Community Member

WAN connection drops when applying Crypto Map

Hey everyone,

Recently I've set up (or attempted to set up) a VPN tunnel between an 800 series router running 15.1 and a Fortigate router. Below is a sanitized config of my router. I've made tunnels between routers before, but this time when I applied the "Crypto Map AlgerMap" to the WAN interface, the connection instantly dropped out. From previous setups I've never had this happen before; does anyone see anything wrong with my config below?

Thanks.

object-group network AlgerNetwork
 description Internal Network at Alger Location
 192.168.1.0 255.255.255.0
!
object-group network DataCenter
 description Data Center
 192.168.2.0 255.255.255.0
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXXXXXXXXX address XXXXXXXXXX
!
!
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto map AlgerMap 1 ipsec-isakmp
 set peer (PEER IP)
 set transform-set 3des-sha
 match address AlgertoDC
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
!
interface FastEthernet5
 no ip address
!
interface FastEthernet6
 no ip address
!
interface FastEthernet7
 no ip address
!
interface FastEthernet8
 description Network Inside
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0
 description *** WAN connection to ISP ***
 ip address (WAN IP) 255.255.255.240
 ip access-group 100 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
interface Async1
 no ip address
 encapsulation slip
!
!
ip nat inside source list nat interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 (NEXT HOP)
!
ip access-list extended AlgertoDC
 permit ip object-group AlgerNetwork object-group DataCenter

ip access-list extended nat
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!

access-list 100 permit tcp X.X.X.X 0.0.1.255 host X.X.X.X eq 3389 log
access-list 100 deny   tcp any any eq 3389 log
access-list 100 permit ip any any

7 REPLIES
Cisco Employee

http://www.cisco.com/c/en/us/td/docs/ios/sec_data_plane/configuration/guide/15_1/sec_data_plane_15_1_book/sec_object_group_acl.html#wp1132617

Object group-based ACLs are not supported with IPsec.

Anything else, hard to say, you provided no details :-(
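A small config check, added here as an illustration and not something posted in the thread or provided by Cisco: it walks the crypto map's "match address" ACL, flags any ACE that references an object-group, and expands it into the traditional wildcard-mask form (the constructed sample uses a placeholder peer IP and assumes group members are "network mask" lines, as in the posted config).

```python
import re

# Constructed sample, modelled on the config posted in the thread (peer IP is a placeholder)
SAMPLE_CONFIG = """\
object-group network AlgerNetwork
 192.168.1.0 255.255.255.0
object-group network DataCenter
 192.168.2.0 255.255.255.0
crypto map AlgerMap 1 ipsec-isakmp
 match address AlgertoDC
ip access-list extended AlgertoDC
 permit ip object-group AlgerNetwork object-group DataCenter
"""

def parse_blocks(config):
    """Group indented child lines under their parent command ('!' separators skipped)."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        elif not line.startswith(" "):
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks

def wildcard(mask):
    """Subnet mask (object-group syntax) -> ACL wildcard mask."""
    return ".".join(str(255 - int(o)) for o in mask.split("."))

def expand_ace(ace, groups):
    """Rewrite a src/dst object-group ACE into equivalent traditional ACEs (assumes 'network mask' members)."""
    m = re.match(r"(permit|deny)\s+(\S+)\s+object-group (\S+)\s+object-group (\S+)", ace)
    if not m: return []
    action, proto, src, dst = m.groups()
    return [f"{action} {proto} {sn} {wildcard(sm)} {dn} {wildcard(dm)}"
            for sn, sm in (s.split() for s in groups[src])
            for dn, dm in (d.split() for d in groups[dst])]

def crypto_acl_findings(config):
    """Return (crypto map, ACL, offending ACE, suggested rewrite) for crypto ACLs that use object-groups."""
    blocks = parse_blocks(config)
    groups = {k.split()[-1]: v for k, v in blocks.items() if k.startswith("object-group network")}
    acls = {k.split()[-1]: v for k, v in blocks.items() if k.startswith("ip access-list extended")}
    findings = []
    for cmap, children in blocks.items():
        if not cmap.startswith("crypto map ") or "ipsec-isakmp" not in cmap:
            continue
        for acl in (c.split()[2] for c in children if c.startswith("match address ")):
            for ace in acls.get(acl, []):
                if "object-group" in ace:
                    findings.append((cmap, acl, ace, expand_ace(ace, groups)))
    return findings
```

Run against the sample, the rewrite it proposes for AlgertoDC is the same wildcard-mask line the poster already uses in the "nat" exemption ACL.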

Community Member

Didn't IOS 12 support groups? Why wouldn't 15? Also, unfortunately this is all I have. This is the config I have on my 800 series, and when I applied the crypto map AlgerMap on the interface it dropped the location's connection. This has never been an issue for me before on routers. I'm sorry it's not very detailed.

Cisco Employee

It was never supported that I'm aware of. Fix the config and let's have a look at what's going on. When you say "dropped" does it mean that line is going down? Is traffic being NATed? Are you able to get proper ARP etc etc.
Community Member

Perhaps I'm used to the ASA IOS. Maybe it didn't support it; I will make those changes. Also, yes, the traffic is being NATed. Here are my lines of command. By the way, thank you for offering your time to help me!

ip nat inside source list nat interface GigabitEthernet0 overload
ip access-list extended nat
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any

The deny statement is the nat exemption for the tunnel, the permit ip is for the internal.

Cisco Employee

I saw the config. What I was asking is if the traffic was actually being NATed during the problem. Debug NAT & debug ip packet (for control plane or traffic originating from router) will tell you what's going on with the packets. My suspicion is that (all?) traffic was put for encryption, essentially causing breakage.
Community Member

Ahh, I see what you're getting at now. I'll have to try those debugs.

Community Member

For anyone who might be reading this in the future. I found this article.

http://candidatedefault.wordpress.com/2010/11/26/beware-ios-object-groups-for-acls-are-bad/

I have not tried changing to traditional lists, but I will report back when I do.
