IPSec, NAT, Interface ACL

Unanswered Question
Apr 1st, 2009

Setup:

clients --- fa0/1 R1 fa0/0 ---ipsec--- fa0/0 R2 --- loopback

R1 fa0/1: 10.30.50.254

R1 fa0/0: 10.10.10.1

R2 fa0/0: 10.10.10.2

R2 Loop0: 10.10.20.171

I have a lab set up to help me learn about setting up IPSec tunnels, and I can get the tunnel up and running with packets passing back and forth; however, when I assign an ACL to the inside interface, traffic no longer passes.

A bit more information:

I have noticed that although the inbound ACL seems to kill the connection, I can issue 'sh ip nat trans' and still see translations being made.

Here is my relevant config on R1:

####################
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key *** address 10.10.10.2
!
!
crypto ipsec transform-set esp-3des esp-3des
!
crypto map VPN_crypto 10 ipsec-isakmp
 set peer 10.10.10.2
 set transform-set esp-3des
 match address VPN_Traffic
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.252
 ip nat outside
 crypto map VPN_crypto
!
interface FastEthernet0/1
 ip address 10.30.50.254 255.255.255.0
 ip nat inside
!
ip nat inside source list VPN_NAT interface FastEthernet0/0 overload
!
ip access-list extended VPN_NAT
 permit tcp any host 10.10.20.171 eq www
 permit tcp any host 10.10.20.171 eq 443
 permit ip host 10.30.50.124 host 10.10.20.171
ip access-list extended VPN_Traffic
 permit ip any host 10.10.20.171
ip access-list extended Inside_Allowed
 permit ip 10.25.25.0 0.0.0.255 host 10.30.50.254
 permit ip host 10.30.50.124 any
 permit ip any host 10.10.20.171
####################

Thank you for any advice and assistance in advance.

Richard

htarra Tue, 04/07/2009 - 07:48

The list below contains simple things to check when you suspect that an ACL is the cause of problems with your IPsec VPN.

Make sure that your NAT exemption and crypto ACLs specify the correct traffic.

If you have multiple VPN tunnels and multiple crypto ACLs, make sure that those ACLs do not overlap.

Do not use ACLs twice. Even if your NAT exemption ACL and crypto ACL specify the same traffic, use two different access lists.

Make sure that your device is configured to use the NAT exemption ACL. On a router, this means that you use the route-map command. On the PIX or ASA, this means that you use the nat (0) command. A NAT exemption ACL is required for both LAN-to-LAN and remote access configurations.
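The route-map NAT-exemption pattern the reply refers to, written out for IOS as an added example; it is not part of either post. It reuses the lab addresses from the question (R1 fa0/0 10.10.10.1, fa0/1 10.30.50.254, remote host 10.10.20.171, ACL name Inside_Allowed) but assumes the more common design in which the 10.30.50.0/24 clients reach 10.10.20.171 through the tunnel untranslated; the question's own config instead PATs that traffic to fa0/0 before encryption, so this is the pattern, not a drop-in fix, and R2's crypto ACL would have to mirror the 10.30.50.0/24 prefix. The names NAT_Exempt and NO_NAT_VPN are assumed.

```cisco
! Added example (not from either post): NAT exemption via route-map on IOS,
! with the crypto ACL, the NAT ACL and the interface ACL kept as three
! separate lists even though two of them name the same traffic.
! Assumed: clients 10.30.50.0/24 are NOT translated toward 10.10.20.171;
! names NAT_Exempt and NO_NAT_VPN are made up for this example.
!
! Crypto ACL: exactly the traffic that must be encrypted, nothing else.
ip access-list extended VPN_Traffic
 permit ip 10.30.50.0 0.0.0.255 host 10.10.20.171
!
! NAT ACL referenced by the route-map: deny the VPN traffic first so it is
! never translated, then permit whatever should still be PATed out fa0/0.
! Same prefixes as VPN_Traffic, but a different list, as the reply advises.
ip access-list extended NAT_Exempt
 deny   ip 10.30.50.0 0.0.0.255 host 10.10.20.171
 permit ip 10.30.50.0 0.0.0.255 any
!
route-map NO_NAT_VPN permit 10
 match ip address NAT_Exempt
!
ip nat inside source route-map NO_NAT_VPN interface FastEthernet0/0 overload
!
! Inbound ACL on the inside interface. For inside-to-outside traffic IOS
! evaluates this ACL before NAT and before the crypto map, so it must match
! the real (pre-translation) client addresses toward the remote host.
ip access-list extended Inside_Allowed
 permit ip 10.30.50.0 0.0.0.255 host 10.10.20.171
 permit ip host 10.30.50.124 any
!
interface FastEthernet0/1
 ip address 10.30.50.254 255.255.255.0
 ip nat inside
 ip access-group Inside_Allowed in
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.252
 ip nat outside
 crypto map VPN_crypto
```

To confirm the exemption is taking effect, send traffic from a client to 10.10.20.171 and check that `show ip nat translations` shows no entry for that destination, that `show access-lists Inside_Allowed` shows the hit count on the first line increasing, and that the `#pkts encaps` and `#pkts decaps` counters in `show crypto ipsec sa` both rise. If encaps rises but decaps stays at zero, the problem is on the return path or on R2's side, not in the inside-interface ACL.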
