I am having some difficulty configuring a VPN between two Cisco IOS routers. I can establish the VPN and packets are being encrypted; however, my problem is when I apply an inbound ACL on the external interface, the VPN endpoint: the VPN can still establish but the ACL drops the packets. I want the ACL to allow only AH, ESP and ISAKMP, but even though these packets are allowed through, in order to make the ACL work I also need to add in entries for the unencrypted traffic.
The two routers are 3620s running IOS version 12.2.5d. Below is the router VPN config with the ACL that fails.
crypto isakmp policy 100
crypto isakmp key ****** address 192.168.63.18
crypto isakmp keepalive 10
!
crypto ipsec transform-set test ah-md5-hmac esp-des
!
crypto map mytest 10 ipsec-isakmp
 set peer 192.168.63.18
 set transform-set test
 match address 110
!
! external interface (e0/0, as referred to below); inbound ACL 101 is applied here
interface Ethernet0/0
 ip address 192.168.63.17 255.255.255.252
 ip access-group 101 in
 crypto map mytest
!
ip route 192.168.36.32 255.255.255.224 192.168.63.18
!
! interface ACL: only the IPsec protocols and ISAKMP
access-list 101 permit ahp any any
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
! crypto ACL: traffic selected for encryption
access-list 110 permit ip 10.34.16.0 0.0.0.255 192.168.36.0 0.0.0.255
So if ACL 101 is applied to e0/0 then packets are dropped. It appears as if the ACL is checked twice: as the packets arrive at the interface, and then again after they have been decrypted. This problem seems to be the same for multiple IOS versions that I have tried: 12.2.5, 12.2.3d, all IP Plus IPSEC 56.
Has anyone come across this problem before? Any ideas would be appreciated.
As long as the ACL is exactly symmetrical at both ends then it will work. It may be an idea to change AH to esp-ah just in case you NAT at some point. The config shows 2 ACLs so I'm a little unsure which is the ACL, but if it's 101 then in your example it would be permit ip 192.168.36.0 0.0.0.255 10.34.16.0 0.0.0.255, then reverse this at the network 10.34.16.0 interface.
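As an added example (not either poster's configuration), here is what a symmetrical pair of configs looks like when the inbound interface ACL on each router carries the extra clear-text entry the reply describes, so that the packet passes the ACL both when it arrives as ESP/AH and again after decryption. It goes slightly beyond the thread by restricting the AH/ESP/ISAKMP entries to the two peer addresses instead of any any; the interface name on the far router is an assumption.

```cisco
! Router A, outside address 192.168.63.17, LAN 10.34.16.0/24 (example, not the poster's config)
! Interface ACL: IPsec control and data channels only from the known peer
access-list 101 permit ahp host 192.168.63.18 host 192.168.63.17
access-list 101 permit esp host 192.168.63.18 host 192.168.63.17
access-list 101 permit udp host 192.168.63.18 host 192.168.63.17 eq isakmp
! Clear-text entry: the decrypted inner packet is checked against this same ACL
access-list 101 permit ip 192.168.36.0 0.0.0.255 10.34.16.0 0.0.0.255
! Crypto ACL: what gets encrypted towards the peer
access-list 110 permit ip 10.34.16.0 0.0.0.255 192.168.36.0 0.0.0.255
!
interface Ethernet0/0
 ip address 192.168.63.17 255.255.255.252
 ip access-group 101 in
 crypto map mytest
!
! Router B, outside address 192.168.63.18, LAN 192.168.36.0/24: the mirror image
access-list 101 permit ahp host 192.168.63.17 host 192.168.63.18
access-list 101 permit esp host 192.168.63.17 host 192.168.63.18
access-list 101 permit udp host 192.168.63.17 host 192.168.63.18 eq isakmp
! Clear-text entry, source and destination reversed relative to Router A
access-list 101 permit ip 10.34.16.0 0.0.0.255 192.168.36.0 0.0.0.255
! Crypto ACL, reversed relative to Router A so the two selectors match exactly
access-list 110 permit ip 192.168.36.0 0.0.0.255 10.34.16.0 0.0.0.255
!
interface Ethernet0/0
 ! interface name on Router B is assumed
 ip address 192.168.63.18 255.255.255.252
 ip access-group 101 in
 crypto map mytest
```

The clear-text entries only admit traffic that the crypto ACL on the other side would have encrypted, so they do not open the interface to unencrypted packets arriving from anywhere else.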