Cisco Support Community
Community Member

VPN access list and internet access list troubles.

Hi All,

I can't seem to find where I'm going wrong. I have a site-to-site VPN tunnel that works and passes traffic, but as soon as I add another access list to allow internet-bound traffic out, nothing passes through the tunnel any more. What am I missing?

! NAT: translate traffic matched by ACL 101 to the single pool address
ip nat pool _Int 217.10.175.100 217.10.175.100 prefix-length 24
ip nat inside source list 101 pool _Int overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet1 217.10.176.xxx permanent
!
! Crypto ACL: the traffic that is to be encrypted into the site-to-site tunnel
ip access-list extended VPN-TRAFFIC
 permit ip 10.82.175.0 0.0.0.255 10.82.128.0 0.0.31.255
 permit ip 10.82.175.0 0.0.0.255 10.82.160.0 0.0.7.255
 permit ip 10.82.175.0 0.0.0.255 10.82.168.0 0.0.3.255
 permit ip 10.82.175.0 0.0.0.255 10.82.172.0 0.0.1.255
 permit ip 10.82.175.0 0.0.0.255 10.82.174.0 0.0.0.255
 permit ip 192.168.224.200 0.0.0.7 any
 permit ip 192.168.224.200 0.0.0.7 10.82.128.0 0.0.31.255
 permit ip 192.168.224.200 0.0.0.7 10.82.160.0 0.0.7.255
 permit ip 192.168.224.200 0.0.0.7 10.82.168.0 0.0.3.255
 permit ip 192.168.224.200 0.0.0.7 10.82.172.0 0.0.1.255
 permit ip 192.168.224.200 0.0.0.7 10.82.174.0 0.0.0.255
!
! NAT ACL: the traffic that "ip nat inside source list 101" translates
access-list 101 permit tcp 10.82.175.0 0.0.0.255 any eq 443
access-list 101 permit tcp 10.82.175.0 0.0.0.255 any eq www
access-list 101 permit udp 10.82.175.0 0.0.0.255 any eq domain
access-list 101 permit icmp 10.82.175.0 0.0.0.255 any

Any help is appreciated,

Thanks,

Joel

1 REPLY
Community Member

try to deny tcp/udp/icmp

Try to deny TCP/UDP/ICMP traffic to the remote sites in ACL 101, the NAT ACL. Put the deny rules at the top of ACL 101.

! Rebuild ACL 101 with the deny entries first: an ACL is evaluated top down
! and the first matching entry wins, so the exemptions must precede the permits
no access-list 101
!
! Exempt TCP/UDP/ICMP traffic to each VPN subnet from NAT
access-list 101 deny tcp 10.82.175.0 0.0.0.255 10.82.128.0 0.0.31.255 eq 443
access-list 101 deny tcp 10.82.175.0 0.0.0.255 10.82.128.0 0.0.31.255 eq www
access-list 101 deny udp 10.82.175.0 0.0.0.255 10.82.128.0 0.0.31.255 eq domain
access-list 101 deny tcp 10.82.175.0 0.0.0.255 10.82.160.0 0.0.7.255 eq 443
access-list 101 deny tcp 10.82.175.0 0.0.0.255 10.82.160.0 0.0.7.255 eq www
access-list 101 deny udp 10.82.175.0 0.0.0.255 10.82.160.0 0.0.7.255 eq domain
access-list 101 deny tcp 10.82.175.0 0.0.0.255 10.82.168.0 0.0.3.255 eq 443
access-list 101 deny tcp 10.82.175.0 0.0.0.255 10.82.168.0 0.0.3.255 eq www
access-list 101 deny udp 10.82.175.0 0.0.0.255 10.82.168.0 0.0.3.255 eq domain
access-list 101 deny tcp 10.82.175.0 0.0.0.255 10.82.172.0 0.0.1.255 eq 443
access-list 101 deny tcp 10.82.175.0 0.0.0.255 10.82.172.0 0.0.1.255 eq www
access-list 101 deny udp 10.82.175.0 0.0.0.255 10.82.172.0 0.0.1.255 eq domain
access-list 101 deny tcp 10.82.175.0 0.0.0.255 10.82.174.0 0.0.0.255 eq 443
access-list 101 deny tcp 10.82.175.0 0.0.0.255 10.82.174.0 0.0.0.255 eq www
access-list 101 deny udp 10.82.175.0 0.0.0.255 10.82.174.0 0.0.0.255 eq domain
access-list 101 deny icmp 10.82.175.0 0.0.0.255 10.82.128.0 0.0.31.255
access-list 101 deny icmp 10.82.175.0 0.0.0.255 10.82.160.0 0.0.7.255
access-list 101 deny icmp 10.82.175.0 0.0.0.255 10.82.168.0 0.0.3.255
access-list 101 deny icmp 10.82.175.0 0.0.0.255 10.82.172.0 0.0.1.255
access-list 101 deny icmp 10.82.175.0 0.0.0.255 10.82.174.0 0.0.0.255
!
! Everything else from the LAN on these protocols is translated for internet access
access-list 101 permit tcp 10.82.175.0 0.0.0.255 any eq 443
access-list 101 permit tcp 10.82.175.0 0.0.0.255 any eq www
access-list 101 permit udp 10.82.175.0 0.0.0.255 any eq domain
access-list 101 permit icmp 10.82.175.0 0.0.0.255 any

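The reason the reply's deny entries work is IOS's inside-to-outside order of operations: NAT inside source translation is applied before the crypto map ACL is evaluated, so a NAT ACL whose destination is "any" rewrites the source of VPN-bound packets to the pool address and the crypto ACL (which matches on 10.82.175.0/24) no longer sees them. The following simulation is an added example and is not part of the thread or of any Cisco tool; the Packet and Ace classes, the parse_acl, wildcard_match, acl_permits and forward functions are assumed names, and the ACL text is constructed from the configs posted above. It goes slightly beyond the reply by writing the exemption as "deny ip" per VPN subnet, which covers every protocol the permit lines cover in one entry each.

```python
"""Added example (not from the thread): simulate IOS inside-to-outside order
of operations, where NAT runs before the crypto map ACL is evaluated.
ACL text below is constructed from the configs posted in the thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "domain": 53}  # IOS port keywords used in the thread
NAT_IP = "217.10.175.100"               # address from the thread's ip nat pool


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp" or "icmp"
    src: str                    # "any" or "<network> <wildcard>"
    dst: str
    dport: Optional[int] = None


def _take_addr(toks: List[str], i: int) -> Tuple[str, int]:
    if toks[i] == "any":
        return "any", i + 1
    return f"{toks[i]} {toks[i + 1]}", i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse numbered ('access-list 101 ...') or named (' permit ip ...') ACEs."""
    acl = []
    for line in text.strip().splitlines():
        toks = line.split()
        if toks[0] == "access-list":
            toks = toks[2:]             # drop 'access-list <number>'
        src, i = _take_addr(toks, 2)
        dst, i = _take_addr(toks, i)
        dport = None
        if i < len(toks) and toks[i] == "eq":
            dport = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
        acl.append(Ace(toks[0], toks[1], src, dst, dport))
    return acl


def wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'."""
    if spec == "any":
        return True
    net, wc = spec.split()
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wc))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First matching ACE wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        if wildcard_match(pkt.src, ace.src) and wildcard_match(pkt.dst, ace.dst):
            return ace.action == "permit"
    return False


def forward(pkt: Packet, nat_acl: List[Ace], crypto_acl: List[Ace],
            nat_ip: str = NAT_IP) -> Tuple[str, bool]:
    """NAT first, then the crypto ACL sees the (possibly translated) source."""
    if acl_permits(nat_acl, pkt):
        pkt = Packet(pkt.proto, nat_ip, pkt.dst, pkt.dport)
    return pkt.src, acl_permits(crypto_acl, pkt)


# Crypto ACL: the 10.82.175.0/24 entries of VPN-TRAFFIC from the question.
CRYPTO_ACL = parse_acl("""
 permit ip 10.82.175.0 0.0.0.255 10.82.128.0 0.0.31.255
 permit ip 10.82.175.0 0.0.0.255 10.82.160.0 0.0.7.255
 permit ip 10.82.175.0 0.0.0.255 10.82.168.0 0.0.3.255
 permit ip 10.82.175.0 0.0.0.255 10.82.172.0 0.0.1.255
 permit ip 10.82.175.0 0.0.0.255 10.82.174.0 0.0.0.255
""")

# ACL 101 as posted in the question: "any" also covers the VPN subnets.
NAT_ACL_ORIGINAL = parse_acl("""
access-list 101 permit tcp 10.82.175.0 0.0.0.255 any eq 443
access-list 101 permit tcp 10.82.175.0 0.0.0.255 any eq www
access-list 101 permit udp 10.82.175.0 0.0.0.255 any eq domain
access-list 101 permit icmp 10.82.175.0 0.0.0.255 any
""")

# NAT exemption: deny all IP to each VPN subnet ahead of the permits.
NAT_ACL_EXEMPT = parse_acl("""
access-list 101 deny ip 10.82.175.0 0.0.0.255 10.82.128.0 0.0.31.255
access-list 101 deny ip 10.82.175.0 0.0.0.255 10.82.160.0 0.0.7.255
access-list 101 deny ip 10.82.175.0 0.0.0.255 10.82.168.0 0.0.3.255
access-list 101 deny ip 10.82.175.0 0.0.0.255 10.82.172.0 0.0.1.255
access-list 101 deny ip 10.82.175.0 0.0.0.255 10.82.174.0 0.0.0.255
""") + NAT_ACL_ORIGINAL
```

Running forward() on an HTTPS packet from 10.82.175.10 to 10.82.130.5 with NAT_ACL_ORIGINAL returns the pool address and False (translated, not encrypted); with NAT_ACL_EXEMPT it returns the untranslated source and True, while a packet to an internet address is still translated. The deny entries must cover every protocol the permit entries cover, ICMP included, or that protocol keeps being translated. On a real router, after changing the NAT ACL, clear the existing translations with clear ip nat translation * so entries created under the old list do not linger, then confirm with show ip nat translations (no entries for the VPN subnets) and the encrypt/decrypt counters in show crypto ipsec sa.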