Solved

Cisco 2801 Access List issue with NAT and VPN

Posted on 2011-03-22
Last Modified: 2012-05-11
see attached config.

The router is up and running, the VPN is up and tunneling, however only internal traffic is working over the VPN.  I can ping from the router to the internet but not from anything behind the router.  I know it's an access list issue but for the life of me I can't figure out which one.


ICRC-GUAM-RTR01#show run 
Building configuration...

Current configuration : 2780 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ICRC-GUAM-RTR01
!
boot-start-marker
boot system flash c2801-advipservicesk9-mz.124-5c.bin
boot-end-marker
!
enable secret 5 [HAHA]
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.36.1 10.1.36.99
!
ip dhcp pool 10.1.36.0/24
   network 10.1.36.0 255.255.255.0
   default-router 10.1.36.1 
   dns-server 202.151.90.232 202.151.91.241 
!
ip domain name vsecorp.com
vpdn enable
!
voice-card 0
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key [deleted] address 192.206.240.10
!
!
crypto ipsec transform-set tset esp-3des esp-md5-hmac 
!
crypto map vse-vpn 10 ipsec-isakmp 
 set peer 192.206.240.10
 set transform-set tset 
 match address 110
!
!
!
!
interface FastEthernet0/0
 ip address 10.1.36.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description DSL Interface
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface Dialer1
 description DSL WAN Dialer
 ip address negotiated
 ip access-group 120 in
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username [deleted] password [deleted]
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
 crypto map vse-vpn
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Dialer1 overload
!
access-list 10 permit 10.1.36.0 0.0.0.255
access-list 100 permit ip any any
access-list 110 permit ip 10.1.36.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 120 permit ip any any
access-list 120 permit esp any any
access-list 120 permit udp any any eq isakmp
access-list 120 permit tcp any any eq telnet
access-list 120 permit tcp any any eq 22
access-list 120 permit ip 10.0.0.0 0.255.255.255 10.1.36.0 0.0.0.255
access-list 120 permit icmp any any
access-list 120 deny   ip any any log
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
 match ip address 112
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
end

Question by:ChrisWillis
14 Comments
 
Expert Comment by: Hutch_77

It has been a while so I am going to stab at it.

Access list 110 appears to be the list and it appears to be 1 way.  
Need to make it 2 ways

I believe if memory serves me
access-list 110 permit ip 10.1.36.0 0.0.0.255 10.0.0.0 0.255.255.255

should be
access-list 110 permit ip 10.1.36.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 permit ip  10.0.0.0 0.255.255.255 10.1.36.0 0.0.0.255


Author Comment by: ChrisWillis

I am still new at all this but isn't access list 110 only applied to the crypto map?  That part is working fine, the VPN is up and passing traffic exactly as designed.

I have two way communication between my 10.0.0.0 network and the 10.1.36.0 site....what I don't have is a connection to the public internet from the 10.1.36.0 site.

From the router I am fine, I can ping 4.2.2.2, 72.215.224.24 and anything else I try, but from a server behind the router I get timeouts....even from the switch connected directly to the router I get a timeout.


Expert Comment by: Hutch_77

OK I was misunderstanding I thought you couldn't pass between the sites except for router to router.

Now I am guessing the problem is somewhere in the DSL connection config. I honestly have never configured a router in this manner, but I imagine you had no choice.
I can see the route for all traffic to go to the dialer, but it appears the dialer is only pushing over the VPN and not over the internet.


Author Comment by: ChrisWillis

yep...this is in Guam of all places behind what they refer to as a business DSL line....It took me 6 weeks to get them to allocate a static IP block....and I hate this config...I miss my MPLS :(

My goal is as follows

If any traffic from 10.1.36.0/24 is headed to 10.0.0.0/8 go through the VPN, anything else is assumed off network and head out the default route of the router.

I have another site on Guam but they are behind a T1 and not a dialer.  I used that config as the basis but still can't find the error in the access-lists.  What bugs me is the router is fine and handles traffic correctly when it is sourced at the router; it's when the traffic comes from behind the router that it gets stupid.


Expert Comment by: Hutch_77

What happens if you take the VPN down, will it pass properly?  You may want to look at that off hours and see if it will not pass at all; then you can resolve it first and add the VPN back in.

Author Comment by: ChrisWillis

yep...passes fine....this is a new office and while it's 12:45 in the afternoon here it's 3 am over there...I just have to be careful not to kill my access.

Expert Comment by: ffleisma

your NAT defines the addresses to be translated for internet: you used the route-map nonat

ip nat inside source route-map **nonat** interface Dialer1 overload

now looking into that route map, it identifies ACL 112, you don't seem to have an ACL 112. To simplify this, just change the route-map match to

match ip address 100.

without analyzing too much, that should do the trick.

hope this helps! let me know how it goes!

Author Comment by: ChrisWillis

will have to let you know, I removed the 112 route-map match and lost the damn router....I have a guy there but he won't be up for a few hours....

I was wondering about the 112 but whenever I added in an actual 112 list to match that of 100 it always broke vpn....will update soon after a reboot clears that last change.

Expert Comment by: ffleisma

ooops

forgot a hidden rule on ACL. NAT ACL is processed first before VPN ACL.

try adding on ACL 100
deny ip 10.1.36.0 0.0.0.255 10.0.0.0 0.255.255.255

that would deny traffic from 10.1.36 to your remote 10. network from being NATed

Accepted Solution by: ffleisma (earned 500 total points)

acl 100 should be
deny ip 10.1.36.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip any any

the deny statement comes first.

if that doesn't work, then you should apply NAT-traversal on your VPN config

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution01
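Added example, not part of this thread: a short Python model of the two rules ffleisma gives in the last two replies, that the NAT route-map ACL is consulted before the crypto-map ACL, and that the deny for VPN-bound traffic therefore has to be the first entry of ACL 100. It replays the page's own access lists for a LAN host sending to the remote 10.0.0.0/8 network and to a public address, under the original route-map (pointing at the undefined ACL 112), under the "permit ip any any" version of ACL 100 that the author says broke the VPN, and under the accepted fix. Assumptions: the Dialer1 address 203.0.113.7 is a constructed placeholder; a route-map pointing at an undefined ACL is modelled as translating nothing, which is what the reported symptoms (VPN up, internet down, router-sourced pings fine) suggest rather than something the thread states; port qualifiers (eq isakmp, eq 22) are ignored because none of these decisions depend on them. The same evaluator is run over inbound ACL 120 to surface a caveat for anyone reusing the final config: its first entry, permit ip any any, matches every packet, so none of the later entries, including the logging deny, is ever reached.

```python
"""First-match ACL evaluation for the NAT-before-crypto ordering discussed in this thread."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed placeholder for the negotiated Dialer1 address (the real one is not on the page).
DIALER_IP = "203.0.113.7"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Access lists copied from the final config in the thread (ACL 100 in its fixed form).
FIXED_ACLS = """\
access-list 100 deny   ip 10.1.36.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip any any
access-list 110 permit ip 10.1.36.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 120 permit ip any any
access-list 120 permit esp any any
access-list 120 permit udp any any eq isakmp
access-list 120 permit tcp any any eq telnet
access-list 120 permit tcp any any eq 22
access-list 120 permit ip 10.0.0.0 0.255.255.255 10.1.36.0 0.0.0.255
access-list 120 permit icmp any any
access-list 120 deny   ip any any log
"""
# The author's earlier attempt: ACL 100 without the deny, so every packet gets translated.
PERMIT_ANY_ACLS = FIXED_ACLS.replace(
    "access-list 100 deny   ip 10.1.36.0 0.0.0.255 10.0.0.0 0.255.255.255\n", "")


@dataclass(frozen=True)
class Ace:
    action: str  # permit | deny
    proto: str   # ip, icmp, tcp, udp, esp, ...
    src: str     # "any" or "<network> <wildcard>"
    dst: str


def parse_extended_acls(config: str) -> Dict[str, List[Ace]]:
    """Collect extended (100-199) access-list entries in config order, keyed by ACL number.
    Port qualifiers such as 'eq isakmp' are ignored; nothing on this page hinges on them."""
    acls: Dict[str, List[Ace]] = {}
    for raw in config.splitlines():
        t = raw.split()
        if len(t) < 6 or t[0] != "access-list" or not t[1].isdigit() or not 100 <= int(t[1]) <= 199:
            continue
        fields, specs = t[4:], []
        try:
            for _ in range(2):  # source spec, then destination spec
                if fields[0] == "any":
                    specs.append("any")
                    fields = fields[1:]
                elif fields[0] == "host":
                    specs.append(f"{fields[1]} 0.0.0.0")
                    fields = fields[2:]
                else:
                    specs.append(f"{fields[0]} {fields[1]}")
                    fields = fields[2:]
        except IndexError:
            continue
        acls.setdefault(t[1], []).append(Ace(t[2], t[3], specs[0], specs[1]))
    return acls


def matches_spec(addr: str, spec: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return (a | w) == (n | w)


def acl_lookup(acl: List[Ace], proto: str, src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First matching entry wins; returns (action, 1-based entry) or ('deny', None) for the implicit deny."""
    for i, ace in enumerate(acl, 1):
        if ace.proto in ("ip", proto) and matches_spec(src, ace.src) and matches_spec(dst, ace.dst):
            return ace.action, i
    return "deny", None


def egress(config: str, proto: str, src: str, dst: str, nat_acl: str) -> dict:
    """Outbound path on Dialer1: the NAT route-map ACL is consulted before crypto-map ACL 110,
    so a translated packet is matched against ACL 110 with the Dialer1 address as its source."""
    acls = parse_extended_acls(config)
    translated = False
    if nat_acl in acls:  # assumption: a route-map pointing at an undefined ACL translates nothing
        translated = acl_lookup(acls[nat_acl], proto, src, dst)[0] == "permit"
    src_after = DIALER_IP if translated else src
    encrypted = acl_lookup(acls.get("110", []), proto, src_after, dst)[0] == "permit"
    private = any(ipaddress.IPv4Address(src_after) in n for n in RFC1918)
    return {"translated": translated, "src_after_nat": src_after, "encrypted": encrypted,
            # a clear-text packet with an RFC 1918 source never gets an answer from the internet
            "routable_on_internet": encrypted or not private}


def scenarios() -> Dict[str, dict]:
    vpn = ("icmp", "10.1.36.50", "10.20.30.40")  # constructed: LAN host to the remote 10/8 network
    web = ("tcp", "10.1.36.50", "4.2.2.2")       # constructed: LAN host to the address the author pinged
    return {
        "missing_112_vpn": egress(FIXED_ACLS, *vpn, nat_acl="112"),
        "missing_112_web": egress(FIXED_ACLS, *web, nat_acl="112"),
        "permit_any_vpn": egress(PERMIT_ANY_ACLS, *vpn, nat_acl="100"),
        "fixed_vpn": egress(FIXED_ACLS, *vpn, nat_acl="100"),
        "fixed_web": egress(FIXED_ACLS, *web, nat_acl="100"),
    }


def inbound_filter_hit(proto: str, src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Which entry of ACL 120 (applied inbound on Dialer1) a packet hits."""
    return acl_lookup(parse_extended_acls(FIXED_ACLS)["120"], proto, src, dst)


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:16} {result}")
    print("ACL 120 entry hit by an unsolicited TCP packet:", inbound_filter_hit("tcp", "198.51.100.9", "10.1.36.1"))
```

Running it reproduces the three states the thread went through: with the route-map pointing at the missing ACL 112 nothing is translated, so VPN traffic still matches ACL 110 but internet-bound packets leave with a 10.1.36.x source and get no reply; with ACL 100 as a bare permit ip any any the VPN-bound packet is translated first, no longer matches ACL 110 and goes out in the clear; with the deny in front, VPN traffic is exempted and only the rest is translated. The ACL 120 lookup returns entry 1 for every packet, which is why the deny ip any any log at the end of that list never produces a log line.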

Author Comment by: ChrisWillis

that makes sense, as soon as I see the router come back up I will make the changes....thanks.

Expert Comment by: ffleisma

hey you might want to read on this cisco command, very useful when making changes on remote devices.

command:
reload in (minutes)

the router automatically reboots in the specified time. as long as the config change is not saved, the router will reload and use the previous config.

to cancel the reload (in case your change worked)
reload cancel

http://www.oreillynet.com/pub/a/network/2002/01/02/ciscotips.html

Author Comment by: ChrisWillis

I am not normally this sappy but damn that is beautiful, I always find it amazing what I don't know and think should be covered in the first 5 pages of every cisco book....thank you....

Author Comment by: ChrisWillis

Final working code....only problem is I can't ssh into the external side but that is so far off my list...

Notes to anyone finding this...

This is a 2801 connected to an ADSL modem through the FA0/1 interface with POP authentication and an IPSEC VPN back to a Cisco 3000 concentrator, hope you never have to do this.
ICRC-GUAM-RTR01#show run 
Building configuration...

Current configuration : 2849 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ICRC-GUAM-RTR01
!
boot-start-marker
boot system flash c2801-advipservicesk9-mz.124-5c.bin
boot-end-marker
!
enable secret [deleted]
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.36.1 10.1.36.99
!
ip dhcp pool 10.1.36.0/24
   network 10.1.36.0 255.255.255.0
   default-router 10.1.36.1 
   dns-server 202.151.90.232 202.151.91.241 
!
ip domain name vsecorp.com
vpdn enable
!
voice-card 0
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key [deleted] address [deleted]
!
!
crypto ipsec transform-set tset esp-3des esp-md5-hmac 
!
crypto map vse-vpn 10 ipsec-isakmp 
 set peer 192.206.240.10
 set transform-set tset 
 match address 110
!
interface FastEthernet0/0
 ip address 10.1.36.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description DSL Interface
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface Dialer1
 description DSL WAN Dialer
 ip address negotiated
 ip access-group 120 in
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username [deleted].net password [deleted]
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
 crypto map vse-vpn
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!        
ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Dialer1 overload
!
access-list 10 permit 10.1.36.0 0.0.0.255
access-list 100 deny   ip 10.1.36.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip any any
access-list 110 permit ip 10.1.36.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 120 permit ip any any
access-list 120 permit esp any any
access-list 120 permit udp any any eq isakmp
access-list 120 permit tcp any any eq telnet
access-list 120 permit tcp any any eq 22
access-list 120 permit ip 10.0.0.0 0.255.255.255 10.1.36.0 0.0.0.255
access-list 120 permit icmp any any
access-list 120 deny   ip any any log
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
 match ip address 100
!
control-plane
!
line con 0
[deleted]
line aux 0
[deleted]
line vty 0 4
[deleted]   
!
scheduler allocate 20000 1000
end
