Cisco 1841 IPsec VPN with loopback NAT not passing traffic

refinedit
Level 1

Hi, I have a Cisco 1841 running the LAN on Fa0/0 and the internet on Fa0/1. I run a Loopback1 interface to NAT local traffic via a VPN (the VPN will only accept incoming traffic from the particular loopback IP address).

My problem is that 172.27.0.0 traffic routes over the VPN fine, but any traffic to 10.125.0.0 seems to fall in a heap. Below are my config file and ip access-list printout.

config:

-=-=-=-=-=-=-

Building configuration...

Current configuration : 6544 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
hostname apollo-router
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
no aaa new-model
ip cef
!
!
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW pptp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
crypto pki trustpoint TP-self-signed-2465355294
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2465355294
 revocation-check none
 rsakeypair TP-self-signed-2465355294
!
!
crypto pki certificate chain TP-self-signed-2465355294
 certificate self-signed 01
  quit
username admin privilege 15 secret 5
!
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <password> address 202.12.184.237
!
!
crypto ipsec transform-set SunriseExchangetrans esp-3des esp-md5-hmac
!
crypto ipsec profile sunriseexchangevpn
 set transform-set SunriseExchangetrans
!
!
crypto map sunriseexchange 10 ipsec-isakmp
 set peer 202.12.184.237
 set transform-set SunriseExchangetrans
 match address sunriserule
!
!
!
interface Loopback1
 ip address 172.29.40.10 255.255.255.255
!
interface FastEthernet0/0
 description $FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 hold-queue 100 out
!
interface FastEthernet0/1
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 115.70.183.94 255.255.255.252
 ip access-group services in
 ip verify unicast reverse-path
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 crypto map sunriseexchange
 hold-queue 224 in
!
ip forward-protocol nd
ip forward-protocol udp netbios-ss
ip route 0.0.0.0 0.0.0.0 115.70.183.93
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source static tcp 192.168.1.2 1723 interface FastEthernet0/1 1723
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet0/1 overload
ip nat inside source route-map sunriserule interface Loopback1 overload
ip nat inside source static tcp 192.168.1.2 25 115.70.183.94 25 extendable
ip nat inside source static tcp 192.168.1.2 80 115.70.183.94 80 extendable
ip nat inside source static tcp 192.168.1.2 443 115.70.183.94 443 extendable
ip nat inside source static tcp 192.168.1.2 636 115.70.183.94 636 extendable
ip nat inside source static tcp 192.168.1.2 987 115.70.183.94 987 extendable
ip nat inside source static tcp 192.168.1.2 3389 115.70.183.94 3389 extendable
!
ip access-list extended SDM-LOW
 permit gre any any
ip access-list extended services
 remark SDM_ACL Category=17
 permit udp host 202.12.184.237 any eq non500-isakmp
 permit udp host 202.12.184.237 any eq isakmp
 permit esp host 202.12.184.237 any
 permit ahp host 202.12.184.237 any
 permit udp any host 115.70.183.94 eq non500-isakmp
 permit udp any host 115.70.183.94 eq isakmp
 permit esp any host 115.70.183.94
 permit ahp any host 115.70.183.94
 permit udp host 202.12.184.237 host 115.70.183.94 eq non500-isakmp
 permit udp host 202.12.184.237 host 115.70.183.94 eq isakmp
 permit esp host 202.12.184.237 host 115.70.183.94
 permit ahp host 202.12.184.237 host 115.70.183.94
 permit tcp any any eq smtp
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq 987
 permit tcp any any eq 3389
 permit tcp any any eq 636
 permit tcp any any eq 1723
 permit gre any any
 deny   ip 192.168.1.0 0.0.0.255 10.125.0.0 0.0.255.255
 deny   ip 192.168.1.0 0.0.0.255 172.27.1.0 0.0.0.255
 permit ip any any
 permit icmp any any echo-reply
ip access-list extended sunriserule
 permit ip host 127.29.40.10 10.125.0.0 0.0.255.255
 remark sunriserule
 remark SDM_ACL Category=6
 permit ip 192.168.1.0 0.0.0.255 172.27.1.0 0.0.0.255
 permit ip host 172.29.40.10 172.27.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.125.0.0 0.0.255.255
 permit icmp any any echo-reply
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark SDM_ACL Category=16
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 192.168.1.0 0.0.0.255
!
route-map SDM_RMAP_2 permit 20
 match ip address services
!
route-map sunriserule permit 10
 match ip address sunriserule
!
!
!
control-plane
!
bridge 1 protocol ieee
!
!
line con 0
 password
 login
line aux 0
line vty 0 4
 password
 login
line vty 5 15
 password
 login
!
scheduler allocate 20000 1000
end


-=-=-=-=-=-=-

IP access-list

apollo-router#sh ip access-list
Standard IP access list 1
    10 permit 192.168.1.0, wildcard bits 0.0.0.255
Standard IP access list 2
    10 permit 192.168.1.0, wildcard bits 0.0.0.255
Standard IP access list 3
    10 permit 192.168.1.0, wildcard bits 0.0.0.255
Extended IP access list SDM-LOW
    10 permit gre any any
Extended IP access list services
    10 permit udp host 202.12.184.237 any eq non500-isakmp
    20 permit udp host 202.12.184.237 any eq isakmp (118 matches)
    30 permit esp host 202.12.184.237 any (3 matches)
    40 permit ahp host 202.12.184.237 any
    50 permit udp any host 115.70.183.94 eq non500-isakmp
    60 permit udp any host 115.70.183.94 eq isakmp
    70 permit esp any host 115.70.183.94
    80 permit ahp any host 115.70.183.94
    90 permit udp host 202.12.184.237 host 115.70.183.94 eq non500-isakmp
    100 permit udp host 202.12.184.237 host 115.70.183.94 eq isakmp
    110 permit esp host 202.12.184.237 host 115.70.183.94
    120 permit ahp host 202.12.184.237 host 115.70.183.94
    130 permit tcp any any eq smtp (107 matches)
    140 permit tcp any any eq www (55 matches)
    150 permit tcp any any eq 443 (345 matches)
    160 permit tcp any any eq 987
    170 permit tcp any any eq 3389 (2036 matches)
    180 permit tcp any any eq 636
    190 permit tcp any any eq 1723 (81 matches)
    200 permit gre any any (164 matches)
    210 deny ip 192.168.1.0 0.0.0.255 10.125.0.0 0.0.255.255 (1 match)
    220 deny ip 192.168.1.0 0.0.0.255 172.27.1.0 0.0.0.255 (1 match)
    230 permit ip any any (2231 matches)
    240 permit icmp any any echo-reply
Extended IP access list sunriserule
    10 permit ip host 127.29.40.10 10.125.0.0 0.0.255.255
    20 permit ip 192.168.1.0 0.0.0.255 172.27.1.0 0.0.0.255 (1 match)
    30 permit ip host 172.29.40.10 172.27.1.0 0.0.0.255 (7 matches)
    40 permit ip 192.168.1.0 0.0.0.255 10.125.0.0 0.0.255.255 (1 match)
    50 permit icmp any any echo-reply (360 matches)

You can see everything is getting hit except for 10.125.0.0 in the 'sunriserule' access list. Any suggestions would be great; I've been pulling my hair out. I'd upgrade to the new version of the IOS, but the 1841 I'm using only has the built-in 128 MB RAM, so it won't run the new IOS. :(

2 Replies

rbpl65
Level 1

Hi,

I realize that it is too late, but I noticed that you probably mismatched the ACL config. The IP address should be 172.29.x.x rather than 127.29.x.x.

Regards

Robert

juan-ruiz
Level 1

It looks like the first octet in your ACL's permit 10 might be wrong. I think it should be 172.

   10 permit ip host 127.29.40.10 10.125.0.0 0.0.255.255
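The fault both replies point at (127.29.40.10 in entry 10 of sunriserule, where Loopback1 is 172.29.40.10) can be reproduced offline. The following Python script is an added example, not code from the original post or from Cisco: it takes a constructed copy of the posted sunriserule ACL, models the IOS order of operations for an inside-to-outside packet (the NAT route-map is evaluated against the pre-NAT packet, then the crypto map's match address check on Fa0/1 sees the post-NAT packet with Loopback1 as source), and reports which ACL line matched at each stage for the list as posted and with the first octet corrected. The LAN host 192.168.1.50 and the destinations 172.27.1.20 and 10.125.3.4 are assumed test addresses; ports and ICMP type qualifiers are not modelled.

```python
"""Offline model of how the posted apollo-router config handles LAN -> VPN traffic.

Added example, not code from the original post or from Cisco. The ACL text is a
constructed copy of the posted 'sunriserule' list; the packet path is a simplified
model of IOS order of operations for inside-to-outside traffic: the NAT route-map
is evaluated against the pre-NAT packet, the crypto map ACL against the post-NAT one.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed copy of the 'sunriserule' extended ACL as it appears in the thread.
SUNRISERULE_AS_POSTED = """
 permit ip host 127.29.40.10 10.125.0.0 0.0.255.255
 remark sunriserule
 permit ip 192.168.1.0 0.0.0.255 172.27.1.0 0.0.0.255
 permit ip host 172.29.40.10 172.27.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.125.0.0 0.0.255.255
 permit icmp any any echo-reply
"""
# The same list with the typo corrected, as both replies suggest.
SUNRISERULE_FIXED = SUNRISERULE_AS_POSTED.replace("127.29.40.10", "172.29.40.10")

LOOPBACK1 = ipaddress.ip_address("172.29.40.10")  # 'interface Loopback1' in the config
LAN_HOST = ipaddress.ip_address("192.168.1.50")   # assumed host on the Fa0/0 LAN
LOOPBACK_SPACE = ipaddress.ip_network("127.0.0.0/8")

AclEntry = Tuple[str, str, ipaddress.IPv4Network, ipaddress.IPv4Network]


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one IOS address spec (any | host A | A WILDCARD) at tokens[i]; return (net, next i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted netmasks: 0.0.255.255 -> 255.255.0.0
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def parse_acl(text: str) -> List[AclEntry]:
    """Turn the body of an 'ip access-list extended' block into (action, proto, src, dst) entries.

    Remarks are skipped. Port and ICMP-type qualifiers are ignored (none matter here).
    """
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        entries.append((tokens[0], tokens[1], src, dst))
    return entries


def acl_match(entries: List[AclEntry], proto: str, src, dst) -> Optional[int]:
    """First-match evaluation. Returns the 1-based entry number of the permit that matched,
    or None for an explicit deny or the implicit deny at the end of the list."""
    for n, (action, eproto, esrc, edst) in enumerate(entries, start=1):
        if eproto in ("ip", proto) and src in esrc and dst in edst:
            return n if action == "permit" else None
    return None


def lan_to_vpn(entries: List[AclEntry], dst_str: str, proto: str = "tcp"):
    """Follow one LAN packet: route-map NAT onto Loopback1, then the crypto-map ACL on Fa0/1.

    Returns (nat_entry, crypto_entry), the ACL line that matched at each stage (None = no match).
    A None crypto_entry means the packet leaves Fa0/1 unencrypted, not that it is dropped.
    """
    dst = ipaddress.ip_address(dst_str)
    # 'ip nat inside source route-map sunriserule interface Loopback1 overload'
    nat_entry = acl_match(entries, proto, LAN_HOST, dst)
    post_nat_src = LOOPBACK1 if nat_entry is not None else LAN_HOST
    # 'crypto map sunriseexchange 10 ipsec-isakmp' / 'match address sunriserule', post-NAT view
    crypto_entry = acl_match(entries, proto, post_nat_src, dst)
    return nat_entry, crypto_entry


def entries_in_loopback_space(entries: List[AclEntry]) -> List[int]:
    """Sanity check: ACL lines naming a 127.0.0.0/8 source or destination can never match on the wire."""
    return [n for n, (_a, _p, src, dst) in enumerate(entries, start=1)
            if src.subnet_of(LOOPBACK_SPACE) or dst.subnet_of(LOOPBACK_SPACE)]


if __name__ == "__main__":
    posted, fixed = parse_acl(SUNRISERULE_AS_POSTED), parse_acl(SUNRISERULE_FIXED)
    for dst in ("172.27.1.20", "10.125.3.4"):
        print(f"{dst:>12}  posted {lan_to_vpn(posted, dst)}  fixed {lan_to_vpn(fixed, dst)}")
    print("lines in 127/8 as posted:", entries_in_loopback_space(posted))
```

For a 172.27.1.0/24 destination the pre-NAT packet matches line 20, is translated to 172.29.40.10 and then matches line 30 in the crypto ACL, which is why that traffic works. For a 10.125.0.0/16 destination the pre-NAT packet matches line 40 (the single "1 match" in the show output), is translated to 172.29.40.10 and then matches nothing, because line 10 names 127.29.40.10, an address inside 127.0.0.0/8 that can never be a real source on the wire. The caveat a practitioner should keep in mind: on IOS a packet that misses the crypto-map ACL is not dropped, it is forwarded in cleartext out Fa0/1 via the default route with Loopback1's address as source, so the symptom is a leak as well as a failure. Correcting the first octet to 172 makes line 10 match the post-NAT packet, as the fixed variant shows. Separately, the posted phase 1 and phase 2 policy (3DES, MD5, DH group 2) would not pass a modern review, but that is unrelated to the routing fault.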