Site to Site VPN with public IP as Interesting traffic destination

Unanswered Question
Sep 23rd, 2010
I configured a site-to-site VPN with our vendor. The network that we need to access from them is a global pool. When I tried to ping one of the addresses in that pool it brought up the tunnel, but when I tried to browse the server the traffic is getting routed to the internet and the tunnel is not coming up. There is no proxy configured in my browser settings. Below is my config:


object-group network INTERNAL-USER-SUBNETS
network-object 172.16.150.0 255.255.254.0
network-object 172.16.115.0 255.255.255.0
object-group network IMPO-NET
network-object 205.xxx.xxx.xxx 255.255.255.240

access-list NO-NAT extended permit ip object-group INTERNAL-USER-SUBNETS object-group IMPO-NET
access-list INTERNAL-USER-IMPO extended permit ip object-group INTERNAL-USER-SUBNETS object-group IMPO-NET

nat (INSIDE) 0 access-list NO-NAT


crypto map OUTSIDE_map 20 match address INTERNAL-USER-IMPO
crypto map OUTSIDE_map 20 set peer 205.xxx.xxx.xxx
crypto map OUTSIDE_map 20 set transform-set ESP-AES-256-SHA
crypto map OUTSIDE_map 20 set pfs group5
crypto map OUTSIDE_map 20 set security-association lifetime seconds 28800

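As an added example (not part of the original post, and not Cisco code), the following Python models the two ACL checks this configuration relies on: the NO-NAT exemption and the crypto ACL INTERNAL-USER-IMPO, with the object-groups expanded the way the ASA expands them, first match wins and implicit deny at the end. It also goes a step beyond the post by letting a different NO-NAT list be supplied, so the common case where the exemption ACL and the crypto ACL drift apart can be tried. It assumes 203.0.113.16/28 as a stand-in for the masked 205.xxx.xxx.xxx/28 vendor prefix; the flow addresses are constructed.

```python
"""Model how a pre-8.3 ASA decides whether an INSIDE flow is NAT-exempt and
"interesting" for the crypto map, using the ACLs and object-groups from the
post (added example, not the poster's configuration or Cisco code)."""
import ipaddress

# Object-groups from the post. 203.0.113.16/28 (TEST-NET-3) is a constructed
# stand-in for the vendor prefix that is masked as 205.xxx.xxx.xxx above.
OBJECT_GROUPS = {
    "INTERNAL-USER-SUBNETS": ["172.16.150.0/23", "172.16.115.0/24"],
    "IMPO-NET": ["203.0.113.16/28"],
}

# Extended ACEs as (action, protocol, source, destination); source and
# destination are an object-group name, "any", or a CIDR prefix.
NO_NAT = [("permit", "ip", "INTERNAL-USER-SUBNETS", "IMPO-NET")]
INTERNAL_USER_IMPO = [("permit", "ip", "INTERNAL-USER-SUBNETS", "IMPO-NET")]


def _networks(spec):
    """Expand an ACE address field into the prefixes it covers."""
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(n) for n in OBJECT_GROUPS.get(spec, [spec])]


def _ace_matches(ace, proto, src, dst):
    _, ace_proto, ace_src, ace_dst = ace
    if ace_proto != "ip" and ace_proto != proto:   # 'ip' covers every protocol
        return False
    return (any(ipaddress.ip_address(src) in n for n in _networks(ace_src)) and
            any(ipaddress.ip_address(dst) in n for n in _networks(ace_dst)))


def acl_decision(acl, proto, src, dst):
    """Walk the ACL top down; the first matching ACE wins; implicit deny at the end."""
    for ace in acl:
        if _ace_matches(ace, proto, src, dst):
            return ace[0]
    return "deny"


def classify_flow(proto, src, dst, no_nat=NO_NAT, crypto=INTERNAL_USER_IMPO):
    """Classify a packet entering on INSIDE.

    Pre-8.3 ASA evaluates 'nat (INSIDE) 0 access-list NO-NAT' before dynamic
    NAT/PAT and matches the crypto ACL against the post-NAT source. A flow
    that misses NO-NAT is PAT'd to the outside address and then no longer
    matches the crypto ACL, even though its real addresses would have.
    """
    nat_exempt = acl_decision(no_nat, proto, src, dst) == "permit"
    crypto_real = acl_decision(crypto, proto, src, dst) == "permit"
    return {"nat_exempt": nat_exempt, "crypto_acl_real": crypto_real,
            "tunneled": nat_exempt and crypto_real}


if __name__ == "__main__":
    # Constructed flows: the ping and the HTTP attempt from the post, plus one
    # destination just outside the vendor /28.
    for proto, src, dst in [("icmp", "172.16.150.10", "203.0.113.20"),
                            ("tcp", "172.16.150.10", "203.0.113.20"),
                            ("tcp", "172.16.150.10", "203.0.113.40")]:
        print(proto, src, "->", dst, classify_flow(proto, src, dst))
```

With both ACLs written as `permit ip` over the same object-groups, TCP/80 and ICMP from the same host to the same vendor address evaluate identically, so the address match alone cannot separate the two cases; the narrowed NO-NAT list shows what a mismatch between the exemption and the crypto ACL looks like.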
praprama (Cisco Employee) Thu, 09/23/2010 - 02:11

Hi,


The configuration looks alright. Sometimes the object-group configuration leads to problems in crypto ACLs. How do you know the packets to the server are getting routed through the internet? Do you have some captures?


What happens when you run a packet-tracer like below:


packet-tracer input inside icmp 172.16.150.10 8 0 205.xxx.xxx.xxx detailed


Thanks and Regards,

Prapanch

renato.berana Thu, 09/23/2010 - 02:27

Hi Prapanch,


thanks for the reply!


I can see it is routed to the outside because when I tried to telnet to port 80 on any of the servers it replies and the tunnel is not up.


Anyway here is the output of the trace:


packet-tracer input inside icmp 172.16.150.10 8 0 205.xxx.xxx.xxx detailed

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xb4540a38, priority=12, domain=capture, deny=false
hits=953447, user_data=0xb3ea8a40, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xb1bce900, priority=1, domain=permit, deny=false
hits=163298835, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         OUTSIDE

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.150.0    255.255.254.0   INSIDE

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group FROM-IN in interface INSIDE
access-list FROM-IN extended permit icmp any any
access-list FROM-IN remark McAfeeAV Update Server
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xb1fb3078, priority=12, domain=permit, deny=false
hits=190911, user_data=0xae983200, cs_id=0x0, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map ICMP-TTL
match any
policy-map global_policy
class ICMP-TTL
  set connection decrement-ttl
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xb296ce08, priority=7, domain=conn-set, deny=false
hits=12367290, user_data=0xb296bf50, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xb1bd14b0, priority=0, domain=inspect-ip-options, deny=true
hits=13040075, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xb2965140, priority=70, domain=inspect-icmp, deny=false
hits=190922, user_data=0xb2964a90, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xb1bd1128, priority=66, domain=inspect-icmp-error, deny=false
hits=206714, user_data=0xb1bd1010, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
  match ip INSIDE 172.16.150.0 255.255.254.0 OUTSIDE 205.xxx.xxx.xxx 255.255.255.240
    NAT exempt
    translate_hits = 16, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xb442e5d8, priority=6, domain=nat-exempt, deny=false
hits=16, user_data=0xb3143a20, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=172.16.150.0, mask=255.255.254.0, port=0
dst ip=205.xxx.xxx.xxx, mask=255.255.255.240, port=0, dscp=0x0

Phase: 11
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (INSIDE,DMZ3) 172.16.150.0 172.16.150.0 netmask 255.255.255.0
nat-control
  match ip INSIDE 172.16.150.0 255.255.255.0 DMZ3 any
    static translation to 172.16.150.0
    translate_hits = 1363, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xb1f88fa0, priority=5, domain=host, deny=false
hits=585425, user_data=0xb1f882a8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=172.16.150.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 12
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE) 1 access-list INSIDE-PAT-ACL
nat-control
  match ip INSIDE 172.16.150.0 255.255.254.0 OUTSIDE any
    dynamic translation to pool 1 (94.56.130.18 [Interface PAT])
    translate_hits = 593648, untranslate_hits = 551884
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xb1dca140, priority=2, domain=nat, deny=false
hits=602098, user_data=0xb3eef260, cs_id=0x0, flags=0x0, protocol=0
src ip=172.16.150.0, mask=255.255.254.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 13
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xb1dd8228, priority=70, domain=encrypt, deny=false
hits=7, user_data=0x31309c, cs_id=0xb2fd0558, reverse, flags=0x0, protocol=0
src ip=172.16.150.0, mask=255.255.254.0, port=0
dst ip=205.xxx.xxx.xxx, mask=255.255.255.240, port=0, dscp=0x0

Phase: 14
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xb28d38a8, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=7, user_data=0x31419c, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=205.xxx.xxx.xxx, mask=255.255.255.240, port=0
dst ip=172.16.150.0, mask=255.255.254.0, port=0, dscp=0x0

Phase: 15
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xb1b82038, priority=0, domain=inspect-ip-options, deny=true
hits=12994732, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 16
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 14956985, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow


ENECASA01/pri/act#

praprama (Cisco Employee) Thu, 09/23/2010 - 06:53

Hi,


Based on the packet-tracer for pings, I see it passing traffic through the tunnel. Please paste the output of


packet-tracer input inside tcp 172.16.150.10 1234 205.xxx.xxx.xxx 80 detailed


Also, when trying to telnet to port 80 and ping, please paste the output of "show cry isa sa" and "show cry ips sa".


Regards,

Prapanch
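The two packet-tracer runs asked for in this thread (the ICMP one already posted and the TCP/80 one) are easiest to compare side by side. The following Python is an added example, not from this thread or from Cisco: it parses packet-tracer output into phases, skips the `<--- More --->` pager prompts that the pasted output is full of, and reports the items that matter for a VPN flow (which NAT rule matched, whether a NAT-EXEMPT phase and a VPN encrypt phase appear, the first DROP, the egress interface and final action). The two embedded traces are constructed and abbreviated: the ICMP one follows the shape of the trace posted above with 203.0.113.16/28 standing in for the masked vendor prefix, and the TCP one is hypothetical, showing only what a flow that misses the exemption and the tunnel would look like, not the poster's actual result.

```python
"""Summarise and compare two ASA packet-tracer runs (added example, not from
the thread). The sample traces are constructed and abbreviated; the TCP one is
hypothetical and only shows what a flow that bypasses the tunnel looks like."""


def parse_trace(text):
    """Split packet-tracer output into per-phase dicts plus the trailing
    'Result:' block. Pager prompts ('<--- More --->') and blank lines are ignored."""
    phases, final, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "<--- More --->":
            continue
        key, _, val = (s.strip() for s in line.partition(":"))
        if key == "Phase" and val.isdigit():
            cur = {"Type": "", "Subtype": "", "Result": "", "config": []}
            phases.append(cur)
            section = "phase"
        elif line == "Result:":                  # bare 'Result:' opens the summary
            cur, section = None, "final"
        elif section == "final":
            final[key] = val
        elif cur is not None:
            if key in ("Type", "Subtype", "Result"):
                cur[key] = val
            elif key in ("Config", "Additional Information"):
                section = "config" if key == "Config" else "info"
            elif section == "config":            # keep the rule lines that matched
                cur["config"].append(line)
    return phases, final


def summarize(text):
    """The facts a VPN troubleshooter compares between an ICMP and a TCP trace."""
    phases, final = parse_trace(text)
    return {
        "phase_types": [p["Type"] for p in phases],
        "nat_match": [c for p in phases if p["Type"].startswith("NAT")
                      for c in p["config"] if c.startswith("match ")],
        "nat_exempt": any(p["Type"] == "NAT-EXEMPT" for p in phases),
        "encrypt": any(p["Type"] == "VPN" and p["Subtype"] == "encrypt" for p in phases),
        "drop_at": next((p["Type"] for p in phases if p["Result"] == "DROP"), None),
        "egress": final.get("output-interface"),
        "action": final.get("Action"),
    }


def diff_traces(a, b):
    """Summary keys whose values differ between two traces."""
    sa, sb = summarize(a), summarize(b)
    return {k: (sa[k], sb[k]) for k in sa if sa[k] != sb[k]}


# Constructed ICMP trace in the shape of the one posted above; 203.0.113.16/28
# stands in for the masked vendor prefix.
ICMP_TRACE = """\
Phase: 1
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
  match ip INSIDE 172.16.150.0 255.255.254.0 OUTSIDE 203.0.113.16 255.255.255.240
    NAT exempt
<--- More --->
Additional Information:

Phase: 2
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: INSIDE
output-interface: OUTSIDE
Action: allow
"""

# Hypothetical TCP/80 trace: no NAT-EXEMPT and no VPN encrypt phase, so the
# flow leaves OUTSIDE as ordinary PAT'd internet traffic.
TCP_TRACE = """\
Phase: 1
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE) 1 access-list INSIDE-PAT-ACL
  match ip INSIDE 172.16.150.0 255.255.254.0 OUTSIDE any
Additional Information:

Result:
input-interface: INSIDE
output-interface: OUTSIDE
Action: allow
"""

if __name__ == "__main__":
    for k, (icmp, tcp) in diff_traces(ICMP_TRACE, TCP_TRACE).items():
        print(f"{k}: icmp={icmp!r} tcp={tcp!r}")
```

Paste the real output of the two commands into the two strings (pager prompts and all) and the diff shows where the TCP flow leaves the path the ICMP flow took; a trace whose final action is "allow" with egress OUTSIDE but no VPN encrypt phase is a flow that went to the internet unencrypted, which matches the symptom described in the thread.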
