New Member

Lan-to-LAN tunnel (IOS - VPN 3000) ICMP problem.

Hi

I have configured a LAN to LAN tunnel between a 3005 and an 837 ADSL router. The tunnel works fine for TCP/UDP applications but I cannot ping between the remote site and the central office (initiating from either end). The ICMP echo packet is denied by the access list on the public interface of the 837. I don't know why this is, as it comes through the encrypted tunnel. Ping works fine IF I remove the "ip nat outside" statement from the interface dialer0 (as below)??

Any pointers?

Config as follows:

version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cj-192.168.150.1
!
boot-start-marker
boot-end-marker
!
logging buffered 16384 debugging
no logging console
enable secret 5 xxx
!
username xxxx password 7 xxxx
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
no aaa new-model
ip subnet-zero
no ip source-route
no ip icmp rate-limit unreachable
ip tcp path-mtu-discovery
no ip domain lookup
ip domain name xxx
ip host helsinki xxx
ip host vpn3005 xxx
ip host publicip xxx
!
!
no ip bootp server
ip inspect name fwout cuseeme
ip inspect name fwout ftp
ip inspect name fwout http
ip inspect name fwout skinny
ip inspect name fwout tcp
ip inspect name fwout udp
ip inspect name fwout vdolive
ip inspect name fwout fragment maximum 256 timeout 1
ip inspect name fwout h323
ip inspect name fwout netshow
ip inspect name fwout icmp
ip inspect name fwout realaudio
ip inspect name fwout smtp
ip inspect name fwout sqlnet
ip inspect name fwout streamworks
ip inspect name fwout rcmd
ip inspect name fwout rtsp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxx address xxxx
!
!
crypto ipsec transform-set office-set esp-3des esp-sha-hmac
!
crypto map office-map 10 ipsec-isakmp
 set peer xxxx
 set security-association lifetime kilobytes 10000
 set security-association lifetime seconds 28800
 set transform-set office-set
 set pfs group2
 match address TO-OFFICE
!
!
!
!
interface Ethernet0
 ip address 192.168.150.1 255.255.255.252
 ip access-group OUTBOUND in
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip inspect fwout in
 no ip route-cache
 no ip mroute-cache
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 atm vc-per-vp 256
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface Dialer0
 ip address negotiated
 ip access-group INBOUND in
 no ip redirects
 no ip proxy-arp
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 dialer string 37
 ppp chap hostname xxxxxxxx
 ppp chap password 7 xxxxxxx
 crypto map office-map
!
ip nat inside source list NONAT interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
!
ip access-list extended INBOUND
 permit esp host xxxx host xxxx
 permit udp host xxxx eq isakmp host xxxx eq isakmp
 permit tcp host xxxx host xxxx eq 22 log
 permit tcp host xxxx host xxxx eq telnet log
 permit icmp any host xxxx echo-reply
 permit icmp any host xxxx unreachable
 permit icmp any host xxxx ttl-exceeded
 permit icmp any host xxxx source-quench
 permit udp host xxxx eq ntp host xxxx eq ntp
 permit udp host xxxx eq ntp host xxxx eq ntp
 deny ip any any log
ip access-list extended NONAT
 deny ip 192.168.150.0 0.0.1.255 10.0.0.0 0.0.0.255
 permit ip 192.168.150.0 0.0.1.255 any
 deny ip any any
ip access-list extended OUTBOUND
 permit ip 192.168.150.0 0.0.1.255 any
 deny ip any any
ip access-list extended TO-OFFICE
 permit ip 192.168.150.0 0.0.0.3 10.0.0.0 0.0.0.255
access-list 1 permit xxxx
access-list 2 permit 137.33.0.0 0.0.255.255
no cdp run
!
control-plane
!
!
line con 0
 no modem enable
 transport preferred all
 transport output all
 stopbits 1
line aux 0
 transport preferred all
 transport output all
 stopbits 1
line vty 0 4
 access-class 1 in
 login local
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
sntp server xxxx
sntp server xxxx
!
end

Thanks in advance.

2 REPLIES
New Member

Re: Lan-to-LAN tunnel (IOS - VPN 3000) ICMP problem.

I have done some more testing and, having removed NAT completely, I still get the same problem. Packets are decrypted but are denied by the INBOUND acl. I have since added statements for the LAN to LAN private traffic to the INBOUND acl and it works ok now.

access-list INBOUND permit ip

Is this correct? Why isn't traffic that comes through the tunnel allowed to bypass the acl?

New Member

Re: Lan-to-LAN tunnel (IOS - VPN 3000) ICMP problem.

Answering my own problem here!

Yes it is correct

See bug id CSCdz54626
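To make the behaviour in this thread concrete, here is an added Python model (not from the post, and not Cisco's code) of the INBOUND ACL being applied first to the ESP packet from the peer and then again to the decrypted inner packet, which is what the replies describe. The public addresses PEER and WAN are constructed placeholders for the xxxx values in the config, and the 10.0.0.20 and 192.168.150.2 hosts are assumed.

```python
import ipaddress

# Constructed placeholders for the xxxx'd public addresses in the posted config.
PEER, WAN = "203.0.113.5", "198.51.100.7"

def match(addr, spec, wildcard="0.0.0.0"):
    """IOS wildcard-mask match: bits set in the wildcard are 'don't care'."""
    if spec == "any":
        return True
    a, s, w = (int(ipaddress.IPv4Address(x)) for x in (addr, spec, wildcard))
    return (a & ~w) == (s & ~w)

def evaluate(acl, pkt):
    """First matching entry wins; the list ends with an implicit deny.
    Entries: (action, proto, src, src_wild, dst, dst_wild, icmp_type).
    Layer-4 ports are not modelled; they do not affect the ICMP case."""
    for action, proto, src, sw, dst, dw, icmp_type in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if icmp_type and pkt.get("icmp_type") != icmp_type:
            continue
        if match(pkt["src"], src, sw) and match(pkt["dst"], dst, dw):
            return action
    return "deny"

# The INBOUND list from the thread, reduced to the entries relevant here.
INBOUND = [
    ("permit", "esp", PEER, "0.0.0.0", WAN, "0.0.0.0", None),
    ("permit", "udp", PEER, "0.0.0.0", WAN, "0.0.0.0", None),      # isakmp
    ("permit", "icmp", "any", "0.0.0.0", WAN, "0.0.0.0", "echo-reply"),
    ("deny", "ip", "any", "0.0.0.0", "any", "0.0.0.0", None),
]
# The poster's fix: explicitly permit the LAN-to-LAN private traffic,
# inserted ahead of the final deny (office LAN -> remote /30).
FIXED = INBOUND[:-1] + [
    ("permit", "ip", "10.0.0.0", "0.0.0.255", "192.168.150.0", "0.0.0.3", None)
] + INBOUND[-1:]

def tunnel_ping_result(acl):
    """(outer verdict, inner verdict): the ESP packet from the peer is checked
    first, then the decrypted echo request from the office LAN is checked
    against the same interface ACL. Both must be 'permit' for ping to work."""
    outer = {"proto": "esp", "src": PEER, "dst": WAN}
    inner = {"proto": "icmp", "src": "10.0.0.20",
             "dst": "192.168.150.2", "icmp_type": "echo"}
    return evaluate(acl, outer), evaluate(acl, inner)

if __name__ == "__main__":
    print("as posted:", tunnel_ping_result(INBOUND))   # ('permit', 'deny')
    print("with fix: ", tunnel_ping_result(FIXED))     # ('permit', 'permit')
```

The ESP packet passes either way; only the second check, on the decrypted inner packet, distinguishes the two lists.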
