Cisco NAT ACL denying VPN IPSec traffic

By Josh_Young
Hi,

I have an issue that is starting to drive me up the wall.
I have created an IPSec VPN tunnel between a Cisco 857 and a WatchGuard Firebox X Edge. The tunnel is working correctly. I can ping some hosts on the remote network but not others. I have narrowed this down to the ACLs in the Cisco router. For example, I can ping one server in the remote network but not another, and the ACL count increases as I get a deny.

I have pasted my config below; the ## indicates sensitive stuff I have blacked out.
You can see extended access list 100 has a permit from 192.168.1.0 to 192.168.0.0 (tunnel ACL),
while access list 101 has a deny from 192.168.1.0 to 192.168.0.0 (NAT).

Just so you're clear on the picture: I can ping 192.168.0.252 from the 192.168.1.0 network but I cannot ping 192.168.0.241. It looks like it's trying to NAT this.

Current configuration : 7065 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ######
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$h8ad$dgc.5pBT25XI79A3JFwny1
!
no aaa new-model
clock timezone PCTime 10
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3724662963
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3724662963
revocation-check none
rsakeypair TP-self-signed-3724662963
!
!
crypto pki certificate chain TP-self-signed-3724662963
certificate self-signed 01
3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33373234 36363239 3633301E 170D3032 30333031 30303037
31315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37323436
36323936 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B292 57ED6431 3566DBC6 F5D7A9D1 D80A433B 92455E1D B63909E9 3BAB70B8
550BC78E 8BEDFD9D 1FEA33C0 698FC4B1 971EB4BB 36740A58 8EBE274E B2CBD619
A71E510A 9F74601D 39C3526C 2D792AFD 3AE82A39 931AC39F 11DEEAF1 BB3AE9F9
041081DA 5E203251 EF25B4B0 9484BAE2 BBE4DFCE 0DA1193A 6791D473 74878AC6
F7590203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
551D1104 17301582 13426178 7465722E 686F6D65 2E636F6D 652E6175 301F0603
551D2304 18301680 14A09A9C 6B1B3782 8CA0FAEC 6D5E14AF EEDB1BE9 8E301D06
03551D0E 04160414 A09A9C6B 1B37828C A0FAEC6D 5E14AFEE DB1BE98E 300D0609
2A864886 F70D0101 04050003 81810056 8CAAB293 785005FD 7C2080F7 5CBC8975
F00D0C70 8AF45500 09624702 1BD9F70B 6E33C2F9 85137172 199968FD 56885C9C
16218FC2 12531EE4 094DBEB2 CAF8A798 5A40CCCB BD084104 FAB23AC2 BA2E8D49
1F9485C8 12B49103 99657494 1D78558E 49217E12 961DB290 72645F14 098041A1
1CB87673 C7F848CE 4C390B93 4A282F
quit
dot11 syslog
!
dot11 ssid ######
#####
!

!
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.254
!
ip dhcp pool sdm-pool1
import all
network 192.168.1.0 255.255.255.0
dns-server 210.15.254.240
default-router 192.168.1.254
!
!
ip cef
no ip bootp server

!
!
!
username ######## privilege 15 secret 5 #########
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key ######## address #########
!
!
crypto ipsec transform-set Phase2 esp-des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to ########
set peer ##########
set transform-set Phase2
match address 100
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
bridge irb
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
!
encryption mode ciphers aes-ccm tkip
!
ssid #########
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname ########
ppp chap password ###########
ppp pap sent-username ######### password 7 #######
crypto map SDM_CMAP_1
!
interface BVI1
description $ES_LAN$
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

All Answers

If I understand correctly

by NetMan1958 In reply to Cisco NAT ACL denying VPN ...

When you ping 192.168.0.241
The count on this acl increases:
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
and the count on this acl doesn't change:
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
?
Edited to add:
If I'm correct, run this command and see if you get any output:
"sh ip nat trans | include 192.168.0.241"
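Added example (not part of the original thread, and not the poster's config or Cisco code): a small Python model of how the router above classifies an inside-to-outside packet against the two ACLs from the question, together with the NAT-table check from NetMan1958's reply. It parses the ACL 100 and ACL 101 lines exactly as posted, applies Cisco wildcard-mask and first-match semantics with the implicit deny at the end, and then applies the two ordering facts that matter on IOS: the route-map NAT rule only translates what ACL 101 permits, but an existing entry in the NAT translation table is used before ACL 101 is consulted, and the crypto map matches ACL 100 against the post-NAT source address. By the ACL text alone, the flows to 192.168.0.252 and 192.168.0.241 are handled identically (both excluded from NAT, both selected for the tunnel), so if one of them is being translated the ACLs cannot be the cause. The stale translation entry for .241 is a hypothesis constructed here to show that effect; it is exactly what the "sh ip nat trans" check in the reply would confirm or rule out. The LAN host 192.168.1.10 and the Internet host 203.0.113.5 are made-up addresses, and the NAT table is simplified to (source, destination) pairs rather than the real per-port entries.

```python
"""Model of the Cisco 857 NAT / crypto-map ACL decision from the thread.

Added example, not the poster's config or Cisco code. It reproduces the IOS
semantics that matter for the question: wildcard masks, first-match ACLs
with an implicit deny, route-map NAT gated by ACL 101, and an existing NAT
table entry taking precedence over the ACL check.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Ace:
    """One access-control entry: 'permit'/'deny' plus source and destination
    as (base address, Cisco wildcard mask) pairs."""
    action: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _take_addr(toks):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if toks[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), toks[1:]
    if toks[0] == "host":
        return (toks[1], "0.0.0.0"), toks[2:]
    return (toks[0], toks[1]), toks[2:]


def parse_acls(lines):
    """Parse numbered extended 'access-list N permit|deny ip SRC DST' lines.
    Remarks and standard (non-'ip') ACLs such as access-list 1 are skipped."""
    acls = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list" or parts[3] != "ip":
            continue
        if parts[2] not in ("permit", "deny"):
            continue
        src, rest = _take_addr(parts[4:])
        dst, _ = _take_addr(rest)
        acls.setdefault(parts[1], []).append(Ace(parts[2], *src, *dst))
    return acls


def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; every Cisco ACL ends in an implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


# The two extended ACLs exactly as posted in the question.
CONFIG = """\
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
""".splitlines()
ACLS = parse_acls(CONFIG)


def classify(src: str, dst: str, nat_table=frozenset()):
    """Inside->outside handling on Dialer0 for one packet.

    1. 'ip nat inside source route-map SDM_RMAP_1' translates the packet if
       ACL 101 permits it, but IOS consults the existing translation table
       first, so a leftover entry (modelled as a (src, dst) pair, a
       simplification of the real per-port entries) wins over the ACL.
    2. The crypto map matches ACL 100 against the post-NAT source address;
       a translated packet no longer matches 192.168.1.0/24 and leaves in
       the clear instead of through the tunnel.
    """
    if (src, dst) in nat_table:
        natted, reason = True, "existing NAT table entry"
    else:
        natted = evaluate(ACLS["101"], src, dst) == "permit"
        reason = "ACL 101 permit" if natted else "ACL 101 deny"
    ipsec = not natted and evaluate(ACLS["100"], src, dst) == "permit"
    return {"natted": natted, "reason": reason, "ipsec": ipsec}


if __name__ == "__main__":
    inside = "192.168.1.10"                          # constructed LAN host
    stale = frozenset({(inside, "192.168.0.241")})   # hypothetical leftover entry
    for dst in ("192.168.0.252", "192.168.0.241", "203.0.113.5"):
        print(dst, "clean NAT table:", classify(inside, dst))
        print(dst, "stale entry    :", classify(inside, dst, stale))
```

With an empty translation table both remote hosts come out the same way (not translated, sent through the tunnel), which is what the ACLs in the config say should happen. Only when a translation for the .241 flow already exists does the model reproduce the symptom in the question, which is why the reply asks for the output of "sh ip nat trans" for that address rather than for more ACL changes.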

Hmm, so you have a site-to-site VPN IPSec tunnel

by CG IT In reply to Cisco NAT ACL denying VPN ...

that is established and maintained by the routers. This all works great with no problems?

Clients use this tunnel to pass traffic between sites.

you've created an access control list inside the IPSec tunnel?
