Cisco Support Community
New Member

Access list problem with VPN

I've set up a router-to-router VPN between two Cisco 1720 routers. There will be a third router brought on line soon.

The routers are set up the same: each has an internal FastEthernet interface and an external WIC Ethernet card.

I was having trouble getting traffic through the IPsec tunnel until the access list I use on the external WIC Ethernet card included permit statements for the traffic coming from the other subnet.

I imagine I have something set up wrong. What seems to be happening is that the VPN tunnel is ending at my external WIC card. The router is decrypting the information and then placing it back on the external interface. I then need to add the statement that allows the traffic from the other subnet through the external interface?! This seems like it would open me up to attack from anyone who spoofed my internal IP addresses from the other subnet.

My main question is about the last statement on access-list 103. I would not have thought I needed this statement.

I'm new at this and any help would be appreciated.

Matt J.

The diagram of the networks is like this, but traffic flows in both directions.

internal network -> Router 65.xx.xx.xx -> Internet -> 64.xx.xx.xx router -> internal network

Here is the configuration for the router at one subnet. The router for the other subnet is set up the same except for the subnet information.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxx address
!
crypto ipsec transform-set cm-transformset-1 ah-sha-hmac esp-3des
!
crypto map cm-cryptomap local-address Ethernet0
crypto map cm-cryptomap 1 ipsec-isakmp
 set peer
 set transform-set cm-transformset-1
 match address 100
!
interface Ethernet0
 description connected to Internet
 ip address
 ip access-group 103 in
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 crypto map cm-cryptomap
!
interface FastEthernet0
 description connected to EthernetLAN
 ip address
 ip access-group 101 in
 ip nat inside
 ip inspect FastEthernet_0 in
 speed auto
!
router rip
 version 2
 passive-interface Ethernet0
 no auto-summary
!
ip nat inside source list 102 interface Ethernet0 overload
ip classless
ip route Ethernet0
no ip http server
!
access-list 100 remark Access-List to identify traffic for encryption
access-list 100 remark Match private to private network traffic
access-list 100 permit ip
access-list 100 remark Deny any other traffic from this network
access-list 100 deny ip any
no access-list 101
access-list 101 permit ip any
no access-list 102
access-list 102 remark NAT Source List
access-list 102 deny ip
access-list 102 deny ip
access-list 102 permit ip any
no access-list 103
access-list 103 remark allow access to ipsec protocols from other subnet
access-list 103 permit udp host eq isakmp host
access-list 103 permit ahp host host
access-list 103 permit esp host host
access-list 103 remark anti-spoofing
access-list 103 deny ip any
access-list 103 remark routing protocol
access-list 103 permit udp any eq rip any eq rip
access-list 103 remark domain responses
access-list 103 permit tcp any any eq domain
access-list 103 permit udp any eq domain any eq domain
access-list 103 remark allow icmp protocol
access-list 103 permit icmp any any
access-list 103 remark permit unencrypted data from other subnet
access-list 103 permit ip any
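As an added illustration (not part of the original post), a small Python model of how the inbound access-list 103 is evaluated first against the arriving ESP packet and then, as the poster observed, against the decrypted packet, which is why the final permit was needed. The addresses are constructed because the thread masks the real ones, and the RIP and DNS entries are left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample addressing; the thread's real addresses are masked out.
LOCAL_LAN = "192.168.1.0/24"    # this router's inside (FastEthernet0) subnet
REMOTE_LAN = "192.168.2.0/24"   # the peer router's inside subnet
LOCAL_WAN, PEER_WAN = "65.0.0.1/32", "64.0.0.1/32"  # Ethernet0 addresses

@dataclass
class Ace:
    """One access-list entry. proto 'ip' matches every protocol, as in IOS."""
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "esp", "ahp", "udp", "tcp", "icmp"
    src: str                      # CIDR or "any"
    dst: str
    sport: Optional[int] = None   # "eq <port>" after the source, if present

def _in_net(net: str, addr: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def evaluate(acl, pkt) -> str:
    """IOS ACL semantics: first matching entry wins; implicit deny at the end."""
    for ace in acl:
        if ace.proto not in ("ip", pkt["proto"]):
            continue
        if not (_in_net(ace.src, pkt["src"]) and _in_net(ace.dst, pkt["dst"])):
            continue
        if ace.sport is not None and pkt.get("sport") != ace.sport:
            continue
        return ace.action
    return "deny"

# Abridged model of access-list 103 (RIP and DNS lines omitted)
ACL_103 = [
    Ace("permit", "udp", PEER_WAN, LOCAL_WAN, sport=500),  # isakmp
    Ace("permit", "ahp", PEER_WAN, LOCAL_WAN),
    Ace("permit", "esp", PEER_WAN, LOCAL_WAN),
    Ace("deny", "ip", LOCAL_LAN, "any"),                   # anti-spoofing
    Ace("permit", "icmp", "any", "any"),
    Ace("permit", "ip", REMOTE_LAN, "any"),                # the questioned last line
]

# The ESP packet as it arrives on Ethernet0, and the clear-text packet inside it
ESP_PKT = {"proto": "esp", "src": "64.0.0.1", "dst": "65.0.0.1"}
INNER_PKT = {"proto": "tcp", "src": "192.168.2.5", "dst": "192.168.1.10"}

def inbound_verdicts(acl):
    """The inbound ACL sees the ESP packet and then the decrypted inner packet
    again. Returns the (outer, inner) verdicts."""
    return evaluate(acl, ESP_PKT), evaluate(acl, INNER_PKT)
```

Passing INNER_PKT to evaluate() on its own models the poster's worry: an unencrypted packet from the Internet carrying a spoofed remote-LAN source address matches that same final permit, since the ACL cannot tell it apart from the decrypted tunnel traffic.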



New Member

Re: Access list problem with VPN

I think your problem is with the access-list. Start with only two access-list statements for now, one for the tunnel and the other for the NAT.

access-list 100 permit ip
access-list 102 deny ip
access-list 102 permit ip any

When you add the third site, just include the access-list permit statement for the tunnel and rearrange the NAT access-list, making sure that the permit statement ends the 102 list. From experience, I would advise you to use a route-map statement for your NAT. Example:

ip nat inside source route-map nonat interface Ethernet0 overload
route-map nonat permit 10
 match ip address 102

You have to be careful with applying an access-list on the external interface because you use this for your NAT. You have to list the IPs you want to deny, and you cannot use deny any. Always list the deny statements first and end with a permit. Advice: try to simplify your configuration. If you are using a static route, I don't see any need for RIP.