Bypass the IP NAT for VPN Users

abdussamedpkpk (Level 1)

Hi,

I have configured ip nat on a Cisco 6153 switch and it is working fine. But I need to bypass the ip nat configuration for VPN users.

E.g. 192.168.1.1 is NATed to a global IP address; the ip nat is working fine, but the VPN users also need to connect to the same server.


Hi Abdu,

I am not sure what subnet you are using for your VPN users. For example, if the VPN user subnet is 192.168.10.0/24, then the ACL will be:

ip access-list extended PBR
 permit ip host 192.168.1.1 192.168.10.0 0.0.0.255

Basically, just redirect the traffic between server 192.168.1.1 and the VPN users to an interface that doesn't have "ip nat outside". That way it can bypass NAT for VPN users.

HTH,

Lei Tian

It is blocking all other traffic to the internet after applying the route-map to the interface. It didn't work. Thank you.

Hi Abdu,

What does your ACL PBR look like? The PBR should only match traffic from the server to the VPN user subnet; other traffic should route and NAT as it did before.

thanks,

Lei Tian

My VPN clients are getting an IP range of 10.1.1.0/24 from the pool.

The server that has to bypass the NAT is 10.10.10.10. I have configured the PBR ACL as permit ip 10.10.10.10 (server IP) 10.1.1.0 0.0.0.255.

The other ACL is the same as before. It is passing through the FWSM module. A VLAN communicates between the FWSM and the switch, and this VLAN has the ip nat inside command.

The same server (10.10.10.10) is NATed and is accessible for Internet users, but it is not reachable for VPN users. This NATing is to be bypassed for VPN users. Do you have any idea about the 'crypto ipsec nat-transparency udp-encapsulation' command? Is this command suitable for this situation?

Hi Abdu,

You said that after you applied the PBR, it blocked all internet users from accessing the server; was the VPN user working at that time?

Do you have any rule that blocks traffic sourced from 10.10.10.10 going out, in your other ACL or on the FWSM?

NAT Transparency is the feature that allows encrypted traffic to be NATed without problems; if I understand correctly, it should not help in your situation.

thanks
Lei Tian

To be frank, I didn't check the VPN traffic after the ACL was blocking our services. Yes, there are some rules on the FWSM for the server, but we have opened specific ports for public and VPN users.

Thanks

Samad

Please see the sample configuration below:
firewall vlan-group 1  100,110,200,250,251,300,620,630,700
ip subnet-zero
no ip source-route
!
vlan 110
 name FWSM
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 7200
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpn-client
 key 6 OQSPhFQ`iT_XbddbPA^E^dKN`Q^PGV\UaUdHAAB
 dns 10.10.10.100
 pool remote-vpn-clients
 acl VPN_ACL
!
crypto ipsec transform-set vpn-client esp-3des esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto dynamic-map vpn-client 100
 set transform-set vpn-client
 reverse-route
!
crypto map test local-address Loopback1
crypto map test client authentication list authen
crypto map test isakmp authorization list author
crypto map test client configuration address respond
crypto map test 10 ipsec-isakmp dynamic vpn-client
!
interface Loopback1
 ip address 20.20.20.20 255.255.255.248
!
interface Vlan100
 description TO_ISP_LEASED_LINE
 ip address 172.43.32.98 255.255.255.252
 ip nat outside
 no mop enabled
 crypto map test
 crypto engine subslot 11/0
!
interface Vlan110
 description FWSM-to-SUP communication
 ip address 192.16.16.2 255.255.255.224
 ip nat inside
 standby 110 ip 192.16.16.1
 standby 110 priority 110
 standby 110 preempt
!
ip local pool remote-vpn-clients 10.1.1.1 10.1.1.254
no ip nat service skinny tcp port 2000
no ip nat service H225
ip nat inside source static tcp 10.10.10.88 389 195.14.19.17 389 extendable
ip nat inside source static tcp 10.10.10.10 829 195.14.19.21 829 extendable no-alias
ip classless
!
ip access-list extended VPN_ACL
 permit tcp host 10.10.10.10 10.1.1.0 0.0.0.255 eq 829
 permit tcp host 10.10.10.88 10.1.1.0 0.0.0.255 eq 389
 permit ip any any
!

Now I have the FWSM configuration other than this.

Hi,

I am still trying to understand how the PBR could block all other traffic to the internet.

So you created a route-map that only matches the traffic from host 10.10.10.10 to 10.1.1.0/24 and sets the next-hop to another interface; then you applied the route-map under vlan 110.

After you did that, the internet stopped working?

Thanks,

Lei Tian

Actually it is not the internet. I am sorry if I confused you. The server is not accessible for the public users who come in through the Internet, i.e. our services went down. Please see the configuration I made.

interface loopback 2
 ip address 172.16.1.1

route-map PBR
 match ip address PBR
 set ip next-hop 172.16.1.2

ip access-list extended PBR
 permit ip host 10.10.10.10 10.1.1.0

interface vlan 110
 ip policy route-map PBR
 ip nat inside

Is it correct?

Hi Abdu,

That is correct. So after you made the change, public users coming from vlan110 cannot access 195.14.19.21 anymore?

thanks,

Lei Tian

Hi, it is strange that after applying the configuration again, there is no problem with the normal traffic. It is passing through; I don't know what the problem was, but the server is still not accessible for the VPN users. I can ping the server, but the problem is only when trying to reach port 829. This port is NATed for the public, actually.

Thanks,

Abdussamad

Hi Abdussamad,

So after you apply the configuration, the VPN user can ping 10.10.10.10 without problem, correct? But TCP port 829 doesn't work?

Can you turn on debug ip policy dynamic on the switch and initiate a TCP connection from the VPN client to server 10.10.10.10 port 829? I want to see if that triggers the PBR.

thanks,

Lei Tian

Yes, exactly. Please see the attached file for the debug information.

Hi,

Can you confirm the ACL PBR is configured like this:

ip access-list extended PBR
 permit ip host 10.10.10.10 10.1.1.0 0.0.0.255

thanks

Lei Tian

Yes, it is configured as mentioned below:

ip access-list extended PBR
 20 permit tcp host 10.10.10.10 10.1.1.0 0.0.0.255 eq 829
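As an added illustration (my own code, not from the thread and not Cisco's), here is a small Python model of IOS extended-ACL matching, with the wildcard-mask rule and the rule that an "eq" operator placed after the source address tests the source port while one placed after the destination address tests the destination port. It is run against the PBR ACLs that appear in this thread. The point it makes for the design above is about direction: the route-map is applied on Vlan110, so the packet it evaluates is the server's reply to the VPN client (source 10.10.10.10, source port 829), which is exactly the packet that must leave through an interface without "ip nat outside" so the static translation to 195.14.19.21 is never applied. The client address 10.1.1.5 and ephemeral port 40000 are constructed, and the third ACL (operator after the source address) is a hypothetical variant I added for comparison.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: Optional[int]  # None for protocols without ports
    dst: str
    dport: Optional[int]


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: str
    src_wc: str           # IOS wildcard mask: a set bit means "don't care"
    sport: Optional[int]
    dst: str
    dst_wc: str
    dport: Optional[int]


def _take_addr(tokens: List[str]) -> Tuple[str, str, List[str]]:
    """Consume one address spec: 'host A', 'any', or 'A WILDCARD'."""
    if not tokens:
        raise ValueError("address expected")
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if len(tokens) < 2:
        raise ValueError("wildcard mask expected after %s" % tokens[0])
    return tokens[0], tokens[1], tokens[2:]


def _take_port(tokens: List[str]) -> Tuple[Optional[int], List[str]]:
    """Consume an optional 'eq PORT' operator (the only operator modelled here)."""
    if len(tokens) >= 2 and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_ace(line: str) -> Ace:
    """Parse one access-list entry, with or without a leading sequence number."""
    tokens = line.split()
    if tokens and tokens[0].isdigit():
        tokens = tokens[1:]                      # sequence number, e.g. "20 permit ..."
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, src_wc, rest = _take_addr(rest)
    sport, rest = _take_port(rest)               # operator after the source address
    dst, dst_wc, rest = _take_addr(rest)
    dport, rest = _take_port(rest)               # operator after the destination address
    if rest:
        raise ValueError("unparsed tokens: %s" % rest)
    return Ace(action, proto, src, src_wc, sport, dst, dst_wc, dport)


def _wc_match(addr: str, base: str, wildcard: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)                  # compare only the "care" bits


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not _wc_match(pkt.src, ace.src, ace.src_wc):
        return False
    if not _wc_match(pkt.dst, ace.dst, ace.dst_wc):
        return False
    if ace.sport is not None and pkt.sport != ace.sport:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    return True


def acl_permits(acl_lines: List[str], pkt: Packet) -> bool:
    """First matching entry decides; no match means the implicit deny.
    Under 'match ip address', a permit is what makes the route-map clause act."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False


# Constructed packets for the thread's scenario (client address and ephemeral port
# are made up). The route-map sits on Vlan110, so it evaluates the server's reply.
CLIENT_SYN = Packet("tcp", "10.1.1.5", 40000, "10.10.10.10", 829)
SERVER_REPLY = Packet("tcp", "10.10.10.10", 829, "10.1.1.5", 40000)

ACL_ANY_PORT = ["permit ip host 10.10.10.10 10.1.1.0 0.0.0.255"]            # from the thread
ACL_DST_PORT = ["20 permit tcp host 10.10.10.10 10.1.1.0 0.0.0.255 eq 829"]  # from the thread
ACL_SRC_PORT = ["permit tcp host 10.10.10.10 eq 829 10.1.1.0 0.0.0.255"]     # hypothetical variant


def pbr_fires(acl_lines: List[str]) -> bool:
    """Would the route-map on Vlan110 act on the server's reply to the VPN client?"""
    return acl_permits(acl_lines, SERVER_REPLY)


if __name__ == "__main__":
    for name, acl in (("ip, no port", ACL_ANY_PORT),
                      ("tcp, eq 829 after destination", ACL_DST_PORT),
                      ("tcp, eq 829 after source", ACL_SRC_PORT)):
        print("%-32s reply matched: %s" % (name, pbr_fires(acl)))
```

The model is deliberately minimal (only "eq", no "established", no logging), but it is enough to check a candidate PBR ACL against the packet the interface will actually see before touching the switch: the reply from port 829 carries 829 as its source port, so only the first and third entries select it.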