10-25-2002 02:48 PM - edited 02-21-2020 12:08 PM
Hi,
We have a 1721 router at a remote site connecting to a VPN3000 concentrator using pre-shared key and DES as encryption.
Internal addressing at central site is 172.16.x.x.
On 1721 ethernet0 has ip address x.x.x.x connected to VPN 3000 public interface y.y.y.y
On 1721 i have also applied an Incoming Access List that only permits packets from y.y.y.y and denies everything else.
But with this configuration the tunnel is established, yet the packets from the 172.16.x.x network are blocked. If I add a "permit" entry for the 172.16.x.x network in the access list, then everything works.
However, this would cause a problem: even if I get 172.16.x.x packets from outside the tunnel (i.e. outside of our central office), they will also be allowed. I know that this is a remote possibility, but there are some networks that don't block outgoing packets destined for private address space.
It seems to me that the router first decrypts the packets and then applies the access list rules?
Is there a workaround for this? Or am I missing some configuration step?
10-25-2002 04:12 PM
What version of code are you running on the 1721?
Thanks
Nairi
10-25-2002 09:44 PM
Hi,
Thanks for the reply. Version is 12.2(11)T, which is pretty recent.
10-27-2002 07:06 PM
There is a bug open for this issue. The bug id is CSCdm01118. It is not fixed yet. You have the option of allowing the private networks in the ACL or to use GRE over IPSEC.
Hope this helps,
-Nairi
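The GRE-over-IPsec workaround mentioned in the reply above, shown as an added configuration example for the 1721 side only; it is not configuration from the thread or from Cisco, and it assumes the far end can terminate the GRE tunnel (the thread does not confirm this for the VPN 3000). The ACL numbers, the tunnel addressing (192.168.255.0/30) and the key name EXAMPLE-PSK are placeholders; x.x.x.x and y.y.y.y are the addresses from the original post. The point of the layout is that the physical-interface ACL keeps admitting only the concentrator's address (IKE, ESP and, after decryption, GRE from y.y.y.y), while the private 172.16.x.x traffic is filtered on the tunnel interface, where it can only arrive after decapsulation.

```cisco
! Added example, not from the thread: IKE with pre-shared key and DES, as in the post
crypto isakmp policy 10
 encryption des
 authentication pre-share
 group 1
crypto isakmp key EXAMPLE-PSK address y.y.y.y
!
crypto ipsec transform-set TS esp-des esp-sha-hmac
!
! Crypto ACL: with GRE over IPsec it matches the GRE flow between the endpoints,
! not the private subnets behind them
access-list 110 permit gre host x.x.x.x host y.y.y.y
!
crypto map VPN 10 ipsec-isakmp
 set peer y.y.y.y
 set transform-set TS
 match address 110
!
! GRE tunnel carried inside the IPsec SA; tunnel addressing is a placeholder
interface Tunnel0
 ip address 192.168.255.1 255.255.255.252
 tunnel source Ethernet0
 tunnel destination y.y.y.y
 ip access-group 120 in
!
interface Ethernet0
 ip address x.x.x.x 255.255.255.0
 ip access-group 100 in
 crypto map VPN
!
! Physical interface: only IKE, ESP and (post-decryption) GRE from the concentrator.
! No entry for 172.16.0.0/16 is needed here, so spoofed private-address packets
! arriving in the clear are still dropped.
access-list 100 permit udp host y.y.y.y eq isakmp host x.x.x.x eq isakmp
access-list 100 permit esp host y.y.y.y host x.x.x.x
access-list 100 permit gre host y.y.y.y host x.x.x.x
access-list 100 deny ip any any log
!
! Tunnel interface: filter the decapsulated central-site traffic here
access-list 120 permit ip 172.16.0.0 0.0.255.255 any
access-list 120 deny ip any any log
!
! Send central-site traffic into the tunnel
ip route 172.16.0.0 255.255.0.0 Tunnel0
```

Remaining caveat: ACL 100 still accepts unencrypted GRE from y.y.y.y, so a packet with a spoofed source of y.y.y.y could reach Tunnel0 in the clear; the `deny ... log` entries make such attempts visible in the logs, and the far-side mask on Ethernet0 should be replaced with the real one.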
10-28-2002 09:13 AM
Thanks. This was very helpful.