04-01-2009 01:53 PM - edited 02-21-2020 04:11 PM
Setup:
clients --- fa0/1 R1 fa0/0 ---ipsec--- fa0/0 R2 --- loopback
R1 fa0/1: 10.30.50.254
R1 fa0/0: 10.10.10.1
R2 fa0/0: 10.10.10.2
R2 Loop0: 10.10.20.171
I have a lab setup to help me learn about setting up IPSec tunnels. I can get the tunnel up and running with packets passing back and forth; however, when I assign an ACL to the inside interface, traffic no longer passes.
A bit more information:
I have noticed that although the inbound ACL seems to kill the connection, I can issue 'sh ip nat trans' and still see translations being made.
here is my relevant config on R1:
####################
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key *** address 10.10.10.2
!
!
crypto ipsec transform-set esp-3des esp-3des
!
crypto map VPN_crypto 10 ipsec-isakmp
set peer 10.10.10.2
set transform-set esp-3des
match address VPN_Traffic
!
interface FastEthernet0/0
ip address 10.10.10.1 255.255.255.252
ip nat outside
crypto map VPN_crypto
!
interface FastEthernet0/1
ip address 10.30.50.254 255.255.255.0
ip nat inside
ip nat inside source list VPN_NAT interface FastEthernet0/0 overload
!
ip access-list extended VPN_NAT
permit tcp any host 10.10.20.171 eq www
permit tcp any host 10.10.20.171 eq 443
permit ip host 10.30.50.124 host 10.10.20.171
ip access-list extended VPN_Traffic
permit ip any host 10.10.20.171
ip access-list extended Inside_Allowed
permit ip 10.25.25.0 0.0.0.255 host 10.30.50.254
permit ip host 10.30.50.124 any
permit ip any host 10.10.20.171
####################
Thank you for any advice and assistance in advance.
Richard
04-07-2009 07:48 AM
The below list contains simple things to check when you suspect that an ACL is the cause of problems with your IPsec VPN.
Make sure that your NAT exemption and crypto ACLs specify the correct traffic.
If you have multiple VPN tunnels and multiple crypto ACLs, make sure that those ACLs do not overlap.
Do not use ACLs twice. Even if your NAT exemption ACL and crypto ACL specify the same traffic, use two different access lists.
Make sure that your device is configured to use the NAT exemption ACL. On a router, this means that you use the route-map command. On the PIX or ASA, this means that you use the nat (0) command. A NAT exemption ACL is required for both LAN-to-LAN and remote access configurations.
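The checks in the reply (do the NAT and crypto ACLs select the traffic you intend, and do permit entries overlap) can be worked through offline against the ACLs posted in the question. The following Python script is an added example, not code from either poster or from Cisco. It parses the three named extended ACLs from the R1 config exactly as posted, then walks constructed flows through them in the order this example assumes IOS applies for inside-to-outside traffic: inbound ACL on the inside interface, then NAT inside-to-outside, then the crypto map ACL (so the crypto ACL is matched against the post-NAT source). The flows, the NAT_IP constant and the helper names are constructed for the example.

```python
# Added example (not from the thread): evaluate constructed flows against the
# ACLs posted above, in the order this example assumes IOS applies them for
# inside-to-outside traffic: inbound ACL -> NAT inside-to-outside -> crypto map.
import ipaddress
import itertools

# ACL bodies copied from the R1 config in the original post.
ACL_TEXT = {
    "VPN_NAT": """
        permit tcp any host 10.10.20.171 eq www
        permit tcp any host 10.10.20.171 eq 443
        permit ip host 10.30.50.124 host 10.10.20.171""",
    "VPN_Traffic": """
        permit ip any host 10.10.20.171""",
    "Inside_Allowed": """
        permit ip 10.25.25.0 0.0.0.255 host 10.30.50.254
        permit ip host 10.30.50.124 any
        permit ip any host 10.10.20.171""",
}
NAT_IP = ipaddress.ip_address("10.10.10.1")   # fa0/0 address used by 'overload' NAT
PORT_NAMES = {"www": 80}                      # only the port keyword the page uses


def parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress reads a mask whose first field is zero as a host (wildcard) mask
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse one extended ACE of the shapes used in the thread."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, rest = parse_addr(rest)
    dst, rest = parse_addr(rest)
    dport = None
    if rest and rest[0] == "eq":
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def parse_acl(text):
    return [parse_ace(line) for line in text.strip().splitlines()]


ACLS = {name: parse_acl(body) for name, body in ACL_TEXT.items()}


def make_flow(src, dst, proto, dport=None):
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "dport": dport}


def acl_permits(acl, flow):
    """First matching ACE decides; an unmatched flow hits the implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", flow["proto"]):
            continue
        if flow["src"] not in ace["src"] or flow["dst"] not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != flow["dport"]:
            continue
        return ace["action"] == "permit"
    return False


def trace_inside_to_outside(flow, inbound_acl, nat_acl, nat_ip, crypto_acl):
    """Report what happens to a LAN flow at each stage (assumed IOS ordering)."""
    result = {"inbound": acl_permits(inbound_acl, flow), "nat": False,
              "crypto": False, "post_nat_src": flow["src"]}
    if not result["inbound"]:
        return result                 # dropped at the inside interface
    post = dict(flow)
    if acl_permits(nat_acl, flow):
        post["src"] = nat_ip          # overload NAT rewrites the source address
        result["nat"] = True
    result["post_nat_src"] = post["src"]
    # The crypto map is evaluated after NAT, so it matches the translated packet.
    result["crypto"] = acl_permits(crypto_acl, post)
    return result


def overlapping_permits(acl_a, acl_b):
    """Pairs of permit ACEs (one from each list) that could match the same packet."""
    hits = []
    for a, b in itertools.product(acl_a, acl_b):
        if a["action"] != "permit" or b["action"] != "permit":
            continue
        same_proto = a["proto"] == b["proto"] or "ip" in (a["proto"], b["proto"])
        same_port = a["dport"] is None or b["dport"] is None or a["dport"] == b["dport"]
        if same_proto and same_port and a["src"].overlaps(b["src"]) and a["dst"].overlaps(b["dst"]):
            hits.append((a, b))
    return hits


if __name__ == "__main__":
    # Constructed flows: a client from the OP's LAN towards the loopback and towards R2's outside address.
    for flow in (make_flow("10.30.50.124", "10.10.20.171", "tcp", 80),
                 make_flow("10.30.50.10", "10.10.20.171", "tcp", 22),
                 make_flow("10.30.50.10", "10.10.10.2", "icmp")):
        print(flow["src"], "->", flow["dst"], trace_inside_to_outside(
            flow, ACLS["Inside_Allowed"], ACLS["VPN_NAT"], NAT_IP, ACLS["VPN_Traffic"]))
    print("overlapping permits VPN_NAT/VPN_Traffic:",
          len(overlapping_permits(ACLS["VPN_NAT"], ACLS["VPN_Traffic"])))
```

Run as a script and it prints, per constructed flow, whether Inside_Allowed permits it, whether VPN_NAT translates it, and whether the post-NAT packet still matches VPN_Traffic; the third flow (LAN client to R2's fa0/0) shows the implicit deny of Inside_Allowed, since none of its entries cover that destination. `overlapping_permits` is the generic version of the reply's "crypto ACLs must not overlap" check; with only one crypto ACL on this page it is run between the NAT list and the crypto list instead, which shows why the crypto ACL's `any` source is what keeps post-NAT traffic inside the tunnel.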