VPN problem 877 - can't ping hosts.

Unanswered Question
Jan 1st, 2009

I have an 877 with tunnels configured to two sites. These are working fine. I can ping from the remote sites the inside address of the router but nothing beyond. I can ping hosts directly from the router.


Not sure if there is some issue with my route-map NAT or something else stopping it.


Any help much appreciated - I've attached a config with relevant parts.



Giuseppe Larosa Thu, 01/01/2009 - 11:03

Hello Rob,

I see that you used SDM and that some ACLs look like they contain some strange lines


example:

vlan1 is your client vlan

ip access-group 115 in


if you look at what ACL 115 is:


access-list 115 permit udp host 87.85.165.82 host 192.168.104.6 eq non500-isakmp
access-list 115 permit udp host 87.85.165.82 host 192.168.104.6 eq isakmp
access-list 115 permit esp host 87.85.165.82 host 192.168.104.6
access-list 115 permit ahp host 87.85.165.82 host 192.168.104.6


the first line above looks strange, mixing public IP addresses and private IP addresses


access-list 115 permit tcp 192.168.104.0 0.0.0.255 host 192.168.104.6 eq telnet
access-list 115 permit tcp 192.168.104.0 0.0.0.255 host 192.168.104.6 eq 22
access-list 115 permit tcp 192.168.104.0 0.0.0.255 host 192.168.104.6 eq www
access-list 115 permit tcp 192.168.104.0 0.0.0.255 host 192.168.104.6 eq 443
access-list 115 permit tcp 192.168.104.0 0.0.0.255 host 192.168.104.6 eq cmd
access-list 115 deny tcp any host 192.168.104.6 eq telnet
access-list 115 deny tcp any host 192.168.104.6 eq 22
access-list 115 deny tcp any host 192.168.104.6 eq www
access-list 115 deny tcp any host 192.168.104.6 eq 443
access-list 115 deny tcp any host 192.168.104.6 eq cmd
access-list 115 deny udp any host 192.168.104.6 eq snmp


! the lines above can be a form of antispoofing and protection for the router


access-list 115 remark IPSec Rule
access-list 115 permit ip 192.168.103.0 0.0.0.255 192.168.104.0 0.0.0.255
>>>access-list 115 permit ip any any


then you end with permit ip any any. Probably you have modified your configuration after the troubles.


ACL 115 inbound applies to packets received by SVI Vlan1 on the switch side


permit ip 192.168.104.0 0.0.0.255 any


legitimate users have IP addresses 192.168.104.x given by the DHCP local pool


then be aware that you have inspect rules applied to your zone based firewall and they are still applied:


zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
!


try disabling any inspect rule and see if there is connectivity between hosts of the two client subnets 192.168.104.0/24 and 192.168.103.0/24


Hope to help

Giuseppe






rasoftware Thu, 01/01/2009 - 12:04

Many thanks for your reply.


I've removed ACL 115 but still no better.


I configured the firewall with SDM as it's the first time I've used zone based. There is a bit of redundant config.


Any idea which inspect might be causing this?

Giuseppe Larosa Thu, 01/01/2009 - 12:35

Hello Rob,


I would point to the following


zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
!


the second should be fine; it has no service-policy applied


I would try to remove the application of sdm-inspect


something like

zone-pair security sdm-zp-in-out source in-zone destination out-zone
 no service-policy type inspect sdm-inspect


there is no need to delete the policy definitions; it is enough to remove their application to the zones.



Hope to help

Giuseppe


rasoftware Thu, 01/01/2009 - 13:20

Hi Giuseppe


Tried removing that but still can't ping the LAN.


As a test I also tried removing out-zone from VLAN2 (outside) and also access list 112 in but still no go.


When I remove "in-zone" from VLAN1 it works -

Which bit might be causing this?




Richard Burts Thu, 01/01/2009 - 13:02

Rob


There are several very odd things in access list 115. Starting with this:

access-list 115 permit udp host 87.85.165.82 host 192.168.104.6 eq non500-isakmp
access-list 115 permit udp host 87.85.165.82 host 192.168.104.6 eq isakmp
access-list 115 permit esp host 87.85.165.82 host 192.168.104.6
access-list 115 permit ahp host 87.85.165.82 host 192.168.104.6

The source address in these lines is one of your VPN peers. So how could it be in an inbound access list on the LAN interface? And the access list also has this:

access-list 115 remark IPSec Rule
access-list 115 permit ip 192.168.103.0 0.0.0.255 192.168.104.0 0.0.0.255

The comment indicates that it is for IPSec and the source address appears to be the LAN of one of your VPN peers. So how did it get inbound on your LAN interface?


HTH


Rick

rasoftware Thu, 01/01/2009 - 13:32

Yes it's redundant now - I have removed the ACL. Unfortunately I inherited a lot from previous attempts to get it working and SDM has left a real mess in there.


We have isolated the problem to be the in-zone firewall policy I think, since removing it makes it work.


If I remove this from VLAN1 it works ok - not sure what element on the sdm-inspect is causing this.

Giuseppe Larosa Thu, 01/01/2009 - 13:41

Hello Rob,


>> When I remove "in-zone" from VLAN1 it works -

Which bit might be causing this?


by removing the zone classification for Vlan1 you are bypassing all the zone based inspect commands.


I think it is like NAT: NAT works if you go from a NAT inside interface to NAT outside interface.


with that simple command you have bypassed all the inspect stuff that counts for 80% of your configuration.


I would suggest starting again from scratch because there are so many strange statements and class maps that call other classes and so on.

Also I'm not sure that every inspect policy is defined and this could be the reason for the problem, but again the suggestion is to clear up this configuration.


Hope to help

Giuseppe


rasoftware Thu, 01/01/2009 - 14:50

Thanks Giuseppe.


I can probably just remove it and the config associated. It is a simple site with VPN access to the main centre with just RDP required from terminals. I could add a simple inspect if I need SPI; ACLs should be sufficient.


I have cut the config to a bare minimum but still can't get it to work. I'm not sure if my route-map NAT and redundant WAN may be causing a problem with it. It's the first time I have come across the new zone based firewall.
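As an added illustration (not from the thread, and not Cisco's own tooling), this Python script applies the documented IOS zone-based firewall rules to the zone membership and zone-pairs quoted above, so you can see which interface-to-interface flows the zone logic drops before any class-map is consulted. The config is a constructed sample: Vlan1 in in-zone, Vlan2 in out-zone, and Dialer0 as an assumed WAN interface in no zone (not on the page); the self zone and class-map contents are not modelled, only whether a zone-pair has a service-policy attached.

```python
import re
from itertools import permutations

# Constructed sample; Dialer0 is an assumed, unzoned WAN interface (not from the page).
ZBF_CONFIG = """\
interface Vlan1
 zone-member security in-zone
interface Vlan2
 zone-member security out-zone
interface Dialer0
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
"""

def parse_zbf(config):
    """Return ({interface: zone or None}, {(src_zone, dst_zone): policy or None})."""
    zones, pairs, cur_if, cur_pair = {}, {}, None, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            cur_if, cur_pair = s.split()[1], None
            zones.setdefault(cur_if, None)
        elif s.startswith("zone-member security ") and cur_if:
            zones[cur_if] = s.split()[-1]
        elif s.startswith("zone-pair security "):
            m = re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", s)
            cur_pair, cur_if = (m.group(1), m.group(2)), None
            pairs[cur_pair] = None            # pair exists, no policy attached yet
        elif s.startswith("service-policy type inspect ") and cur_pair:
            pairs[cur_pair] = s.split()[-1]
    return zones, pairs

def verdict(zones, pairs, src_if, dst_if):
    """IOS ZBF zone rules for a flow initiated from src_if towards dst_if."""
    src, dst = zones.get(src_if), zones.get(dst_if)
    if src is None and dst is None:
        return "pass (neither interface is in a zone)"
    if src is None or dst is None:
        return "drop (zone member to non-zone interface)"
    if src == dst:
        return "pass (same zone)"
    policy = pairs.get((src, dst))     # missing pair and pair without policy both drop
    if policy is None:
        return "drop (no zone-pair %s -> %s with a service-policy)" % (src, dst)
    return "governed by policy %s" % policy

def report(config):
    zones, pairs = parse_zbf(config)
    return {(a, b): verdict(zones, pairs, a, b) for a, b in permutations(zones, 2)}
```

Running report() on the config before and after deleting the Vlan1 zone-member line shows which flows change from drop to pass, which is the comparison the thread ends on.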
