 permit 10.1.36.0 0.0.0.255
access-list 100 permit ip any any
access-list 110 permit ip 10.1.36.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 120 permit ip any any
access-list 120 permit esp any any
access-list 120 permit udp any any eq isakmp
access-list 120 permit tcp any any eq telnet
access-list 120 permit tcp any any eq 22
access-list 120 permit ip 10.0.0.0 0.255.255.255 10.1.36.0 0.0.0.255
access-list 120 permit icmp any any
access-list 120 deny ip any any log
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
match ip address 112
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
end
ASKER
I am still new at all this, but isn't access list 110 only applied to the crypto map? That part is working fine, the VPN is up and passing traffic exactly as designed.
I have two way communication between my 10.0.0.0 network and the 10.1.36.0 site....what I don't have is a connection to the public internet from the 10.1.36.0 site.
From the router I am fine, I can ping 4.2.2.2 and 72.215.224.24 and anything else I try, but from a server behind the router I get timeouts....even from the switch connected directly to the router I get a timeout.
OK I was misunderstanding I thought you couldn't pass between the sites except for router to router.
Now I am guessing the problem is somewhere in the DSL connection config, but I honestly have never configured a router in this manner, but I imagine you had no choice.
I can see the route for all traffic to go to the dialer, but it appears the dialer is only pushing over the VPN and not over the internet.
ASKER
yep...this is in Guam of all places behind what they refer to as a business DSL line....It took me 6 weeks to get them to allocate a static IP block....and I hate this config...I miss my MPLS :(
My goal is as follows
If any traffic from 10.1.36.0/24 is headed to 10.0.0.0/8 go through the VPN, anything else is assumed off network and head out the default route of the router.
I have another site on Guam but they are behind a T1 and not a dialer. I used that config as the basis but still can't find the error in the access-lists. What bugs me is the router is fine and handles traffic correctly sourced at the router; it's when the traffic comes from behind the router that it gets stupid.
What happens if you take the VPN down, will it pass properly? You may want to look at that off hours and see if it will pass at all; if not, you can resolve that first and then add the VPN back in.
ASKER
yep...passes fine....this is a new office and while it's 12:45 in the afternoon here it's 3 am over there...I just have to be careful not to kill my access.
Your NAT defines the addresses to be translated for the internet: you used the route-map nonat
ip nat inside source route-map **nonat** interface Dialer1 overload
Now, looking into that route map, it references ACL 112, and you don't seem to have an ACL 112. To simplify this, just change the route-map match to
match ip address 100
Without analyzing too much, that should do the trick.
Hope this helps! Let me know how it goes!
ASKER
will have to let you know, I removed the 112 route-map match and lost the damn router....I have a guy there but he won't be up for a few hours....
I was wondering about the 112 but whenever I added in an actual 112 list to match that of 100 it always broke vpn....will update soon after a reboot clears that last change.
ooops
Forgot a hidden rule on ACLs: the NAT ACL is processed before the VPN ACL.
Try adding to ACL 100:
deny ip 10.1.36.0 0.0.0.255 10.0.0.0 0.255.255.255
That would stop traffic from 10.1.36 to your remote 10. network from being NATed.
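The order-of-operations point above (NAT is evaluated before the crypto map on an inside-to-outside packet) is easy to see in a small model. This is an added example, not code from the thread: it evaluates Cisco-style wildcard ACLs first-match with an implicit deny, and runs ACL 100 before ACL 110 the way IOS does. The Dialer1 address 203.0.113.10 is a constructed placeholder for the negotiated PPPoE address, and the undefined ACL 112 is modelled as matching nothing, which is the assumption consistent with the "no internet from behind the router" symptom.

```python
import ipaddress

# Constructed stand-in for the address Dialer1 negotiates over PPPoE.
DIALER1_IP = "203.0.113.10"

# Extended ACL entries from the thread as (action, src, src-wildcard, dst, dst-wildcard).
ANY = ("0.0.0.0", "255.255.255.255")
VPN_FLOW = ("10.1.36.0", "0.0.0.255", "10.0.0.0", "0.255.255.255")
ACL_110 = [("permit", *VPN_FLOW)]                              # crypto map: match address 110
ACL_100_ORIGINAL = [("permit", *ANY, *ANY)]                    # original 'permit ip any any'
ACL_100_FIXED = [("deny", *VPN_FLOW), ("permit", *ANY, *ANY)]  # deny VPN traffic, then permit the rest
ACL_112_MISSING = []  # referenced by route-map nonat but never defined (assumed: matches nothing)


def _wild_match(addr, net, wildcard):
    """Cisco wildcard match: bits set in the wildcard are 'don't care' bits."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)


def acl_permits(acl, src, dst):
    """First-match evaluation, top to bottom, with the implicit 'deny ip any any' at the end."""
    for action, snet, swild, dnet, dwild in acl:
        if _wild_match(src, snet, swild) and _wild_match(dst, dnet, dwild):
            return action == "permit"
    return False


def forward(nat_acl, src, dst):
    """Inside-to-outside order of operations on IOS: NAT first, then the crypto map.
    Returns (source address as it appears on the wire, 'vpn' or 'internet')."""
    if acl_permits(nat_acl, src, dst):   # route-map nonat permits -> PAT to the Dialer1 address
        src = DIALER1_IP
    if acl_permits(ACL_110, src, dst):   # the crypto map only ever sees the post-NAT packet
        return src, "vpn"
    return src, "internet"


if __name__ == "__main__":
    for name, acl in (("original", ACL_100_ORIGINAL), ("112 missing", ACL_112_MISSING), ("fixed", ACL_100_FIXED)):
        print(name, "to remote 10/8:", forward(acl, "10.1.36.50", "10.5.5.5"),
              "| to internet:", forward(acl, "10.1.36.50", "4.2.2.2"))
```

With the original 'permit ip any any' the VPN-bound packet is translated to the Dialer1 address before the crypto map looks at it, so it no longer matches ACL 110 and leaves in the clear, which is the "it always broke vpn" symptom; with the deny line in front, VPN traffic stays untranslated and everything else is PATed out Dialer1.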
ASKER
that makes sense, as soon as I see the router come back up I will make the changes....thanks.
Hey, you might want to read up on this Cisco command, very useful when making changes on remote devices.
command:
reload in (minutes)
The router automatically reboots in the specified time. As long as the config change is not saved, the router will reload and use the previous config.
To cancel the reload (in case your change worked):
reload cancel
http://www.oreillynet.com/pub/a/network/2002/01/02/ciscotips.html
ASKER
I am not normally this sappy but damn that is beautiful, I always find it amazing what I don't know and think should be covered in the first 5 pages of every cisco book....thank you....
ASKER
Final working code....only problem is I can't ssh into the external side but that is so far off my list...
Notes to anyone finding this...
This is a 2801 connected to an ADSL modem through the FA0/1 interface with POP authentication and an IPSEC VPN back to a Cisco 3000 concentrator, hope you never have to do this.
ICRC-GUAM-RTR01#show run
Building configuration...
Current configuration : 2849 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ICRC-GUAM-RTR01
!
boot-start-marker
boot system flash c2801-advipservicesk9-mz.124-5c.bin
boot-end-marker
!
enable secret [deleted]
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.36.1 10.1.36.99
!
ip dhcp pool 10.1.36.0/24
network 10.1.36.0 255.255.255.0
default-router 10.1.36.1
dns-server 202.151.90.232 202.151.91.241
!
ip domain name vsecorp.com
vpdn enable
!
voice-card 0
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key [deleted] address [deleted]
!
!
crypto ipsec transform-set tset esp-3des esp-md5-hmac
!
crypto map vse-vpn 10 ipsec-isakmp
set peer 192.206.240.10
set transform-set tset
match address 110
!
interface FastEthernet0/0
ip address 10.1.36.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description DSL Interface
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface Dialer1
description DSL WAN Dialer
ip address negotiated
ip access-group 120 in
no ip unreachables
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp pap sent-username [deleted].net password [deleted]
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
crypto map vse-vpn
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Dialer1 overload
!
access-list 10 permit 10.1.36.0 0.0.0.255
access-list 100 deny ip 10.1.36.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip any any
access-list 110 permit ip 10.1.36.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 120 permit ip any any
access-list 120 permit esp any any
access-list 120 permit udp any any eq isakmp
access-list 120 permit tcp any any eq telnet
access-list 120 permit tcp any any eq 22
access-list 120 permit ip 10.0.0.0 0.255.255.255 10.1.36.0 0.0.0.255
access-list 120 permit icmp any any
access-list 120 deny ip any any log
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
match ip address 100
!
control-plane
!
line con 0
[deleted]
line aux 0
[deleted]
line vty 0 4
[deleted]
!
scheduler allocate 20000 1000
end
Access list 110 appears to be the list, and it appears to be one-way.
Need to make it two-way.
I believe, if memory serves me,
access-list 110 permit ip 10.1.36.0 0.0.0.255 10.0.0.0 0.255.255.255
should be
access-list 110 permit ip 10.1.36.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 permit ip 10.0.0.0 0.255.255.255 10.1.36.0 0.0.0.255