Routing problem: site-to-site VPN 2811 to RV082

Unanswered Question
Dec 8th, 2009

Hi,


I used SDM 2.5 to configure a site-to-site VPN from my 2811 to a branch office RV082. It almost works!

2811 network is 192.168.10.0/24; rv082 network is 192.168.1.0/24


From the RV082 LAN, I can access anything behind the 2811, but traffic originating behind the 2811 fails. If I try to ping the RV082 inside address or a client behind it, I get "destination host unreachable" from an Internet router (I added a permit icmp rule to the appropriate ACL). IP protocols fail the way you expect when there's no route.


The 2811 only has the default route configured and no routing protocols are enabled.


Here's the mirror dump from the SDM:

The mirror configuration should only be used as a guide when configuring the peer.
The following configuration MUST NOT be directly applied to the peer device.

crypto isakmp policy 1
authentication pre-share
encr 3des
hash sha
group 2
lifetime 86400
exit
crypto isakmp key XXXXXXXXXX address xx.xx.xx.xx
crypto ipsec transform-set ESP-3DES-SHA1 esp-sha-hmac esp-3des
mode tunnel
exit
ip access-list extended SDM_4
remark SDM_ACL Category=4
remark IPSec Rule
permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
permit icmp 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
exit
crypto map SDM_CMAP_3 1 ipsec-isakmp
description Apply the crypto map on the peer router's interface having IP address yy.yy.yy.yy that connects to this router.
set transform-set ESP-3DES-SHA1
set peer xx.xx.xx.xx
match address SDM_4
exit


Any idea what I might be missing?


Thanks,


Bruce

Jon Marshall Tue, 12/08/2009 - 12:54

Bruce


Can you post the full config of the router?


Jon

brucemanore Tue, 12/08/2009 - 13:03

Thanks Jon, here it is:

!This is the running config of the router: xx.xx.xx.xx
!----------------------------------------------------------------------------
!version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 2811
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
enable secret 5 $$$$$$$$$$$$$$$$$$
enable password $$$$$$
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login sdm_vpn_xauth_ml_3 local
aaa authentication login sdm_vpn_xauth_ml_4 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa authorization network sdm_vpn_group_ml_3 local
aaa authorization network sdm_vpn_group_ml_4 local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
!
!
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW ssh
ip inspect name sdm_ins_in_100 ssh
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1 192.168.10.149
ip dhcp excluded-address 192.168.10.201 192.168.10.254
!
ip dhcp pool clients
   import all
   network 192.168.10.0 255.255.255.0
   domain-name xxxxxxx.com
   dns-server xx.xx.xx.xx
   default-router 192.168.10.1
   lease 30
!
!
ip name-server xx.xx.xx.xx
ip name-server xx.xx.xx.xx
!
!
!
crypto pki trustpoint TP-self-signed-111111111
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-11111111
revocation-check none
rsakeypair TP-self-signed-111111111
!
!
crypto pki certificate chain TP-self-signed-111111111
certificate self-signed 01
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-

username cccccccccc privilege 15 password 0 cccccccccc
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xx.xx.xx.xx address yy.yy.yy.yy no-xauth
crypto isakmp xauth timeout 15

!
crypto isakmp client configuration group remote
key AAAAAAAAAAAAAAA
dns xx.xx.xx.xx
wins 192.168.10.101
domain xxxxxxxx.com
pool SDM_POOL_2
acl 106
save-password
include-local-lan
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA2
reverse-route
!
crypto dynamic-map SDM_DYNMAP_2 1
set security-association idle-time 3600
set transform-set ESP-3DES-SHA5
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_3
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_3
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel toyy.yy.yy.yy
set peer yy.yy.yy.yy
set transform-set ESP-3DES-SHA4
match address 112
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
description Tunnel toyy.yy.yy.yy
set peer yy.yy.yy.yy
set transform-set ESP-3DES-SHA1
match address 111
!
crypto map SDM_CMAP_3 client authentication list sdm_vpn_xauth_ml_4
crypto map SDM_CMAP_3 isakmp authorization list sdm_vpn_group_ml_4
crypto map SDM_CMAP_3 client configuration address respond
crypto map SDM_CMAP_3 1 ipsec-isakmp
description Tunnel toyy.yy.yy.yy
set peer yy.yy.yy.yy
set transform-set ESP-3DES-SHA1
match address 113
crypto map SDM_CMAP_3 65535 ipsec-isakmp dynamic SDM_DYNMAP_2
!
!
!
interface FastEthernet0/0
description $FW_OUTSIDE$$ETH-LAN$
ip address xx.xx.xx.xx 255.255.255.224
ip access-group 101 in
ip verify unicast reverse-path
ip inspect SDM_LOW in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
duplex full
speed 10
crypto map SDM_CMAP_3
!
interface FastEthernet0/1
description $FW_INSIDE$$ETH-LAN$
ip address 192.168.10.1 255.255.255.0
ip access-group 100 in
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
duplex full
speed auto
no mop enabled
!
ip local pool SDM_POOL_2 192.168.10.211 192.168.10.220
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.yy
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map SDM_RMAP_3 interface FastEthernet0/0 overload
ip nat inside source static 192.168.10.100 xx.xx.xx.100 route-map SDM_RMAP_5
ip nat inside source static 192.168.10.101 xx.xx.xx.101 route-map SDM_RMAP_4
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 192.168.10.0 0.0.0.255
access-list 10 deny   192.168.10.212
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 50 permit xx.xx.xx.102
access-list 50 permit xx.xx.xx.99
access-list 50 remark AAAAAAA
access-list 50 permit xx.xx.xx.101
access-list 50 remark permit NAT passthrough
access-list 50 remark SDM_ACL Category=1
access-list 50 remark mail
access-list 50 permit xx.xx.xx.100
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip host 192.168.10.101 any
access-list 100 permit icmp any any
access-list 100 deny   ip xx.xx.xx.96 0.0.0.31 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit icmp 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.10.208 0.0.0.15 192.168.10.0 0.0.0.255
access-list 101 permit udp any host xx.xx.xx.98 eq non500-isakmp
access-list 101 permit udp any host xx.xx.xx.98 eq isakmp
access-list 101 permit esp any host xx.xx.xx.98
access-list 101 permit ahp any host xx.xx.xx.98
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit udp host yy.yy.yy.yy host xx.xx.xx.98 eq non500-isakmp
access-list 101 permit udp host yy.yy.yy.yy host xx.xx.xx.98 eq isakmp
access-list 101 permit esp host yy.yy.yy.yy host xx.xx.xx.98
access-list 101 permit ahp host yy.yy.yy.yy host xx.xx.xx.98
access-list 101 permit udp any host xx.xx.xx.100
access-list 101 permit tcp any host xx.xx.xx.100
access-list 101 permit ip any host xx.xx.xx.101
access-list 101 permit ip host 192.168.10.150 any
access-list 101 permit ip host 192.168.10.201 192.168.10.0 0.0.0.255
access-list 101 permit ip host 192.168.10.202 192.168.10.0 0.0.0.255
access-list 101 permit ip host 192.168.10.203 192.168.10.0 0.0.0.255
access-list 101 permit ip host 192.168.10.204 192.168.10.0 0.0.0.255
access-list 101 permit ip host 192.168.10.205 192.168.10.0 0.0.0.255
access-list 101 permit ip host 192.168.10.206 192.168.10.0 0.0.0.255
access-list 101 permit ip host 192.168.10.207 192.168.10.0 0.0.0.255
access-list 101 permit ip host 192.168.10.208 192.168.10.0 0.0.0.255
access-list 101 permit ip host 192.168.10.209 192.168.10.0 0.0.0.255
access-list 101 permit ip host 192.168.10.210 192.168.10.0 0.0.0.255
access-list 101 permit ip host 192.168.10.201 any
access-list 101 permit ip host 192.168.10.202 any
access-list 101 permit ip host 192.168.10.203 any
access-list 101 permit ip host 192.168.10.204 any
access-list 101 permit ip host 192.168.10.205 any
access-list 101 permit ip host 192.168.10.206 any
access-list 101 permit ip host 192.168.10.207 any
access-list 101 permit ip host 192.168.10.208 any
access-list 101 permit ip host 192.168.10.209 any
access-list 101 permit ip host 192.168.10.210 any
access-list 101 permit icmp any host xx.xx.xx.101
access-list 101 permit icmp host 192.168.10.102 any
access-list 101 permit icmp any host 192.168.10.102
access-list 101 permit tcp any host xx.xx.xx.102
access-list 101 permit udp any host xx.xx.xx.102
access-list 101 permit icmp any host xx.xx.xx.102
access-list 101 permit udp any host xx.xx.xx.101
access-list 101 permit tcp any host xx.xx.xx.101
access-list 101 permit tcp any host xx.xx.xx.100 eq smtp
access-list 101 permit tcp any host 192.168.10.100 eq pop3
access-list 101 permit ip any host 192.168.10.100
access-list 101 permit tcp any host 192.168.1.100 eq www
access-list 101 permit udp host xx.xx.xx.xx eq domain host xx.xx.xx.98
access-list 101 permit udp host xx.xx.xx.xx eq domain host xx.xx.xx.98
access-list 101 deny   ip 192.168.10.0 0.0.0.255 any
access-list 101 permit icmp any host xx.xx.xx.98 echo-reply
access-list 101 permit icmp any host xx.xx.xx.98 time-exceeded
access-list 101 permit icmp any host xx.xx.xx.98 unreachable
access-list 101 permit tcp any host xx.xx.xx.98 eq 443
access-list 101 permit tcp any host xx.xx.xx.98 eq 22
access-list 101 permit tcp any host xx.xx.xx.98 eq cmd
access-list 101 permit tcp any host 192.168.10.101 eq 22
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 102 remark SDM_ACL Category=2
access-list 102 deny   ip 192.168.10.0 0.0.0.255 192.168.10.208 0.0.0.15
access-list 102 deny   ip 192.168.10.0 0.0.0.255 host 192.168.10.201
access-list 102 deny   ip 192.168.10.0 0.0.0.255 host 192.168.10.202
access-list 102 deny   ip 192.168.10.0 0.0.0.255 host 192.168.10.203
access-list 102 deny   ip 192.168.10.0 0.0.0.255 host 192.168.10.204
access-list 102 deny   ip 192.168.10.0 0.0.0.255 host 192.168.10.205
access-list 102 deny   ip 192.168.10.0 0.0.0.255 host 192.168.10.206
access-list 102 deny   ip 192.168.10.0 0.0.0.255 host 192.168.10.207
access-list 102 deny   ip 192.168.10.0 0.0.0.255 host 192.168.10.208
access-list 102 deny   ip 192.168.10.0 0.0.0.255 host 192.168.10.209
access-list 102 deny   ip 192.168.10.0 0.0.0.255 host 192.168.10.210
access-list 102 deny   ip any host 192.168.10.201
access-list 102 deny   ip any host 192.168.10.202
access-list 102 deny   ip any host 192.168.10.203
access-list 102 deny   ip any host 192.168.10.204
access-list 102 deny   ip any host 192.168.10.205
access-list 102 deny   ip any host 192.168.10.206
access-list 102 deny   ip any host 192.168.10.207
access-list 102 deny   ip any host 192.168.10.208
access-list 102 deny   ip any host 192.168.10.209
access-list 102 deny   ip any host 192.168.10.210
access-list 102 deny   ip host 192.168.10.100 any
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 deny   ip host 192.168.10.100 192.168.10.208 0.0.0.15
access-list 103 deny   ip host 192.168.10.100 host 192.168.10.210
access-list 103 deny   ip host 192.168.10.100 host 192.168.10.209
access-list 103 deny   ip host 192.168.10.100 host 192.168.10.208
access-list 103 deny   ip host 192.168.10.100 host 192.168.10.207
access-list 103 deny   ip host 192.168.10.100 host 192.168.10.206
access-list 103 deny   ip host 192.168.10.100 host 192.168.10.205
access-list 103 deny   ip host 192.168.10.100 host 192.168.10.204
access-list 103 deny   ip host 192.168.10.100 host 192.168.10.203
access-list 103 deny   ip host 192.168.10.100 host 192.168.10.202
access-list 103 deny   ip host 192.168.10.100 host 192.168.10.201
access-list 103 permit ip host 192.168.10.100 any
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 104 remark SDM_ACL Category=4
access-list 104 permit ip 192.168.10.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 192.168.10.0 0.0.0.255 any
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 permit ip 192.168.10.0 0.0.0.255 any
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 107 remark SDM_ACL Category=2
access-list 107 deny   ip host 192.168.10.101 192.168.10.208 0.0.0.15
access-list 107 permit ip host 192.168.10.101 any
access-list 107 deny   ip host 192.168.10.102 192.168.10.208 0.0.0.15
access-list 107 permit ip host 192.168.10.102 any
access-list 107 remark SDM_ACL Category=2
access-list 107 remark SDM_ACL Category=2
access-list 108 deny   ip host 192.168.10.100 192.168.10.208 0.0.0.15
access-list 108 permit ip host 192.168.10.100 any
access-list 109 deny   ip host 192.168.10.102 192.168.10.208 0.0.0.15
access-list 109 permit ip host 192.168.10.102 any
access-list 110 remark SDM_ACL Category=4
access-list 110 remark IPSec Rule
access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 remark SDM_ACL Category=4
access-list 110 remark IPSec Rule
access-list 110 remark SDM_ACL Category=4
access-list 110 remark IPSec Rule
access-list 111 remark SDM_ACL Category=4
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 remark SDM_ACL Category=4
access-list 111 remark IPSec Rule
access-list 111 remark SDM_ACL Category=4
access-list 111 remark IPSec Rule
access-list 112 remark SDM_ACL Category=4
access-list 112 remark IPSec Rule
access-list 112 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 112 remark SDM_ACL Category=4
access-list 112 remark IPSec Rule
access-list 112 remark SDM_ACL Category=4
access-list 112 remark IPSec Rule
access-list 113 remark SDM_ACL Category=4
access-list 113 remark IPSec Rule
access-list 113 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 113 permit icmp 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 113 remark SDM_ACL Category=4
access-list 113 remark IPSec Rule
access-list 120 remark SDM_ACL Category=18
access-list 120 deny   icmp 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 deny   ip 192.168.10.0 0.0.0.255 192.168.10.208 0.0.0.15
access-list 120 remark IPSec Rule
access-list 120 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 deny   ip host 192.168.10.102 host xx.xx.xx.101
access-list 120 deny   ip 192.168.10.128 0.0.0.63 192.168.10.208 0.0.0.15
access-list 120 permit ip 192.168.10.128 0.0.0.63 any
access-list 120 permit ip host 192.168.10.216 any
access-list 120 deny   ip host 192.168.10.101 any
access-list 120 deny   ip host 192.168.10.100 any
access-list 120 remark SDM_ACL Category=18
access-list 120 remark IPSec Rule
snmp-server community public RO
route-map /help permit 10
continue
!
route-map SDM_RMAP_4 permit 1
match ip address 107
!
route-map SDM_RMAP_5 permit 1
match ip address 108
!
route-map SDM_RMAP_1 permit 1
match ip address 102
!
route-map SDM_RMAP_2 permit 1
match ip address 103
!
route-map SDM_RMAP_3 permit 1
match ip address 120
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
password $$$$$$$
transport input telnet ssh
line vty 5 15
privilege level 15
login authentication xxxxxxx
transport input telnet
!
scheduler allocate 20000 1000
!
end

Jon Marshall Tue, 12/08/2009 - 13:35

Bruce


Which IP addresses are you testing from behind the 2811, i.e. it's not 192.168.10.100 or 192.168.10.101, is it?


If it is, can you try from a different host?


Jon

brucemanore Tue, 12/08/2009 - 14:05

You might be on to something...

The only machines I have access to at the 2811 site right now are the router (x.x.x.98 on the outside, 192.168.10.1 on the inside) and 192.168.10.102, which does have one-to-one NAT rules translating host 101 on the outside network.


Is that my problem?

Jon Marshall Tue, 12/08/2009 - 15:27

brucemanore wrote:


You might be on to something...

The only machines I have access to at the 2811 site right now are the router (x.x.x.98 on the outside, 192.168.10.1 on the inside) and 192.168.10.102, which does have one-to-one NAT rules translating host 101 on the outside network.


Is that my problem?


Bruce


Apologies for the delay in replying; I tried to post an answer but the site kept messing up.


I can't see a one-to-one NAT for 192.168.10.102, so I'm not sure I follow you.


But my reasoning for asking about the IP addresses was that static translations take precedence over dynamic ones. NAT happens before the traffic is checked against the crypto ACL, so if the source was already NATed to a different address it would no longer match the crypto access-list.


This is consistent with what you said about getting a destination unreachable from an Internet router, i.e. the traffic was not being sent down the tunnel but onto the Internet.


Jon
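
The order of operations Jon describes, worked through against the posted config as an added example (this is editor-written illustration code, not part of the thread or of IOS): a packet from the inside LAN is first run through NAT (the static entries with their route-maps, then the overload entry), and only the translated packet is compared with the crypto map's match ACL. The ACLs are transcribed from the first posted config (route-map ACLs 107/108 on the static translations, ACL 120 on the overload entry, and crypto ACL 113 from SDM_CMAP_3, the map applied to FastEthernet0/0 in that config). The sanitized public addresses a.b.c.98/.100/.101 are stood in for by the documentation range 203.0.113.x, and the `with_vpn_exemption` function is the editor's illustration of the usual "nonat" exemption rather than anything the thread itself supplies.

```python
"""Model of IOS inside-to-outside processing: NAT first, crypto map check second.
Added example; ACLs copied from the posted 2811 config, public addresses are
203.0.113.x stand-ins for the sanitized a.b.c.x values (an assumption)."""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")
LAN = ("192.168.10.0", "0.0.0.255")          # 2811 inside network
REMOTE = ("192.168.1.0", "0.0.0.255")        # RV082 inside network
VPN_POOL = ("192.168.10.208", "0.0.0.15")    # SDM remote-access pool range
OUTSIDE = "203.0.113.98"                     # stands in for a.b.c.98 (Fa0/0)

def host(addr):
    return (addr, "0.0.0.0")

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def acl_permits(acl, proto, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, p, (s, swc), (d, dwc) in acl:
        if p != "ip" and p != proto:
            continue
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action == "permit"
    return False

# Route-map ACLs on the two static translations (SDM_RMAP_4 -> 107, SDM_RMAP_5 -> 108).
ACL_107 = [("deny", "ip", host("192.168.10.101"), VPN_POOL),
           ("permit", "ip", host("192.168.10.101"), ANY),
           ("deny", "ip", host("192.168.10.102"), VPN_POOL),
           ("permit", "ip", host("192.168.10.102"), ANY)]
ACL_108 = [("deny", "ip", host("192.168.10.100"), VPN_POOL),
           ("permit", "ip", host("192.168.10.100"), ANY)]
# Route-map ACL on the overload entry (SDM_RMAP_3 -> 120); tunnel traffic is already exempt here.
ACL_120 = [("deny", "icmp", LAN, REMOTE),
           ("deny", "ip", LAN, VPN_POOL),
           ("deny", "ip", LAN, REMOTE),
           ("deny", "ip", host("192.168.10.102"), host("203.0.113.101")),
           ("deny", "ip", ("192.168.10.128", "0.0.0.63"), VPN_POOL),
           ("permit", "ip", ("192.168.10.128", "0.0.0.63"), ANY),
           ("permit", "ip", host("192.168.10.216"), ANY),
           ("deny", "ip", host("192.168.10.101"), ANY),
           ("deny", "ip", host("192.168.10.100"), ANY)]
# Crypto ACL of the applied crypto map (SDM_CMAP_3 -> match address 113).
ACL_113 = [("permit", "ip", LAN, REMOTE), ("permit", "icmp", LAN, REMOTE)]

STATIC_NAT = [("192.168.10.100", "203.0.113.100", ACL_108),
              ("192.168.10.101", "203.0.113.101", ACL_107)]

def translate(proto, src, dst, static_nat):
    """Static translations take precedence over the dynamic overload entry."""
    for inside, outside, rmap_acl in static_nat:
        if src == inside and acl_permits(rmap_acl, proto, src, dst):
            return outside, "static"
    if acl_permits(ACL_120, proto, src, dst):
        return OUTSIDE, "overload"
    return src, None

def forward(proto, src, dst, static_nat=STATIC_NAT):
    """NAT runs first; the crypto map then sees the translated source address."""
    new_src, how = translate(proto, src, dst, static_nat)
    in_tunnel = acl_permits(ACL_113, proto, new_src, dst)
    return {"src": new_src, "nat": how,
            "path": "ipsec tunnel" if in_tunnel else "clear, via default route"}

def with_vpn_exemption(static_nat):
    """Editor's illustration of a 'nonat' exemption (not from the thread): deny the
    remote LAN at the top of each static entry's route-map ACL, so the static
    translation is skipped and the untranslated packet can match the crypto ACL."""
    return [(inside, outside, [("deny", "ip", host(inside), REMOTE)] + acl)
            for inside, outside, acl in static_nat]

if __name__ == "__main__":
    for src in ("192.168.10.150", "192.168.10.101"):
        print(src, "->", forward("icmp", src, "192.168.1.20"))
    print("with exemption:", forward("icmp", "192.168.10.101", "192.168.1.20",
                                     with_vpn_exemption(STATIC_NAT)))
```

Running it shows the symptom in the first post: a ping from 192.168.10.150 is exempted by ACL 120, keeps its private source, matches ACL 113 and goes into the tunnel, whereas the same ping from 192.168.10.101 is statically translated to the public address first, no longer matches ACL 113 and leaves in the clear toward a private destination, which is exactly what draws a "destination host unreachable" from the upstream router. With the exemption prepended to the static entries' route-map ACLs the .101 packet takes the tunnel as well.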

brucemanore Tue, 12/08/2009 - 20:17

Jon


I've been having some trouble with the site today too!


I don't think I did a very good job sanitizing my config; apologies from a newbie...

I'm seeing a lot of references to "route-map nonat" on the Net which I don't have in my config. Should I?


This might be a little clearer:


!This is the running config of the router: a.b.c.98
!----------------------------------------------------------------------------
!version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname myrouter
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
enable secret 5 $**********************
enable password ************
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login sdm_vpn_xauth_ml_3 local
aaa authentication login sdm_vpn_xauth_ml_4 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa authorization network sdm_vpn_group_ml_3 local
aaa authorization network sdm_vpn_group_ml_4 local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
!
!
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW ssh
ip inspect name sdm_ins_in_100 ssh
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1 192.168.10.149
ip dhcp excluded-address 192.168.10.201 192.168.10.254
!
ip dhcp pool clients
   import all
   network 192.168.10.0 255.255.255.0
   domain-name *********.com
   dns-server x.x.x.x
   default-router 192.168.10.1
   lease 30
!
!
ip name-server x.x.x.x
ip name-server x.x.x.x
!
!
!
crypto pki trustpoint TP-self-signed-xxxxxxxxxx

enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-xxxxxxxxxxxx
revocation-check none
rsakeypair TP-self-signedxxxxxxxxxxxx!
!
crypto pki certificate chain TP-self-signed-xxxxxxxxxxxxxx
certificate self-signed 01
-
-
-
-
-
-
-
-
-

  quit
username xxxxx privilege 15 password 0 *********!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ********** address yy.yy.yy.yy no-xauth
crypto isakmp xauth timeout 15

!
crypto isakmp client configuration group remote
key **********
dns x.x.x.x
wins 192.168.10.101
domain *********.com
pool SDM_POOL_2
acl 106
save-password
include-local-lan
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA2
reverse-route
!
crypto dynamic-map SDM_DYNMAP_2 1
set security-association idle-time 3600
set transform-set ESP-3DES-SHA5
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_3
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_3
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel toyy.yy.yy.yy
set peer yy.yy.yy.yy
set transform-set ESP-3DES-SHA4
match address 112
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
description Tunnel toyy.yy.yy.yy
set peer yy.yy.yy.yy
set transform-set ESP-3DES-SHA1
match address 111
!
crypto map SDM_CMAP_3 client authentication list sdm_vpn_xauth_ml_4
crypto map SDM_CMAP_3 isakmp authorization list sdm_vpn_group_ml_4
crypto map SDM_CMAP_3 client configuration address respond
crypto map SDM_CMAP_3 1 ipsec-isakmp
description Tunnel toyy.yy.yy.yy
set peer yy.yy.yy.yy
set transform-set ESP-3DES-SHA1
match address 113
crypto map SDM_CMAP_3 65535 ipsec-isakmp dynamic SDM_DYNMAP_2
!
crypto map SDM_CMAP_4 1 ipsec-isakmp
description Tunnel toyy.yy.yy.yy
set peer yy.yy.yy.yy
set transform-set ESP-3DES-SHA2
match address 113
!
crypto map SDM_CMAP_5 1 ipsec-isakmp
description Tunnel toyy.yy.yy.yy
set peer yy.yy.yy.yy
set transform-set ESP-3DES-SHA1
match address 114
!
!
!
interface FastEthernet0/0
description $FW_OUTSIDE$$ETH-LAN$
ip address a.b.c.98 255.255.255.224
ip access-group 101 in
ip verify unicast reverse-path
ip inspect SDM_LOW in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
duplex full
speed 10
crypto map SDM_CMAP_5
!
interface FastEthernet0/1
description $FW_INSIDE$$ETH-LAN$
ip address 192.168.10.1 255.255.255.0
ip access-group 100 in
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
duplex full
speed auto
no mop enabled
!
ip local pool SDM_POOL_2 192.168.10.211 192.168.10.220
ip classless
ip route 0.0.0.0 0.0.0.0 a.b.c.97
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map SDM_RMAP_3 interface FastEthernet0/0 overload
ip nat inside source static 192.168.10.100 a.b.c.100 route-map SDM_RMAP_5
ip nat inside source static 192.168.10.101 a.b.c.101 route-map SDM_RMAP_4
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 192.168.10.0 0.0.0.255
access-list 10 deny   192.168.10.212
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 50 permit 173.14.173.102
access-list 50 permit a.b.c.99
access-list 50 remark ***
access-list 50 permit a.b.c.101
access-list 50 remark permit NAT passthrough
access-list 50 remark SDM_ACL Category=1
access-list 50 remark mail
access-list 50 permit a.b.c.100
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip host 192.168.10.101 any
access-list 100 permit icmp any any
access-list 100 deny   ip a.b.c.96 0.0.0.31 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit icmp 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit udp host yy.yy.yy.yy host a.b.c.98 eq non500-isakmp
access-list 101 permit udp host yy.yy.yy.yy host a.b.c.98 eq isakmp
access-list 101 permit esp host yy.yy.yy.yy host a.b.c.98
access-list 101 permit ahp host yy.yy.yy.yy host a.b.c.98
access-list 101 permit udp any host a.b.c.100
access-list 101 permit tcp any host a.b.c.100
access-list 101 permit ip any host a.b.c.101
access-list 101 permit ip host 192.168.10.150 any
access-list 101 permit ip host 192.168.10.201 192.168.10.0 0.0.0.255
access-list 101 permit ip host 192.168.10.202 192.168.10.0 0.0.0.255
access-list 101 permit ip host 192.168.10.203 192.168.10.0 0.0.0.255
access-list 101 permit ip host 192.168.10.204 192.168.10.0 0.0.0.255
access-list 101 permit ip host 192.168.10.205 192.168.10.0 0.0.0.255
access-list 101 permit ip host 192.168.10.206 192.168.10.0 0.0.0.255
access-list 101 permit ip host 192.168.10.207 192.168.10.0 0.0.0.255
access-list 101 permit ip host 192.168.10.208 192.168.10.0 0.0.0.255
access-list 101 permit ip host 192.168.10.209 192.168.10.0 0.0.0.255
access-list 101 permit ip host 192.168.10.210 192.168.10.0 0.0.0.255
access-list 101 permit ip host 192.168.10.201 any
access-list 101 permit ip host 192.168.10.202 any
access-list 101 permit ip host 192.168.10.203 any
access-list 101 permit ip host 192.168.10.204 any
access-list 101 permit ip host 192.168.10.205 any
access-list 101 permit ip host 192.168.10.206 any
access-list 101 permit ip host 192.168.10.207 any
access-list 101 permit ip host 192.168.10.208 any
access-list 101 permit ip host 192.168.10.209 any
access-list 101 permit ip host 192.168.10.210 any
access-list 101 permit icmp any host a.b.c.101
access-list 101 permit icmp host 192.168.10.102 any
access-list 101 permit icmp any host 192.168.10.102
access-list 101 permit tcp any host a.b.c.102
access-list 101 permit udp any host a.b.c.102
access-list 101 permit icmp any host a.b.c.102
access-list 101 permit udp any host a.b.c.101
access-list 101 permit tcp any host a.b.c.101
access-list 101 permit tcp any host a.b.c.100 eq smtp
access-list 101 permit tcp any host 192.168.10.100 eq pop3
access-list 101 permit ip any host 192.168.10.100
access-list 101 permit tcp any host 192.168.1.100 eq www
access-list 101 permit udp host a.b.c.190 eq domain host a.b.c.98
access-list 101 permit udp host a.b.d.190 eq domain host a.b.c.98
access-list 101 deny   ip 192.168.10.0 0.0.0.255 any
access-list 101 permit icmp any host a.b.c.98 echo-reply
access-list 101 permit icmp any host a.b.c.98 time-exceeded
access-list 101 permit icmp any host a.b.c.98 unreachable
access-list 101 permit tcp any host a.b.c.98 eq 443
access-list 101 permit tcp any host a.b.c.98 eq 22
access-list 101 permit tcp any host a.b.c.98 eq cmd
access-list 101 permit tcp any host 192.168.10.101 eq 22
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 102 remark SDM_ACL Category=2
access-list 102 deny   ip 192.168.10.0 0.0.0.255 192.168.10.208 0.0.0.15
access-list 102 deny   ip 192.168.10.0 0.0.0.255 host 192.168.10.201
access-list 102 deny   ip 192.168.10.0 0.0.0.255 host 192.168.10.202
access-list 102 deny   ip 192.168.10.0 0.0.0.255 host 192.168.10.203
access-list 102 deny   ip 192.168.10.0 0.0.0.255 host 192.168.10.204
access-list 102 deny   ip 192.168.10.0 0.0.0.255 host 192.168.10.205
access-list 102 deny   ip 192.168.10.0 0.0.0.255 host 192.168.10.206
access-list 102 deny   ip 192.168.10.0 0.0.0.255 host 192.168.10.207
access-list 102 deny   ip 192.168.10.0 0.0.0.255 host 192.168.10.208
access-list 102 deny   ip 192.168.10.0 0.0.0.255 host 192.168.10.209
access-list 102 deny   ip 192.168.10.0 0.0.0.255 host 192.168.10.210
access-list 102 deny   ip any host 192.168.10.201
access-list 102 deny   ip any host 192.168.10.202
access-list 102 deny   ip any host 192.168.10.203
access-list 102 deny   ip any host 192.168.10.204
access-list 102 deny   ip any host 192.168.10.205
access-list 102 deny   ip any host 192.168.10.206
access-list 102 deny   ip any host 192.168.10.207
access-list 102 deny   ip any host 192.168.10.208
access-list 102 deny   ip any host 192.168.10.209
access-list 102 deny   ip any host 192.168.10.210
access-list 102 deny   ip host 192.168.10.100 any
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 102 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 deny   ip host 192.168.10.100 192.168.10.208 0.0.0.15
access-list 103 deny   ip host 192.168.10.100 host 192.168.10.210
access-list 103 deny   ip host 192.168.10.100 host 192.168.10.209
access-list 103 deny   ip host 192.168.10.100 host 192.168.10.208
access-list 103 deny   ip host 192.168.10.100 host 192.168.10.207
access-list 103 deny   ip host 192.168.10.100 host 192.168.10.206
access-list 103 deny   ip host 192.168.10.100 host 192.168.10.205
access-list 103 deny   ip host 192.168.10.100 host 192.168.10.204
access-list 103 deny   ip host 192.168.10.100 host 192.168.10.203
access-list 103 deny   ip host 192.168.10.100 host 192.168.10.202
access-list 103 deny   ip host 192.168.10.100 host 192.168.10.201
access-list 103 permit ip host 192.168.10.100 any
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 103 remark SDM_ACL Category=2
access-list 104 remark SDM_ACL Category=4
access-list 104 permit ip 192.168.10.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 104 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 192.168.10.0 0.0.0.255 any
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 105 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 permit ip 192.168.10.0 0.0.0.255 any
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 106 remark SDM_ACL Category=4
access-list 107 remark SDM_ACL Category=2
access-list 107 deny   ip host 192.168.10.101 192.168.10.208 0.0.0.15
access-list 107 permit ip host 192.168.10.101 any
access-list 107 deny   ip host 192.168.10.102 192.168.10.208 0.0.0.15
access-list 107 permit ip host 192.168.10.102 any
access-list 107 remark SDM_ACL Category=2
access-list 107 remark SDM_ACL Category=2
access-list 108 deny   ip host 192.168.10.100 192.168.10.208 0.0.0.15
access-list 108 permit ip host 192.168.10.100 any
access-list 109 deny   ip host 192.168.10.102 192.168.10.208 0.0.0.15
access-list 109 permit ip host 192.168.10.102 any
access-list 110 remark SDM_ACL Category=4
access-list 110 remark IPSec Rule
access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 remark SDM_ACL Category=4
access-list 110 remark IPSec Rule
access-list 110 remark SDM_ACL Category=4
access-list 110 remark IPSec Rule
access-list 111 remark SDM_ACL Category=4
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 remark SDM_ACL Category=4
access-list 111 remark IPSec Rule
access-list 111 remark SDM_ACL Category=4
access-list 111 remark IPSec Rule
access-list 112 remark SDM_ACL Category=4
access-list 112 remark IPSec Rule
access-list 112 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 112 remark SDM_ACL Category=4
access-list 112 remark IPSec Rule
access-list 112 remark SDM_ACL Category=4
access-list 112 remark IPSec Rule
access-list 113 remark SDM_ACL Category=4
access-list 113 remark IPSec Rule
access-list 113 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 113 permit icmp 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 113 remark SDM_ACL Category=4
access-list 113 remark IPSec Rule
access-list 114 remark SDM_ACL Category=4
access-list 114 remark IPSec Rule
access-list 114 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 114 permit icmp 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 remark SDM_ACL Category=18
access-list 120 deny   icmp 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 remark IPSec Rule
access-list 120 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 deny   ip 192.168.10.0 0.0.0.255 192.168.10.208 0.0.0.15
access-list 120 deny   ip host 192.168.10.102 host a.b.c.101
access-list 120 deny   ip 192.168.10.128 0.0.0.63 192.168.10.208 0.0.0.15
access-list 120 permit ip 192.168.10.128 0.0.0.63 any
access-list 120 permit ip host 192.168.10.216 any
access-list 120 deny   ip host 192.168.10.101 any
access-list 120 deny   ip host 192.168.10.100 any
snmp-server community public RO
route-map /help permit 10
continue
!
route-map SDM_RMAP_4 permit 1
match ip address 107
!
route-map SDM_RMAP_5 permit 1
match ip address 108
!
route-map SDM_RMAP_1 permit 1
match ip address 102
!
route-map SDM_RMAP_2 permit 1
match ip address 103
!
route-map SDM_RMAP_3 permit 1
match ip address 120
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
password ********
transport input telnet ssh
line vty 5 15
privilege level 15
login authentication *******
transport input telnet
!
scheduler allocate 20000 1000
!
end

brucemanore Mon, 12/14/2009 - 11:15

OK, I ripped out anything to do with my static NAT rule to 192.168.10.102 (I think!) and cleaned out all the stale rules, access lists, etc. I could find; deleted and reconfigured the site-to-site VPN.


This time the VPN came up immediately, whereas there was some delay on previous attempts, and I am able to ping from the router to the remote private LAN when I specify the inside IP of the router as the source.


Unfortunately, I still can't access the remote LAN from the 2811 side; the RV082 side still has complete access.


Any other ideas?


Thanks


Here's the latest running config:

!This is the running config of the router: 174.93.6.98
!----------------------------------------------------------------------------
!version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
enable secret 5
enable password
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login sdm_vpn_xauth_ml_3 local
aaa authentication login sdm_vpn_xauth_ml_4 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa authorization network sdm_vpn_group_ml_3 local
aaa authorization network sdm_vpn_group_ml_4 local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
!
!
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW ssh
ip inspect name sdm_ins_in_100 ssh
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1 192.168.10.149
ip dhcp excluded-address 192.168.10.201 192.168.10.254
!
ip dhcp pool clients
   import all
   network 192.168.10.0 255.255.255.0
   domain-name myco.com
   dns-server 172.14.163.190 116.183.90.190
   default-router 192.168.10.1
   lease 30
!
!
ip name-server 172.14.163.190
ip name-server 116.183.90.190
!
!
!
crypto pki trustpoint TP-self-signed-1193580476
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1193580476
revocation-check none
rsakeypair TP-self-signed-1193580476
!
!
crypto pki certificate chain TP-self-signed-1193580476
certificate self-signed 01
  -
-
-
-
-
-
-
-
-
-
-
-

  quit
username
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key KlkjldkflkIl;kjl address 194.52.177.61 no-xauth
crypto isakmp xauth timeout 15

!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA1
reverse-route
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to194.52.177.61
set peer 194.52.177.61
set transform-set ESP-3DES-SHA1
match address 110
!
!
!
interface FastEthernet0/0
description $FW_OUTSIDE$$ETH-LAN$
ip address 174.93.6.98 255.255.255.224
ip access-group 101 in
ip verify unicast reverse-path
ip inspect SDM_LOW in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
duplex full
speed 10
crypto map SDM_CMAP_1
!
interface FastEthernet0/1
description $FW_INSIDE$$ETH-LAN$
ip address 192.168.10.1 255.255.255.0
ip access-group 100 in
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
duplex full
speed auto
no mop enabled
!
router rip
version 2
network 192.168.1.0
network 192.168.10.0
no auto-summary
!
ip local pool SDM_POOL_2 192.168.10.211 192.168.10.220
ip classless
ip route 0.0.0.0 0.0.0.0 174.93.6.97
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map SDM_RMAP_3 interface FastEthernet0/0 overload
ip nat inside source static 192.168.10.100 174.93.6.100 route-map SDM_RMAP_5
ip nat inside source static 192.168.10.101 174.93.6.101
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255

access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.10.0 0.0.0.255

access-list 3 remark SDM_ACL Category=2
access-list 3 permit 192.168.10.0 0.0.0.255

access-list 10 deny   192.168.10.212
access-list 10 permit 192.168.10.0 0.0.0.255

access-list 50 permit 174.93.6.99
access-list 50 remark trax
access-list 50 permit 174.93.6.101
access-list 50 remark permit NAT passthrough
access-list 50 remark SDM_ACL Category=1
access-list 50 remark mail
access-list 50 permit 174.93.6.100

access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip host 192.168.10.101 any
access-list 100 permit icmp any any
access-list 100 deny   ip 174.93.6.96 0.0.0.31 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any

access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.1.0 0.0.0.255 182.168.10.0 0.0.0.255
access-list 101 permit icmp 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit udp host 194.52.177.61 host 174.93.6.98 eq non500-isakmp
access-list 101 permit udp host 194.52.177.61 host 174.93.6.98 eq isakmp
access-list 101 permit esp host 194.52.177.61 host 174.93.6.98
access-list 101 permit ahp host 194.52.177.61 host 174.93.6.98
access-list 101 permit udp any host 174.93.6.100
access-list 101 permit tcp any host 174.93.6.100
access-list 101 permit ip any host 174.93.6.101
access-list 101 permit ip host 192.168.10.150 any
access-list 101 permit ip host 192.168.10.201 192.168.10.0 0.0.0.255
access-list 101 permit ip host 192.168.10.202 192.168.10.0 0.0.0.255
access-list 101 permit ip host 192.168.10.203 192.168.10.0 0.0.0.255
access-list 101 permit ip host 192.168.10.204 192.168.10.0 0.0.0.255
access-list 101 permit ip host 192.168.10.205 192.168.10.0 0.0.0.255
access-list 101 permit ip host 192.168.10.206 192.168.10.0 0.0.0.255
access-list 101 permit ip host 192.168.10.207 192.168.10.0 0.0.0.255
access-list 101 permit ip host 192.168.10.208 192.168.10.0 0.0.0.255
access-list 101 permit ip host 192.168.10.209 192.168.10.0 0.0.0.255
access-list 101 permit ip host 192.168.10.210 192.168.10.0 0.0.0.255
access-list 101 permit ip host 192.168.10.201 any
access-list 101 permit ip host 192.168.10.202 any
access-list 101 permit ip host 192.168.10.203 any
access-list 101 permit ip host 192.168.10.204 any
access-list 101 permit ip host 192.168.10.205 any
access-list 101 permit ip host 192.168.10.206 any
access-list 101 permit ip host 192.168.10.207 any
access-list 101 permit ip host 192.168.10.208 any
access-list 101 permit ip host 192.168.10.209 any
access-list 101 permit ip host 192.168.10.210 any
access-list 101 permit icmp any host 174.93.6.101
access-list 101 permit udp any host 174.93.6.101
access-list 101 permit tcp any host 174.93.6.101
access-list 101 permit tcp any host 174.93.6.100 eq smtp
access-list 101 permit tcp any host 192.168.10.100 eq pop3
access-list 101 permit ip any host 192.168.10.100
access-list 101 permit tcp any host 192.168.1.100 eq www
access-list 101 permit udp host 216.183.90.190 eq domain host 174.93.6.98
access-list 101 permit udp host 72.14.163.190 eq domain host 174.93.6.98
access-list 101 deny   ip 192.168.10.0 0.0.0.255 any
access-list 101 permit icmp any host 174.93.6.98 echo-reply
access-list 101 permit icmp any host 174.93.6.98 time-exceeded
access-list 101 permit icmp any host 174.93.6.98 unreachable
access-list 101 permit tcp any host 174.93.6.98 eq 443
access-list 101 permit tcp any host 174.93.6.98 eq 22
access-list 101 permit tcp any host 174.93.6.98 eq cmd
access-list 101 permit tcp any host 192.168.10.101 eq 22
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 101 remark IPSec Rule

access-list 102 remark SDM_ACL Category=2
access-list 102 deny   icmp host 192.168.10.102 192.168.1.0 0.0.0.255
access-list 102 deny   ip host 192.168.10.102 192.168.1.0 0.0.0.255
access-list 102 deny   icmp 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny   ip 192.168.10.0 0.0.0.255 192.168.10.208 0.0.0.15
access-list 102 deny   ip 192.168.10.0 0.0.0.255 host 192.168.10.201
access-list 102 deny   ip 192.168.10.0 0.0.0.255 host 192.168.10.202
access-list 102 deny   ip 192.168.10.0 0.0.0.255 host 192.168.10.203
access-list 102 deny   ip 192.168.10.0 0.0.0.255 host 192.168.10.204
access-list 102 deny   ip 192.168.10.0 0.0.0.255 host 192.168.10.205
access-list 102 deny   ip 192.168.10.0 0.0.0.255 host 192.168.10.206
access-list 102 deny   ip 192.168.10.0 0.0.0.255 host 192.168.10.207
access-list 102 deny   ip 192.168.10.0 0.0.0.255 host 192.168.10.208
access-list 102 deny   ip 192.168.10.0 0.0.0.255 host 192.168.10.209
access-list 102 deny   ip 192.168.10.0 0.0.0.255 host 192.168.10.210
access-list 102 deny   ip any host 192.168.10.201
access-list 102 deny   ip any host 192.168.10.202
access-list 102 deny   ip any host 192.168.10.203
access-list 102 deny   ip any host 192.168.10.204
access-list 102 deny   ip any host 192.168.10.205
access-list 102 deny   ip any host 192.168.10.206
access-list 102 deny   ip any host 192.168.10.207
access-list 102 deny   ip any host 192.168.10.208
access-list 102 deny   ip any host 192.168.10.209
access-list 102 deny   ip any host 192.168.10.210
access-list 102 deny   ip host 192.168.10.100 any
access-list 102 permit ip 192.168.10.0 0.0.0.255 any

access-list 103 remark SDM_ACL Category=2
access-list 103 deny   ip host 192.168.10.100 192.168.10.208 0.0.0.15
access-list 103 deny   ip host 192.168.10.100 host 192.168.10.210
access-list 103 deny   ip host 192.168.10.100 host 192.168.10.209
access-list 103 deny   ip host 192.168.10.100 host 192.168.10.208
access-list 103 deny   ip host 192.168.10.100 host 192.168.10.207
access-list 103 deny   ip host 192.168.10.100 host 192.168.10.206
access-list 103 deny   ip host 192.168.10.100 host 192.168.10.205
access-list 103 deny   ip host 192.168.10.100 host 192.168.10.204
access-list 103 deny   ip host 192.168.10.100 host 192.168.10.203
access-list 103 deny   ip host 192.168.10.100 host 192.168.10.202
access-list 103 deny   ip host 192.168.10.100 host 192.168.10.201
access-list 103 permit ip host 192.168.10.100 any


access-list 104 remark SDM_ACL Category=4
access-list 104 permit ip 192.168.10.0 0.0.0.255 any

access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 192.168.10.0 0.0.0.255 any


access-list 106 remark SDM_ACL Category=4
access-list 106 permit ip 192.168.10.0 0.0.0.255 any


access-list 107 remark SDM_ACL Category=2
access-list 107 deny   ip host 192.168.10.102 192.168.1.0 0.0.0.255
access-list 107 deny   icmp host 192.168.10.102 192.168.1.0 0.0.0.255
access-list 107 permit ip host 192.168.10.102 any
access-list 107 permit icmp host 192.168.10.102 any

access-list 108 deny   ip host 192.168.10.100 192.168.10.208 0.0.0.15
access-list 108 permit ip host 192.168.10.100 any

access-list 109 deny   ip host 192.168.10.102 192.168.10.208 0.0.0.15
access-list 109 permit ip host 192.168.10.102 any

access-list 110 remark SDM_ACL Category=4
access-list 110 remark IPSec Rule
access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 120 remark SDM_ACL Category=18
access-list 120 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 deny   ip host 192.168.10.101 any
access-list 120 deny   ip 192.168.10.0 0.0.0.255 192.168.10.208 0.0.0.15
access-list 120 deny   ip 192.168.10.128 0.0.0.63 192.168.10.208 0.0.0.15
access-list 120 deny   ip host 192.168.10.100 any
access-list 120 permit ip 192.168.10.0 0.0.0.255 any
access-list 120 remark IPSec Rule
access-list 120 permit ip 192.168.10.128 0.0.0.63 any
access-list 120 permit ip host 192.168.10.216 any


snmp-server community public RO

!
route-map SDM_RMAP_4 permit 1
match ip address 107
!
route-map SDM_RMAP_5 permit 1
match ip address 108
!
route-map SDM_RMAP_1 permit 1
match ip address 102
!
route-map SDM_RMAP_2 permit 1
match ip address 103
!
route-map SDM_RMAP_3 permit 1
match ip address 120
!

!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
password
transport input telnet ssh
line vty 5 15
privilege level 15
login authentication
transport input telnet
!
scheduler allocate 20000 1000
!
end
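Both running configs in this thread contain the three pieces that interact when a site-to-site tunnel only passes traffic in one direction: the crypto map's match ACL (110), the route-map-driven NAT overload (SDM_RMAP_3, matching ACL 120) and the static translations for 192.168.10.100 (route-map SDM_RMAP_5, ACL 108) and 192.168.10.101 (no route-map at all). On IOS, inside-to-outside NAT is applied before the crypto map is consulted, so any LAN-to-remote packet that a NAT statement translates has a public source address by the time the crypto ACL is evaluated and is sent out in the clear instead of into the tunnel. The checker below is an added example, not code from this thread or from Cisco: it parses a constructed excerpt modelled on the second posted config (the addresses and ACL numbers are the ones shown above; everything unrelated is trimmed) and reports every NAT statement that would translate traffic the crypto ACL selects. The parser handles only the statement forms present on the page plus the `list` form of dynamic NAT, and it ignores port qualifiers.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")
DOTTED = re.compile(r"\d+\.\d+\.\d+\.\d+")

# Constructed excerpt modelled on the config posted above (not a verbatim copy).
SAMPLE_CONFIG = """
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 194.52.177.61
 match address 110
interface FastEthernet0/0
 ip nat outside
 crypto map SDM_CMAP_1
ip nat inside source route-map SDM_RMAP_3 interface FastEthernet0/0 overload
ip nat inside source static 192.168.10.100 174.93.6.100 route-map SDM_RMAP_5
ip nat inside source static 192.168.10.101 174.93.6.101
access-list 108 deny   ip host 192.168.10.100 192.168.10.208 0.0.0.15
access-list 108 permit ip host 192.168.10.100 any
access-list 110 remark IPSec Rule
access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 remark SDM_ACL Category=18
access-list 120 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 any
route-map SDM_RMAP_5 permit 1
 match ip address 108
route-map SDM_RMAP_3 permit 1
 match ip address 120
"""

@dataclass
class Ace:
    action: str  # "permit" or "deny"
    proto: str
    src: Net
    dst: Net

@dataclass
class NatRule:
    text: str                        # original statement, for reporting
    inside_local: Optional[Net]      # host a static rule translates; None for dynamic
    gate: Optional[Tuple[str, str]]  # ("route-map", name) | ("list", number) | None

@dataclass
class Config:
    acls: Dict[str, List[Ace]] = field(default_factory=dict)
    route_maps: Dict[str, str] = field(default_factory=dict)  # route-map -> ACL number
    nat_rules: List[NatRule] = field(default_factory=list)
    crypto_acls: List[str] = field(default_factory=list)      # ACLs named by "match address"

def _wild_to_prefix(wild: str) -> int:
    """Convert an IOS wildcard mask (0.0.0.255) to a prefix length (24)."""
    bits = int(ipaddress.IPv4Address(wild))
    if bits & (bits + 1):
        raise ValueError(f"non-contiguous wildcard {wild}")
    return 32 - bits.bit_length()

def _addr(t: List[str], i: int) -> Tuple[Net, int]:
    """Parse one ACL address field: any | host A | A WILDCARD | A (standard ACL)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return Net(t[i + 1] + "/32"), i + 2
    if i + 1 < len(t) and DOTTED.fullmatch(t[i + 1]):
        return Net(f"{t[i]}/{_wild_to_prefix(t[i + 1])}", strict=False), i + 2
    return Net(t[i] + "/32"), i + 1

def parse_config(text: str) -> Config:
    """Pull ACLs, route-maps, NAT statements and crypto-map ACL references out of a config."""
    cfg, rmap = Config(), None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2] in ("permit", "deny"):
            n = int(t[1])
            if n <= 99 or 1300 <= n <= 1999:       # standard ACL: source only
                proto, dst = "ip", ANY
                src, _ = _addr(t, 3)
            else:                                  # extended ACL: proto src dst [ports]
                proto = t[3]
                src, i = _addr(t, 4)
                dst, _ = _addr(t, i)
            cfg.acls.setdefault(t[1], []).append(Ace(t[2], proto, src, dst))
        elif t[0] == "route-map":
            rmap = t[1]
        elif t[:3] == ["match", "ip", "address"] and rmap:
            cfg.route_maps[rmap] = t[3]
        elif t[:2] == ["match", "address"]:        # inside a crypto map entry
            cfg.crypto_acls.append(t[2])
        elif t[:4] == ["ip", "nat", "inside", "source"]:
            gate = None
            if "route-map" in t:
                gate = ("route-map", t[t.index("route-map") + 1])
            elif t[4] == "list":
                gate = ("list", t[5])
            local = None
            if t[4] == "static":
                local = Net((t[6] if t[5] in ("tcp", "udp") else t[5]) + "/32")
            cfg.nat_rules.append(NatRule(raw.strip(), local, gate))
    return cfg

def _first_match(aces: List[Ace], src: Net, dst: Net) -> Optional[Ace]:
    """First ACE whose source and destination overlap the flow; None = implicit deny."""
    for ace in aces:
        if ace.src.overlaps(src) and ace.dst.overlaps(dst):
            return ace
    return None

def check_nat_vs_crypto(cfg: Config) -> List[str]:
    """Report NAT statements that would translate crypto-ACL traffic before the crypto map sees it."""
    findings = []
    for acl in cfg.crypto_acls:
        for ce in cfg.acls.get(acl, []):
            if ce.action != "permit":
                continue
            for rule in cfg.nat_rules:
                src = rule.inside_local or ce.src
                if not src.overlaps(ce.src):
                    continue                       # static rule for a host outside the protected subnet
                gate = None
                if rule.gate:
                    kind, name = rule.gate
                    gate = cfg.route_maps.get(name) if kind == "route-map" else name
                if gate is None:
                    findings.append(f"{rule.text}: no gating ACL, so {src} -> {ce.dst} is "
                                    f"translated before crypto ACL {acl} can match it")
                    continue
                hit = _first_match(cfg.acls.get(gate, []), src, ce.dst)
                if hit and hit.action == "permit":
                    findings.append(f"{rule.text}: ACL {gate} permits {src} -> {ce.dst}, so it is "
                                    f"translated before crypto ACL {acl} can match it; add "
                                    f"'deny ip {src} {ce.dst}' ahead of that permit")
    return findings

if __name__ == "__main__":
    for finding in check_nat_vs_crypto(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample, the overload rule passes (ACL 120 denies 192.168.10.0/24 to 192.168.1.0/24 before its permit, which is the exemption SDM generates), while the two static translations are reported: ACL 108 has no deny for the remote subnet ahead of its `permit ip host 192.168.10.100 any`, and the 192.168.10.101 entry has no route-map at all. The same check applied to the first posted config shows the equivalent pattern with SDM_RMAP_5 and SDM_RMAP_4.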
