ACCESS LIST ISSUES??

Answered Question
Feb 16th, 2007

I have a main router, a Cisco 871, and 5 remote sites using the Cisco 850. The tunnel comes up fine and I can ping back and forth from the 850 to the 871. However, I think I have an access list issue, because I can't seem to open the main database that is at the main site from any of the 5 locations, nor can I get on the internet, as the proxy server isn't getting to the other sites. I can ping these from the remote sites but can't actually use them. These rules are much different than on the PIX.

*** 192.168.1.x
** FROM REMOTE LOCATION

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
route-map nonat permit 10
 match ip address 101

*** 192.168.0.x
*** FROM MAIN ROUTER

logging trap debugging
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 104 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
no cdp run
route-map nonat permit 10
 match ip address 101
!

kaachary Fri, 02/16/2007 - 05:36

Hi,

It doesn't seem to be an ACL issue, as you are allowing all "ip" traffic to go through the tunnel. What do you mean by "can ping these from remote sites but can't actually use them"? Could you please elaborate?

Also, you might want to check the access-groups applied on the inside LAN interfaces, if there are any.

HTH,

-Kanishka

cozyk1515 Fri, 02/16/2007 - 05:50

Sorry, I am able to ping the IP address of the database from the remote.

Database: 192.168.0.50 at main

I can ping this address from 192.168.1.x but can't use it.

******* MAIN CONFIG

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key XXX address X.X.X.X
crypto isakmp key XXX address X.X.X.X
crypto isakmp key XXX address X.X.X.X
crypto isakmp key XXX address X.X.X.X
crypto isakmp keepalive 20 5
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map bhsn 10 ipsec-isakmp
 description VPN to PARC
 set peer X.X.X.X
 set transform-set myset
 match address 100
crypto map bhsn 20 ipsec-isakmp
 description VPN to Corneilia
 set peer X.X.X.X
 set transform-set myset
 match address 102
crypto map bhsn 30 ipsec-isakmp
 description VPN to OAK
 set peer X.X.X.X
 set transform-set myset
 match address 103
crypto map bhsn 40 ipsec-isakmp
 description VPN to Wells
 set peer X.X.X.X
 set transform-set myset
 match address 104
!
interface FastEthernet4
 description 5Mb WAN
 ip address 216.x.x.x 255.255.255.128 secondary
 ip address 216.x.x.x 255.255.255.128
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map bhsn
!
interface Vlan1
 description Default Gateway fa0-fa3
 ip address 216.X.X.X 255.255.255.248 secondary
 ip address 192.168.0.11 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 216.x.x.x
!
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface FastEthernet4 overload
!
logging trap debugging
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 104 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
no cdp run
route-map nonat permit 10
 match ip address 101
!

**** REMOTE SITE

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key XXX address X.X.X.X
crypto isakmp keepalive 20 5
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map bhsn 10 ipsec-isakmp
 description Connect to main BHSN
 set peer X.X.X.X
 set transform-set myset
 match address 100
!
!
interface FastEthernet4
 description WAN
 ip address 216.X.X.X 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map bhsn
!
interface Vlan1
 description Default Gateway
 ip address 192.168.1.2 255.255.255.0
 ip directed-broadcast
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.X.X
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface FastEthernet4 overload
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
route-map nonat permit 10
 match ip address 101

Thanks

kaachary Fri, 02/16/2007 - 06:03

Hi,

If ping works, then it is most likely a packet size issue. Can you try lowering the TCP MSS on the LAN interfaces on both routers?

HTH,

-Kanishka

Correct Answer
ggilbert Fri, 02/16/2007 - 10:33

ip tcp mss <68-10000>

Hope this helps,

gilbert

ggilbert Fri, 02/16/2007 - 10:53

Can you go into the LAN side where the server is and see if you can change the MSS?

conf t
 interface <name>
  ip tcp adjust-mss <500-1460>

Set the MSS to something like 900 and see if that works. If it does, please increase by 100 (900, then 1000, then 1100) and see if that helps.

Thanks

Gilbert
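An added worked example (not from the thread) of the packet-size arithmetic behind the MSS advice: it models ESP tunnel-mode encapsulation for the esp-3des esp-sha-hmac transform set in the posted configs and shows why the ip tcp adjust-mss 1452 on the posted Vlan1 interfaces still yields encapsulated packets larger than a 1500-byte WAN MTU while a default ping fits easily. Assumptions: a 1500-byte WAN MTU (the posts do not state one), no NAT-T since the peers use public addresses, 3DES-CBC (8-byte IV and block) and HMAC-SHA1-96 (12-byte ICV).

```python
# Added example, not from the thread: ESP tunnel-mode size arithmetic for the
# "esp-3des esp-sha-hmac" transform set in the posted configs.
# Assumptions: 1500-byte WAN MTU, no NAT-T (public peers), 3DES-CBC
# (8-byte IV, 8-byte block), HMAC-SHA1-96 (12-byte ICV).

IP_HDR = 20        # outer IPv4 header added by tunnel mode (and inner IPv4 header)
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
TCP_HDR = 20       # TCP header without options, as used for an MSS budget


def esp_tunnel_size(inner_len, iv_len=8, block=8, icv_len=12, nat_t=False):
    """Bytes on the wire for an inner IP packet of inner_len bytes after ESP
    tunnel-mode encapsulation. Inner packet + trailer is padded up to the
    cipher block size before encryption, then the ICV is appended."""
    plain = inner_len + ESP_TRAILER
    pad = (-plain) % block
    size = IP_HDR + ESP_HDR + iv_len + plain + pad + icv_len
    if nat_t:
        size += 8  # UDP/4500 header when NAT traversal is negotiated
    return size


def fits_mtu(mss, mtu=1500, **kw):
    """True if a full-size TCP segment for this MSS survives the WAN MTU
    without fragmentation once encapsulated."""
    inner = IP_HDR + TCP_HDR + mss
    return esp_tunnel_size(inner, **kw) <= mtu


def max_mss(mtu=1500, **kw):
    """Largest MSS whose full segments fit the MTU after encapsulation."""
    mss = mtu - IP_HDR - TCP_HDR
    while mss > 0 and not fits_mtu(mss, mtu, **kw):
        mss -= 1
    return mss


if __name__ == "__main__":
    # A 100-byte ping payload (IOS default) stays small once encapsulated,
    # which is why ping works while full TCP segments are fragmented or lost.
    print("ping (100-byte payload):", esp_tunnel_size(IP_HDR + 8 + 100))
    for mss in (1452, 1406, 1360, 1100, 1000, 900):
        wire = esp_tunnel_size(IP_HDR + TCP_HDR + mss)
        print(f"adjust-mss {mss}: {wire} bytes on the wire,",
              "fits" if fits_mtu(mss) else "exceeds", "a 1500-byte MTU")
    print("largest MSS that fits:", max_mss())
```

The 1452 setting produces 1544-byte ESP packets, and the values Gilbert suggests (900 to 1100) all fit with room to spare.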
