07-30-2007 01:29 PM
I have set up a small home network to practice filtering VPN traffic
(see attachment for network layout). Below are the configurations for
the routers (Cisco 1720s) at each end of the tunnel. I have configured
an access list (access-list 110) which is placed on the HQ router.
What I was aiming for was for computers behind the branch router
to be able to access the web server but be unable to access the file
server behind the HQ router,
and
for the remote access client to be able to access the file server
but be unable to access the web server behind the HQ router.
I am not sure what the problem is, but with the access list in place
the client computer behind the branch router and the remote access client
are each able to access both the file and web servers behind the HQ router.
I would appreciate it if somebody could take a look at the configuration below
and advise me as to what the problem might be, as I have drawn a blank.
Regards,
Melvyn Brown
HQ CONFIGURATION
! Crypto ACL for the site-to-site tunnel (matched by crypto map VPN 10)
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
! Split-tunnel ACL pushed to the remote-access clients in group "remote"
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
! NAT exemption: traffic bound for either tunnel must not be translated
access-list 103 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 103 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
! Inbound ACL on the outside interface: admit IKE (500/4500) and ESP to the
! HQ router, then only the two intended flows from the tunnel sources
access-list 110 permit udp any host 192.168.2.2 eq 500
access-list 110 permit udp any host 192.168.2.2 eq 4500
access-list 110 permit esp any host 192.168.2.2
access-list 110 permit tcp 192.168.3.0 0.0.0.255 host 192.168.1.2 eq 80
access-list 110 permit ip 192.168.5.0 0.0.0.255 host 192.168.1.3
access-list 110 deny ip any any
crypto isakmp key cisco123 address 192.168.2.1 no-xauth
crypto ipsec transform-set BOSTON esp-3des esp-md5-hmac
crypto isakmp enable
crypto isakmp identity address
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto map VPN 10 ipsec-isakmp
set peer 192.168.2.1
set transform-set BOSTON
match address 101
! Address pool, AAA lists and group policy for the remote-access clients
ip local pool remote-pool 192.168.5.1 192.168.5.10
aaa new-model
aaa authentication login user1 local
aaa authorization network group1 local
username fred password flintstone
crypto isakmp client configuration group remote
key cisco321
dns 192.168.1.4
domain cisco.com
pool remote-pool
acl 102
! Dynamic crypto map for the remote-access clients; reverse-route injects
! a host route for each connected client
crypto dynamic-map dynmap 10
set transform-set BOSTON
reverse-route
crypto map VPN client authentication list user1
crypto map VPN isakmp authorization list group1
crypto map VPN client configuration address respond
crypto map VPN 15 ipsec-isakmp dynamic dynmap
interface FastEthernet0
ip address 192.168.2.2 255.255.255.0
ip nat outside
crypto map VPN
ip access-group 110 in
no shut
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
no shut
! NAT overload for Internet-bound traffic, exempting tunnel traffic via ACL 103
route-map nonat permit 10
match ip address 103
ip nat inside source route-map nonat interface FastEthernet0 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet0
BRANCH CONFIGURATION
! Crypto ACL: mirror image of HQ's ACL 101
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
! NAT exemption for traffic going into the tunnel
access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.3.0 0.0.0.255 any
crypto isakmp enable
crypto isakmp identity address
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp key cisco123 address 192.168.2.2 no-xauth
crypto ipsec transform-set BOSTON esp-3des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
set peer 192.168.2.2
set transform-set BOSTON
match address 101
interface FastEthernet0
ip address 192.168.2.1 255.255.255.0
ip nat outside
crypto map VPN
no shut
interface Ethernet0
ip address 192.168.3.1 255.255.255.0
ip nat inside
no shut
route-map nonat permit 10
match ip address 102
ip nat inside source route-map nonat interface FastEthernet0 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet0
07-30-2007 08:18 PM
Just change your access-list to reflect your goal.
Change your encryption domain to the hosts instead of the full subnet.
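The host-scoped encryption domain suggested in the reply above, written out as an added example; this is not the poster's configuration and not a Cisco reference config. It assumes the addressing in the original post (web server 192.168.1.2, file server 192.168.1.3, branch LAN 192.168.3.0/24, remote-access pool 192.168.5.0/24) and introduces one ACL number, 120, that does not appear in the post. The reason the lines in ACL 110 never bite is that on IOS images from 12.3(8)T onward a packet that arrives as ESP is matched against the inbound interface ACL once, as ESP, and the decrypted packet is afterwards checked only against the crypto ACL (the "Crypto Access Check on Clear-Text Packets" change). So the restriction has to live either in the crypto ACL and its mirror on the far peer, or in an ACL on the inside interface, which sees nothing but clear text. The example does both.

```ios
! --- HQ router ---
! Site-to-site encryption domain narrowed to HTTP to the web server.
! A crypto ACL and its peer's must be exact mirror images, ports included.
no access-list 101
access-list 101 permit tcp host 192.168.1.2 eq 80 192.168.3.0 0.0.0.255
!
! Split-tunnel ACL for group "remote": only the file server is tunnelled,
! so the IPsec SA negotiated with a client covers 192.168.1.3 alone.
no access-list 102
access-list 102 permit ip host 192.168.1.3 192.168.5.0 0.0.0.255
!
! Outside ACL now only has to admit the tunnel itself. Anything a branch
! host or a client sends to HQ outside its encryption domain arrives here
! in clear text and is dropped and logged.
no access-list 110
access-list 110 permit udp any host 192.168.2.2 eq 500
access-list 110 permit udp any host 192.168.2.2 eq 4500
access-list 110 permit esp any host 192.168.2.2
access-list 110 deny   ip any any log
!
! Hypothetical ACL 120 (not in the original post): applied outbound on the
! inside interface it sees only decrypted, clear-text packets, so it
! enforces the same policy whatever the IOS release does at FastEthernet0.
! Return traffic for NAT'd Internet sessions is still allowed by the
! final permit.
access-list 120 permit tcp 192.168.3.0 0.0.0.255 host 192.168.1.2 eq 80
access-list 120 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 120 permit ip 192.168.5.0 0.0.0.255 host 192.168.1.3
access-list 120 deny   ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 120 permit ip any any
interface Ethernet0
 ip access-group 120 out
!
! --- Branch router ---
! Mirror of HQ's ACL 101 with source and destination swapped, and a
! matching NAT exemption so the tunnelled flow is not translated.
no access-list 101
access-list 101 permit tcp 192.168.3.0 0.0.0.255 host 192.168.1.2 eq 80
no access-list 102
access-list 102 deny   tcp 192.168.3.0 0.0.0.255 host 192.168.1.2 eq 80
access-list 102 permit ip 192.168.3.0 0.0.0.255 any
```

After changing a crypto ACL, run `clear crypto sa` on both routers so the existing SAs are renegotiated with the new proxy identities; `show crypto ipsec sa` should then show 192.168.1.2/32 port 80 to 192.168.3.0/24 for the site-to-site tunnel and the client address to 192.168.1.3/32 for a remote-access session. Hit counts on the two deny lines in `show access-lists 120` confirm that anything the tunnel still carries but the policy rejects is dropped after decryption. Two caveats: the group pushes DNS server 192.168.1.4 to the clients, and with the narrowed split-tunnel ACL they can no longer reach it through the tunnel, so add `host 192.168.1.4` to ACL 102 (and 120) if they need it; and NAT-exemption ACL 103 on HQ can stay as posted, since exempting more than the tunnel carries is harmless.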
07-30-2007 11:39 PM
Hi,
If you're able to ping from HQ to the Branch Office file server, then the problem is with the server.
If not, remove the 110 ACL from the HQ router and check again. The reason is that once you permit the VPN IP traffic,
almost all protocols will flow as IP traffic only. If you're still facing the problem, please let me know what
error it is showing, and when you reply, send me a file with the "show crypto engine conn active" output.