09-11-2009 03:16 AM
Hi everybody,
I am building an L2L VPN between my HQ and a remote branch using Cisco 851 routers; at HQ, when I apply the ACL shown underneath, HQ loses its internet connection. Please, is there any line in that ACL which can cause this?
rle_internet(config)# ip access-list extended perimeter
rle_internet(config-ext-nacl)# permit udp host 193.205.89.57 host 193.205.80.45 eq 500
rle_internet(config-ext-nacl)# permit esp host 193.205.89.57 host 193.205.80.45
rle_internet(config-ext-nacl)# permit ip 192.168.1.224 0.0.0.31 192.168.6.0 0.0.0.255
rle_internet(config-ext-nacl)# deny ip 192.168.6.0 0.0.0.255 any log
rle_internet(config-ext-nacl)# deny ip 127.0.0.0 0.255.255.255 any log
rle_internet(config-ext-nacl)# deny ip 10.0.0.0 0.255.255.255 any log
rle_internet(config-ext-nacl)# deny ip 0.0.0.0 0.255.255.255 any log
rle_internet(config-ext-nacl)# deny ip 192.0.2.0 0.0.0.255 any log
rle_internet(config-ext-nacl)# deny ip 169.254.0.0 0.0.255.255 any log
rle_internet(config-ext-nacl)# deny ip 224.0.0.0 15.255.255.255 any log
rle_internet(config-ext-nacl)# deny ip any host 192.168.6.0 log
rle_internet(config-ext-nacl)# deny ip any host 192.168.6.255 log
rle_internet(config-ext-nacl)# permit icmp 192.168.1.224 0.0.0.31 any
rle_internet(config-ext-nacl)# deny icmp any any redirect log
rle_internet(config-ext-nacl)# deny icmp any any mask-request log
rle_internet(config-ext-nacl)# deny tcp any any range 6000 6063 log
rle_internet(config-ext-nacl)# deny tcp any any eq 6667 log
rle_internet(config-ext-nacl)# deny tcp any any range 12345 12346 log
rle_internet(config-ext-nacl)# deny tcp any any eq 31337 log
rle_internet(config-ext-nacl)# deny udp any any eq 2049 log
rle_internet(config-ext-nacl)# deny udp any any eq 31337 log
rle_internet(config-ext-nacl)# permit udp any eq 53 any gt 1023
rle_internet(config-ext-nacl)# deny tcp any range 0 65535 any range 0 65535 log
rle_internet(config-ext-nacl)# deny udp any range 0 65535 any range 0 65535 log
rle_internet(config-ext-nacl)# deny ip any any
rle_internet(config-ext-nacl)# exit
rle_internet(config)# interface Ethernet4
rle_internet(config-if)# ip address 193.205.80.45 255.255.255.224
rle_internet(config-if)# ip access-group perimeter in
rle_internet(config-if)# crypto map mymap
Please help me
09-11-2009 06:18 AM
I would need to see the entire config to be sure. If you do not have CBAC or ZBFW configured to provide for a stateful fw, then you will need to explicitly permit the returning TCP 80 traffic in your ACL. An easy way to troubleshoot this type of issue is to add the "log" feature to the deny ip any any rule so that you can see what packets are being discarded.
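To show why the return leg of a web session never gets past this ACL without a stateful firewall, here is an added example (not code from this thread or from Cisco): a small first-match evaluator for a subset of the poster's perimeter ACL. The 203.0.113.x servers, the client port numbers and the extra "permit tcp any eq 80 ... established" entry are constructed for the demonstration; "established" only tests the ACK/RST bit, so it is a stop-gap next to the CBAC/ZBFW inspection the reply above recommends.

```python
import ipaddress

def _addr(t):
    # IOS address spec: any | host A | A WILDCARD (a wildcard is an inverted subnet mask)
    tok = t.pop(0)
    if tok in ("any", "host"):
        return ipaddress.IPv4Network("0.0.0.0/0" if tok == "any" else t.pop(0) + "/32")
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(t.pop(0))))
    return ipaddress.IPv4Network(f"{tok}/{mask}", strict=False)

def _port(t):
    # Optional port operator (eq N | gt N | range A B) -> inclusive (lo, hi); absent = any port
    if not t or t[0] not in ("eq", "gt", "range"):
        return (0, 65535)
    op, a = t.pop(0), int(t.pop(0))
    return (a, a) if op == "eq" else (a + 1, 65535) if op == "gt" else (a, int(t.pop(0)))

def parse_ace(line):
    # ACE syntax handled: action proto src [port] dst [port] [established] [log]
    t = line.split()
    a = dict(line=line, action=t.pop(0), proto=t.pop(0))
    a["src"], a["sport"], a["dst"], a["dport"] = _addr(t), _port(t), _addr(t), _port(t)
    a["established"] = "established" in t  # tests only the ACK/RST bit, not connection state
    return a

def evaluate(acl, proto, src, sport, dst, dport, ack=False):
    # First match wins, as with an inbound IOS ACL; no match falls to the implicit deny.
    for a in acl:
        ports_ok = proto not in ("tcp", "udp") or (
            a["sport"][0] <= sport <= a["sport"][1] and a["dport"][0] <= dport <= a["dport"][1])
        if (a["proto"] in ("ip", proto) and ports_ok and (ack or not a["established"])
                and ipaddress.IPv4Address(src) in a["src"] and ipaddress.IPv4Address(dst) in a["dst"]):
            return a["action"], a["line"]
    return "deny", "implicit deny"

# Constructed subset of the thread's "perimeter" ACL, kept in its original order.
PERIMETER = [parse_ace(l) for l in (
    "permit ip 192.168.1.224 0.0.0.31 192.168.6.0 0.0.0.255",
    "permit udp any eq 53 any gt 1023",
    "deny tcp any range 0 65535 any range 0 65535 log",
    "deny ip any any",
)]
# Assumed stop-gap fix: admit web replies, placed ahead of the blanket TCP deny.
FIXED = PERIMETER[:2] + [parse_ace("permit tcp any eq 80 host 193.205.80.45 established")] + PERIMETER[2:]

def http_reply(acl):  # constructed web server 203.0.113.10:80 answering the NATed client
    return evaluate(acl, "tcp", "203.0.113.10", 80, "193.205.80.45", 50123, ack=True)

def dns_reply(acl):  # constructed resolver 203.0.113.53:53 answering on a high port
    return evaluate(acl, "udp", "203.0.113.53", 53, "193.205.80.45", 40000)
```

Running http_reply(PERIMETER) reports the blanket "deny tcp any range 0 65535 ..." entry as the match, which is exactly the line that would show up in the log once "log" is on the final denies; dns_reply(PERIMETER) is permitted, which is why name resolution still works while web browsing does not.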
09-11-2009 06:35 AM
I'm wondering if the problem is within these two rules. You allow destination port UDP 500 and source ESP.
rle_internet(config-ext-nacl)# permit udp host 193.205.89.57 host 193.205.80.45 eq 500
rle_internet(config-ext-nacl)# permit esp host 193.205.89.57 host 193.205.80.45
09-11-2009 06:37 AM
Sorry, my bad, that's not the issue.
09-11-2009 07:46 AM
Hi,
this is my entire configuration:
Current configuration : 2435 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname rle_internet
!
boot-start-marker
boot-end-marker
!
logging buffered 16000 informational
enable secret 5 $1$adL3$bZtG3BtWf7gbK0dJsFwUp1
!
no aaa new-model
!
!
dot11 syslog
!
!
ip cef
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
no ip domain lookup
!
!
!
username rle password 7 15531900016B222A3C36272C161357070617
!
!
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key xxxxxx address 193.205.89.57 no-xauth
!
!
crypto ipsec transform-set rle_residence esp-aes esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 41.205.89.57
set transform-set rle_residence
match address rle_residence
!
archive
log config
hidekeys
!
!
!
!
!
interface Loopback0
description main interface loopback
ip address 192.168.5.35 255.255.255.0
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description WAN
crypto map mymap
ip address 193.205.80.45 255.255.255.224
ip access-group perimeter in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
description LAN
ip address 192.168.6.1 255.255.255.0
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 41.205.80.33
ip route 192.168.1.224 255.255.255.224 193.205.89.57
!
no ip http server
no ip http secure-server
ip nat inside source list internet_access interface FastEthernet4 overload
!
ip access-list extended internet_access
permit ip 192.168.6.0 0.0.0.255 any
ip access-list extended rle_residence
permit ip 192.168.6.0 0.0.0.255 192.168.1.224 0.0.0.31
ip access-list extended perimeter
permit udp host 193.205.89.57 host 193.205.80.45 eq 500
permit esp host 193.205.89.57 host 193.205.80.45
permit ip 192.168.1.224 0.0.0.31 192.168.6.0 0.0.0.255
deny ip 192.168.6.0 0.0.0.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 0.0.0.0 0.255.255.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 224.0.0.0 15.255.255.255 any log
deny ip any host 192.168.6.0 log
deny ip any host 192.168.6.255 log
permit icmp 192.168.1.224 0.0.0.31 any
deny icmp any any redirect log
deny icmp any any mask-request log
deny tcp any any range 6000 6063 log
deny tcp any any eq 6667 log
deny tcp any any range 12345 12346 log
deny tcp any any eq 31337 log
deny udp any any eq 2049 log
deny udp any any eq 31337 log
permit udp any eq 53 any gt 1023
deny tcp any range 0 65535 any range 0 65535 log
deny udp any range 0 65535 any range 0 65535 log
deny ip any any
!
logging source-interface Loopback0
logging 192.168.6.90
access-list 20 permit 192.168.6.90
access-list 20 permit 192.168.6.52
access-list 20 permit 192.168.6.53
access-list 20 deny any
access-list 99 permit 192.168.0.2 log
access-list 99 permit 192.168.0.18 log
snmp-server community xyxy RW 20
no cdp run
!
control-plane
!
line con 0
password 7 095E4B0E100A19130709
login local
no modem enable
line aux 0
line vty 0 4
password 7 03165E0C0F002F4D420C
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
thanks a lot