Cisco 2801 Access List issue with NAT and VPN

ChrisWillis asked:

see attached config.

The router is up and running, the VPN is up and tunneling, however only internal traffic is working over the VPN.  I can ping from the router to the internet but not from anything behind the router.  I know it's an access list issue but for the life of me I can't figure out which one.


ICRC-GUAM-RTR01#show run 
Building configuration...

Current configuration : 2780 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ICRC-GUAM-RTR01
!
boot-start-marker
boot system flash c2801-advipservicesk9-mz.124-5c.bin
boot-end-marker
!
enable secret 5 [HAHA]
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.36.1 10.1.36.99
!
ip dhcp pool 10.1.36.0/24
   network 10.1.36.0 255.255.255.0
   default-router 10.1.36.1 
   dns-server 202.151.90.232 202.151.91.241 
!
ip domain name vsecorp.com
vpdn enable
!
voice-card 0
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key [deleted] address 192.206.240.10
!
!
crypto ipsec transform-set tset esp-3des esp-md5-hmac 
!
crypto map vse-vpn 10 ipsec-isakmp 
 set peer 192.206.240.10
 set transform-set tset 
 match address 110
!
!
!
!
interface FastEthernet0/0
 ip address 10.1.36.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description DSL Interface
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface Dialer1
 description DSL WAN Dialer
 ip address negotiated
 ip access-group 120 in
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username [deleted] password [deleted]
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
 crypto map vse-vpn
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Dialer1 overload
!
access-list 10 permit 10.1.36.0 0.0.0.255
access-list 100 permit ip any any
access-list 110 permit ip 10.1.36.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 120 permit ip any any
access-list 120 permit esp any any
access-list 120 permit udp any any eq isakmp
access-list 120 permit tcp any any eq telnet
access-list 120 permit tcp any any eq 22
access-list 120 permit ip 10.0.0.0 0.255.255.255 10.1.36.0 0.0.0.255
access-list 120 permit icmp any any
access-list 120 deny   ip any any log
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
 match ip address 112
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
end


Hutch_77:
It has been a while so I am going to stab at it.

Access list 110 appears to be the list and it appears to be 1 way.  
Need to make it 2 ways

I believe if memory serves me
access-list 110 permit ip 10.1.36.0 0.0.0.255 10.0.0.0 0.255.255.255

should be
access-list 110 permit ip 10.1.36.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 permit ip  10.0.0.0 0.255.255.255 10.1.36.0 0.0.0.255

ChrisWillis (asker):

I am still new at all this, but isn't access list 110 only applied to the crypto map?  That part is working fine, the VPN is up and passing traffic exactly as designed.

I have two way communication between my 10.0.0.0 network and the 10.1.36.0 site....what I don't have is a connection to the public internet from the 10.1.36.0 site.

From the router I am fine, I can ping 4.2.2.2, 72.215.224.24 and anything else I try, but from a server behind the router I get timeouts....even from the switch connected directly to the router I get a timeout.

OK, I was misunderstanding; I thought you couldn't pass between the sites except for router to router.

Now I am guessing the problem is somewhere in the DSL connection config, but I honestly have never configured a router in this manner, but I imagine you had no choice.  
I can see the route for all traffic to go to the dialer, but it appears the dialer is only pushing over the VPN and not over the internet.

yep...this is in Guam of all places behind what they refer to as a business DSL line....It took me 6 weeks to get them to allocate a static IP block....and I hate this config...I miss my MPLS :(

My goal is as follows

If any traffic from 10.1.36.0/24 is headed to 10.0.0.0/8 go through the VPN, anything else is assumed off network and head out the default route of the router.

I have another site on Guam but they are behind a T1 and not a dialer.  I used that config as the basis but still can't find the error in the access-lists.  What bugs me is the router is fine and handles traffic correctly sourced at the router; it's when the traffic comes from behind the router that it gets stupid.

What happens if you take the VPN down, will it pass properly?  You may want to look at that off hours and see if it will not pass at all; you can resolve that first, then add the VPN back in.

yep...passes fine....this is a new office and while it's 12:45 in the afternoon here it's 3 am over there...I just have to be careful not to kill my access.

Nico Eisma:
your NAT defines the addresses to be translated for internet: you used the route-map nonat

ip nat inside source route-map **nonat** interface Dialer1 overload

now looking into that route map, it identifies ACL 112, you don't seem to have an ACL 112. To simplify this, just change the route-map match to

match ip address 100.

without analyzing too much, that should do the trick.

hope this helps! let me know how it goes!
will have to let you know, I removed the 112 route-map match and lost the damn router....I have a guy there but he won't be up for a few hours....

I was wondering about the 112 but whenever I added in an actual 112 list to match that of 100 it always broke vpn....will update soon after a reboot clears that last change.
ooops

forgot a hidden rule on ACL. NAT ACL is processed first before VPN ACL.

try adding on ACL 100
deny ip 10.1.36.0 0.0.0.255 10.0.0.0 0.255.255.255

that would deny traffic from 10.1.36 to your remote 10. network from being NATed
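The reason the NAT ACL needs that deny line, and how to prove the fix took, as an added example (this is not the thread's own config, although it reuses the thread's ACL numbers, route-map name and prefixes). On IOS the inside-to-outside order of operations evaluates the NAT inside-source rule before the crypto map on the egress interface, so a packet for 10.0.0.0/8 that gets translated to the Dialer1 address no longer matches crypto ACL 110 and leaves in the clear. The route-map in the first config matched an ACL 112 that did not exist; whatever IOS made of that, the symptom (VPN fine, nothing else translated) says no Internet-bound traffic was being NATed, and adding a plain `permit ip any any` as 112 translated the VPN traffic too, which is why that broke the tunnel. One assumption beyond the page: the permit line is tightened to the LAN prefix instead of `any`, so only 10.1.36.0/24 is ever overloaded onto Dialer1.

```cisco
! --- NAT exemption for the IPsec-protected prefix (added example, not the
! --- thread's own config). The NAT ACL must mirror crypto ACL 110 so that
! --- NAT and crypto agree on what counts as "VPN traffic".
!
! Crypto ACL: what the crypto map encrypts (same as on the page)
access-list 110 permit ip 10.1.36.0 0.0.0.255 10.0.0.0 0.255.255.255
!
! NAT ACL: the first line is the exact mirror of the crypto ACL as a deny,
! so VPN-bound packets are never translated and still match ACL 110 when the
! crypto map is evaluated afterwards. Everything else from the LAN is PATed
! to the Dialer1 address ("permit ... any" instead of "permit ip any any" is
! an assumption here, it limits translation to the LAN prefix).
access-list 100 remark --- NAT exemption: keep in step with crypto ACL 110 ---
access-list 100 deny   ip 10.1.36.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.1.36.0 0.0.0.255 any
!
! The route-map must name an ACL that exists; "match ip address 112" with no
! ACL 112 defined was the original fault.
route-map nonat permit 10
 match ip address 100
!
ip nat inside source route-map nonat interface Dialer1 overload
!
! --- Verification from the router after the change ---
! 1. Inside host -> Internet: a translation appears, Inside global = Dialer1 IP
!    show ip nat translations
!    show ip nat statistics             ! Hits/Misses counters move
! 2. Inside host -> 10.x.x.x: NO translation, encrypt/decrypt counters move
!    show crypto ipsec sa | include pkts
!    show crypto isakmp sa              ! expect state QM_IDLE for the peer
! 3. Confirm the route-map names an ACL that exists and that the deny line
!    is collecting matches when VPN traffic flows
!    show route-map nonat
!    show access-lists 100
! 4. Per-packet view of a flow, used briefly (debug output is not rate-limited)
!    debug ip nat detailed
!    undebug all
```

The two ACLs must be changed together: every time a new remote prefix is added to ACL 110, an identical deny goes to the top of ACL 100, or that prefix silently falls back to being NATed and sent unencrypted. `show access-lists 100` is the quick check: the deny line should show a match count that rises while hosts talk to the remote 10.0.0.0/8 network.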
Asker certified solution: Nico Eisma
that makes sense, as soon as I see the router come back up I will make the changes....thanks.
hey you might want to read on this cisco command, very usual when making changes on remote devices.

command:
reload in (minutes)

The router automatically reboots in the specified time. As long as the config change is not saved, the router will reload and use the previous config.

To cancel the reload (in case your change worked):
reload cancel

http://www.oreillynet.com/pub/a/network/2002/01/02/ciscotips.html
I am not normally this sappy but damn that is beautiful, I always find it amazing what I don't know and think should be covered in the first 5 pages of every cisco book....thank you....
Final working code....only problem is I can't ssh into the external side but that is so far off my list...

Notes to anyone finding this...

This is a 2801 connected to an ADSL modem through the FA0/1 interface with PAP authentication and an IPsec VPN back to a Cisco 3000 concentrator; hope you never have to do this.
ICRC-GUAM-RTR01#show run 
Building configuration...

Current configuration : 2849 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ICRC-GUAM-RTR01
!
boot-start-marker
boot system flash c2801-advipservicesk9-mz.124-5c.bin
boot-end-marker
!
enable secret [deleted]
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.36.1 10.1.36.99
!
ip dhcp pool 10.1.36.0/24
   network 10.1.36.0 255.255.255.0
   default-router 10.1.36.1 
   dns-server 202.151.90.232 202.151.91.241 
!
ip domain name vsecorp.com
vpdn enable
!
voice-card 0
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key [deleted] address [deleted]
!
!
crypto ipsec transform-set tset esp-3des esp-md5-hmac 
!
crypto map vse-vpn 10 ipsec-isakmp 
 set peer 192.206.240.10
 set transform-set tset 
 match address 110
!
interface FastEthernet0/0
 ip address 10.1.36.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description DSL Interface
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface Dialer1
 description DSL WAN Dialer
 ip address negotiated
 ip access-group 120 in
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username [deleted].net password [deleted]
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
 crypto map vse-vpn
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!        
ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Dialer1 overload
!
access-list 10 permit 10.1.36.0 0.0.0.255
access-list 100 deny   ip 10.1.36.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip any any
access-list 110 permit ip 10.1.36.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 120 permit ip any any
access-list 120 permit esp any any
access-list 120 permit udp any any eq isakmp
access-list 120 permit tcp any any eq telnet
access-list 120 permit tcp any any eq 22
access-list 120 permit ip 10.0.0.0 0.255.255.255 10.1.36.0 0.0.0.255
access-list 120 permit icmp any any
access-list 120 deny   ip any any log
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
 match ip address 100
!
control-plane
!
line con 0
[deleted]
line aux 0
[deleted]
line vty 0 4
[deleted]   
!
scheduler allocate 20000 1000
end

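One thing the final config leaves open, shown as an added example rather than the thread's own config: ACL 120 on Dialer1 begins with `permit ip any any`, so none of the lines after it (the peer-only ESP/ISAKMP entries, the management entries, the closing `deny ip any any log`) is ever evaluated, and the inbound filter is effectively absent. Deleting that first line alone would break the site again, because a plain ACL is not stateful and would drop the return traffic of every NATed session. The usual IOS 12.4 answer is CBAC (`ip inspect`) on the outside interface, which opens return holes per session and lets the inbound ACL default to deny. Assumptions beyond the page: the advipservices image supports `ip inspect` (it does in the feature set named in the boot line), 192.206.240.10 is the peer as in the thread, and 203.0.113.10 is a hypothetical management host that should be able to SSH to the outside address. Whether SSH then actually works also depends on the vty lines and RSA key the page redacts. The IKE policy (3DES, MD5, DH group 2) is weak by current standards, but it is set by the concentrator on the other end and is not changed here.

```cisco
! --- Hardened Dialer1 inbound filter with stateful inspection (added example,
! --- not the thread's final config). See the lead-in for what is assumed.
!
! Step 0: guard the change on a remote box whose console is 3 am away.
!   reload in 15
!
! Step 1: stateful inspection of sessions that leave via Dialer1. Return
! packets for these sessions are admitted by the inspection entry before the
! inbound ACL is consulted.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
! Step 2: rebuild ACL 120 as deny-by-default. While the list is empty the
! interface permits everything, so paste the whole block in one go.
no access-list 120
! IKE and ESP only from the concentrator, never from anywhere
access-list 120 permit udp host 192.206.240.10 any eq isakmp
access-list 120 permit udp host 192.206.240.10 any eq non500-isakmp
access-list 120 permit esp host 192.206.240.10 any
! On a crypto-map interface the decrypted packet is checked against the
! inbound ACL again, so the clear-text remote->local traffic is kept from
! the original list
access-list 120 permit ip 10.0.0.0 0.255.255.255 10.1.36.0 0.0.0.255
! Management from the outside: SSH only, only from the assumed management
! host; the original "permit tcp any any eq telnet" is dropped entirely
access-list 120 permit tcp host 203.0.113.10 any eq 22
! ICMP the stack needs: "unreachable" includes fragmentation-needed for
! PMTUD, "time-exceeded" for traceroute; echo-reply comes via inspection
access-list 120 permit icmp any any unreachable
access-list 120 permit icmp any any time-exceeded
! Everything else is dropped and logged, and this line is now reachable
access-list 120 deny   ip any any log
!
! Step 3: ACL inbound and inspection outbound on the same interface
interface Dialer1
 ip access-group 120 in
 ip inspect FW out
!
! Step 4: the router's own HTTP server has no business on a DSL public IP
no ip http server
!
! Step 5: verify from an inside host (web, DNS, ping to the Internet, and a
! session to the remote 10.x network), then release the safety net and save.
!   show ip inspect sessions           ! one entry per live outbound flow
!   show access-lists 120              ! matches on the peer lines, not the deny
!   show logging | include list 120    ! only unsolicited traffic should appear
!   reload cancel
!   write memory
```

The ordering rule that bit ACL 120 is general: IOS evaluates a standard or extended ACL top down and stops at the first match, so a `permit ip any any` (or its `deny` twin) can only ever be the last line. If `no ip http server` has to stay off the list because the router is managed over HTTP, the right companion is `ip http access-class 10` using the LAN-only standard ACL 10 already in the config, so the service is not reachable through Dialer1.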