Weird behaviour of router 871 on VPN tunnel

godzilla0 (Level 1)

Hi, I have established a site-to-site VPN tunnel from a Cisco 871 to a Cisco 2800. Everything is right and working. So, what's the problem? Let's see:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 6 ipsec-isakmp
 description Numintel
 set peer 213.192.208.242
 set security-association lifetime seconds 86400
 set transform-set ESP-3DES-SHA
 match address 100
!
archive
 log config
  hidekeys
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
! WAN side: NAT outside, crypto map applied here
interface FastEthernet4
 ip address 196.12.229.218 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
! LAN side: NAT inside
interface Vlan1
 ip address 192.169.15.100 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 196.12.229.217
!
no ip http server
no ip http secure-server
! PAT everything permitted by access-list 1 to the FastEthernet4 address
ip nat inside source list 1 interface FastEthernet4 overload
!
! access-list 1: NAT ACL (which sources get translated)
access-list 1 remark local
access-list 1 permit 192.169.15.0 0.0.0.255
! access-list 100: crypto ACL (interesting traffic for SDM_CMAP_1, match address 100)
access-list 100 permit ip 192.169.15.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 192.169.15.0 0.0.0.255 192.168.4.0 0.0.0.255

The thing is that when I apply the local access list, to let the 192.169.15.0 hosts access the internet, I can't reach the other end of the tunnel (say, ping to 192.168.3.35). When I disable the local access list, access-list 1 permit ip 192.169.15.0 0.0.0.255, the tunnel works. I can access the other end of the tunnel from any of the hosts at 192.169.15.0, but I don't have internet access. Can somebody explain what is happening and how to solve it? Thank you.


5 Replies

singhsaju (Level 4), accepted solution

Hi,

You have to make the IPsec traffic bypass NAT. The IPsec traffic needs to be denied in the NAT access list. Use an extended access-list, for example:

! deny = do not translate: tunnel traffic keeps its LAN source and still matches crypto ACL 100
access-list 120 deny ip 192.169.15.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 120 deny ip 192.169.15.0 0.0.0.255 192.168.4.0 0.0.0.255
! everything else from the LAN is PAT'd to the WAN address as before
access-list 120 permit ip 192.169.15.0 0.0.0.255 any
ip nat inside source list 120 interface FastEthernet4 overload

HTH

Saju

Pls rate helpful posts

I'm not understanding you much. You mean I have to change access-list 100 for this new one and apply it to the crypto map? Or add it as a new one?

No, it is to replace access-list 1.

You will also have to change the following statement:

ip nat inside source list 120 interface FastEthernet4 overload

HTH

Saju

Pls rate helpful posts

Thank you, now I understand what happens when you do this kind of VPN.

solar00 (Level 1)

Why do you PAT all outbound encrypted & unencrypted traffic?

Try using a route-map in your nat overload statement and exclude the 192.168.3.0 and 192.168.4.0 networks.

Create an access-list 110 which denies those two networks and permits everything else:

! NONAT is a placeholder name; the original post did not name the route-map
route-map NONAT permit 10
 match ip address 110
ip nat inside source route-map NONAT interface FastEthernet4 overload
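Added example, not part of the original thread and not Cisco code: a small Python model of why Saju's deny entries and solar00's route-map both fix the symptom in the question. On an IOS router a packet going from an "ip nat inside" interface to an "ip nat outside" interface is run through NAT before the outbound crypto map evaluates its match ACL. With access-list 1 in the NAT statement, a packet from 192.169.15.x to 192.168.3.35 is PAT'd to 196.12.229.218 first, no longer matches access-list 100, and leaves for the ISP in the clear. With no NAT statement at all, the tunnel traffic matches but internet-bound traffic leaves with its LAN source untranslated and gets no replies. A deny entry in the NAT ACL (or a route-map whose "match ip address" points at the same kind of ACL) leaves the tunnel traffic untranslated, so it still matches ACL 100. The ACL text below is copied from the thread; the hosts 192.169.15.10 and 8.8.8.8, the outcome labels, and the function names are constructed for this example.

```python
"""Toy model of IOS inside-to-outside processing for the 871 in this thread.

Illustrative example only; it is not Cisco code and not from the original post.
ACL text is copied from the thread, hosts and outcome labels are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

WAN_IP = "196.12.229.218"  # FastEthernet4, the 'interface ... overload' address

# NAT ACL as originally posted: everything from the LAN is PAT'd, tunnel traffic included.
ORIGINAL_NAT_ACL = """
access-list 1 remark local
access-list 1 permit 192.169.15.0 0.0.0.255
"""

# Crypto ACL referenced by 'crypto map SDM_CMAP_1 6 ipsec-isakmp' / 'match address 100'.
CRYPTO_ACL = """
access-list 100 permit ip 192.169.15.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 192.169.15.0 0.0.0.255 192.168.4.0 0.0.0.255
"""

# NAT ACL from the accepted answer: 'deny' here means 'do not translate' (NAT exemption).
FIXED_NAT_ACL = """
access-list 120 deny ip 192.169.15.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 120 deny ip 192.169.15.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 120 permit ip 192.169.15.0 0.0.0.255 any
"""


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def _take_addr(tok: list[str], i: int) -> tuple[str, str, int]:
    """Consume one IOS address spec ('any', 'host A', or 'NET WILDCARD') at tok[i]."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2


def parse_acl(text: str) -> list[Ace]:
    """Parse standard ('access-list N permit SRC WC') and extended
    ('access-list N permit|deny ip SRC WC DST WC') entries; remarks are skipped."""
    aces: list[Ace] = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        if tok[3] == "ip":  # extended ACL: source and destination
            src, src_wc, i = _take_addr(tok, 4)
            dst, dst_wc, _ = _take_addr(tok, i)
        else:  # standard ACL: source only, any destination
            src, src_wc, _ = _take_addr(tok, 3)
            dst, dst_wc = "0.0.0.0", "255.255.255.255"
        aces.append(Ace(tok[2], src, src_wc, dst, dst_wc))
    return aces


def _wild_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care', so OR both sides with it."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a | w) == (n | w)


def acl_action(aces: list[Ace], src: str, dst: str) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in aces:
        if _wild_match(src, ace.src, ace.src_wc) and _wild_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


def forward(nat_acl: str, crypto_acl: str, src: str, dst: str) -> tuple[str, bool, str]:
    """Order of operations for a packet from Vlan1 (nat inside) out FastEthernet4:
    1. the 'ip nat inside source list ... overload' ACL runs first: 'permit' rewrites
       the source to WAN_IP, 'deny' leaves it alone; "" stands for no NAT statement;
    2. only then is the crypto map's 'match address 100' checked, against the
       possibly translated packet, so a PAT'd source no longer matches ACL 100.
    Returns (source as it leaves FastEthernet4, encrypted?, outcome label)."""
    out_src = WAN_IP if acl_action(parse_acl(nat_acl), src, dst) == "permit" else src
    encrypted = acl_action(parse_acl(crypto_acl), out_src, dst) == "permit"
    if encrypted:
        outcome = "tunnel"
    elif out_src != WAN_IP:
        outcome = "no-return-path"  # LAN source sent to the ISP untranslated
    elif ipaddress.IPv4Address(dst).is_private:
        outcome = "leaked-clear"  # PAT'd and sent to the ISP with an RFC 1918 destination
    else:
        outcome = "internet"
    return out_src, encrypted, outcome


def compare() -> dict[str, tuple[str, bool, str]]:
    """The symptom from the question and the fix, across the three NAT configurations."""
    host, remote, public = "192.169.15.10", "192.168.3.35", "8.8.8.8"  # constructed hosts
    configs = {"original": ORIGINAL_NAT_ACL, "no-nat": "", "fixed": FIXED_NAT_ACL}
    return {f"{name}->{dst}": forward(acl, CRYPTO_ACL, host, dst)
            for name, acl in configs.items() for dst in (remote, public)}


if __name__ == "__main__":
    for case, result in compare().items():
        print(f"{case:24} {result}")
```

To confirm the same thing on the real router: while pinging 192.168.3.35 from the LAN, the hit counters on the deny lines of access-list 120 in "show access-lists" should increase, "show ip nat translations" should show no entry for that flow, and the encaps counters in "show crypto ipsec sa" should climb. One caveat worth noting: 192.169.15.0/24 is not RFC 1918 space (that is 192.168.0.0/16), so any packet from that LAN that escapes untranslated carries a source address from someone else's public range.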
