02-16-2007 05:21 AM - edited 02-20-2020 09:38 PM
I have a main router (Cisco 871) and 5 remote sites using the Cisco 850. The tunnel comes up fine and I can ping back and forth from the 850 to the 871. However, I think I have an access-list issue because I can't seem to open the main database that is at the main site from any of the 5 locations, nor can I get on the internet, as the proxy server isn't getting to the other sites. I can ping these from the remote sites but can't actually use them. These rules are much different from the PIX.
***192.168.1x
** FROM REMOTE LOCATION
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
route-map nonat permit 10
match ip address 101
***192.168.0.X
***FROM MAIN ROUTER
logging trap debugging
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 104 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
no cdp run
route-map nonat permit 10
match ip address 101
!
02-16-2007 05:36 AM
Hi,
It doesn't seem to be an ACL issue, as you are allowing all "ip" traffic to go through the tunnel. What do you mean by "can ping these from remote sites but can't actually use them"? Could you please elaborate.
Also, you might want to check the access-groups applied on the inside LAN interfaces, if there are any.
HTH,
-Kanishka
02-16-2007 05:50 AM
Sorry, I am able to ping the IP address of the database from the remote site.
Database: 192.168.0.50 at main
I can ping this address from 192.168.1.x but can't use it.
*******MAIN CONFIG
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXX address X.X.X.X
crypto isakmp key XXX address X.X.X.X
crypto isakmp key XXX address X.X.X.X
crypto isakmp key xXX address X.X.X.X
crypto isakmp keepalive 20 5
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map bhsn 10 ipsec-isakmp
description VPN to PARC
set peer X.X.X.X
set transform-set myset
match address 100
crypto map bhsn 20 ipsec-isakmp
description VPN to Corneilia
set peer X.X.X.X
set transform-set myset
match address 102
crypto map bhsn 30 ipsec-isakmp
description VPN to OAK
set peer X.X.X.X
set transform-set myset
match address 103
crypto map bhsn 40 ipsec-isakmp
description VPN to Wells
set peer X.X.X.X
set transform-set myset
match address 104
!
interface FastEthernet4
description 5Mb WAN
ip address 216.x.x.x 255.255.255.128 secondary
ip address 216.x.x.x. 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map bhsn
!
interface Vlan1
description Default Gateway fa0-fa3
ip address 216.X.X.X 255.255.255.248 secondary
ip address 192.168.0.11 255.255.255.0
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 216.x.x.x.
!
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface FastEthernet4 overload
!
logging trap debugging
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 104 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
no cdp run
route-map nonat permit 10
match ip address 101
!
**** REMOTE SITE
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXX address X.X.X.X
crypto isakmp keepalive 20 5
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map bhsn 10 ipsec-isakmp
description Connect to main BHSN
set peer X.X.X.X
set transform-set myset
match address 100
!
!
interface FastEthernet4
description WAN
ip address 216.X.X.X 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map bhsn
!
interface Vlan1
description Default Gateway
ip address 192.168.1.2 255.255.255.0
ip directed-broadcast
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.X.X
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface FastEthernet4 overload
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
route-map nonat permit 10
match ip address 101
Thanks
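Two things worth checking mechanically in configs like the ones posted above, before looking past the ACLs: that every flow a crypto ACL selects is also denied in the nonat route-map ACL before any permit that would PAT it out the WAN interface, and that the peer's crypto ACL mirrors the same flow in reverse. The script below is an added example, not from this thread; it parses the relevant lines from the main (871) and one remote (850) config as constructed samples and reports either mismatch.

```python
import re
from collections import defaultdict
# Constructed samples: the crypto, NAT and ACL lines from the main (871) and one remote (850) config above.
MAIN = """\
crypto map bhsn 10 ipsec-isakmp
 match address 100
ip nat inside source route-map nonat interface FastEthernet4 overload
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 101
"""
REMOTE = """\
crypto map bhsn 10 ipsec-isakmp
 match address 100
ip nat inside source route-map nonat interface FastEthernet4 overload
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 101
"""
ACE = re.compile(r"^access-list (\d+) (permit|deny) ip (\S+ \S+|any) (\S+ \S+|any)$", re.M)
def parse_acls(cfg):
    """{acl number: [(action, src, dst)]} with src/dst as 'net wildcard' or 'any'."""
    acls = defaultdict(list)
    for n, action, src, dst in ACE.findall(cfg):
        acls[n].append((action, src, dst))
    return acls
def nonat_acl(cfg):
    """Number of the ACL referenced by the route-map that drives 'ip nat inside source'."""
    rm = re.search(r"^ip nat inside source route-map (\S+)", cfg, re.M)[1]
    return re.search(r"^route-map %s permit \d+\n\s*match ip address (\d+)" % rm, cfg, re.M)[1]
def audit(local, acl, peer):
    """Findings for crypto ACL `acl` on `local`: NAT-exemption ordering and mirroring on `peer`."""
    findings, exempt = [], parse_acls(local)[nonat_acl(local)]
    crypto = re.findall(r"^\s*match address (\d+)$", peer, re.M)
    peer_flows = {(s, d) for n in crypto for a, s, d in parse_acls(peer)[n] if a == "permit"}
    for action, src, dst in parse_acls(local)[acl]:
        if action != "permit":
            continue
        # The nonat deny must exist and precede any permit that would PAT the flow past the tunnel.
        idx = next((i for i, e in enumerate(exempt) if e == ("deny", src, dst)), None)
        if idx is None or any(e in (("permit", src, dst), ("permit", src, "any")) for e in exempt[:idx]):
            findings.append(f"ACL {acl}: {src} -> {dst} is not exempted from NAT")
        if (dst, src) not in peer_flows:  # peer's crypto ACL must permit the reverse flow
            findings.append(f"ACL {acl}: peer does not mirror {dst} -> {src}")
    return findings
```

Run `audit(MAIN, "100", REMOTE)` and `audit(REMOTE, "100", MAIN)`; both return an empty list for the posted configs, which is consistent with the reply above that the ACLs are not the problem.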
02-16-2007 06:03 AM
Hi,
If ping works, then it is most likely a packet size issue. Can you try lowering the TCP MSS on the LAN interfaces on both routers?
HTH,
-Kanishka
02-16-2007 06:57 AM
I hate to sound dumb but how do I go about doing that?
02-16-2007 10:33 AM
ip tcp mss <68-10000>
Hope this helps,
gilbert
02-16-2007 10:43 AM
Thanks for the help, but that didn't help.
Any other ideas?
02-16-2007 10:53 AM
Can you go into the LAN-side interface where the server is and see if you can change the MSS:
conf t
interface
ip tcp adjust-mss <500-1460>
Set the MSS to something like 900 and see if that works. If it does, increase it by 100 at a time (900, then 1000, then 1100) and see if that helps.
Thanks
Gilbert