Cisco Support Community

New Member

Site to Site IPsec VPN problem while access http traffic

Hi,

I cannot access web traffic after establishing the site-to-site IPsec VPN, but I can access HTTPS. I have tried so many times a site-to-site IPsec VPN between Cisco 3825 and 1812 routers, but cannot find out the exact problem. My network topology is attached herewith. BO and HO are Cisco routers where I have tried to set up a site-to-site IPsec VPN between BO and HO. At HO a Fortinet is used as firewall and edge router. The DMZ (mail server, Active Directory, web server etc.) is connected via the firewall. VPN Phase 1 and Phase 2 seem to be up and working perfectly; while debugging I cannot find any problem. I can ping all the DMZ as well as the internet with jumbo frames and can access HTTPS and mail, but cannot browse HTTP and AD (Active Directory) while using the site-to-site IPsec VPN between them. If I remove the VPN then it works perfectly. Can you please advise me?

8 REPLIES
Hall of Fame Super Silver

Re: Site to Site IPsec VPN problem while access http traffic

Given the description of the symptoms I would guess that the most probable cause of the problem was something in the access list used on the routers to identify traffic which should be encrypted. Can you post the access list from each of the routers?

It might also be helpful if you could post the other parts of the configuration for the site to site VPN.

HTH

Rick

New Member

Re: Site to Site IPsec VPN problem while access http traffic

Hi Richard,

The configuration of IPsec between HO and BO is as follows.

HO

--------

The networks 192.168.0.0/24, 192.168.1.0/24, 192.168.5.0/24, 192.168.18.0/24, 192.168.100.0/24 and 192.168.204.0/24 are my DMZ networks, 192.168.254.0/24 is my P2P network between BO and HO, and 192.168.253.0/24 is my BO LAN network.

crypto isakmp policy 102
encr 3des
authentication pre-share
group 5
crypto isakmp key abc123 address 192.168.254.2

!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
!
crypto map mymap 101 ipsec-isakmp
set peer 192.168.254.2
set transform-set ESP-3DES-SHA
match address 100

access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.5.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.18.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.204.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 deny ip any any

BO

-------

crypto isakmp policy 102
encr 3des
authentication pre-share
group 5
crypto isakmp key abc123 address 192.168.254.1

!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
!
crypto map mymap 101 ipsec-isakmp
set peer 192.168.254.1
set transform-set ESP-3DES-SHA
match address 100

access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.204.0 0.0.0.255

New Member

I think I have the same

I think I have the same problem. Can you remember your solution for this?

Thanks

Super Bronze

Re: Site to Site IPsec VPN problem while access http traffic

How are you trying to access those HTTP and AD services, via DNS or IP address?

You would also have to make sure that the IP addresses you use to access them are part of your crypto ACL while trying to access them via the VPN.

Also, you would have to make sure that the return traffic from those HTTP and AD servers goes back to the VPN routers.
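
As an added check (not code from any poster in this thread), the two crypto ACLs posted above are parsed and compared in Python: a flow is only encrypted when it matches the local ACL and the peer's ACL mirrors it. The client 192.168.253.10 and server 192.168.1.20 in the lookups are assumed sample hosts.

```python
import ipaddress
# Crypto ACLs copied from the replies above (constructed inline so the check
# runs offline); 192.168.253.0/24 is the BO LAN, the others are HO networks.
HO_ACL = """\
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.5.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.18.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.204.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 deny ip any any
"""
BO_ACL = """\
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.204.0 0.0.0.255
"""

def _net(tokens):
    """One address spec: 'any' or 'A.B.C.D WILDCARD' (contiguous wildcard only)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # ipaddress reads a host mask such as 0.0.0.255 directly as the mask part
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(text):
    """'access-list N permit|deny ip SRC DST' lines -> [(action, src, dst)]."""
    rules = []
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 4 and p[0] == "access-list" and p[3] == "ip":
            src, rest = _net(p[4:])
            dst, _ = _net(rest)
            rules.append((p[2], src, dst))
    return rules

def lookup(rules, src_ip, dst_ip):
    """First match wins; every IOS ACL ends with an implicit deny."""
    s_ip, d_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return next((a for a, s, d in rules if s_ip in s and d_ip in d), "deny")

def is_mirror(local, remote):
    """Permits must mirror the peer's, or one side encrypts flows the other rejects."""
    l = {(s, d) for a, s, d in local if a == "permit"}
    r = {(d, s) for a, s, d in remote if a == "permit"}
    return l == r, sorted(f"{s}->{d}" for s, d in l - r), sorted(f"{s}->{d}" for s, d in r - l)
```

A server whose address falls outside every permit (for example one in 192.168.2.0/24) is routed in the clear or dropped, which is the symptom Jennifer's reply asks the poster to rule out.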

New Member

Re: Site to Site IPsec VPN problem while access http traffic

Hi Jennifer,

I am testing access to the web server and AD via IP as well as DNS but without success. As far as I know, the return traffic also goes via the VPN. The HTTP and HTTPS services are both hosted on the same machine; I can access HTTPS but cannot access HTTP and AD.

Super Bronze

Re: Site to Site IPsec VPN problem while access http traffic

Can you please share the router configuration? Do you have any ACL that might block traffic other than HTTPS? What about the server itself?

Is there any personal/server firewall that might be blocking HTTP and AD access? Are you able to telnet to port 80 on the server's private IP address?

New Member

Re: Site to Site IPsec VPN problem while access http traffic

The configuration of IPsec between HO and BO is as follows.

HO

--------

The networks 192.168.0.0/24, 192.168.1.0/24, 192.168.5.0/24, 192.168.18.0/24, 192.168.100.0/24 and 192.168.204.0/24 are my DMZ networks, 192.168.254.0/24 is my P2P network between BO and HO, and 192.168.253.0/24 is my BO LAN network.

crypto isakmp policy 102
encr 3des
authentication pre-share
group 5
crypto isakmp key abc123 address 192.168.254.2

!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
!
crypto map mymap 101 ipsec-isakmp
set peer 192.168.254.2
set transform-set ESP-3DES-SHA
match address 100

access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.5.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.18.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.204.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 deny ip any any

BO

-------

crypto isakmp policy 102
encr 3des
authentication pre-share
group 5
crypto isakmp key abc123 address 192.168.254.1

!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
!
crypto map mymap 101 ipsec-isakmp
set peer 192.168.254.1
set transform-set ESP-3DES-SHA
match address 100

access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.204.0 0.0.0.255

I can telnet to port 80 of the HTTP server. The web server is Windows 2003 Server; I have disabled the default firewall also. There is no ACL policy except the interesting traffic. I can easily access HTTP and AD if I bypass the VPN. Is there any parameter missing in my configuration?

Super Bronze

Re: Site to Site IPsec VPN problem while access http traffic

If you can telnet to port 80 on the web server through the VPN tunnel, that means that as far as network connectivity through the VPN tunnel is concerned, it is working just fine.

It is probably more of an application-layer issue with HTTP. I assume that you have no proxy server or anything else that might be the issue, right?

What about checking the logs on the Windows 2003 server itself? It might give you some clue as to why HTTP via browser is not working.
