Simon Cox
Site to Site VPN between two Cisco's is only allowing PING, nothing else.
We are having an issue where we can only Ping machines on the opposite network of a Site to Site VPN tunnel between two Cisco devices.
Ports that are open, e.g. port 81 on 192.168.1.30, cannot be accessed using the internal IP address, but can be when using the external IP.
The Cisco in question is CLI only and unfortunately I am not very experienced with the Cisco style of network management.
Is there anything obvious in the config file below that would prevent me browsing from 10.0.0.10 to 192.168.1.30:81?
Please note: the config has been edited in parts for customer security reasons, e.g. external IPs show as 123.123.XX.
Current configuration : 8322 bytes
!
! Last configuration change at 16:38:00 BST Wed Jun 26 2019 by X
!
version 15.6
no service pad
service timestamps debug datetime localtime show-timezone year
service timestamps log datetime localtime show-timezone year
service password-encryption
no service password-recovery
!
hostname R1031232
!
boot-start-marker
boot system flash c800-universalk9-mz.SPA.156-2.T1.bin
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
!
!
logging buffered informational
logging rate-limit 1000
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization console
aaa authorization exec default local
aaa authorization network default local
!
!
!
!
!
aaa session-id common
ethernet lmi ce
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
!
!
!
!
!
!
no ip source-route
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.1.254
ip dhcp excluded-address 192.168.1.1 192.168.1.63
!
ip dhcp pool VLAN1
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
domain-name XXX.local
dns-server 192.168.1.254 208.67.220.220
lease 7
!
!
!
no ip bootp server
ip domain name XXX.local
ip name-server 208.67.XX
ip name-server 208.67.XX
ip cef
login on-failure log
login on-success log
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
cts logging verbose
license udi pid XXX
!
!
archive
log config
logging enable
logging size 200
notify syslog contenttype plaintext
hidekeys
path XXX
write-memory
time-period 1440
object-group network CCTV-SERVER
host 192.168.1.30
!
object-group network INSIDE-NETWORK-SUBNET
range 192.168.1.0 255.255.255.0
!
object-group network OGN_CCTV_PUB
host 62.31.XX
host 81.137.XX
host 80.247.XX
host 176.35.XX
!
object-group network OGN_XXX
82.118.XX 255.255.255.240
host 35.189.XX
host 77.76.XX
host 212.105.XX
host 78.25.XX
host 78.25.XX
host 82.118.XX
!
object-group network OGN_IPSEC_PUB
description 'Group for IPSEC VPN trusted Public IPs'
host 80.247.XX
!
object-group network OGN_LAN_REMOTE
10.0.0.0 255.255.255.0
!
object-group network OGN_LAN_VLAN1
description "192.168.1.0/24 Native"
192.168.1.0 255.255.255.0
!
object-group service OGS_CCTV
tcp eq 3333
tcp source eq 3333
tcp eq 81
tcp source eq 81
tcp eq 3000
!
object-group service OGS_SERVICES_ALL
tcp eq ftp-data
tcp eq ftp
tcp eq www
tcp eq pop3
tcp eq 143
tcp eq 993
igmp
udp eq ntp
tcp eq smtp
tcp eq 443
udp eq domain
tcp eq 587
tcp eq 22
tcp eq domain
udp eq bootpc
icmp
udp eq 443
tcp eq 3389
!
object-group service OGS_SERVICES_ALL_NEW
tcp eq ftp-data
tcp eq ftp
tcp eq www
tcp eq pop3
tcp eq 143
tcp eq 993
igmp
udp eq ntp
tcp eq smtp
tcp eq 443
udp eq domain
tcp eq 587
tcp eq 22
tcp eq domain
udp eq bootpc
icmp
udp eq 443
tcp eq 3389
!
username X privilege 15 password 7 X
username X privilege 15 password 7 X
!
!
!
!
!
controller VDSL 0
no cdp run
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
crypto isakmp key XXX address 80.247.XX
!
!
crypto ipsec transform-set BAL002SET_1 esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile BAL002TUN_1
set transform-set BAL002SET_1
!
!
!
crypto map IPSEC 10 ipsec-isakmp
description "Main Office"
set peer 80.247.XX
set transform-set BAL002SET_1
match address ACL_IPSEC_MAIN-OFFICE
!
!
!
!
!
!
interface ATM0
description BT ADSL
no ip address
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
shutdown
!
interface Ethernet0.101
encapsulation dot1Q 101
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
description Switch/A/P2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 192.168.1.254 255.255.255.0
ip access-group ACL_V1-IN in
ip nat inside
ip virtual-reassembly in
!
interface Dialer1
description XXX
mtu 1492
ip address negotiated
ip access-group ACL_D1-IN in
ip access-group ACL_D1-OUT out
no ip redirects
no ip unreachables
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname XXX
ppp chap password 7 X
no cdp enable
crypto map IPSEC
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
!
!
no ip ftp passive
ip ftp username X
ip ftp password 7 XXX
ip dns server
ip nat inside source list ACL_NAT interface Dialer1 overload
ip nat inside source static tcp 192.168.1.30 3333 interface Dialer1 3333
ip nat inside source static udp 192.168.1.30 3333 interface Dialer1 3333
ip nat inside source static udp 192.168.1.30 3000 interface Dialer1 3000
ip nat inside source static tcp 192.168.1.30 3000 interface Dialer1 3000
ip nat inside source static tcp 192.168.1.30 81 interface Dialer1 81
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
ip access-list extended ACL_D1-IN
permit icmp any any
permit ip object-group OGN_XXX any log
permit udp any eq domain any gt 1023
permit udp any any eq domain
permit object-group OGS_CCTV object-group OGN_CCTV_PUB any
permit ip object-group OGN_IPSEC_PUB any
evaluate ACL_D1-REFLEX
deny ip any any log
ip access-list extended ACL_D1-OUT
permit ip any any reflect ACL_D1-REFLEX timeout 300
ip access-list extended ACL_IPSEC_MAIN-OFFICE
permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
ip access-list extended ACL_L2L_XXX
ip access-list extended ACL_NAT
deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended ACL_V1-IN
permit udp any any eq bootpc
permit udp any any eq bootps
permit ip object-group OGN_LAN_VLAN1 object-group OGN_LAN_VLAN1
permit ip object-group OGN_LAN_VLAN1 object-group OGN_LAN_REMOTE
permit object-group OGS_SERVICES_ALL any any
permit object-group OGS_CCTV any any
ip access-list extended ACL_VTY_IN
permit tcp object-group OGN_XXX any
permit tcp 192.168.1.0 0.0.0.255 any
permit tcp 10.0.0.0 0.0.0.255 any
deny ip any any log
!
kron occurrence daily-backup at 0:10 recurring
policy-list daily-backup
!
kron policy-list daily-backup
cli show run | redirect ftp://XXX
cli show run | redirect ftp://XXX
!
!
snmp-server group XXX v3 priv read ALL write ALL
snmp-server view ALL internet included
snmp-server ifindex persist
snmp-server location XXX
snmp-server contact XXX
access-list 20 deny any log
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
banner motd ^C
XXXXXXXXXXXXXXXXXXXXXXXX
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
session-timeout 300
access-class ACL_VTY_IN in
length 0
transport preferred ssh
transport input ssh
transport output ssh
line vty 5 15
session-timeout 300
access-class ACL_VTY_IN in
transport preferred ssh
transport input ssh
transport output ssh
!
scheduler allocate 60000 1000
ntp server uk.pool.ntp.org
!
end
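The following is an added example, not part of Simon's question, the hidden solution, or any Cisco tool. It walks the posted ACL_D1-IN in order, the way IOS evaluates an extended access list, for three flows: a decrypted ping from 10.0.0.10, a decrypted TCP/81 connection from 10.0.0.10 to the CCTV server, and the encrypted ESP packet arriving from the peer. It assumes the IOS behaviour of checking IPsec traffic that arrives on the crypto-map interface against that interface's inbound ACL again after decryption, so the 10.0.0.x packets have to pass ACL_D1-IN, not just ACL_V1-IN. The public addresses in the config are redacted, so 80.247.0.1, 82.118.0.0/28, 62.31.0.1 and 203.0.113.5 are constructed placeholders; the "tcp source eq" entries of OGS_CCTV and the reflexive ACL are simplified. The with_remote_lan_permit helper is this example's own illustration of an explicit permit for decrypted remote-LAN traffic ahead of the evaluate line, not the accepted solution from the page.

```python
# Added example: walk a Cisco IOS extended ACL in order and report the first entry a flow
# hits. Assumes IOS re-checks decrypted IPsec traffic against the crypto interface's inbound ACL.
import ipaddress
from collections import namedtuple

# Network object groups from the posted config. Public addresses are redacted in the
# original, so the first three entries are constructed placeholders.
NET_GROUPS = {
    "OGN_IPSEC_PUB": ["80.247.0.1/32"],  # placeholder for the redacted VPN peer
    "OGN_XXX": ["82.118.0.0/28"],        # placeholder for the redacted admin range
    "OGN_CCTV_PUB": ["62.31.0.1/32"],    # placeholder for the redacted CCTV viewers
    "OGN_LAN_REMOTE": ["10.0.0.0/24"],
    "OGN_LAN_VLAN1": ["192.168.1.0/24"],
}
# OGS_CCTV destination-port entries; the "tcp source eq" entries are omitted for brevity.
SVC_GROUPS = {"OGS_CCTV": [("tcp", 3333), ("tcp", 81), ("tcp", 3000)]}
PORT_NAMES = {"domain": 53, "www": 80, "ftp": 21, "smtp": 25}

# ACL_D1-IN exactly as posted in the question.
ACL_D1_IN = """
permit icmp any any
permit ip object-group OGN_XXX any log
permit udp any eq domain any gt 1023
permit udp any any eq domain
permit object-group OGS_CCTV object-group OGN_CCTV_PUB any
permit ip object-group OGN_IPSEC_PUB any
evaluate ACL_D1-REFLEX
deny ip any any log
"""

# A flow to test: protocol name, source/destination IPs, source/destination ports.
Flow = namedtuple("Flow", "proto src dst sport dport", defaults=(0, 0))


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (networks, next index)."""
    t = tokens[i]
    if t == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t == "host":
        return [ipaddress.ip_network(tokens[i + 1] + "/32")], i + 2
    if t == "object-group":
        return [ipaddress.ip_network(n) for n in NET_GROUPS[tokens[i + 1]]], i + 2
    # "A.B.C.D wildcard" form: ipaddress accepts a hostmask after the slash
    return [ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False)], i + 2


def _parse_port(tokens, i):
    """Consume an optional eq/gt/lt port operator; return (predicate, next index)."""
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt"):
        op, n = tokens[i], PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        pred = {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}[op]
        return pred, i + 2
    return (lambda p: True), i


def parse_entry(line):
    """Parse one access-list entry into its matchers (or an 'evaluate' marker)."""
    tokens = line.split()
    if tokens[0] == "evaluate":
        return {"action": "evaluate", "text": line}
    if tokens[1] == "object-group":
        services, i = SVC_GROUPS[tokens[2]], 3
    else:
        services, i = [(tokens[1], None)], 2
    src, i = _parse_addr(tokens, i)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)
    return {"action": tokens[0], "services": services, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "text": line}


def matches(entry, flow):
    """True if the flow matches the entry. 'evaluate' never matches here: a session
    started from the remote site has no reflexive entry on this router."""
    if entry["action"] == "evaluate":
        return False
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    proto_ok = any(p == "ip" or (p == flow.proto and port in (None, flow.dport))
                   for p, port in entry["services"])
    return (proto_ok and any(s in n for n in entry["src"]) and any(d in n for n in entry["dst"])
            and entry["sport"](flow.sport) and entry["dport"](flow.dport))


def first_match(acl_text, flow):
    """Return the first entry the flow hits, or the implicit deny at the end."""
    for line in acl_text.strip().splitlines():
        entry = parse_entry(line.strip())
        if matches(entry, flow):
            return entry["text"]
    return "implicit deny ip any any"


def with_remote_lan_permit(acl_text):
    """ACL_D1-IN with an explicit permit for decrypted remote-LAN traffic placed ahead
    of the reflexive evaluate (this example's illustration, not the page's fix)."""
    fix = "permit ip object-group OGN_LAN_REMOTE object-group OGN_LAN_VLAN1"
    return acl_text.replace("evaluate", fix + "\nevaluate", 1)


if __name__ == "__main__":
    ping = Flow("icmp", "10.0.0.10", "192.168.1.30")
    web = Flow("tcp", "10.0.0.10", "192.168.1.30", 51000, 81)
    for f in (ping, web):
        print(f.proto, f.dport, "->", first_match(ACL_D1_IN, f))
    print("with fix ->", first_match(with_remote_lan_permit(ACL_D1_IN), web))
```

Run as a script it shows the ping hitting "permit icmp any any" while the TCP/81 flow falls through to "deny ip any any log", which is the pattern the question describes. On the router itself the equivalent check is the hit counters from show ip access-lists ACL_D1-IN and the syslog messages generated by the logged deny entry while a connection from 10.0.0.x is attempted.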
ASKER
Thanks for the pointers, my techs have made the suggested changes and reported back that we are still unable to ping from the remote site to the HO. Looks like the tunnel has initiated and we can ping from 10.0.0.x to 192.168.1.x but not the other way around.
Is there anything else we are missing?
Many thanks Simon
ASKER CERTIFIED SOLUTION
ASKER
Thanks for your assistance, it appears there was a rogue rule in the config blocking the flow of traffic.
If you can ping and nothing else, then the most likely reason is that the packet is still too big.
ICMP echo request is typically 64 bytes.
You can test maximum packet size for VPN with DF bit set:
ping X.X.X.X size 1420 df-bit
and adjust ip mtu and ip tcp adjust-mss accordingly.
The MTU is configured as 1492, which does not include the additional bytes for the ESP header.
You may need to reduce the packet size further (if this is the root cause) after testing with the DF bit set, but generally it should work with:
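As an added example (not part of the answer above), the following works out what the ESP overhead actually costs on a 1492-byte PPPoE link for the transform set in the posted config, esp-aes esp-sha-hmac in transport mode, and what the largest cleartext packet and TCP MSS are that still fit without fragmentation. The field sizes are from RFC 4303 with AES-CBC (16-byte IV and block) and HMAC-SHA1-96 (12-byte ICV); the tunnel_mode flag generalises to tunnel mode by adding the new outer IP header. The resulting MSS value is this example's calculation, not a figure from the page.

```python
# Added example: size of an ESP packet for esp-aes esp-sha-hmac (RFC 4303 layout) and
# the largest cleartext packet / TCP MSS that fits a link MTU without fragmentation.
ESP_HEADER = 8     # SPI (4) + sequence number (4)
AES_CBC_IV = 16    # per-packet IV for esp-aes (CBC)
AES_BLOCK = 16     # encrypted region is padded to a multiple of the block size
ESP_TRAILER = 2    # pad length (1) + next header (1), inside the encrypted region
SHA1_96_ICV = 12   # esp-sha-hmac integrity check value
IP_HEADER = 20     # IPv4 header without options
TCP_HEADER = 20    # TCP header without options


def esp_packet_size(cleartext_ip_len, tunnel_mode=False):
    """On-the-wire size of the ESP packet carrying an IPv4 packet of the given length.
    Transport mode (the config's 'mode transport') keeps the original IP header outside
    ESP and encrypts only what follows it; tunnel mode encrypts the whole packet and
    prepends a new IP header, so the header cost is the same but more bytes are padded."""
    encrypted = cleartext_ip_len if tunnel_mode else cleartext_ip_len - IP_HEADER
    padded = -(-(encrypted + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK  # ceil to block
    return IP_HEADER + ESP_HEADER + AES_CBC_IV + padded + SHA1_96_ICV


def fits_without_fragmentation(cleartext_ip_len, mtu, tunnel_mode=False):
    """What a DF-bit ping test probes: does the encrypted packet fit the link MTU?"""
    return esp_packet_size(cleartext_ip_len, tunnel_mode) <= mtu


def max_cleartext(mtu, tunnel_mode=False):
    """Largest cleartext IPv4 packet whose ESP encapsulation still fits the MTU."""
    size = mtu
    while not fits_without_fragmentation(size, mtu, tunnel_mode):
        size -= 1
    return size


def max_mss(mtu, tunnel_mode=False):
    """Largest TCP MSS for which a full-size segment survives encapsulation unfragmented."""
    return max_cleartext(mtu, tunnel_mode) - IP_HEADER - TCP_HEADER


if __name__ == "__main__":
    link_mtu = 1492  # Dialer1 MTU from the posted config
    print("1492-byte cleartext packet becomes", esp_packet_size(1492), "bytes on the wire")
    print("largest cleartext packet that fits:", max_cleartext(link_mtu))
    print("largest MSS that fits (transport mode):", max_mss(link_mtu))
    print("largest MSS that fits (tunnel mode):", max_mss(link_mtu, tunnel_mode=True))
```

The point the numbers make is that an MSS clamp of 1452 still produces 1492-byte cleartext packets, and after ESP encapsulation those exceed the 1492-byte link; a DF-bit ping at the sizes the answer suggests passes while full-size TCP segments do not, which is exactly the ping-works-but-nothing-else symptom.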