VPN IPsec connection establish but remote site cannot ping main office

Answered Question
Aug 2nd, 2010
Hi, I set up a VPN IPsec site-to-site connection between a Cisco 892 router (main site) and a Linksys WRV210 router (remote site). My problem is that I can ping the network on the WRV210 router's LAN from my main office, where the Cisco 892 router is, but I cannot ping the main site from the Linksys WRV210 LAN (my remote site).

My setup on the Cisco 892 router:


class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 103
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
 match access-group 106
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
 match access-group 105
class-map type inspect match-all sdm-cls-VPNOutsideToInside-5
 match access-group 108
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
 match access-group 107
class-map type inspect match-all sdm-cls-VPNOutsideToInside-7
 match access-group 110
class-map type inspect match-all sdm-cls-VPNOutsideToInside-6
 match access-group 109
class-map type inspect match-all sdm-cls-VPNOutsideToInside-9
 match access-group 112
class-map type inspect match-all sdm-cls-VPNOutsideToInside-8
 match access-group 111
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 102
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-all sdm-cls-VPNOutsideToInside-10
 match access-group 113
class-map type inspect match-any sdm-service-ccp-inspect-1
 match protocol http
 match protocol https
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
 match class-map sdm-service-ccp-inspect-1
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-2
  pass
 class type inspect sdm-cls-VPNOutsideToInside-3
  pass
 class type inspect sdm-cls-VPNOutsideToInside-4
  pass
 class type inspect sdm-cls-VPNOutsideToInside-5
  pass
 class type inspect sdm-cls-VPNOutsideToInside-6
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-7
  pass
 class type inspect sdm-cls-VPNOutsideToInside-8
  pass
 class type inspect sdm-cls-VPNOutsideToInside-9
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-10
  pass
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_VPN_PT
  pass
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xxxxxxxxxxx address 83.xx.xx.50
!
!
crypto ipsec transform-set ESP-3DES esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description NY_NJ
 set peer 83.xx.xx.50
 set transform-set ESP-3DES
 match address 101
!
!
!
!
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 duplex auto
 speed auto
!
!
interface GigabitEthernet0
 description $ES_WAN$$FW_OUTSIDE$
 ip address 89.xx.xx.4 255.255.255.xx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.253 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 89.xx.xx.1
!
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 89.xx.xx.0 0.0.0.7 any
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host 83.xx.xx.50 any
access-list 103 remark CCP_ACL Category=0
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 104 remark CCP_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny   ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 104 permit ip 192.168.0.0 0.0.0.255 any
access-list 105 remark CCP_ACL Category=0
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 106 remark CCP_ACL Category=0
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 107 remark CCP_ACL Category=0
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 108 remark CCP_ACL Category=0
access-list 108 remark IPSec Rule
access-list 108 permit ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 109 remark CCP_ACL Category=0
access-list 109 remark IPSec Rule
access-list 109 permit ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 remark CCP_ACL Category=0
access-list 110 remark IPSec Rule
access-list 110 permit ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 111 remark CCP_ACL Category=0
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 112 remark CCP_ACL Category=0
access-list 112 remark IPSec Rule
access-list 112 permit ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 113 remark CCP_ACL Category=0
access-list 113 remark IPSec Rule
access-list 113 permit ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255
no cdp run
!
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 104


--------------------------------------------------------


I only give you the Cisco 892 router settings because there is nothing much to change on the Linksys WRV210 router.

Hope that somebody will be able to help me. Cheers

Correct Answer
Rahul Govindan Mon, 08/02/2010 - 04:12

Can you run "ip inspect log drop-pkt" and see if you are getting any FW-DROP logs corresponding to the traffic that you send from the Linksys to the main site? The zone-based firewall could be blocking the traffic initiated from outside to internal.

zycha1983 Mon, 08/02/2010 - 05:09

I did what you said and found that packets are blocked:

2 packets were dropped from 192.168.7.106:8 => 192.168.0.253:0 (target:class)-(ccp-zp-out-self:class-default)

Now could you help resolve that issue? And why is it not getting the policy for the VPN connection?

Correct Answer
Rahul Govindan Mon, 08/02/2010 - 05:23

Hi, from the logs I see that you are pinging the inside interface of the router and that is being blocked by the zone-based firewall. That basically classifies as out zone (untrusted) to self zone traffic (inside interface of the router). As you see, the logs say that it is being dropped by a particular class map, class-default, on the zone-pair policy ccp-zp-out-self:

In access-list 102, add one more entry: any ip traffic from the remote subnet to your subnet.

Make a change in the "class-map type inspect match-all SDM_VPN_PT" from match-all to match-any.

Under policy-map ccp-permit, under the class SDM_VPN_PT, make the policy "inspect".

This should do the trick.
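The three changes from the accepted answer, written out against the 892's out-zone-to-self fragments before and after. This is an added illustration, not configuration posted in the thread; the remote subnet 192.168.7.0/24, ACL 102 and the class/policy names are taken from the question's config.

```cisco
! --- BEFORE (as posted): out-zone -> self only passes the peer's own
! ISAKMP/AH/ESP; a decrypted echo from the remote LAN to Vlan1's address
! matches nothing but class-default and is dropped (the FW-DROP log above)
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host 83.xx.xx.50 any
!
class-map type inspect match-all SDM_VPN_PT
 match access-group 102
 match class-map SDM_VPN_TRAFFIC
!
policy-map type inspect ccp-permit
 class type inspect SDM_VPN_PT
  pass
 class class-default
  drop
!
! --- AFTER (the answer's three changes):
! 1. ACL 102 also matches the remote LAN talking to the router itself
access-list 102 permit ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255
!
! 2. match-all -> match-any, so an ACL 102 hit alone selects the class.
!    IOS fixes the match type when the class-map is created, so the class
!    may have to be removed and re-created rather than edited in place.
class-map type inspect match-any SDM_VPN_PT
 match access-group 102
 match class-map SDM_VPN_TRAFFIC
!
! 3. pass -> inspect, so the echo request creates session state and the
!    reply from 192.168.0.253 is matched as return traffic instead of being
!    evaluated as a new self -> out-zone flow
policy-map type inspect ccp-permit
 class type inspect SDM_VPN_PT
  inspect
 class class-default
  drop
```

Note that with match-any the existing "permit ip host 83.xx.xx.50 any" line in ACL 102 is by itself enough to select SDM_VPN_PT, so every packet from the peer's public address to the router is now inspected and allowed, not only ISAKMP/AH/ESP. A narrower variant keeps SDM_VPN_PT as match-all and adds a separate class-map (matching only the remote-LAN-to-router ACL, action inspect) ahead of class-default in ccp-permit.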
