Strange IPSec behaviour

Answered Question
Nov 28th, 2008

Hello everybody!

I'm having some issues with an IPSec site-to-site connection between my home 827 and a remote Endian firewall.

The problem is: the connection is established and I can ping remote router's internal IP address but not any other machine in the network.

Also, I can only ping the remote router using my home computer. The Cisco 827 itself cannot ping any remote host.

Here's my config:

!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname cisco827
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 12
!
clock timezone GMT 0
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.201 192.168.1.254
!
ip dhcp pool local-lan-pool
   network 192.168.1.0 255.255.255.0
   domain-name local.lan
   default-router 192.168.1.1
   dns-server 83.174.45.162
!
!
no ip bootp server
ip inspect name FIREWALL ftp
ip inspect name FIREWALL h323
ip inspect name FIREWALL icmp
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL sip
ip inspect name FIREWALL http
ip inspect name FIREWALL rtsp
ip inspect name FIREWALL smtp
ip inspect name FIREWALL cuseeme
ip inspect name FIREWALL fragment maximum 256 timeout 1
ip inspect name FIREWALL realaudio
ip inspect name FIREWALL vdolive
ip inspect name FIREWALL netshow
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
username admin privilege 15 secret SECRETPASSWORD
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key IPSECPASSWD address 62.28.79.6 no-xauth
no crypto isakmp ccm
!
!
crypto ipsec transform-set tr-null-sha esp-null esp-sha-hmac
crypto ipsec transform-set tr-des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set tr-des-sha esp-des esp-sha-hmac
crypto ipsec transform-set tr-3des-sha esp-3des esp-sha-hmac
!
crypto map cm-cryptomap 110 ipsec-isakmp
 set peer 62.28.79.6
 set transform-set tr-3des-sha
 match address 110
!
bridge irb
!
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 bridge-group 1
 pvc 0/35
  encapsulation aal5snap
 !
!
interface BVI1
 mac-address xxxx.xxxx.xxxx
 ip address dhcp
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 no ip route-cache
 no ip mroute-cache
 crypto map cm-cryptomap
!
ip classless
ip route 0.0.0.0 0.0.0.0 77.54.224.1
no ip http server
no ip http secure-server
!
ip nat inside source list 105 interface BVI1 overload
!
access-list 2 remark SSH access
access-list 2 permit 62.28.79.6
access-list 2 permit 213.13.115.23
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 105 remark Traffic to NAT
access-list 105 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 remark Traffic to VPN
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 deny ip 192.168.1.0 0.0.0.255 any
no cdp run
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^C
*********************************************
*** WARNING! ***
*** ***
*** unauthorized access prohibited! ***
*********************************************
^C
!
line con 0
line vty 0 4
 access-class 2 in
 exec-timeout 30 0
 privilege level 15
 login local
 transport preferred ssh
 transport input ssh
 transport output none
!
scheduler max-task-time 5000
end

Kind Regards!

Richard Burts Tue, 12/02/2008 - 10:33

It is clear why the 827 cannot ping anything at the remote (at least with standard ping). Here is the access list that identifies traffic for the VPN tunnel to the remote:

access-list 110 remark Traffic to VPN

access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 110 deny ip 192.168.1.0 0.0.0.255 any

This access list says that if the source address is not in 192.168.1.0/24 then it does not qualify. And a standard ping from the router would not source from 192.168.1.0. I suspect that if you try extended ping and specify the source as the router Ethernet that the ping would work.

I do not see anything in your config that explains why you cannot ping anything remote other than the remote router inside interface. I suspect that the reason is something in the remote config.

Also I note that there is an access-group 101 configured on the BVI but there is no access list 101. It might be helpful to clean this up.

HTH

Rick
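As an added illustration that is not part of this thread (neither Rui's nor Rick's code), the following Python re-implements Cisco IOS first-match, wildcard-mask ACL evaluation and runs the two access lists from the posted config (105, the NAT list, and 110, the crypto ACL) over a few flows. It shows the point Rick makes above: a standard ping from the router is sourced from the outgoing interface, so it never matches the `permit` line of ACL 110 and leaves BVI1 unencrypted, whereas a ping sourced from Ethernet0 (192.168.1.1) is "interesting traffic". It also shows why the `deny` at the top of ACL 105 matters: IOS translates inside-to-outside traffic before it consults the crypto map, so VPN-bound traffic must be exempted from NAT or its source would no longer match ACL 110. The BVI1 address 77.54.224.50 and the hosts 192.168.0.10 and 203.0.113.10 are constructed for the example; the real DHCP address is not in the post.

```python
"""Added example (not from the thread): IOS wildcard-mask ACL evaluation for
the NAT list (105) and the crypto ACL (110) in the posted 827 config."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    src: str         # source network address
    src_wild: str    # IOS wildcard mask (inverted netmask); 0.0.0.0 = exact host
    dst: str
    dst_wild: str


def in_wildcard(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard test: address bits where the wildcard bit is 0 must equal the network."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w          # bits we must match
    return (a & care) == (n & care)


def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for entry in acl:
        if in_wildcard(src, entry.src, entry.src_wild) and in_wildcard(dst, entry.dst, entry.dst_wild):
            return entry.action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")   # IOS keyword "any"

# access-list 105 "Traffic to NAT", exactly as posted
ACL_105 = [
    AclEntry("deny", "192.168.1.0", "0.0.0.255", "192.168.0.0", "0.0.0.255"),
    AclEntry("permit", "192.168.1.0", "0.0.0.255", *ANY),
]
# access-list 110 "Traffic to VPN", exactly as posted (a permit here means "encrypt")
ACL_110 = [
    AclEntry("permit", "192.168.1.0", "0.0.0.255", "192.168.0.0", "0.0.0.255"),
    AclEntry("deny", "192.168.1.0", "0.0.0.255", *ANY),
]


def classify(src: str, dst: str):
    """For a packet leaving BVI1, return (translated_by_nat, sent_through_tunnel).

    On IOS, inside-to-outside NAT runs before the crypto map check, so a flow
    that ACL 105 permits would reach ACL 110 with a translated source."""
    natted = evaluate(ACL_105, src, dst) == "permit"
    encrypted = evaluate(ACL_110, src, dst) == "permit"
    return natted, encrypted


# Constructed sample flows (addresses other than 192.168.1.x are made up).
BVI1_OUTSIDE = "77.54.224.50"          # stand-in for the router's DHCP-assigned WAN address
REMOTE_HOST = "192.168.0.10"           # a host behind the remote firewall
INTERNET_HOST = "203.0.113.10"         # some public host

FLOWS = {
    "LAN host to remote LAN":            ("192.168.1.50", REMOTE_HOST),
    "standard ping from router":         (BVI1_OUTSIDE, REMOTE_HOST),
    "extended ping sourced Ethernet0":   ("192.168.1.1", REMOTE_HOST),
    "LAN host to Internet":              ("192.168.1.50", INTERNET_HOST),
}

if __name__ == "__main__":
    for name, (src, dst) in FLOWS.items():
        natted, encrypted = classify(src, dst)
        print(f"{name:34s} {src:>14s} -> {dst:<14s} NAT={natted!s:5s} tunnel={encrypted}")
```

The "standard ping from router" row comes out neither translated nor encrypted: the packet follows the default route towards 77.54.224.1 in the clear with a private destination, which is exactly the failure Rick describes. On IOS the source can be pinned without entering the interactive extended-ping dialog, e.g. `ping 192.168.0.10 source 192.168.1.1`, which produces the third row.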

skizofrenik Wed, 12/03/2008 - 02:37

Hi Rick,

I've removed the access-group 101 on the BVI1 interface and tried an extended ping with the source from the router's Ethernet address and still no go.

As I said before, I can ping both remote router's ethernet address and one(?) remote machine address from my home network but that's all. Everything else is unreachable.

Kind Regards

Rui

Correct Answer
Richard Burts Wed, 12/03/2008 - 07:43

Rui

If your home network can ping the remote router and one remote machine, then I think that it shows that there is not a problem on your end. And since I do not see anything in your config that would allow access to some machine but not to others, then I believe that there may be some issue on the remote side. Is it possible that machines at the remote side that you are attempting to ping have firewalls running that do not accept ping? If there is a web server on the remote side, can you establish an HTTP connection? Or if there is an FTP server on the remote side can you establish an FTP connection?

HTH

Rick

skizofrenik Thu, 12/04/2008 - 03:57

Hi Rick,

Thanks for your help!

The problem was on the Endian firewall side all the time.

I made a new IPSEC connection between the Cisco 827 and a D-Link DFL-210 and everything is working fine on both sides now.

Kind Regards,

Rui

Richard Burts Thu, 12/04/2008 - 10:19

Rui

I am glad that you got your problem resolved. It confirms my suggestion that the problem was on the remote device.

Thank you for posting back to the thread and indicating what the problem was and how you solved it. It makes the forum more useful when people can read about a problem and can read what the cause of the problem was and how the problem was solved.

HTH

Rick
