VPN endpoint not routing encapsulated traffic to a host on the same subnet

Hi,

I have an issue, which I'm having trouble solving:

We have an internet-facing webserver, which needs to be accessible to the world. Also hosted on this server (under a different domain name) is another website which carries sensitive data from an upstream provider; we have set up a VPN to tunnel this traffic safely over the internet (HTTPS isn't an option, unfortunately). The VPN terminates on the same subnet as the web server.

The tunnel comes up OK, and I can see traffic emerging on it: I have set up NetFlow on the VPN router, and can see packets destined for the webserver, coming from the encapsulated hosts. However, the packets never make it beyond the VPN endpoint - they just disappear.

I can telnet into the webserver on port 80 directly from the VPN box fine, so connectivity is there. It just doesn't route tunnelled data out.

The guts of it is this:

10.0.0.0/27 (origin servers) --> 10.0.1.1/32 (remote VPN endpoint) <-- INTERNET --> 10.10.1.2/29 (local VPN endpoint) --> 10.10.1.3/29 (destination host)

Does anyone have any ideas as to why my system isn't routing correctly? I have tried a number of things, but haven't had any luck as yet.

Below is a fairly typical version of my config (it's constantly changing while I try to fix the issue, but is always very similar to the below).

I started from scratch, so if there's a line that doesn't make sense, odds are I added it trying to solve this issue (i.e., it isn't the cause!)

I've modified the IPs (10.0 is remote, 10.10 is local), so if I've got inconsistencies or the wrong IP/netmask logic anywhere, that's the only reason.

version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname <host>
!
boot-start-marker
boot system flash c2600-ik9s-mz.123-20.bin
boot system flash c2600-ipbase-mz.123-11.T3.bin
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 <hash>
!
no network-clock-participate slot 1
no network-clock-participate wic 0
aaa new-model
!
!
aaa session-id common
ip subnet-zero
ip cef
!
!
no ip domain lookup
ip domain name <domain>
!
ip accounting-list 0.0.0.0 255.255.255.255
rlogin trusted-remoteuser-source local
rlogin trusted-localuser-source local
!
!
username <secret>
!
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key <PSK> address 10.0.1.1
crypto isakmp nat keepalive 3600
crypto isakmp aggressive-mode disable
!
crypto ipsec security-association lifetime seconds 4000
!
crypto ipsec transform-set xform_esp-3des-sha esp-3des esp-sha-hmac
!
crypto map tunnel local-address FastEthernet0/0
crypto map tunnel 10 ipsec-isakmp
 set peer 10.0.1.1
 set transform-set xform_esp-3des-sha
 match address 100
!
!
interface FastEthernet0/0
 description EXT
 ip address 10.10.1.2 255.255.255.224
 ip broadcast-address 10.10.1.7
 ip access-group 10 in
 ip access-group 20 out
 ip flow ingress
 ip route-cache flow
 duplex auto
 speed 100
 crypto map tmobile
!
no ip http server
no ip http secure-server
ip flow-export destination <host> <port>
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.1.1
!
!
access-list 10 permit 10.0.0.1
access-list 10 permit 10.10.1.0 0.0.0.31
access-list 20 permit any
access-list 100 permit ip host 10.0.0.20 host 10.10.1.3
access-list 100 permit ip host 10.0.0.21 host 10.10.1.3
access-list 100 permit ip host 10.0.0.27 host 10.10.1.3
access-list 100 permit ip host 10.0.0.28 host 10.10.1.3
access-list 100 permit ip host 10.10.1.3 host 10.0.0.20
access-list 100 permit ip host 10.10.1.3 host 10.0.0.21
access-list 100 permit ip host 10.10.1.3 host 10.0.0.27
access-list 100 permit ip host 10.10.1.3 host 10.0.0.28
!
!
line con 0
line aux 0
line vty 0 4
 password 7 <hex>
 transport input telnet ssh
!
ntp clock-period 17207934
ntp server 158.43.128.66
!
end

1 Reply

Does anybody have any ideas about this?

I'm completely stumped - according to all the Cisco documentation I can find, this setup should be working. I just can't figure out why it isn't!

I have established connectivity at all other points in the chain - the only thing stopping this from working is getting the packets off the Cisco!

Please help!
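An added example, not part of this thread and not Cisco code: a small Python lint that applies the consistency checks a reviewer would run over a crypto-map configuration like the one posted above. It works on a constructed config modelled on the posted one (the thread's placeholder IPs, with IOS indentation restored) and reports three things. First, a crypto map named under an interface that is never defined (the posted config defines `tunnel` but applies `tmobile`). Second, a crypto ACL entry written from the remote side: such an entry also matches the decrypted inner packet when it is routed back out through the crypto interface, which is exactly what happens when the destination host sits on the same subnet as that interface, so the packet is handed back to IPsec instead of being delivered. Third, an inbound ACL on the crypto interface that does not permit the remote source addresses; this matters on IOS releases that evaluate the inbound ACL a second time against the decrypted packet (Cisco removed that second evaluation with the "Crypto Access Check on Clear-Text Packets" feature in 12.3(8)T, and whether a given image still performs it is something to confirm for that release). Only numbered ACLs and `permit ip <src> <dst>` crypto entries are handled; the corrected config also permits the IKE/ESP peer inbound, which the lint itself does not check.

```python
# Added example for this thread (not Cisco code): a consistency lint for an IOS crypto-map
# config. POSTED_STYLE is constructed to mirror the posted config (placeholder IPs, IOS indentation).
import ipaddress

POSTED_STYLE = """\
crypto map tunnel local-address FastEthernet0/0
crypto map tunnel 10 ipsec-isakmp
 set peer 10.0.1.1
 match address 100
!
interface FastEthernet0/0
 ip address 10.10.1.2 255.255.255.224
 ip access-group 10 in
 crypto map tmobile
!
access-list 10 permit 10.0.0.1
access-list 100 permit ip host 10.0.0.20 host 10.10.1.3
access-list 100 permit ip host 10.10.1.3 host 10.0.0.20
"""
# Same topology with the map name on the interface matched, the reversed crypto ACL
# entry removed, and the inbound ACL permitting the IKE/ESP peer and the remote hosts.
CORRECTED = (POSTED_STYLE
    .replace("crypto map tmobile", "crypto map tunnel")
    .replace("access-list 100 permit ip host 10.0.0.20 host 10.10.1.3\n", "")
    .replace("access-list 10 permit 10.0.0.1\n",
             "access-list 10 permit 10.0.1.1\naccess-list 10 permit 10.0.0.16 0.0.0.15\n"))

def addr_spec(tok, i):
    # ACL address spec at tok[i] (any | host A | A [wildcard]) -> (network, next index)
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    has_wild = i + 1 < len(tok) and tok[i + 1].count(".") == 3
    wild = int(ipaddress.IPv4Address(tok[i + 1])) if has_wild else 0
    if wild & (wild + 1):
        raise ValueError("non-contiguous wildcard mask: " + tok[i + 1])
    net = ipaddress.IPv4Network((int(ipaddress.IPv4Address(tok[i])) & ~wild, 32 - wild.bit_length()))
    return net, i + 1 + has_wild

def acl_permits(entries, number, source):
    # First-match evaluation on the source address only (a protocol or port qualifier
    # in an extended ACL counts as matching); implicit deny at the end, as on the router.
    source = ipaddress.IPv4Address(source)
    extended = 100 <= int(number) <= 199 or 2000 <= int(number) <= 2699
    for tok in entries:
        net, _ = addr_spec(tok, 2 if extended else 1)
        if source in net:
            return tok[0] == "permit"
    return False

def build_model(text):
    # Collect crypto maps, interfaces and numbered ACLs; indented lines belong to the
    # preceding top-level command, as in 'show running-config'.
    maps, ifaces, acls, cur = {}, {}, {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if raw[0].isspace() and cur is not None:
            if tok[:2] == ["match", "address"]:
                cur["acls"].append(tok[2])
            elif tok[:2] == ["crypto", "map"]:
                cur["crypto_map"] = tok[2]
            elif tok[:2] == ["ip", "access-group"] and tok[3:4] == ["in"]:
                cur["acl_in"] = tok[2]
            elif tok[:2] == ["ip", "address"] and len(tok) > 3:
                cur["net"] = ipaddress.IPv4Network(f"{tok[2]}/{tok[3]}", strict=False)
            continue
        cur = None
        if tok[:2] == ["crypto", "map"] and len(tok) > 3:
            cur = maps.setdefault(tok[2], {"acls": [], "local_if": None})
            if tok[3] == "local-address":
                cur["local_if"] = tok[4]
        elif tok[0] == "interface":
            cur = ifaces.setdefault(tok[1], {"crypto_map": None, "acl_in": None, "net": None})
        elif tok[0] == "access-list":
            acls.setdefault(tok[1], []).append(tok[2:])
    return maps, ifaces, acls

def lint(text):
    # Returns (code, detail) findings; an empty list means every check passed.
    maps, ifaces, acls = build_model(text)
    applied = {i["crypto_map"]: n for n, i in ifaces.items() if i["crypto_map"]}
    out = [("MAP_UNDEFINED", f"{applied[x]} applies crypto map '{x}'; defined maps: {sorted(maps)}") for x in sorted(set(applied) - set(maps))]
    for mname, m in maps.items():
        iface = ifaces.get(applied.get(mname) or m["local_if"])  # fall back to local-address
        if iface is None or iface["net"] is None:
            continue
        acl_in = iface["acl_in"]
        inbound = acls.get(acl_in) if acl_in else None  # no (or undefined) ACL: permit all
        for tok in [e for a in m["acls"] for e in acls.get(a, [])]:  # 'permit ip <src> <dst>'
            src, j = addr_spec(tok, 2)
            dst, _ = addr_spec(tok, j)
            if dst.subnet_of(iface["net"]) and not src.subnet_of(iface["net"]):
                out.append(("CRYPTO_ACL_REVERSED", f"'{' '.join(tok)}': decrypted {src} -> {dst} exits the crypto interface, matches this entry and is handed back to IPsec"))
            elif inbound is not None and not acl_permits(inbound, acl_in, dst.network_address):
                out.append(("INBOUND_ACL_BLOCKS_INNER", f"ACL {acl_in} in drops decrypted packets from {dst.network_address}"))
    return out
```

Calling `lint(POSTED_STYLE)` on the constructed config returns one finding of each kind (MAP_UNDEFINED, CRYPTO_ACL_REVERSED, INBOUND_ACL_BLOCKS_INNER), and `lint(CORRECTED)` returns an empty list; `build_model` accepts the text of a real `show running-config` as long as the indentation is intact.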
