VPN ACL Problem?? or is it?!

Status
Not open for further replies.

joesnow

Technical User
Jan 19, 2004
8
GB
Just a quick question to anyone who can answer this...

I have my VPN set up between two Cisco 26x routers.
The strange thing is that the servers at either end of the VPN tunnel can ping and connect to each other, however, none of the clients on either side of the VPN can do the same.

The ACLs are simply permit 192.168.x.0 0.0.0.255 jobies so that any host on that network can see the other end.

I have checked the IP config of the servers and clients (they are identical) and am stuck :-(

Any ideas??


Joe.
 
What is your VPN clients' IP address?
There is an explicit deny at the end of any ACL list unless you specify permit any.

If the network between the 2 routers is 192.168.1.0 /24 then on the local side of each router will be a different network ID, so those will not be able to crossover.

Can you paste the int config on both routers and your ACL config? This will help more, as you're not providing much info.

Regards,

NP
 
Here is the ACL for router A; router B is the exact opposite:

ACL 100 = ip nat inside source list 100 pool OUTSIDE overload
ACL 101 = crypto map (match address)
ACL 120 and 130 are the ethernet interfaces
ACL 110 = not used ..

access-list 1 permit 0.0.0.0 255.255.255.0
access-list 100 deny ip 192.168.254.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 100 deny ip 192.168.254.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.254.0 0.0.0.255 any
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.254.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip 192.168.254.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 deny ip any any
access-list 120 permit ip 192.168.254.0 0.0.0.255 any
access-list 130 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit

thanks...

joe.
 
Hi,

Does it work when you take off your ACL? If so, then start adding the ACLs and you'll find out which one is bugging you.
Just to make sure your ACL is the problem.

 
Hiya, I need to keep some of the ACLs so that the VPN and NAT keep working...

It is strange that just the servers can see through the tunnel.

The local IPs obviously :) are .1. and .254. on a 2611 and the remotes are .4. and .2.

Time for a beer!

Joe.
 
OK, configs for your perusal (please God, real IPs are not in there!! :) )

hostname routera
!
enable password xxx
!
ip subnet-zero
!
!
no ip domain lookup
!
ip inspect name OUTGOING http
ip inspect name OUTGOING smtp
ip inspect name OUTGOING ftp
ip inspect name OUTGOING tcp
ip inspect name OUTGOING udp
ip inspect name INCOMING smtp
ip audit notify log
ip audit po max-events 100
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key vpn address routercip
crypto isakmp key vpn address routerbip
!
!
crypto ipsec transform-set TS_ALL ah-md5-hmac esp-des esp-md5-hmac
!
!
crypto map ALLVPN 10 ipsec-isakmp
set peer routercip
set peer routerbip
set transform-set TS_ALL
match address 101
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
!
!
!
!
interface Loopback0
ip address ispipandmask
!
interface ATM0/0
no ip address
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Ethernet0/0
ip address 192.168.254.251 255.255.255.0
ip access-group 120 in
ip nat inside
ip inspect OUTGOING in
ip inspect INCOMING out
half-duplex
!
interface Ethernet0/1
ip address 192.168.1.242 255.255.255.0
ip access-group 130 in
ip nat inside
ip inspect OUTGOING in
ip inspect INCOMING out
half-duplex
!
interface Dialer1
ip unnumbered Loopback0
ip nat outside
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp chap hostname xxx
ppp chap password xxx
crypto map ALLVPN
!
router rip
version 2
passive-interface Dialer1
network 192.168.1.0
network 192.168.254.0
!
ip nat pool OUTSIDE ispip ispip netmask ipmask
ip nat inside source list 100 pool OUTSIDE overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
access-list 1 permit 0.0.0.0 255.255.255.0
access-list 100 deny ip 192.168.254.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 100 deny ip 192.168.254.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.254.0 0.0.0.255 any
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.254.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip 192.168.254.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 deny ip any any
access-list 120 permit ip 192.168.254.0 0.0.0.255 any
access-list 130 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!


And router B (router C is the same):

hostname routerb
!
enable password xxx
!
ip subnet-zero
!
!
no ip domain lookup
!
ip inspect name OUTGOING http
ip inspect name OUTGOING ftp
ip inspect name OUTGOING tcp
ip inspect name OUTGOING udp
ip inspect name OUTGOING smtp
ip inspect name INCOMING smtp
ip audit notify log
ip audit po max-events 100
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key vpn address routeraispip
!
!
crypto ipsec transform-set to_HO ah-md5-hmac esp-des esp-md5-hmac
!
crypto map HOVPN 10 ipsec-isakmp
set peer routeraispip
set transform-set to_HO
match address 101
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
!
!
!
!
interface Loopback0
ip address ispip
!
interface ATM0/0
no ip address
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Ethernet0/0
ip address 192.168.2.3 255.255.255.0
ip access-group 120 in
ip nat inside
ip inspect OUTGOING in
ip inspect INCOMING out
half-duplex
!
interface Ethernet0/1
no ip address
shutdown
half-duplex
!
interface Dialer1
ip unnumbered Loopback0
ip nat outside
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp chap hostname xxx
ppp chap password xxx
crypto map HOVPN
!
router rip
version 2
passive-interface Dialer1
network 192.168.2.0
no auto-summary
!
ip nat pool OUTSIDE ispip ispip netmask 255.255.255.0
ip nat inside source list 100 pool OUTSIDE overload
ip nat inside source static tcp 192.168.2.2 25 ispip 25 extendable
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
access-list 1 permit 0.0.0.0 255.255.255.0
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.225
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 deny tcp host ispip eq smtp any
access-list 105 permit tcp any host ispip eq smtp
access-list 110 deny ip any any
access-list 120 permit ip 192.168.2.0 0.0.0.255 any
dialer-list 1 protocol ip permit


The servers in this scenario are 192.168.1.1 and 192.168.2.1; router C is 192.168.4.1.

I just can't work out what has gone wrong (or what I have done :))
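As an added example (not Joe's config or anything posted in the thread), this Python evaluates router B's posted ACL 100 and ACL 101 with Cisco semantics: first match wins, an implicit deny closes every list, and on IOS inside-to-outside NAT is checked before the crypto map, so a flow the NAT list permits is translated and never matches `match address 101`. It shows that the `0.0.0.225` wildcard in router B's second deny entry matches only destination hosts whose last octet has bits 1 to 4 clear (.1, .32, .33 and so on), so most 192.168.1.x clients are NATed rather than tunnelled; the client source address and the outside test address are constructed.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard test: a set bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)

def acl_action(acl, src, dst):
    """First matching entry wins; every Cisco ACL ends with an implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")

# Router B's ACL 100 (NAT source list) and ACL 101 (crypto match address),
# transcribed from the posted config, including the 0.0.0.225 wildcard.
ROUTERB_ACL_100 = [
    ("deny",   "192.168.2.0", "0.0.0.255", "192.168.254.0", "0.0.0.255"),
    ("deny",   "192.168.2.0", "0.0.0.255", "192.168.1.0",   "0.0.0.225"),
    ("permit", "192.168.2.0", "0.0.0.255", *ANY),
]
ROUTERB_ACL_101 = [
    ("permit", "192.168.2.0", "0.0.0.255", "192.168.254.0", "0.0.0.255"),
    ("permit", "192.168.2.0", "0.0.0.255", "192.168.1.0",   "0.0.0.255"),
]

def outbound_path(nat_acl, crypto_acl, src, dst):
    """Inside-to-outside order on IOS: the NAT list is consulted first, so a
    flow it permits is translated and no longer matches the crypto ACL."""
    if acl_action(nat_acl, src, dst) == "permit":
        return "nat"
    if acl_action(crypto_acl, src, dst) == "permit":
        return "tunnel"
    return "untranslated"

def hosts_bypassing_tunnel(nat_acl, crypto_acl, src, prefix="192.168.1."):
    """Destination hosts in prefix that the given source reaches via NAT."""
    return [f"{prefix}{i}" for i in range(1, 255)
            if outbound_path(nat_acl, crypto_acl, src, f"{prefix}{i}") == "nat"]

if __name__ == "__main__":
    client = "192.168.2.10"  # constructed client on router B's LAN
    for dst in ("192.168.1.1", "192.168.1.10", "192.168.254.7", "203.0.113.5"):
        print(dst, "->", outbound_path(ROUTERB_ACL_100, ROUTERB_ACL_101, client, dst))
    print(len(hosts_bypassing_tunnel(ROUTERB_ACL_100, ROUTERB_ACL_101, client)),
          "of 254 hosts in 192.168.1.0/24 are NATed instead of tunnelled")
```

Swapping the second entry's wildcard for 0.0.0.255 makes the bypass list empty, which is the quickest way to confirm the mask is doing what was intended.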
 
Hiya, I've gone over this again and again, I just can't understand what is happening here...

I have checked the routes on the PCs (.1.x) and servers. From a PC doing a traceroute, the packets are sent out to the internet. Why is this not happening to the (.1.1) server though, and they always go through the VPN?????

Also, on the other side of the Cisco (.254.x), any client can ping any device on the .2.x side.

any help at all would be appreciated... :-(

Joe.
 