03-19-2014 12:16 PM
Hey everyone,
Recently I've set up (or attempted to set up) a VPN tunnel between an 800 series router running 15.1 and a Fortigate router. Below is a sanitized config of my router. I've made tunnels between routers before, but this time when I applied the "crypto map AlgerMap" to the WAN interface, the connection instantly dropped out. From previous setups I've never had this happen before; does anyone see anything wrong with my config below?
Thanks.
object-group network AlgerNetwork
 description Internal Network at Alger Location
 192.168.1.0 255.255.255.0
!
object-group network DataCenter
 description Data Center
 192.168.2.0 255.255.255.0
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXXXXXXXXX address XXXXXXXXXX
!
!
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto map AlgerMap 1 ipsec-isakmp
 set peer (PEER IP)
 set transform-set 3des-sha
 match address AlgertoDC
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
!
interface FastEthernet5
 no ip address
!
interface FastEthernet6
 no ip address
!
interface FastEthernet7
 no ip address
!
interface FastEthernet8
 description Network Inside
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0
 description *** WAN connection to ISP ***
 ip address (WAN IP) 255.255.255.240
 ip access-group 100 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
interface Async1
 no ip address
 encapsulation slip
!
!
ip nat inside source list nat interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 (NEXT HOP)
!
ip access-list extended AlgertoDC
 permit ip object-group AlgerNetwork object-group DataCenter
ip access-list extended nat
 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
access-list 100 permit tcp X.X.X.X 0.0.1.255 host X.X.X.X eq 3389 log
access-list 100 deny tcp any any eq 3389 log
access-list 100 permit ip any any
03-20-2014 04:11 AM
http://www.cisco.com/c/en/us/td/docs/ios/sec_data_plane/configuration/guide/15_1/sec_data_plane_15_1_book/sec_object_group_acl.html#wp1132617
Object group-based ACLs are not supported with IPsec.
Anything else is hard to say; you provided no details :-(
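As an added example (my own code, not from this thread or from Cisco), a small Python check for the problem named in the reply above: it walks a running-config, finds every crypto map whose match address ACL references object-groups, and produces the equivalent traditional address/wildcard ACEs. The sample config is trimmed from the one posted above; it assumes the indentation that show running-config prints, and only host and subnet members of the object-groups are expanded.

```python
import ipaddress

# Constructed sample trimmed from the thread's config, indented as "show running-config" prints it.
SAMPLE_CONFIG = """\
object-group network AlgerNetwork
 description Internal Network at Alger Location
 192.168.1.0 255.255.255.0
object-group network DataCenter
 192.168.2.0 255.255.255.0
crypto map AlgerMap 1 ipsec-isakmp
 match address AlgertoDC
ip access-list extended AlgertoDC
 permit ip object-group AlgerNetwork object-group DataCenter
"""

def parse_blocks(text):
    """Group indented lines under their parent command; '!' and blank lines are dropped."""
    blocks, current = {}, None
    for line in text.splitlines():
        if current is not None and line.startswith(" ") and line.strip():
            blocks[current].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks

def expand_group(blocks, name):
    """Yield 'address wildcard' for each host/subnet member of a network object-group."""
    for tok in (e.split() for e in blocks.get(f"object-group network {name}", [])):
        if tok[0] == "host":
            tok = [tok[1], "255.255.255.255"]
        if tok[0][0].isdigit():  # description, group-object and range entries are skipped
            net = ipaddress.IPv4Network(f"{tok[0]}/{tok[1]}", strict=False)
            yield f"{net.network_address} {net.hostmask}"

def check_crypto_maps(blocks):
    """{crypto map entry: (acl, traditional ACEs)} for each match ACL that uses object-groups."""
    findings = {}
    for header, body in blocks.items():
        if not header.startswith("crypto map "):
            continue
        for acl in (l.split()[2] for l in body if l.startswith("match address ")):
            lines = []
            for tok in (a.split() for a in blocks.get(f"ip access-list extended {acl}", [])):
                if len(tok) == 6 and tok[2] == tok[4] == "object-group":
                    lines += [f"{tok[0]} {tok[1]} {s} {d}" for s in expand_group(blocks, tok[3])
                              for d in expand_group(blocks, tok[5])]
            if lines:  # rewrite these ACEs into a plain extended ACL before using it in a crypto map
                findings[header] = (acl, lines)
    return findings
```

Running check_crypto_maps(parse_blocks(SAMPLE_CONFIG)) flags AlgerMap entry 1 and returns the single traditional ACE that covers the same 192.168.1.0/24 to 192.168.2.0/24 traffic.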
03-20-2014 05:17 AM
Didn't IOS 12 support groups? Why wouldn't 15? Also, unfortunately this is all I have. This is the config I have on my 800 series, and when I applied the crypto map AlgerMap on the interface it dropped the location's connection. This has never been an issue for me before on routers. I'm sorry it's not very detailed.
03-20-2014 05:20 AM
03-20-2014 08:22 AM
Perhaps I'm used to the ASA OS. Maybe it didn't support it; I will make those changes. Also, yes, the traffic is being NATed. Here are my lines of command. By the way, thank you for offering your time to help me!
ip nat inside source list nat interface GigabitEthernet0 overload
ip access-list extended nat
 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
The deny statement is the NAT exemption for the tunnel; the permit ip is for the internal.
03-21-2014 01:27 AM
03-21-2014 05:05 AM
Ahh, I see what you're getting at now. I'll have to try those debugs.
03-24-2014 07:39 AM
For anyone who might be reading this in the future: I found this article.
http://candidatedefault.wordpress.com/2010/11/26/beware-ios-object-groups-for-acls-are-bad/
I have not tried changing to traditional lists, but I will report back when I do.