Cisco Support Community

New Member

No outbound traffic permitted except VPN

I hope someone can point me in the right direction as I have been staring at this problem for so long I think I may be completely overlooking the obvious. I have the router set up in a router-router VPN tunnel between 2 LANs. It works fine and all traffic passes along the tunnel and also I am able to access the Terminal Server on the network from the trusted host on the Internet. I am able to access the Internet with the internal clients. Then I enable access-list 112 and the problems start.

After solving most issues I ended up with the enclosed configuration, and most things work, except that no internal hosts are able to pass the router and connect to any services on the Internet other than with a ping. If I ping an external host I receive a reply, but as soon as I try to use a different protocol everything is blocked. Tunnel traffic does work. Logging also neatly tells me that the access-list is blocking the traffic, but I cannot seem to put my finger on where the config errors lie.

Can anyone advise?

Hall of Fame Super Silver

Re: No outbound traffic permitted except VPN


I have looked at the config that you posted. The first thing that I noticed is that access list 112 is applied inbound and you have this line:

access-list 112 permit ip

which identifies as the source. But if the access list is inbound then should be the destination since it is the locally connected network.

If you change the access list so that is the source and is the destination how does it work?



New Member

Re: No outbound traffic permitted except VPN

Hi Rick,

Thanks, this was indeed an oversight. However, it was not THE problem, unfortunately. After correcting it I still have the same problem. After attempting to connect to a webserver on the Internet the following is logged:

list 112 denied tcp (80)-> (1339), 1 packet



Re: No outbound traffic permitted except VPN

Please cross-check your logic of whether the access list is inbound or outbound against the source and destination part of the access list.

I noticed the following line in the access list:

access-list 112 permit ip

and also noticed that you have an interface with the ip address This implies that the subnet is local and should therefore be in the destination part of the access-list for an inbound access list.

Since you specified an "any" in the part of the access list permitting ICMP, that might be the reason the pings are replying.
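As an added example that is not part of this thread and not Cisco's own code, the Python script below models what both replies above describe: how an extended ACL applied inbound on the outside interface evaluates the reply packets coming back from the Internet. Everything in it is constructed: the LAN is assumed to be 192.0.2.0/24, the web server 203.0.113.10, and the client port 1339 is taken from the quoted log line. The `established` keyword (match only TCP segments with ACK or RST set) is a standard IOS ACL option that the thread does not mention; it is included here to show the difference between permitting replies and permitting every inbound connection.

```python
"""Toy evaluator for Cisco IOS numbered extended ACL lines (added example).

Assumptions, none from the thread: the LAN behind the router is 192.0.2.0/24,
the web server is 203.0.113.10, and access-list 112 is applied inbound on the
outside interface, so the packets it sees are replies heading toward the LAN.
"""
import ipaddress
import re

ACL_RE = re.compile(
    r"access-list (?P<num>\d+) (?P<action>permit|deny) "
    r"(?P<proto>ip|tcp|udp|icmp) (?P<rest>.+)"
)


def _parse_addr(tokens):
    """Consume one address spec: any | host A | A WILDCARD (contiguous masks only)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # An IOS wildcard is an inverted netmask: 0.0.0.255 means /24
    hostmask = int(ipaddress.ip_address(tokens.pop(0)))
    return ipaddress.ip_network(f"{tok}/{32 - hostmask.bit_length()}", strict=False)


def _parse_port(tokens):
    """Optional 'eq N' following an address; None when absent."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse_acl(lines):
    """Parse ACL lines into rule dicts, in order (order matters: first match wins)."""
    rules = []
    for line in lines:
        m = ACL_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACL line: {line}")
        tokens = m.group("rest").split()
        src, sport = _parse_addr(tokens), _parse_port(tokens)
        dst, dport = _parse_addr(tokens), _parse_port(tokens)
        rules.append(dict(text=line.strip(), action=m.group("action"), proto=m.group("proto"),
                          src=src, sport=sport, dst=dst, dport=dport,
                          established=bool(tokens) and tokens[0] == "established"))
    return rules


def evaluate(rules, pkt):
    """Return (action, matching entry); every IOS ACL ends with an implicit deny."""
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != pkt["proto"]:
            continue
        if ipaddress.ip_address(pkt["src"]) not in r["src"]:
            continue
        if ipaddress.ip_address(pkt["dst"]) not in r["dst"]:
            continue
        if r["sport"] is not None and r["sport"] != pkt.get("sport"):
            continue
        if r["dport"] is not None and r["dport"] != pkt.get("dport"):
            continue
        # 'established' matches only segments with ACK or RST set, i.e. replies
        if r["established"] and not (pkt.get("flags", set()) & {"ACK", "RST"}):
            continue
        return r["action"], r["text"]
    return "deny", "implicit deny ip any any"


def log_line(acl_num, action, pkt):
    """Render a verdict in the style of the log line quoted in the thread."""
    verb = {"deny": "denied", "permit": "permitted"}[action]
    return (f"list {acl_num} {verb} {pkt['proto']} {pkt['src']}({pkt.get('sport', '')}) -> "
            f"{pkt['dst']}({pkt.get('dport', '')}), 1 packet")


# Constructed packets as seen inbound on the outside interface
WEB_REPLY = dict(proto="tcp", src="203.0.113.10", sport=80, dst="192.0.2.50", dport=1339,
                 flags={"SYN", "ACK"})
PING_REPLY = dict(proto="icmp", src="203.0.113.10", dst="192.0.2.50")
UNSOLICITED_SSH = dict(proto="tcp", src="198.51.100.7", sport=40000, dst="192.0.2.50", dport=22,
                       flags={"SYN"})

# 1. LAN written as the *source* on an inbound list: the oversight pointed out above
LAN_AS_SOURCE = ["access-list 112 permit ip 192.0.2.0 0.0.0.255 any",
                 "access-list 112 permit icmp any any"]
# 2. Direction fixed, but 'permit ip any LAN' also admits unsolicited connections
LAN_AS_DEST_BROAD = ["access-list 112 permit ip any 192.0.2.0 0.0.0.255"]
# 3. Direction fixed and limited to replies with 'established'
LAN_AS_DEST_REPLIES = ["access-list 112 permit tcp any 192.0.2.0 0.0.0.255 established",
                       "access-list 112 permit icmp any 192.0.2.0 0.0.0.255"]


def verdicts(acl_lines):
    """Map each sample packet name to permit/deny under the given ACL."""
    rules = parse_acl(acl_lines)
    samples = [("web_reply", WEB_REPLY), ("ping_reply", PING_REPLY),
               ("unsolicited_ssh", UNSOLICITED_SSH)]
    return {name: evaluate(rules, p)[0] for name, p in samples}


if __name__ == "__main__":
    for label, acl in [("LAN as source", LAN_AS_SOURCE), ("LAN as dest, permit ip", LAN_AS_DEST_BROAD),
                       ("LAN as dest, established", LAN_AS_DEST_REPLIES)]:
        print(label, verdicts(acl))
    print(log_line(112, evaluate(parse_acl(LAN_AS_SOURCE), WEB_REPLY)[0], WEB_REPLY))
```

With the LAN as the source, the script reproduces the symptom in the thread: the ICMP reply is admitted by `permit icmp any any` while the TCP reply from port 80 to port 1339 falls through to the implicit deny. Simply swapping source and destination with a `permit ip` fixes the web reply but also admits an unsolicited inbound SYN to port 22, which is why limiting the inbound entry to `established` replies (or using a stateful inspection feature) is the safer shape for this list.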
