VPN L2L problem

Unanswered Question
Sep 11th, 2009

Hi everybody

I am building an L2L VPN between my HQ and a remote branch using Cisco 851 routers. In HQ, when I apply the ACL (which is underneath), the HQ loses the internet connection. Please, is there any line in that ACL which can cause this?

rle_internet(config)# ip access-list extended perimeter
rle_internet(config-ext-nacl)# permit udp host 193.205.89.57 host 193.205.80.45 eq 500
rle_internet(config-ext-nacl)# permit esp host 193.205.89.57 host 193.205.80.45
rle_internet(config-ext-nacl)# permit ip 192.168.1.224 0.0.0.31 192.168.6.0 0.0.0.255
rle_internet(config-ext-nacl)# deny ip 192.168.6.0 0.0.0.255 any log
rle_internet(config-ext-nacl)# deny ip 127.0.0.0 0.255.255.255 any log
rle_internet(config-ext-nacl)# deny ip 10.0.0.0 0.255.255.255 any log
rle_internet(config-ext-nacl)# deny ip 0.0.0.0 0.255.255.255 any log
rle_internet(config-ext-nacl)# deny ip 192.0.2.0 0.0.0.255 any log
rle_internet(config-ext-nacl)# deny ip 169.254.0.0 0.0.255.255 any log
rle_internet(config-ext-nacl)# deny ip 224.0.0.0 15.255.255.255 any log
rle_internet(config-ext-nacl)# deny ip any host 192.168.6.0 log
rle_internet(config-ext-nacl)# deny ip any host 192.168.6.255 log
rle_internet(config-ext-nacl)# permit icmp 192.168.1.224 0.0.0.31 any
rle_internet(config-ext-nacl)# deny icmp any any redirect log
rle_internet(config-ext-nacl)# deny icmp any any mask-request log
rle_internet(config-ext-nacl)# deny tcp any any range 6000 6063 log
rle_internet(config-ext-nacl)# deny tcp any any eq 6667 log
rle_internet(config-ext-nacl)# deny tcp any any range 12345 12346 log
rle_internet(config-ext-nacl)# deny tcp any any eq 31337 log
rle_internet(config-ext-nacl)# deny udp any any eq 2049 log
rle_internet(config-ext-nacl)# deny udp any any eq 31337 log
rle_internet(config-ext-nacl)# permit udp any eq 53 any gt 1023
rle_internet(config-ext-nacl)# deny tcp any range 0 65535 any range 0 65535 log
rle_internet(config-ext-nacl)# deny udp any range 0 65535 any range 0 65535 log
rle_internet(config-ext-nacl)# deny ip any any
rle_internet(config-ext-nacl)# exit
rle_internet(config)# interface Ethernet4
rle_internet(config-if)# ip address 193.205.80.45 255.255.255.224
rle_internet(config-if)# ip access-group perimeter in
rle_internet(config-if)# crypto map mymap

Please help me

Todd Pula Fri, 09/11/2009 - 06:18

I would need to see the entire config to be sure. If you do not have CBAC or ZBFW configured to provide for a stateful fw, then you will need to explicitly permit the returning TCP 80 traffic in your ACL. An easy way to troubleshoot this type of issue is to add the "log" feature to the deny ip any any rule so that you can see what packets are being discarded.
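
To make the point about return traffic concrete, here is an added example, not code from the thread or from Cisco: a small Python evaluator for a subset of IOS extended ACL syntax (permit/deny, ip/tcp/udp/icmp/esp, any/host/wildcard addresses, eq/gt/lt/range ports, the 'established' keyword; 'log' is ignored). It walks constructed inbound packets through the 'perimeter' ACL posted above (with the pasted typos normalised) and shows that the NAT'd HTTP reply coming back to 193.205.80.45 is dropped by the catch-all 'deny tcp any range 0 65535 any range 0 65535' entry, while a DNS reply is admitted by 'permit udp any eq 53 any gt 1023'. It then shows the effect of placing a 'permit tcp any eq 80 any gt 1023 established' entry ahead of the catch-all. The peer addresses and ports from 198.51.100.0/24 are constructed sample values.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# The 'perimeter' ACL as posted in the thread, typos normalised ('deny ip deny ip',
# '192.168.6.' and 'log log'). 'log' keywords are parsed and ignored.
PERIMETER_ACL = """
permit udp host 193.205.89.57 host 193.205.80.45 eq 500
permit esp host 193.205.89.57 host 193.205.80.45
permit ip 192.168.1.224 0.0.0.31 192.168.6.0 0.0.0.255
deny ip 192.168.6.0 0.0.0.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 0.0.0.0 0.255.255.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 224.0.0.0 15.255.255.255 any log
deny ip any host 192.168.6.0 log
deny ip any host 192.168.6.255 log
permit icmp 192.168.1.224 0.0.0.31 any
deny icmp any any redirect log
deny icmp any any mask-request log
deny tcp any any range 6000 6063 log
deny tcp any any eq 6667 log
deny tcp any any range 12345 12346 log
deny tcp any any eq 31337 log
deny udp any any eq 2049 log
deny udp any any eq 31337 log
permit udp any eq 53 any gt 1023
deny tcp any range 0 65535 any range 0 65535 log
deny udp any range 0 65535 any range 0 65535 log
deny ip any any
"""

@dataclass
class Packet:
    proto: str                       # 'tcp', 'udp', 'icmp' or 'esp'
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None  # e.g. 'redirect', 'mask-request'
    established: bool = False        # TCP ACK or RST bit set, i.e. reply traffic

# src/dst are (address, wildcard) ints; sport/dport are (op, lo, hi) or None
Rule = namedtuple("Rule", "text action proto src dst sport dport icmp_type established")

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok, i):
    """Parse 'any', 'host X' or 'X WILDCARD' at tok[i]; return (spec, next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2

def _port(tok, i):
    """Parse an optional 'eq N' / 'gt N' / 'lt N' / 'range A B' qualifier at tok[i]."""
    if i < len(tok) and tok[i] in ("eq", "gt", "lt"):
        return (tok[i], int(tok[i + 1]), int(tok[i + 1])), i + 2
    if i < len(tok) and tok[i] == "range":
        return ("range", int(tok[i + 1]), int(tok[i + 2])), i + 3
    return None, i

def parse_rule(line):
    tok = line.split()
    action, proto = tok[0], tok[1]
    src, i = _addr(tok, 2)
    sport, i = _port(tok, i) if proto in ("tcp", "udp") else (None, i)
    dst, i = _addr(tok, i)
    dport, i = _port(tok, i) if proto in ("tcp", "udp") else (None, i)
    rest = [t for t in tok[i:] if t != "log"]
    icmp_type = rest[0] if proto == "icmp" and rest else None
    return Rule(line, action, proto, src, dst, sport, dport, icmp_type, "established" in rest)

def parse_acl(text):
    return [parse_rule(l) for l in text.strip().splitlines()]

def _same(spec, ip):
    """Cisco wildcard semantics: bits set in the wildcard are 'don't care' bits."""
    return (ip | spec[1]) == (spec[0] | spec[1])

def _port_ok(spec, port):
    if spec is None:
        return True
    op, lo, hi = spec
    return port is not None and {"eq": port == lo, "gt": port > lo,
                                 "lt": port < lo, "range": lo <= port <= hi}[op]

def rule_matches(r, p):
    if r.proto != "ip" and r.proto != p.proto:
        return False
    if not (_same(r.src, _ip(p.src)) and _same(r.dst, _ip(p.dst))):
        return False
    if r.proto in ("tcp", "udp") and not (_port_ok(r.sport, p.sport) and _port_ok(r.dport, p.dport)):
        return False
    return (r.icmp_type is None or r.icmp_type == p.icmp_type) and (not r.established or p.established)

def evaluate(rules, p):
    """First-match evaluation with the implicit deny at the end, as on IOS."""
    for r in rules:
        if rule_matches(r, p):
            return r.action, r.text
    return "deny", "<implicit deny>"

def insert_before(rules, prefix, new_line):
    """Copy of rules with new_line placed before the first entry starting with prefix."""
    idx = next(i for i, r in enumerate(rules) if r.text.startswith(prefix))
    return rules[:idx] + [parse_rule(new_line)] + rules[idx:]

PERIMETER = parse_acl(PERIMETER_ACL)
# Without a stateful firewall: admit established TCP replies from port 80, placed
# ahead of the catch-all 'deny tcp' entry so it is reached first.
PERIMETER_WITH_RETURN = insert_before(PERIMETER, "deny tcp any range 0 65535",
                                      "permit tcp any eq 80 any gt 1023 established")

# Constructed inbound packets on FastEthernet4 (198.51.100.0/24 is a documentation
# range standing in for Internet hosts; 193.205.80.45 is the NAT outside address).
HTTP_REPLY = Packet("tcp", "198.51.100.10", "193.205.80.45", 80, 40000, established=True)
DNS_REPLY = Packet("udp", "198.51.100.53", "193.205.80.45", 53, 40001)
ISAKMP = Packet("udp", "193.205.89.57", "193.205.80.45", 500, 500)
SPOOFED = Packet("tcp", "192.168.6.10", "193.205.80.45", 1234, 22)

if __name__ == "__main__":
    for name, pkt in [("HTTP reply", HTTP_REPLY), ("DNS reply", DNS_REPLY), ("ISAKMP", ISAKMP), ("spoofed", SPOOFED)]:
        print(name, evaluate(PERIMETER, pkt), "| with return entry:", evaluate(PERIMETER_WITH_RETURN, pkt))
```

The 'established' entry only checks the ACK/RST bits of each segment, not real connection state, so a stateful inspection rule set (CBAC 'ip inspect' applied on the outside interface, which the reply above mentions) remains the more robust way to let return traffic in while keeping the rest of the ACL as it is; the evaluator also shows that the anti-spoofing entry for 192.168.6.0/24 already does its job for a packet claiming a LAN source.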

slmansfield Fri, 09/11/2009 - 06:35

I'm wondering if the problem is within these two rules. You allow destination port UDP 500 and source ESP.

rle_internet(config-ext-nacl)# permit udp host 193.205.89.57 host 193.205.80.45 eq 500
rle_internet(config-ext-nacl)# permit esp host 193.205.89.57 host 193.205.80.45

habibnoubissi Fri, 09/11/2009 - 07:46

Hi,

this is my entire configuration:

Current configuration : 2435 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname rle_internet
!
boot-start-marker
boot-end-marker
!
logging buffered 16000 informational
enable secret 5 $1$adL3$bZtG3BtWf7gbK0dJsFwUp1
!
no aaa new-model
!
!
dot11 syslog
!
!
ip cef
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
no ip domain lookup
!
!
!
username rle password 7 15531900016B222A3C36272C161357070617
!
!
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxx address 193.205.89.57 no-xauth
!
!
crypto ipsec transform-set rle_residence esp-aes esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 41.205.89.57
 set transform-set rle_residence
 match address rle_residence
!
archive
 log config
  hidekeys
!
!
!
!
!
interface Loopback0
 description main interface loopback
 ip address 192.168.5.35 255.255.255.0
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description WAN
 crypto map mymap
 ip address 193.205.80.45 255.255.255.224
 ip access-group perimeter in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 description LAN
 ip address 192.168.6.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 41.205.80.33
ip route 192.168.1.224 255.255.255.224 193.205.89.57
!
no ip http server
no ip http secure-server
ip nat inside source list internet_access interface FastEthernet4 overload
!
ip access-list extended internet_access
 permit ip 192.168.6.0 0.0.0.255 any
ip access-list extended rle_residence
 permit ip 192.168.6.0 0.0.0.255 192.168.1.224 0.0.0.31
ip access-list extended perimeter
 permit udp host 193.205.89.57 host 193.205.80.45 eq 500
 permit esp host 193.205.89.57 host 193.205.80.45
 permit ip 192.168.1.224 0.0.0.31 192.168.6.0 0.0.0.255
 deny ip 192.168.6.0 0.0.0.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 0.0.0.0 0.255.255.255 any log
 deny ip 192.0.2.0 0.0.0.255 any log
 deny ip 169.254.0.0 0.0.255.255 any log
 deny ip 224.0.0.0 15.255.255.255 any log
 deny ip any host 192.168.6.0 log
 deny ip any host 192.168.6.255 log
 permit icmp 192.168.1.224 0.0.0.31 any
 deny icmp any any redirect log
 deny icmp any any mask-request log
 deny tcp any any range 6000 6063 log
 deny tcp any any eq 6667 log
 deny tcp any any range 12345 12346 log
 deny tcp any any eq 31337 log
 deny udp any any eq 2049 log
 deny udp any any eq 31337 log
 permit udp any eq 53 any gt 1023
 deny tcp any range 0 65535 any range 0 65535 log
 deny udp any range 0 65535 any range 0 65535 log
 deny ip any any
!
logging source-interface Loopback0
logging 192.168.6.90
access-list 20 permit 192.168.6.90
access-list 20 permit 192.168.6.52
access-list 20 permit 192.168.6.53
access-list 20 deny any
access-list 99 permit 192.168.0.2 log
access-list 99 permit 192.168.0.18 log
snmp-server community xyxy RW 20
no cdp run
!
control-plane
!
line con 0
 password 7 095E4B0E100A19130709
 login local
 no modem enable
line aux 0
line vty 0 4
 password 7 03165E0C0F002F4D420C
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end

Thanks a lot
