Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1574
Views
0
Helpful
4
Replies

VPN IPsec connection establish but remote site cannot ping main office

Go to solution
zycha1983
Level 1
Level 1

‎08-02-2010 03:47 AM - edited ‎02-21-2020 04:46 PM

Hi, I setup VPN IPsec site to site connection between cisco 892 router (main site) and linksys wrv210 router (remote site). My problem is that I can ping network on wrv210 router lan from my main office where is cisco 892 router, but I cannot ping main site from linksys wrv210 lan (my remote site).

My setup on cisco 892 router:

class-map type inspect match-all sdm-cls-VPNOutsideToInside-1

match access-group 103

class-map type inspect match-all sdm-cls-VPNOutsideToInside-3

match access-group 106

class-map type inspect match-all sdm-cls-VPNOutsideToInside-2

match access-group 105

class-map type inspect match-all sdm-cls-VPNOutsideToInside-5

match access-group 108

class-map type inspect match-all sdm-cls-VPNOutsideToInside-4

match access-group 107

class-map type inspect match-all sdm-cls-VPNOutsideToInside-7

match access-group 110

class-map type inspect match-all sdm-cls-VPNOutsideToInside-6

match access-group 109

class-map type inspect match-all sdm-cls-VPNOutsideToInside-9

match access-group 112

class-map type inspect match-all sdm-cls-VPNOutsideToInside-8

match access-group 111

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

class-map type inspect match-any SDM_VPN_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

class-map type inspect match-all SDM_VPN_PT

match access-group 102

match class-map SDM_VPN_TRAFFIC

class-map type inspect match-any ccp-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol h323

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-all sdm-cls-VPNOutsideToInside-10

match access-group 113

class-map type inspect match-any sdm-service-ccp-inspect-1

match protocol http

match protocol https

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-all ccp-protocol-http

match class-map sdm-service-ccp-inspect-1

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

policy-map type inspect sdm-pol-VPNOutsideToInside-1

class type inspect sdm-cls-VPNOutsideToInside-1

  inspect

class type inspect sdm-cls-VPNOutsideToInside-2

  pass

class type inspect sdm-cls-VPNOutsideToInside-3

  pass

class type inspect sdm-cls-VPNOutsideToInside-4

  pass

class type inspect sdm-cls-VPNOutsideToInside-5

  pass

class type inspect sdm-cls-VPNOutsideToInside-6

  inspect

class type inspect sdm-cls-VPNOutsideToInside-7

  pass

class type inspect sdm-cls-VPNOutsideToInside-8

  pass

class type inspect sdm-cls-VPNOutsideToInside-9

  inspect

class type inspect sdm-cls-VPNOutsideToInside-10

  pass

class class-default

  drop

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-protocol-http

  inspect

class type inspect ccp-insp-traffic

  inspect

class class-default

  drop

policy-map type inspect ccp-permit

class type inspect SDM_VPN_PT

  pass

class class-default

  drop

!

zone security out-zone

zone security in-zone

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone

service-policy type inspect sdm-pol-VPNOutsideToInside-1

!

!

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

lifetime 28800

crypto isakmp key xxxxxxxxxxx address 83.xx.xx.50

!

!

crypto ipsec transform-set ESP-3DES esp-3des esp-md5-hmac

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description NY_NJ

set peer 83.xx.xx.50

set transform-set ESP-3DES

match address 101

!

!

!

!

!

interface BRI0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

encapsulation hdlc

shutdown

isdn termination multidrop

!

!

interface FastEthernet0

!

!

interface FastEthernet1

!

!

interface FastEthernet2

!

!

interface FastEthernet3

!

!

interface FastEthernet4

!

!

interface FastEthernet5

!

!

interface FastEthernet6

!

!

interface FastEthernet7

!

!

interface FastEthernet8

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

duplex auto

speed auto

!

!

interface GigabitEthernet0

description $ES_WAN$$FW_OUTSIDE$

ip address 89.xx.xx.4 255.255.255.xx

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly

zone-member security out-zone

duplex auto

speed auto

crypto map SDM_CMAP_1

!

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$

ip address 192.168.0.253 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

zone-member security in-zone

ip tcp adjust-mss 1452

!

!

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0 overload

ip route 0.0.0.0 0.0.0.0 89.xx.xx.1

!

ip access-list extended SDM_AH

remark CCP_ACL Category=1

permit ahp any any

ip access-list extended SDM_ESP

remark CCP_ACL Category=1

permit esp any any

!

logging trap debugging

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 192.168.0.0 0.0.0.255

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip 89.xx.xx.0 0.0.0.7 any

access-list 101 remark CCP_ACL Category=4

access-list 101 remark IPSec Rule

access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 102 remark CCP_ACL Category=128

access-list 102 permit ip host 83.xx.xx.50 any

access-list 103 remark CCP_ACL Category=0

access-list 103 remark IPSec Rule

access-list 103 permit ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 104 remark CCP_ACL Category=2

access-list 104 remark IPSec Rule

access-list 104 deny   ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 104 permit ip 192.168.0.0 0.0.0.255 any

access-list 105 remark CCP_ACL Category=0

access-list 105 remark IPSec Rule

access-list 105 permit ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 106 remark CCP_ACL Category=0

access-list 106 remark IPSec Rule

access-list 106 permit ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 107 remark CCP_ACL Category=0

access-list 107 remark IPSec Rule

access-list 107 permit ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 108 remark CCP_ACL Category=0

access-list 108 remark IPSec Rule

access-list 108 permit ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 109 remark CCP_ACL Category=0

access-list 109 remark IPSec Rule

access-list 109 permit ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 110 remark CCP_ACL Category=0

access-list 110 remark IPSec Rule

access-list 110 permit ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 111 remark CCP_ACL Category=0

access-list 111 remark IPSec Rule

access-list 111 permit ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 112 remark CCP_ACL Category=0

access-list 112 remark IPSec Rule

access-list 112 permit ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 113 remark CCP_ACL Category=0

access-list 113 remark IPSec Rule

access-list 113 permit ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

no cdp run

!

!

!

!

route-map SDM_RMAP_1 permit 1

match ip address 104

--------------------------------------------------------

I only give you cisco 892 router setting because there is nothnig much to chnage on linksys wrv210 router.

Hope that somebody will be able to help me. Cheers

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
rahgovin
Level 4
Level 4

‎08-02-2010 04:12 AM

Can you run an "ip inspect log drop-pkt" and see if you getting any FW-DROP logs corresponding to the traffic that you send from linksys to the main site. Zone based firewall could be blocking the traffic initiated from outside to internal.

View solution in original post

0 Helpful

Go to solution
rahgovin
Level 4
Level 4

‎08-02-2010 05:23 AM

Hi from the logs I see that you are pinging the inside interface of  the router and that is being blocked by the zone based firewall. that  basically classifies under the out zone (untrusted ) to self zone  traffic ( inside interface of router). As you see the logs say that it  is being dropped by a particular class map class default on the zone  pair policy ccp-zp-out-self:

in the access-list 102 add one more entry:any ip traffic from remote subnet to your subnet

and make a change in the " class-map type inspect match-all SDM_VPN_PT " from match-all to match any

and under policy map ccp-permit under the class SDM_VPN_PT, make the policy as inspect

this should do the trick

View solution in original post

0 Helpful
4 Replies 4

Go to solution
rahgovin
Level 4
Level 4

‎08-02-2010 04:12 AM

Can you run an "ip inspect log drop-pkt" and see if you getting any FW-DROP logs corresponding to the traffic that you send from linksys to the main site. Zone based firewall could be blocking the traffic initiated from outside to internal.

0 Helpful

Go to solution
zycha1983
Level 1
Level 1
In response to rahgovin

‎08-02-2010 05:09 AM

I didit what you said and found thet packets are block

2 packets were dropped from 192.168.7.106:8 => 192.168.0.253:0 (target:class)-(ccp-zp-out-self:class-default)

Now could you help resolve that issue? and why its not getting policy for VPN connection?

0 Helpful

Go to solution
rahgovin
Level 4
Level 4

‎08-02-2010 05:23 AM

Hi from the logs I see that you are pinging the inside interface of  the router and that is being blocked by the zone based firewall. that  basically classifies under the out zone (untrusted ) to self zone  traffic ( inside interface of router). As you see the logs say that it  is being dropped by a particular class map class default on the zone  pair policy ccp-zp-out-self:

in the access-list 102 add one more entry:any ip traffic from remote subnet to your subnet

and make a change in the " class-map type inspect match-all SDM_VPN_PT " from match-all to match any

and under policy map ccp-permit under the class SDM_VPN_PT, make the policy as inspect

this should do the trick

0 Helpful

Go to solution
zycha1983
Level 1
Level 1
In response to rahgovin

‎08-03-2010 02:47 AM

OK, seems to be working

Thanks for help

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents