
VPN access list and internet access list troubles.

Mar 11th, 2014

Hi All,

I can't seem to find where I'm going wrong. I have a site-to-site VPN tunnel that works and passes traffic, but as soon as I add another access list to allow internet-bound traffic out, nothing passes through the tunnel any more. What am I missing?

 

ip nat pool _Int 217.10.175.100 217.10.175.100 prefix-length 24
ip nat inside source list 101 pool _Int overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet1 217.10.176.xxx permanent
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.82.175.0 0.0.0.255 10.82.128.0 0.0.31.255
 permit ip 10.82.175.0 0.0.0.255 10.82.160.0 0.0.7.255
 permit ip 10.82.175.0 0.0.0.255 10.82.168.0 0.0.3.255
 permit ip 10.82.175.0 0.0.0.255 10.82.172.0 0.0.1.255
 permit ip 10.82.175.0 0.0.0.255 10.82.174.0 0.0.0.255
 permit ip 192.168.224.200 0.0.0.7 any
 permit ip 192.168.224.200 0.0.0.7 10.82.128.0 0.0.31.255
 permit ip 192.168.224.200 0.0.0.7 10.82.160.0 0.0.7.255
 permit ip 192.168.224.200 0.0.0.7 10.82.168.0 0.0.3.255
 permit ip 192.168.224.200 0.0.0.7 10.82.172.0 0.0.1.255
 permit ip 192.168.224.200 0.0.0.7 10.82.174.0 0.0.0.255
!
access-list 101 permit tcp 10.82.175.0 0.0.0.255 any eq 443
access-list 101 permit tcp 10.82.175.0 0.0.0.255 any eq www
access-list 101 permit udp 10.82.175.0 0.0.0.255 any eq domain
access-list 101 permit icmp 10.82.175.0 0.0.0.255 any

Any help is appreciated,

Thanks,

Joel

realmatrix Wed, 03/12/2014 - 06:09

Try to deny TCP/UDP/ICMP traffic to the remote site in ACL 101, the one used for NAT. Put the deny rules at the top of ACL 101:

no access-list 101

access-list 101 deny tcp 10.82.175.0 0.0.0.255 10.82.128.0 0.0.31.255 eq 443
access-list 101 deny tcp 10.82.175.0 0.0.0.255 10.82.128.0 0.0.31.255 eq www
access-list 101 deny udp 10.82.175.0 0.0.0.255 10.82.128.0 0.0.31.255 eq domain
access-list 101 deny tcp 10.82.175.0 0.0.0.255 10.82.160.0 0.0.7.255 eq 443
access-list 101 deny tcp 10.82.175.0 0.0.0.255 10.82.160.0 0.0.7.255 eq www
access-list 101 deny udp 10.82.175.0 0.0.0.255 10.82.160.0 0.0.7.255 eq domain
access-list 101 deny tcp 10.82.175.0 0.0.0.255 10.82.168.0 0.0.3.255 eq 443
access-list 101 deny tcp 10.82.175.0 0.0.0.255 10.82.168.0 0.0.3.255 eq www
access-list 101 deny udp 10.82.175.0 0.0.0.255 10.82.168.0 0.0.3.255 eq domain
access-list 101 deny tcp 10.82.175.0 0.0.0.255 10.82.172.0 0.0.1.255 eq 443
access-list 101 deny tcp 10.82.175.0 0.0.0.255 10.82.172.0 0.0.1.255 eq www
access-list 101 deny udp 10.82.175.0 0.0.0.255 10.82.172.0 0.0.1.255 eq domain
access-list 101 deny tcp 10.82.175.0 0.0.0.255 10.82.174.0 0.0.0.255 eq 443
access-list 101 deny tcp 10.82.175.0 0.0.0.255 10.82.174.0 0.0.0.255 eq www
access-list 101 deny udp 10.82.175.0 0.0.0.255 10.82.174.0 0.0.0.255 eq domain
access-list 101 permit tcp 10.82.175.0 0.0.0.255 any eq 443
access-list 101 permit tcp 10.82.175.0 0.0.0.255 any eq www
access-list 101 permit udp 10.82.175.0 0.0.0.255 any eq domain
access-list 101 permit icmp 10.82.175.0 0.0.0.255 any
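As an added illustration (not code from either poster), a small Python model of first-match wildcard ACL evaluation that reproduces the behaviour both posts describe: with ACL 101 as originally posted, a packet for the remote 10.82.128.0/19 network is translated to the pool address before the crypto map is consulted and therefore no longer matches VPN-TRAFFIC; with the reply's deny entries at the top it stays untranslated and is sent into the tunnel. The inside-to-outside order (NAT before crypto) is assumed from Cisco's documented IOS order of operations, and only two of the remote networks are modelled.

```python
import ipaddress

def wc_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care'; 255.255.255.255 is 'any'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def ace_matches(ace, pkt):
    action, proto, src, swc, dst, dwc, dport = ace
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if dport is not None and dport != pkt.get("dport"):
        return False
    return wc_match(pkt["src"], src, swc) and wc_match(pkt["dst"], dst, dwc)

def acl_lookup(acl, pkt):
    """First matching entry wins; implicit deny at the end of every IOS ACL."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace[0]
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")
# Crypto ACL VPN-TRAFFIC from the question (two of its remote networks).
VPN_TRAFFIC = [
    ("permit", "ip", "10.82.175.0", "0.0.0.255", "10.82.128.0", "0.0.31.255", None),
    ("permit", "ip", "10.82.175.0", "0.0.0.255", "10.82.160.0", "0.0.7.255", None),
]
# NAT ACL 101 exactly as posted in the question.
ACL101_ORIG = [
    ("permit", "tcp", "10.82.175.0", "0.0.0.255", *ANY, 443),
    ("permit", "tcp", "10.82.175.0", "0.0.0.255", *ANY, 80),
    ("permit", "udp", "10.82.175.0", "0.0.0.255", *ANY, 53),
    ("permit", "icmp", "10.82.175.0", "0.0.0.255", *ANY, None),
]
# NAT ACL 101 with the reply's deny entries on top (shown for 10.82.128.0/19 only).
ACL101_FIXED = [
    ("deny", "tcp", "10.82.175.0", "0.0.0.255", "10.82.128.0", "0.0.31.255", 443),
    ("deny", "tcp", "10.82.175.0", "0.0.0.255", "10.82.128.0", "0.0.31.255", 80),
    ("deny", "udp", "10.82.175.0", "0.0.0.255", "10.82.128.0", "0.0.31.255", 53),
] + ACL101_ORIG

NAT_POOL_IP = "217.10.175.100"  # pool _Int from the question

def forward(nat_acl, pkt):
    """Assumed IOS inside-to-outside order: NAT runs before the crypto map check,
    so a translated packet no longer has a 10.82.175.x source and misses VPN-TRAFFIC."""
    if acl_lookup(nat_acl, pkt) == "permit":
        pkt = dict(pkt, src=NAT_POOL_IP)
    return "tunnel" if acl_lookup(VPN_TRAFFIC, pkt) == "permit" else "internet"
```

Note that the reply's deny entries cover only TCP 443/80 and UDP 53, so an ICMP echo to the remote site still hits the permit icmp line and is translated; a deny ip entry per remote network would exempt every protocol from NAT.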
