Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
578
Views
0
Helpful
1
Replies

IPSec, NAT, Interface ACL

rsvensson
Level 1
Level 1

‎04-01-2009 01:53 PM - edited ‎02-21-2020 04:11 PM

Setup:

clients --- fa0/1 R1 fa0/0 ---ipsec--- fa0/0 R2 --- loopback

R1 fa0/1: 10.30.50.254

R1 fa0/0: 10.10.10.1

R2 fa0/0: 10.10.10.2

R2 Loop0: 10.10.20.171

I have a lab setup to help me learn about setting up IPSec tunnels and I can get the tunnel up and running with packets passing back and forth, however, when I assign an ACL to the inside interface traffic no longer passes.

A bit more information:

I have noticed that although the inbound ACL seems to kill the connection, I can issue 'sh ip nat trans' and still see translations being made....

here is my relevant config on R1:

####################

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

crypto isakmp key *** address 10.10.10.2

!

!

crypto ipsec transform-set esp-3des esp-3des

!

crypto map VPN_crypto 10 ipsec-isakmp

set peer 10.10.10.2

set transform-set esp-3des

match address VPN_Traffic

!

interface FastEthernet0/0

ip address 10.10.10.1 255.255.255.252

ip nat outside

crypto map VPN_crypto

!

interface FastEthernet0/1

ip address 10.30.50.254 255.255.255.0

ip nat inside

ip nat inside source list VPN_NAT interface FastEthernet0/0 overload

!

ip access-list extended VPN_NAT

permit tcp any host 10.10.20.171 eq www

permit tcp any host 10.10.20.171 eq 443

permit ip host 10.30.50.124 host 10.10.20.171

ip access-list extended VPN_Traffic

permit ip any host 10.10.20.171

ip access-list extended Inside_Allowed

permit ip 10.25.25.0 0.0.0.255 host 10.30.50.254

permit ip host 10.30.50.124 any

permit ip any host 10.10.20.171

##################3

Thank you for any advice and assistance in advanced.

Richard

Labels:
0 Helpful
1 Reply 1

htarra
Level 4
Level 4

‎04-07-2009 07:48 AM

The below list contains simple things to check when you suspect that an ACL is the cause of problems with your IPsec VPN.

Make sure that your NAT exemption and crypto ACLs specify the correct traffic.

If you have multiple VPN tunnels and multiple crypto ACLs, make sure that those ACLs do not overlap.

Do not use ACLs twice. Even if your NAT exemption ACL and crypto ACL specify the same traffic, use two different access lists.

Make sure that your device is configured to use the NAT exemption ACL. On a router, this means that you use the route-map command. On the PIX or ASA, this means that you use the nat (0) command. A NAT exemption ACL is required for both LAN-to-LAN and remote access configurations.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents