ipsec half working

Jun 6th, 2014

Hi Everyone,

Thanks for taking the time to read my post.

Using IOS version 12.4(13r)T11

I have set up an IPsec tunnel between my Cisco 2821 and a UBNT device. The LAN on the 2821 side is 10.0.1.x and the LAN on the UBNT side is 10.0.2.x. The Internet is in the middle.

From the UBNT device, they can access everything on the 10.0.1.x network, but 10.0.1.x cannot access anything on the 10.0.2.x network. I'm thinking I missed a no-NAT statement somewhere... but where?


Current configuration : 4951 bytes
!
! Last configuration change at 00:15:28 EDT Sat Jun 7 2014 by a-rogarrett
! NVRAM config last updated at 23:12:54 EDT Fri Jun 6 2014 by a-rogarrett
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname home1
!
boot-start-marker
boot-end-marker
!
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
!
!
aaa session-id common
clock timezone EDT -4
!
!
!
!
ip cef
!
!
ip domain name <removed>
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 l2tp tunnel receive-window 1024
!
!
voice-card 0
 no dspfarm
!
!
!
voice service voip
 clid substitute name
 allow-connections sip to sip
 no supplementary-service sip moved-temporarily
 no supplementary-service sip refer
 sip
  bind control source-interface GigabitEthernet0/1
  bind media source-interface GigabitEthernet0/1
  asserted-id ppi
  e911
  transport switch udp tcp
   outbound-proxy dns:<removed>
   outbound-proxy dns:<removed>
  no call service stop
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username <removed> password 0 <removed>
!
crypto keyring orddie
  pre-shared-key address <UBNT IP ADDRESS> key <removed>
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key <removed> hostname <UBNT dns name> no-xauth
!
!
crypto ipsec transform-set orddie esp-aes 256 esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map orddie 10 ipsec-isakmp
 set peer UBNT Device IP
 set transform-set orddie
 match address 101
!
archive
 log config
  hidekeys
!
!
ip ssh authentication-retries 2
ip ssh version 1
!
!
!
!
interface GigabitEthernet0/0
 description Comcast
 ip address dhcp
 ip access-group 184 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map orddie
!
interface GigabitEthernet0/1
 description Network
 ip address 10.0.1.169 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/1/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/1/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0
 ip nat inside
 ip virtual-reassembly
 peer default ip address pool ppp
 no keepalive
 ppp encrypt mppe auto
 ppp authentication pap chap ms-chap
!
ip local pool ppp 192.168.1.1 192.168.1.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface GigabitEthernet0/0 overload
!
access-list 100 remark Internal network
access-list 100 deny   ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 100 deny   ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 101 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 184 permit ip host UBNT Device IP any
access-list 184 permit ip host <removed> any
access-list 184 permit ip host <removed> any
access-list 184 permit gre any any
access-list 184 permit tcp any any eq 1723
access-list 184 permit udp any any eq 1701
access-list 184 permit icmp any any echo
access-list 184 permit icmp any any echo-reply
access-list 184 permit udp any any eq bootpc
access-list 184 permit udp any any eq bootps
access-list 184 permit udp any any eq isakmp
access-list 184 permit udp host 75.75.75.75 eq domain any
access-list 184 permit udp host 75.75.76.76 eq domain any
access-list 184 permit udp host 8.8.8.8 eq domain any
access-list 184 permit udp any any eq ntp
access-list 184 permit udp any eq ntp any
access-list 184 permit tcp any eq www any
access-list 184 permit tcp any eq 443 any
access-list 184 permit udp any any eq non500-isakmp
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
dial-peer voice <removed> voip
 destination-pattern <removed>
 session protocol sipv2
 session target ipv4:10.0.1.99
 session transport udp
 codec g711ulaw
!
dial-peer voice 10 voip
 destination-pattern 1..........
 session protocol sipv2
 session target dns:<removed>
 session transport udp
!
!
sip-ua
<removed>
!
!
!
line con 0
line aux 0
line vty 0 4
 transport input ssh
line vty 5 15
 access-class 100 in
 transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17180192
ntp server 17.151.16.21 prefer
!
end

Correct Answer by syed kazim abbas, Sat, 06/07/2014 - 01:58

hi,

you have a problem with ACLs:

you need to do it this way, because Cisco recommends the ACL should be mirrored on both sides.

access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
no access-list 101 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

and

no access-list 100 deny   ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

when you are using pure IPsec site-to-site, not GRE over IPsec, then you need to permit ESP, not GRE:

no access-list 184 permit gre any any
access-list 184 permit esp any any

the last one: Cisco recommends a route-map for no-NAT:

ip nat inside source route-map no-nat interface GigabitEthernet0/0 overload

route-map no-nat permit 10
 match ip address 100

Regards,

kazim

"please rate me, if post helpful"
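As an added illustration (not code from the thread or from either poster), the following Python models how ACL 100 (the NAT list) and ACL 101 (the crypto map list) interact on the inside-to-outside path, where IOS translates before it checks the crypto map: the deny entry at the top of ACL 100 is what keeps 10.0.1.x-to-10.0.2.x traffic untranslated so it still matches the crypto ACL. The outside address 203.0.113.1 is a constructed stand-in for the DHCP-assigned Gi0/0 address.

```python
import ipaddress
# Constructed helper (not from the thread): a first-match evaluator for the
# numbered IOS ACLs quoted above, used to check the NAT-exemption logic.
def _wild_match(addr, net, wildcard):
    """IOS wildcard masks: a 1 bit means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a | w) == (n | w)

def _operand(tokens):
    """Consume 'host X', 'any' or 'X WILDCARD'; return (net, wildcard, rest)."""
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    return tokens[0], tokens[1], tokens[2:]

def acl_action(acl, src, dst):
    """First matching 'ip' entry wins; every IOS ACL ends with an implicit deny."""
    for line in acl:
        t = line.split()
        if t[2] == "remark" or t[3] != "ip":
            continue
        s_net, s_wc, rest = _operand(t[4:])
        d_net, d_wc, _ = _operand(rest)
        if _wild_match(src, s_net, s_wc) and _wild_match(dst, d_net, d_wc):
            return t[2]
    return "deny"

# ACL 100 (NAT) and ACL 101 (crypto map) exactly as posted in the question.
NAT_ACL_100 = [
    "access-list 100 remark Internal network",
    "access-list 100 deny   ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255",
    "access-list 100 permit ip 10.0.1.0 0.0.0.255 any",
    "access-list 100 permit ip 192.168.1.0 0.0.0.255 any",
]
CRYPTO_ACL_101 = ["access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255"]
OUTSIDE_IP = "203.0.113.1"  # constructed stand-in for the DHCP address on Gi0/0

def classify(src, dst, nat_acl=NAT_ACL_100):
    """Inside-to-outside, IOS translates (NAT) before it checks the crypto map.
    Returns (translated, encrypted) for one flow leaving GigabitEthernet0/0."""
    translated = acl_action(nat_acl, src, dst) == "permit"
    post_nat_src = OUTSIDE_IP if translated else src
    encrypted = acl_action(CRYPTO_ACL_101, post_nat_src, dst) == "permit"
    return translated, encrypted

if __name__ == "__main__":
    no_exempt = [l for l in NAT_ACL_100 if " deny " not in l]  # same list without the exemption
    print(classify("10.0.1.50", "10.0.2.50"), classify("10.0.1.50", "10.0.2.50", no_exempt))
```

With the exemption in place the LAN-to-LAN flow is (False, True): left untranslated and selected for the tunnel; without it the flow is (True, False), because once PAT has rewritten the source to the outside address it no longer matches ACL 101 and leaves in the clear.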

rbblue234 Sat, 06/07/2014 - 10:30

Thanks for the response!

I tried as you suggested, and now 10.0.2.x can no longer ping 10.0.1.x and 10.0.1.x cannot ping 10.0.2.x.

Building configuration...

Current configuration : 4917 bytes
!
! Last configuration change at 13:17:44 EDT Sat Jun 7 2014 by a-rogarrett
! NVRAM config last updated at 13:17:47 EDT Sat Jun 7 2014 by a-rogarrett
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname home1
!
boot-start-marker
boot-end-marker
!
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
!
!
aaa session-id common
clock timezone EDT -4
!
!
!
!
ip cef
!
!
ip domain name orddie.net
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 l2tp tunnel receive-window 1024
!
!
voice-card 0
 no dspfarm
!
!
!
voice service voip
 clid substitute name
 allow-connections sip to sip
 no supplementary-service sip moved-temporarily
 no supplementary-service sip refer
 sip
  bind control source-interface GigabitEthernet0/1
  bind media source-interface GigabitEthernet0/1
  asserted-id ppi
  e911
  transport switch udp tcp
   outbound-proxy dns:<removed>
   outbound-proxy dns:<removed>
  no call service stop
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username <removed> password 0 <removed>
!
crypto keyring orddie
  pre-shared-key address <UBNT IP> key <removed>
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key <removed> hostname <UBNT HOSTNAME> no-xauth
!
!
crypto ipsec transform-set orddie esp-aes 256 esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map orddie 10 ipsec-isakmp
 set peer <UBNT IP>
 set transform-set orddie
 match address 101
!
archive
 log config
  hidekeys
!
!
ip ssh authentication-retries 2
ip ssh version 1
!
!
!
!
interface GigabitEthernet0/0
 description Comcast
 ip address dhcp
 ip access-group 184 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map orddie
!
interface GigabitEthernet0/1
 description Network
 ip address 10.0.1.169 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/1/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/1/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0
 ip nat inside
 ip virtual-reassembly
 peer default ip address pool ppp
 no keepalive
 ppp encrypt mppe auto
 ppp authentication pap chap ms-chap
!
ip local pool ppp 192.168.1.1 192.168.1.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map no-nat interface GigabitEthernet0/0 overload
!
access-list 100 remark Internal network
access-list 100 deny   ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 184 permit ip host <UBNT Host> any
access-list 184 permit ip host <removed> any
access-list 184 permit ip host <removed> any
access-list 184 permit gre any any
access-list 184 permit esp any any
access-list 184 permit tcp any any eq 1723
access-list 184 permit udp any any eq 1701
access-list 184 permit icmp any any echo
access-list 184 permit icmp any any echo-reply
access-list 184 permit udp any any eq bootpc
access-list 184 permit udp any any eq bootps
access-list 184 permit udp any any eq isakmp
access-list 184 permit udp host 75.75.75.75 eq domain any
access-list 184 permit udp host 75.75.76.76 eq domain any
access-list 184 permit udp host 8.8.8.8 eq domain any
access-list 184 permit udp any any eq ntp
access-list 184 permit udp any eq ntp any
access-list 184 permit tcp any eq www any
access-list 184 permit tcp any eq 443 any
access-list 184 permit udp any any eq non500-isakmp
!
!
!
route-map no-nat permit 10
 match ip address 100
!
!
!
!
control-plane
!
!
!
!
!
!
!
dial-peer voice <removed> voip
 destination-pattern <removed>
 session protocol sipv2
 session target ipv4:10.0.1.99
 session transport udp
 codec g711ulaw
!
dial-peer voice 10 voip
 destination-pattern 1..........
 session protocol sipv2
 session target <removed>
 session transport udp
!
!
sip-ua
 <removed>
!
!
!
line con 0
line aux 0
line vty 0 4
 transport input ssh
line vty 5 15
 access-class 100 in
 transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17180196
ntp server 17.151.16.21 prefer
!
end


rbblue234 Sat, 06/07/2014 - 14:11

Got it working. It was a firewall rule on the UBNT.

Thanks!