Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN tunnel does not allow all traffic to pass through

Hi,

I have setup a VPN tunnel between a 515E & an 857 router. The tunnel is established via the internet and hosts on both ends can ping each other. The 515E is the hub device. All sites connect to this firewall. The 857 router is placed at a remote site.

The problem i have is that although the tunnel is established, it seems that the connectivity is not as it should be. When I run a port scan from one of the servers at the central site to a device on the remote site, the scan results tell me that none of the ports are open. For example I scanned the 857 router. Although it has telnet and http enabled, The scan result was that the host was alive but no ports are open. Because of this, I am unable to remotely administer WinXP desktops and network printers at the remote site. The pix firewall has sysopt enabled. I have not enabled the firewall feature on the router neither have i added any access lists which would cause any traffic restrictions. Can you think of any reason why this behaviour would occur?

--------------------------------------------------------

1.The 515E configuration related to the remote site is as follows.

2.access-list outside_cryptomap_40 extended permit ip 10.112.1.0 255.255.255.0 10.112.60.0 255.255.255.0

3.crypto ipsec transform-set 10.112.60.0 esp-aes-256 esp-sha-hmac

4.crypto map outside_map 40 set transform-set 10.112.60.0

5.access-list inside_nat0_outbound extended permit ip 10.112.1.0 255.255.255.0 10.112.60.0 255.255.255.0

6.crypto map outside_map 40 set peer 165.228.x.x

7.crypto map outside_map 40 set transform-set 165.228.x.x

8.sysopt connection permit-ipsec

-------------------------------------------------------

The VPN config on the 857 router is:

crypto isakmp policy 2

encr aes 256

authentication pre-share

group 2

crypto isakmp key tritest address 218.185.x.x

!

!

crypto ipsec transform-set tritest esp-3des esp-md5-hmac

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to218.185.x.x

set peer 218.185.x.x

set transform-set tritest

match address 100

ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload

!

access-list 1 remark SDM_ACL Category=16

access-list 1 permit 10.112.60.0 0.0.0.255

access-list 100 remark SDM_ACL Category=4

access-list 100 remark IPSec Rule

access-list 100 permit ip 10.112.60.0 0.0.0.255 10.112.1.0 0.0.0.255

access-list 101 remark SDM_ACL Category=2

access-list 101 remark IPSec Rule

access-list 101 deny ip 10.112.60.0 0.0.0.255 10.112.1.0 0.0.0.255

access-list 101 permit ip 10.112.60.0 0.0.0.255 any

route-map SDM_RMAP_1 permit 1

match ip address 101

Thanks

1 REPLY
New Member

Re: VPN tunnel does not allow all traffic to pass through

Why do you have following command on the PIX?

crypto map outside_map 40 set transform-set 165.228.x.x

-------------------------------------------

Also you have this transform set on the PIX:

crypto ipsec transform-set 10.112.60.0 esp-aes-256 esp-sha-hmac

This does not match the transfor set on the router:

crypto ipsec transform-set tritest esp-3des esp-md5-hmac

---------------------------------------------

Where are you using the access-list/route-map

101 ?

319
Views
0
Helpful
1
Replies