Weird behaviour of router 871 on VPN tunnel

Answered Question
Sep 12th, 2008

Hi, I have stablished an VPN tunnel site to site with a cisco 871 to a cisco 2800. Everithing is right and working. So, what's the problem ? Let's see:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto map SDM_CMAP_1 6 ipsec-isakmp

description Numintel

set peer 213.192.208.242

set security-association lifetime seconds 86400

set transform-set ESP-3DES-SHA

match address 100

!

archive

log config

hidekeys

!

!

!

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

ip address 196.12.229.218 255.255.255.252

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map SDM_CMAP_1

!

interface Vlan1

ip address 192.169.15.100 255.255.255.0

no ip redirects

no ip proxy-arp

ip nat inside

ip virtual-reassembly

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 196.12.229.217

!

!

no ip http server

no ip http secure-server

ip nat inside source list 1 interface FastEthernet4 overload

!

access-list 1 remark local

access-list 1 permit 192.169.15.0 0.0.0.255

access-list 100 permit ip 192.169.15.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 100 permit ip 192.169.15.0 0.0.0.255 192.168.4.0 0.0.0.255

The thing is that when I apply the local access list, lo let the 192.169.15.0 hosts access the internet, I can't reach the other end of the tunnel. ( Say ping to 192.168.3.35 ). When I disable the local access list : access-list 1 permit ip 192.169.15.0 0.0.0.255, the tunnel works. I can access the other end of the tunnel from any of the hosts at 192.169.15.0, but I don't have internet access. Can somebody explain what is happening and how to solve it ? Thank you.

I have this problem too.
0 votes
Correct Answer by singhsaju about 8 years 2 months ago

Hi,

You have to make IPsec traffic bypass NAT .IPsec traffic needs to be denied in the access list . Use extended access-list for example :

access-list 120 deny ip 192.169.15.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 120 deny ip 192.169.15.0 0.0.0.255 192.168.4.0 0.0.0.255

access-list 120 permit ip 192.169.15.0 0.0.0.255 any

ip nat inside source list 120 interface FastEthernet4 overload

HTH

Saju

Pls rate helpul posts

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
singhsaju Fri, 09/12/2008 - 05:09

Hi,

You have to make IPsec traffic bypass NAT .IPsec traffic needs to be denied in the access list . Use extended access-list for example :

access-list 120 deny ip 192.169.15.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 120 deny ip 192.169.15.0 0.0.0.255 192.168.4.0 0.0.0.255

access-list 120 permit ip 192.169.15.0 0.0.0.255 any

ip nat inside source list 120 interface FastEthernet4 overload

HTH

Saju

Pls rate helpul posts

godzilla0 Fri, 09/12/2008 - 05:33

I'm not understanding you much. You meant I have to change the access-list 100 for this new one and apply it to the cryto map ? Or add it as new ?

singhsaju Fri, 09/12/2008 - 05:34

No it is to replace access-list 1 .

you will have to do change in following statement also:

ip nat inside source list 120 interface FastEthernet4 overload

HTH

Saju

Pls rate helpful posts

godzilla0 Sun, 09/14/2008 - 23:41

Thank you now I understand what happens when you do this kind of VPN.

solar00 Fri, 09/12/2008 - 06:38

Why do you PAT all outbound encrypted & unencrypted traffic?

Try using a route-map in your nat overload statement and exclude the 192.168.3.0 and 192.168.4.0 networks.

Create an access-list 110 which denies those two networks and permit everything else

route-map permit 10

match address 110

Actions

This Discussion