Comptx
asked on
cisco 2911 gre tunnel lost after applying firewall rules
Hello.
I recently rebuilt my 2911 config, and after configuring everything and testing it out, I decided to apply the default security Cisco Configuration Professional firewall rules. I have several site-to-site VPNs and one GRE tunnel to another site.
Everything worked after setting the rules, except the GRE tunnel did not come back up, and I cannot ping or access any host on the other end.
I also lost my Microsoft VPN ability, so I couldn't VPN in from my phone/computer to my network anymore, or MS VPN out from my network to a different network.
The firewall wizard added some "ip access-groups" to both my "inside" interfaces, and I did not see any of that on the GRE tunnel interfaces, so that might be why, but I'm not sure.
Attached is the sanitized config:
Building configuration...
Current configuration : 16149 bytes
!
! Last configuration change at 13:02:32 UTC Fri Jul 18 2014
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
ip cef
!
!
!
!
!
!
no ip domain lookup
ip inspect name CCP_LOW dns
ip inspect name CCP_LOW ftp
ip inspect name CCP_LOW h323
ip inspect name CCP_LOW sip
ip inspect name CCP_LOW https
ip inspect name CCP_LOW icmp
ip inspect name CCP_LOW imap
ip inspect name CCP_LOW pop3
ip inspect name CCP_LOW netshow
ip inspect name CCP_LOW rcmd
ip inspect name CCP_LOW realaudio
ip inspect name CCP_LOW rtsp
ip inspect name CCP_LOW esmtp
ip inspect name CCP_LOW sqlnet
ip inspect name CCP_LOW streamworks
ip inspect name CCP_LOW tftp
ip inspect name CCP_LOW tcp
ip inspect name CCP_LOW udp
ip inspect name CCP_LOW vdolive
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
redundancy
!
!
!
!
!
ip tcp synwait-time 10
no ip ftp passive
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface GigabitEthernet0/0
ip ssh logging events
ip ssh stricthostkeycheck
!
track 101 ip sla 101 reachability
!
!
crypto isakmp policy 1
encr *
authentication pre-share
group 2
!
crypto isakmp policy 2
encr *
authentication pre-share
!
!
crypto ipsec transform-set *
mode tunnel
crypto ipsec transform-set *
mode tunnel
!
crypto ipsec profile GRE_TUNNELS
set transform-set *
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to204.*.*.215
set peer 204.*.*.215
set transform-set *
match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to76.*.*.115
set peer 76.*.*.115
set transform-set *
match address 102
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
description Tunnel to76.*.*.115
set peer 76.*.*.115
set transform-set *
match address 103
crypto map SDM_CMAP_2 2 ipsec-isakmp
description Tunnel to204.*.*.215
set peer 204.*.*.215
set transform-set *
match address 104
!
!
!
!
!
interface Tunnel101
description "Herakles Datacenter Shared Pipe"
ip address 172.16.101.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
tunnel source GigabitEthernet0/0
tunnel destination 65.*.*.70
tunnel protection ipsec profile GRE_TUNNELS
!
interface Tunnel301
description **Secondary Connection To SAC Datacenter**
ip address 172.19.101.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
tunnel source GigabitEthernet0/2
tunnel destination 65.*.*.70
tunnel protection ipsec profile GRE_TUNNELS
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ETH-WAN$$FW_OUTSIDE$
ip address 162.*.*.65 255.255.255.240
ip access-group 106 in
ip verify unicast reverse-path
ip nat outside
ip inspect CCP_LOW out
ip virtual-reassembly in
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1
description $ETH-LAN$$FW_INSIDE$
ip address 10.*.*.1 255.255.255.0
ip access-group 105 in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
description $ETH-WAN$$FW_OUTSIDE$
ip address 12.*.*.222 255.255.255.240
ip access-group 107 in
ip verify unicast reverse-path
ip nat outside
ip inspect CCP_LOW out
ip virtual-reassembly in
duplex auto
speed auto
crypto map SDM_CMAP_2
!
interface FastEthernet0/0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0/2 overload
ip nat inside source static tcp 10.*.*.20 1723 12.*.*.212 1723 extendable
ip nat inside source static tcp 10.*.*.19 1723 12.*.*.213 1723 extendable
ip nat inside source static tcp 10.*.*.20 1723 162.*.*.68 1723 extendable
ip nat inside source static tcp 10.*.*.19 1723 162.*.*.69 1723 extendable
ip route 10.*.15.0 255.255.255.0 Tunnel101 track 101
ip route 10.*.20.0 255.255.255.0 Tunnel101 track 101
ip route 10.*.21.0 255.255.255.0 Tunnel101 track 101
ip route 10.*.22.0 255.255.255.0 Tunnel101 track 101
ip route 10.*.23.0 255.255.255.0 Tunnel101 track 101
ip route 0.0.0.0 0.0.0.0 162.*.*.78
ip route 0.0.0.0 0.0.0.0 12.*.*.209 10
ip route 10.*.15.0 255.255.255.0 Tunnel301 10
ip route 10.*.20.0 255.255.255.0 Tunnel301 10
ip route 10.*.21.0 255.255.255.0 Tunnel301 10
ip route 10.*.22.0 255.255.255.0 Tunnel301 10
ip route 10.*.23.0 255.255.255.0 Tunnel301 10
ip route 65.*.*.70 255.255.255.255 162.*.*.78
ip route 65.*.*.70 255.255.255.255 12.*.*.209 10
!
!
ip sla auto discovery
ip sla 101
icmp-echo 172.16.101.1 source-interface Tunnel101
frequency 5
ip sla schedule 101 life forever start-time now
logging trap debugging
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.*.*.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.*.*.0 0.0.0.255 10.*.*.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.*.*.0 0.0.0.255 10.*.*.0 0.0.0.255
access-list 101 deny ip 10.*.*.0 0.0.0.255 10.*.*.0 0.0.0.255
access-list 101 permit ip 10.*.*.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.*.*.0 0.0.0.255 10.*.*.0 0.0.0.255
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.*.*.0 0.0.0.255 10.*.*.0 0.0.0.255
access-list 104 remark CCP_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.*.*.0 0.0.0.255 10.*.*.0 0.0.0.255
access-list 105 remark auto generated by CCP firewall configuration
access-list 105 remark CCP_ACL Category=1
access-list 105 deny ip 12.*.*.208 0.0.0.15 any
access-list 105 deny ip 162.*.*.64 0.0.0.15 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 permit ip any any
access-list 106 remark auto generated by CCP firewall configuration
access-list 106 remark CCP_ACL Category=1
access-list 106 permit tcp any host 162.*.*.69 eq 1723
access-list 106 permit tcp any host 162.*.*.68 eq 1723
access-list 106 permit tcp any host 12.*.*.213 eq 1723
access-list 106 permit tcp any host 12.*.*.212 eq 1723
access-list 107 remark auto generated by CCP firewall configuration
access-list 107 remark CCP_ACL Category=1
access-list 107 permit tcp any host 162.*.*.69 eq 1723
access-list 107 permit tcp any host 162.*.*.68 eq 1723
access-list 107 permit tcp any host 12.*.*.213 eq 1723
access-list 107 permit tcp any host 12.*.*.212 eq 1723
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
route-map SDM_RMAP_2 permit 1
match ip address 101
!
!
!
!
control-plane
!
!
!
end
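What the outside ACLs 106 and 107 in the posted config let in, and what the IPsec-protected GRE tunnels actually need, shown as an added example (not from the original thread, not CCP output). The posted config is sanitized with "*", so the peer and interface addresses below are constructed documentation-range placeholders.

```cisco
! Constructed placeholder addresses (the posted config is sanitized with "*"):
!   203.0.113.70   = GRE/IPsec tunnel peer ("65.*.*.70" on the page)
!   192.0.2.65     = Gi0/0 address, tunnel source for Tunnel101
!   198.51.100.222 = Gi0/2 address, tunnel source for Tunnel301
!   192.0.2.68     = one of the static-NAT PPTP server addresses
!
! --- Weak: what CCP left on the outside interfaces. Only the PPTP control
! --- port is allowed in; the implicit "deny ip any any" at the end of the
! --- list drops ISAKMP (udp/500), ESP (ip proto 50) and GRE (ip proto 47),
! --- so neither IKE nor the protected GRE tunnel can come up.
access-list 106 permit tcp any host 192.0.2.68 eq 1723
!
! --- Corrected: explicit entries for the tunnel peer, scoped to the local
! --- interface address rather than "any". Order does not matter here because
! --- the list has no deny lines ahead of the implicit deny.
! IKE phase 1/2 negotiation
access-list 106 permit udp host 203.0.113.70 host 192.0.2.65 eq isakmp
! NAT-T (ESP in udp/4500); only used if a NAT sits between the peers
access-list 106 permit udp host 203.0.113.70 host 192.0.2.65 eq non500-isakmp
! Encrypted tunnel payload
access-list 106 permit esp host 203.0.113.70 host 192.0.2.65
! IOS evaluates the inbound ACL again on the decrypted packet, which is the
! GRE packet carried inside ESP, so GRE from the peer must be allowed too.
access-list 106 permit gre host 203.0.113.70 host 192.0.2.65
! PPTP data channel: the static NAT for tcp/1723 only forwards the control
! connection; the VPN payload itself is GRE to the same public address.
access-list 106 permit gre any host 192.0.2.68
!
! The two crypto-map peers (204.*.*.215 and 76.*.*.115 on the page) need the
! same isakmp / non500-isakmp / esp lines, but no GRE line.
!
! Repeat the four peer entries on ACL 107 with the Gi0/2 address.
access-list 107 permit udp host 203.0.113.70 host 198.51.100.222 eq isakmp
access-list 107 permit udp host 203.0.113.70 host 198.51.100.222 eq non500-isakmp
access-list 107 permit esp host 203.0.113.70 host 198.51.100.222
access-list 107 permit gre host 203.0.113.70 host 198.51.100.222
```

After applying, `show access-lists 106` should show match counters climbing on the new lines and `show crypto isakmp sa` an active SA with the peer; if the counters stay at zero, the peer's packets never reach the interface and the fault is upstream, not in the ACL.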
ASKER CERTIFIED SOLUTION
The access-lists 106 and 107 need to have those commands; otherwise those lists will stop the GRE traffic.
Regards
Greg
ASKER
Hi. This fixed the Microsoft VPN, but my GRE tunnel to the other site is still down.
I would try using the commands below to allow GRE to the outside interface used by the tunnels:
access-list 106 permit gre any host 162.*.*.65
access-list 107 permit gre any host 12.*.*.222
Regards
Greg
ASKER
I added the commands, but still no traffic between the tunnels. I'm at a loss here.
SOLUTION
ASKER
Missing access list.
ASKER
ip access-list extended SDM_GRE
remark pptp passthru
remark CCP_ACL Category=1
permit gre any any
ip access-list extended gre
remark permit GRE
remark CCP_ACL Category=2
permit gre any any
Do any of those commands do what you suggested I add?