
Strange wildcard behaviour on VPN access list.

Hi folks,

I've got a VPN running over ADSL using two 1721's. The VPN runs great but according to the config it shouldn't be. It shouldn't work at all and I can't figure out why it is working. My remote LAN is 10.44.159.65/27, so to match anything in that LAN for encryption I should theoretically use a wildcard of 0.0.0.31; however, due to time constraints during installation I couldn't get this working, shoved in 0.0.0.224 and b00m, up it came. It's been left like that. Now we're having Citrix connection trouble and I'd like the VPN side 100% correct before moving on. Can someone have a quick glance at these configs and maybe tell me if I'm right in saying it should be 0.0.0.31 and not 224? And why is 224 working when it shouldn't?

Main Office

-------------

hostname gw1721-1
!
logging buffered 32768 informational
no logging rate-limit
no logging console
enable secret 5 $1$iLIA$FVbpS8ZN26faSIWGsnhT81
!
ip subnet-zero
!
!
ip name-server 212.135.1.36
ip name-server 195.40.1.36
!
ip audit notify log
ip audit po max-events 100
ip address-pool local
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key monkey address 194.172.152.50
!
!
crypto ipsec transform-set transset1 esp-3des esp-md5-hmac
!
crypto map crypmap1 50 ipsec-isakmp
 set peer 194.172.152.50
 set transform-set transset1
 match address vpnacl3
!
!
!
!
interface Tunnel1
 ip address 192.168.200.1 255.255.255.252
 tunnel source 212.24.167.33
 tunnel destination 194.172.152.50
 crypto map crypmap1
!
interface ATM0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 hold-queue 224 in
!
interface FastEthernet0
 ip address 10.44.155.2 255.255.255.0
 ip access-group fin in
 ip nat inside
 no ip mroute-cache
 speed auto
!
interface Dialer1
 mtu 1458
 ip address negotiated
 ip access-group inbound3 in
 ip access-group outbound3 out
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname monkey@dsl.monkey.co.uk
 ppp chap password 7 0604003359400F4F5C
 crypto map crypmap1
!
router eigrp 1
 network 10.0.0.0
 network 192.168.200.0 0.0.0.3
 no auto-summary
 no eigrp log-neighbor-changes
!
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.0.0.0 255.0.0.0 10.44.155.1
ip route 10.44.159.64 255.255.255.224 192.168.200.2
no ip http server
!
!
ip access-list extended fin
 deny tcp any any range 137 139
 deny udp any any range netbios-ns netbios-ss
 permit ip any any
ip access-list extended inbound3
 permit gre host 194.172.152.50 host 212.24.167.33
 permit udp host 194.172.152.50 eq isakmp host 212.24.167.33 eq isakmp
 permit esp host 194.172.152.50 host 212.24.167.33
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 evaluate racl
 permit udp any any eq ntp
 permit icmp any any
 permit udp any eq domain any
ip access-list extended outbound3
 permit ip any any reflect racl
ip access-list extended vpnacl3
 permit ip 10.0.0.0 0.255.255.255 10.44.159.0 0.0.0.224
 permit ip 192.168.200.0 0.0.0.3 192.168.200.0 0.0.0.3
!
logging trap debugging
logging 10.44.155.10
access-list 150 permit ip 192.168.0.0 0.0.0.255 any
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
access-list 150 deny ip 10.44.155.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 150 permit ip host 10.44.155.44 any
access-list 150 permit ip host 10.44.155.46 any
access-list 150 permit ip host 10.44.155.47 any
access-list 199 permit ip any any log
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
 match ip address 150
!
!
line con 0
 exec-timeout 120 0
 password 7 13021B135E0B0B3D
 logging synchronous
 stopbits 1
line aux 0
line vty 0 4
 access-class 199 in
 exec-timeout 0 0
 password 7 050C0A0E744B411E
 login
 length 0
!
no scheduler allocate
end

----------------------

Remote Office

----------------------

!
hostname po1721-1
!
logging buffered 16384 informational
no logging rate-limit
no logging console
enable secret 5 $1$vD.0$gXM7WR9ymG3t.c/ZjIsy7/
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
ip name-server 212.135.1.36
ip name-server 195.40.1.36
ip dhcp excluded-address 10.44.159.65
ip dhcp excluded-address 10.44.159.66
ip dhcp excluded-address 10.44.159.67
ip dhcp excluded-address 10.44.159.68
ip dhcp excluded-address 10.44.159.69
!
ip dhcp pool dhcppool
 network 10.44.159.64 255.255.255.224
 default-router 10.44.159.65
 dns-server 10.44.155.9 10.44.155.10
 domain-name wds.uk.rail.invs.com
 lease 2
!
ip audit notify log
ip audit po max-events 100
ip address-pool local
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key monkey address 212.24.167.33
!
!
crypto ipsec transform-set test5 esp-3des esp-md5-hmac
!
crypto map testmap2 10 ipsec-isakmp
 set peer 212.24.167.33
 set transform-set test5
 match address 150
!
!
!
!
interface Tunnel1
 ip address 192.168.200.2 255.255.255.252
 tunnel source 194.172.152.50
 tunnel destination 212.24.167.33
 crypto map testmap2
!
interface ATM0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 no fair-queue
 hold-queue 224 in
!
interface FastEthernet0
 ip address 10.44.159.65 255.255.255.224
 no ip mroute-cache
 speed auto
!
interface Dialer1
 mtu 1458
 ip address negotiated
 ip access-group pubin in
 ip access-group pubout out
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname monkey@dsl.monkey.co.uk
 ppp chap password 7 01150A0153040A5773
 crypto map testmap2
!
router eigrp 1
 network 10.0.0.0
 network 192.168.200.0 0.0.0.3
 no auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.0.0.0 255.0.0.0 192.168.200.1 250
no ip http server
ip pim bidir-enable
!
!
ip access-list extended pubin
 permit gre host 212.24.167.33 host 194.172.152.50
 permit udp host 212.24.167.33 eq isakmp host 194.172.152.50 eq isakmp
 permit esp host 212.24.167.33 host 194.172.152.50
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 evaluate racl
 permit udp any any eq ntp
 deny icmp any any echo
 permit icmp any any
 permit udp any eq domain any
 deny ip any any log
ip access-list extended pubout
 permit ip any any reflect racl
!
no logging trap
access-list 150 permit ip 10.44.159.0 0.0.0.224 10.0.0.0 0.255.255.255
access-list 150 permit ip 192.168.200.0 0.0.0.3 192.168.200.0 0.0.0.3
access-list 199 permit ip any any log
dialer-list 1 protocol ip permit
!
!
line con 0
 exec-timeout 120 0
 password 7 06110E371F5C051C1C
 logging synchronous
 stopbits 1
line aux 0
line vty 0 4
 access-class 199 in
 exec-timeout 0 0
 password 7 0718205A1D1B15000E
 login
 length 0
!
no scheduler allocate
end

2 REPLIES

Re: Strange wildcard behaviour on VPN access list.

At a glance, your access-list is only used for the crypto map.

When the traffic does not pass this list, it is not encrypted.

It is still sent, but not via the VPN.

If I am not mistaken that is your solution. This means that you now think you are sending encrypted data over the Internet, which you are actually not.

No need to suggest you correct this asap.

Regards,

Leo
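A worked example of the wildcard arithmetic behind the original question and of Leo's point about non-matching traffic, added here by the editor and not part of the original thread. Cisco wildcard masks are inverse masks: a 1 bit means "don't care", so 0.0.0.224 ignores the top three bits of the last octet and requires the low five bits to equal those of the base address, whereas 0.0.0.31 requires the top three bits to match. The two access-list 150 lines are copied from the remote-office config above. The corrected variant uses the proposed 0.0.0.31 together with the subnet's network address 10.44.159.64 as the base, because 10.44.159.0 0.0.0.31 would select .0 to .31 rather than .64 to .95. The sample flows are constructed for illustration. A flow the crypto ACL does not permit is labelled "clear": the router still forwards it, just not through IPsec.

```python
"""Evaluate IOS crypto access-list entries against sample flows.

Added example, not configuration or code from the original post. The two
access-list 150 lines are copied from the remote-office config; the sample
flows below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard (inverse) mask: a 1 bit in the wildcard means 'ignore this bit'."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def _addr_spec(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Consume one address specifier: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit ip SRC DST' or the named-ACL 'permit ip SRC DST' form."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]  # drop 'access-list 150'
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"only 'permit|deny ip' entries are handled: {line}")
    src, src_wc, i = _addr_spec(tokens, 2)
    dst, dst_wc, _ = _addr_spec(tokens, i)
    return Ace(action, src, src_wc, dst, dst_wc)


def lookup(acl: List[Ace], src: str, dst: str) -> str:
    """First-match semantics with the implicit deny at the end of every IOS ACL."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


def matching_hosts(acl: List[Ace], subnet: str, dst: str) -> List[str]:
    """Addresses in `subnet` whose traffic to `dst` the crypto ACL would select for IPsec."""
    net = ipaddress.IPv4Network(subnet)
    return [str(a) for a in net if lookup(acl, str(a), dst) == "permit"]


def classify(acl: List[Ace], flows: List[Tuple[str, str]]) -> Dict[Tuple[str, str], str]:
    """'encrypt' if the crypto ACL permits the flow, else 'clear' (forwarded, but unprotected)."""
    return {f: ("encrypt" if lookup(acl, *f) == "permit" else "clear") for f in flows}


# Remote-office access-list 150 exactly as posted in the thread.
AS_CONFIGURED = [parse_ace(line) for line in (
    "access-list 150 permit ip 10.44.159.0 0.0.0.224 10.0.0.0 0.255.255.255",
    "access-list 150 permit ip 192.168.200.0 0.0.0.3 192.168.200.0 0.0.0.3",
)]
# Proposed fix: wildcard 0.0.0.31 with the /27's own network address (.64) as the base.
CORRECTED = [parse_ace(line) for line in (
    "access-list 150 permit ip 10.44.159.64 0.0.0.31 10.0.0.0 0.255.255.255",
    "access-list 150 permit ip 192.168.200.0 0.0.0.3 192.168.200.0 0.0.0.3",
)]

# Constructed sample flows (src, dst) using addresses that appear in the configs.
SAMPLE_FLOWS = [
    ("10.44.159.65", "10.44.155.10"),    # remote router LAN address -> main-office syslog host
    ("10.44.159.80", "10.44.155.44"),    # a DHCP client on the remote LAN -> main-office host
    ("192.168.200.2", "192.168.200.1"),  # tunnel endpoint -> tunnel endpoint
    ("10.44.159.80", "212.135.1.36"),    # remote LAN -> Internet DNS server, should stay clear
]

if __name__ == "__main__":
    for name, acl in (("as configured", AS_CONFIGURED), ("corrected", CORRECTED)):
        print(f"== {name} ==")
        print(" /27 hosts selected:", matching_hosts(acl, "10.44.159.64/27", "10.44.155.10"))
        for flow, verdict in classify(acl, SAMPLE_FLOWS).items():
            print(f" {flow[0]:>15} -> {flow[1]:<15} {verdict}")
```

Run stand-alone it prints, for the ACL as configured, a single selected address in the remote /27 (only a last octet whose low five bits are zero satisfies base .0 with wildcard .224) and "clear" for the LAN-to-LAN flows; with the corrected entry all 32 addresses are selected and those flows become "encrypt", while the Internet-bound flow stays "clear" under both.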


Re: Strange wildcard behaviour on VPN access list.

Thanks, you've just confirmed what I suspected. I didn't realise before that the tunnel still operated without encryption.

Aha, something's definitely broken somewhere. The remote router is 10.44.155.65; any traffic from this router's IP is matched by the crypto map. If I telnet into this router I can ping the main router, but can't ping anywhere on the main LAN. So, if I change the .224 to .31 and match the whole remote LAN, they are going to exhibit the same symptoms and effectively drop off the world.

I would rather solve the remote router's ping problem first before changing my crypto map.
