Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

vpn access-list problem

i have setup a small home network to practice filtering vpn traffic

(see attachment for network layout) below are the configurations for

the routers (cisco 1720's) at each end of the tunnel,i have configured

an access list (access-list 110) which is placed on the HQ router

what i was aiming for was for computers behind the branch router

to be able to access the web server but be unable to access the file

server behind the HQ router

and

for the remote access client to be able to access the file server

but be unable to access the web server behind the HQ router

I am not sure what the problem is but with the access-list in place

the client computer behind the branch router and the remote access client

are each able to access both the file and web servers behind the HQ router

i would appreciate it if somebody could take a look at the configuration below

and advise me as to what the problem might be as i have drawn a blank.

regards

Melvyn Brown

HQ CONFIGURATION

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255

access-list 103 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 103 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255

access-list 103 permit ip 192.168.1.0 0.0.0.255 any

access-list 110 permit udp any host 192.168.2.2 eq 500

access-list 110 permit udp any host 192.168.2.2 eq 4500

access-list 110 permit esp any host 192.168.2.2

access-list 110 permit tcp 192.168.3.0 0.0.0.255 host 192.168.1.2 eq 80

access-list 110 permit ip 192.168.5.0 0.0.0.255 host 192.168.1.3

access-list 110 deny ip any any

crypto isakmp key cisco123 address 192.168.2.1 no-xauth

crypto ipsec transform-set BOSTON esp-3des esp-md5-hmac

crypto isakmp enable

crypto isakmp identity address

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto map VPN 10 ipsec-isakmp

set peer 192.168.2.1

set transform-set BOSTON

match address 101

ip local pool remote-pool 192.168.5.1 192.168.5.10

aaa new-model

aaa authentication login user1 local

aaa authorization network group1 local

username fred password flintstone

crypto isakmp client configuration group remote

key cisco321

dns 192.168.1.4

domain cisco.com

pool remote-pool

acl 102

crypto dynamic-map dynmap 10

set transform-set BOSTON

reverse-route

crypto map VPN client authentication list user1

crypto map VPN isakmp authorization list group1

crypto map VPN client configuration address respond

crypto map VPN 15 ipsec-isakmp dynamic dynmap

interface FastEthernet0

ip address 192.168.2.2 255.255.255.0

ip nat outside

crypto map VPN

ip access-group 110 in

no shut

interface Ethernet0

ip address 192.168.1.1 255.255.255.0

ip nat inside

no shut

route-map nonat permit 10

match ip address 103

ip nat inside source route-map nonat interface FastEthernet0 overload

ip route 0.0.0.0 0.0.0.0 FastEthernet0

BRANCH CONFIGURATION

access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 102 permit ip 192.168.3.0 0.0.0.255 any

crypto isakmp enable

crypto isakmp identity address

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp key cisco123 address 192.168.2.2 no-xauth

crypto ipsec transform-set BOSTON esp-3des esp-md5-hmac

crypto map VPN 10 ipsec-isakmp

set peer 192.168.2.2

set transform-set BOSTON

match address 101

interface FastEthernet0

ip address 192.168.2.1 255.255.255.0

ip nat outside

crypto map VPN

no shut

interface Ethernet0

ip address 192.168.3.1 255.255.255.0

ip nat inside

no shut

route-map nonat permit 10

match ip address 102

ip nat inside source route-map nonat interface FastEthernet0 overload

ip route 0.0.0.0 0.0.0.0 FastEthernet0

2 REPLIES
New Member

Re: vpn access-list problem

just change your access-list to reflect your goal.

Change your encryption domain to the hosts instead of the full subnet.

New Member

Re: vpn access-list problem

Hi,

If your able to ping from HQ to Branch Office file server then problem with the server.

If not remove 110 acl from HQ router and check the same. Why means once you permit the VPN IP traffic,

almost all protocols will flow in IP traffic only.Still if your facing the problem please let me know the what

error it is showing and when your replying send me file of "show crypto engine conn active" result.

124
Views
0
Helpful
2
Replies
CreatePlease to create content