Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
459
Views
4
Helpful
2
Replies

IP problem with ACL's

alburton
Level 1
Level 1

‎08-11-2002 04:31 PM - edited ‎02-20-2020 09:18 PM

I am having some difficulty configuring a VPN between two Cisco IOS routers. I can establish the VPN and packets are been encrytped, however my problem is when I apply an inbound ACL on the external interface, the VPN end point, the VPN can still establish but the ACL drops the packets. I want the ACL to allow only AH, ESP and ISAKMP but even though these packets are allowed through in order to make the ACL work I also need to add in entries for the unencrypted traffic.

The two routers are 3620's running IOS version 12.2.5d. Below is the router VPN config with the ACL that fails.

crypto isakmp policy 100

hash md5

authentication pre-share

crypto isakmp key ****** address 192.168.63.18

crypto isakmp keepalive 10

!

!

crypto ipsec transform-set test ah-md5-hmac esp-des

!

crypto map mytest 10 ipsec-isakmp

set peer 192.168.63.18

set transform-set test

match address 110

!

interface Ethernet0/0

ip address 192.168.63.17 255.255.255.252

crypto map mytest

!

ip route 192.168.36.32 255.255.255.224 192.168.63.18

!

access-list 101 permit ahp any any

access-list 101 permit esp any any

access-list 101 permit udp any any eq isakmp

access-list 110 permit ip 10.34.16.0 0.0.0.255 192.168.36.0 0.0.0.255

!

So if ACL 101 is applied to e0/0 then packets are dropped. It appears as if the ACL is checked twice, as the packets arrive at the interface and then again after they have been decrypted. This problem seem to be the same for multiple IOS versions that I have tried. 12.2.5, 12.2.3d all IP Plus IPSEC 56.

Anyone come accross this problem before or any ideas would be apprieciated.

Thanks

Justin

Labels:
0 Helpful
2 Replies 2

paqiu
Level 1
Level 1

‎08-11-2002 04:49 PM

Hi Justin,

In the Begining(12.0.x T), the ACL are always checked twice. After the packet decrypted, it will recheck the ACL applied to the interface again.

In some 12.1.x T version, the ACL only check once. When the packet is decrypted, it will not be checked by the ACL again.

But in the latest 12.2 version, I believe DE eventually going back to the original design to increase more sure for the IPSEC tunnel. This is same as 12.2.8T

That means, in all the 12.2 code, the ACL will be checked twice, I believe this will be same in the future 12.2.x release.

Best Regards,

0 Helpful

mjbriggs
Level 1
Level 1

‎11-07-2002 10:09 AM

Hi Justin,

As long as the CAL is exactly symetrical at both ends then it will work , It may be an idea to change to AH to esp-ah just in case you NAT at some point . The config shows 2 ACls so a little unsure which is CAl but if it's 101 then in your example it would be permit ip 192.168.36.0 0.0.0.255 10.34.16.0 0.0.0.255 then reverse this at the network 10.34.16.0 interface .

Good luck

Mike

Customers Also Viewed These Support Documents