09-25-2010 09:36 AM - edited 02-21-2020 04:52 PM
Hi,
I cannot access web traffic after establishing the site-to-site IPsec VPN, but I can access HTTPS. I have tried so many times to set up a site-to-site IPsec VPN between Cisco 3825 and 1812 routers, but cannot find out the exact problem. My network topology is attached herewith. BO and HO are Cisco routers between which I have tried to set up the site-to-site IPsec VPN. At HO a Fortinet is used as firewall and edge router. The DMZ (mail server, Active Directory, web server, etc.) is connected via the firewall. VPN Phase 1 and Phase 2 seem to be up and working perfectly, and while debugging I cannot find any problem. I can ping all of the DMZ as well as the internet with jumbo frames and can access HTTPS and mail, but cannot browse HTTP and AD (Active Directory) while using the site-to-site IPsec VPN between them. If I remove the VPN then it works perfectly. Can you please advise me?
09-25-2010 03:02 PM
Given the description of the symptoms, I would guess that the most probable cause of the problem is something in the access list used on the routers to identify traffic which should be encrypted. Can you post the access list from each of the routers?
It might also be helpful if you could post the other parts of the configuration for the site to site VPN.
HTH
Rick
09-25-2010 10:51 PM
Hi Richard,
The configuration of IPsec between HO and BO is as follows.
HO
--------
The networks 192.168.0.0/24, 192.168.1.0/24, 192.168.5.0/24, 192.168.18.0/24, 192.168.100.0/24 and 192.168.204.0/24 are my DMZ networks, 192.168.254.0/24 is my P2P network between BO and HO, and 192.168.253.0/24 is my BO LAN network.
crypto isakmp policy 102
encr 3des
authentication pre-share
group 5
crypto isakmp key abc123 address 192.168.254.2
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
!
crypto map mymap 101 ipsec-isakmp
set peer 192.168.254.2
set transform-set ESP-3DES-SHA
match address 100
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.5.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.18.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.204.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 deny ip any any
BO
-------
crypto isakmp policy 102
encr 3des
authentication pre-share
group 5
crypto isakmp key abc123 address 192.168.254.1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
!
crypto map mymap 101 ipsec-isakmp
set peer 192.168.254.1
set transform-set ESP-3DES-SHA
match address 100
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.204.0 0.0.0.255
12-17-2015 03:16 AM
I think I have the same problem. Can you remember your solution for this?
Thanks
09-25-2010 05:00 PM
How are you trying to access HTTP and AD: via DNS or IP address?
You would also have to make sure that the IP addresses that you use to access them are part of your crypto ACL while trying to access them via the VPN.
Also, you would have to make sure that the return traffic from those HTTP and AD servers goes back to the VPN routers.
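A check for the two points Jennifer raises, run against the crypto ACLs posted earlier in the thread. This is an added example, not code from the thread or from Cisco: it parses ACL 100 from both routers, confirms that every HO permit entry has a mirrored (source/destination swapped) BO entry, and evaluates whether a given source/destination pair would be treated as interesting traffic. The two ACL strings are copied from the posts above; the sample host addresses in the usage are constructed.

```python
import ipaddress
HO_ACL = """
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.5.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.18.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.204.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 deny ip any any
"""
BO_ACL = """
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.204.0 0.0.0.255
"""

def _take(tokens, i):
    """Consume one IOS address spec ('any' or 'addr wildcard'); return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    prefix = 32 - bin(int(ipaddress.IPv4Address(tokens[i + 1]))).count("1")  # contiguous wildcard
    return ipaddress.ip_network(f"{tokens[i]}/{prefix}", strict=False), i + 2

def parse_crypto_acl(text):
    """Return [(action, src_net, dst_net)] for each 'access-list N permit|deny ip ...' line."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue
        src, i = _take(t, 4)
        dst, _ = _take(t, i)
        entries.append((t[2], src, dst))
    return entries

def mirror_mismatches(local, remote):
    """Permit pairs in local whose swapped (dst, src) counterpart is absent from remote."""
    remote_permits = {(s, d) for a, s, d in remote if a == "permit"}
    return [(s, d) for a, s, d in local if a == "permit" and (d, s) not in remote_permits]

def is_interesting(acl, src_ip, dst_ip):
    """First match wins; no match means implicit deny (the flow is not encrypted)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return next((a == "permit" for a, s, d in acl if src in s and dst in d), False)
```

With the ACLs as posted, both mirror checks come back empty and a flow from a BO LAN host to a DMZ address is interesting, while a flow to the 192.168.254.0/24 P2P link is not; a server reached through a NAT or proxy address outside these networks would likewise fall outside the encryption domain.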
09-25-2010 11:01 PM
Hi Jennifer,
I am testing access to the web server and AD via IP as well as DNS, but without success. As far as I know, the return traffic also goes via the VPN. The HTTP and HTTPS services are both hosted on the same machine; I can access HTTPS but not HTTP and AD.
09-26-2010 03:00 AM
Can you please share the router configuration? Do you have any ACL that might block traffic other than HTTPS? What about the server itself?
Is there any personal/server firewall that might be blocking HTTP and AD access? Are you able to telnet to port 80 on the server's private IP address?
09-26-2010 03:14 AM
The configuration of IPsec between HO and BO is as follows.
HO
--------
The networks 192.168.0.0/24, 192.168.1.0/24, 192.168.5.0/24, 192.168.18.0/24, 192.168.100.0/24 and 192.168.204.0/24 are my DMZ networks, 192.168.254.0/24 is my P2P network between BO and HO, and 192.168.253.0/24 is my BO LAN network.
crypto isakmp policy 102
encr 3des
authentication pre-share
group 5
crypto isakmp key abc123 address 192.168.254.2
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
!
crypto map mymap 101 ipsec-isakmp
set peer 192.168.254.2
set transform-set ESP-3DES-SHA
match address 100
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.5.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.18.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.204.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 deny ip any any
BO
-------
crypto isakmp policy 102
encr 3des
authentication pre-share
group 5
crypto isakmp key abc123 address 192.168.254.1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
!
crypto map mymap 101 ipsec-isakmp
set peer 192.168.254.1
set transform-set ESP-3DES-SHA
match address 100
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.204.0 0.0.0.255
I can telnet to port 80 of the HTTP server. The web server is Windows 2003 Server; I have disabled the default firewall as well. There is no ACL policy except the interesting traffic. I can easily access HTTP and AD if I bypass the VPN. Is there any parameter missing from my configuration?
09-26-2010 03:34 AM
If you can telnet to port 80 on the web server through the VPN tunnel, that means that as far as network connectivity through the VPN tunnel is concerned, it is working just fine.
It is probably more an application layer issue with HTTP. I assume that you have no proxy server or anything that might be the issue, right?
What about checking the logs on the Windows 2003 server itself? It might give you some clue as to why HTTP via browser is not working.