2811 with VPN tunnel and CBAC firewall - internet access problem

Unanswered Question
Feb 7th, 2006

Hi All,

I've got a 2811 with the security IOS on it and I am trying to open a VPN tunnel to a Cisco 3030 VPN concentrator, and also enable CBAC and gain internet access via it (using split tunneling).

I do manage to open the VPN tunnel, but I can't surf the web from a PC that is located behind the internal interface. Can someone please help me?


Thanks,


Here is my router config:

!!!!! x.x.x.x = Public IP of the 3030 VPN concentrator !!!!!!!!

!!!!! y.y.y.y = Public IP of the 2811 !!!!!!!!

!!!!! z.z.z.z = Public IP of the 2811 - default gateway !!!!!!!!



service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging buffered 16384 informational
no logging console
enable secret !!!some secret !!!
!
aaa new-model
!
!
aaa authentication login default local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
no ip source-route
ip tcp intercept list 110
!
ip cef
!
ip domain name domainname.com
ip name-server 10.x.x.x
ip name-server 10.x.x.x
ip inspect name FW icmp
ip inspect name FW http
ip inspect name FW ftp
ip inspect name FW tftp
!
crypto pki trustpoint TP-self-signed-xxxx
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-xxxx
 revocation-check none
 rsakeypair TP-self-signed-xxxx
!
!
crypto pki certificate chain TP-self-signed-xxxx
 certificate self-signed 01
username ******* secret 5 ******
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key mortimer11 address x.x.x.x
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map VPNmap 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set myset
 match address VPN
!
interface FastEthernet0/0
 description Outside Interface
 ip address y.y.y.y 255.255.255.252
 ip access-group Firewall in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map VPNmap
!
interface FastEthernet0/1
 description Inside Interface
 ip address 10.197.4.2 255.255.252.0
 ip nat inside
 ip inspect FW in
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 z.z.z.z
!
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat pool mypool y.y.y.y y.y.y.y netmask 255.255.255.252
ip nat inside source route-map translate pool mypool overload
!
ip access-list extended Firewall
 deny ip host 255.255.255.255 any
 permit icmp any host y.y.y.y echo
 permit udp any eq isakmp any
 permit esp any any
 permit tcp any host y.y.y.y eq 22
 deny ip any any
ip access-list extended NAT
 deny tcp any any eq 22
 deny tcp any eq 22 any
 deny ip 10.197.4.0 0.0.3.255 10.0.0.0 0.255.255.255
 permit ip 10.197.0.0 0.0.255.255 any
ip access-list extended VPN
 permit ip 10.197.4.0 0.0.3.255 10.0.0.0 0.255.255.255
!
access-list 110 permit ip any any
snmp-server community ********** RO
snmp-server community ********** RW
snmp-server location somewhere over the rainbow
snmp-server contact [email protected]
snmp-server system-shutdown
snmp-server enable traps tty
!
route-map translate permit 10
 match ip address NAT
!
!
!
tacacs-server host 10.32.4.16
tacacs-server host 10.32.6.47
tacacs-server directed-request
tacacs-server key 7 ********************
!
control-plane
!
!
line con 0
 password 7 *************
line aux 0
line vty 0 4
 exec-timeout 5 0
 privilege level 15
 password 7 *************
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17179877
ntp source FastEthernet0/1
ntp server 10.32.0.2
!
end




bbayer Mon, 01/29/2007 - 16:41

Hi,

I think I have seen this problem before. Try taking the "ip inspect FW in" off int fa0/1 and putting it on fa0/0 as "ip inspect FW out". I know it contradicts the documentation but it worked for me.


: )

