Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

No outbound traffic permitted except VPN

I hope someone can point me in the right direction as I have been staring at this problem for so long I think I may be completely overlooking the obvious. I have the router set up in a router-router VPN tunnel between 2 LANs. It works fine and all traffic passes along the tunnel and also I am able to access the Terminal Server on the network from the trusted host on the Internet. I am able to access the Internet with the internal clients. Then I enable access-list 112 and the problems start.

After solving most issues I ended up with the enclosed configuration and most things work except no internal hosts are able to pass the router and connect to any services on the Internet except using a ping. If I ping an external host I receive a reply but as soon as I try and use a different protocol everything is blocked. Tunnel traffic does work. Logging also neatly tells me that access-list is blocking the traffic, but I cannot seem to put my finger on where the config errors lie.

Can anyone advise?

3 REPLIES
Hall of Fame Super Silver

Re: No outbound traffic permitted except VPN

Gerwin

I have looked at the config that you posted. The first thing that I noticed is that access list 112 is applied inbound and you have this line:

access-list 112 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

which identifies 192.168.2.0 as the source. But if the access list is inbound then 192.168.2.0 should be the destination since it is the locally connected network.

If you change the access list so that 192.168.1.0 is the source and 192.168.2.0 is the destination how does it work?

HTH

Rick

New Member

Re: No outbound traffic permitted except VPN

Hi Rick,

Thanks, this was indeed an oversight. However it was not THE problem unfortunately. After correcting I still have the same problem. After attempting to connect to a webserver on the internet the following is logged:

list 112 denied tcp (80)-> (1339), 1 packet

Gerwin

Silver

Re: No outbound traffic permitted except VPN

Please cross check your logic of whether the access list is inbound and outbound against the source and destination part of the access list

I noticed following line in the access list

access-list 112 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

and also noticed that you have an interface with the ip address 192.168.2.254/24. This implies that the subnet 192.168.2.0/24 is local and should therefore be in the destination part of the access-list for an inbound access list.

Since you specified an "any" in the part of the access list permiting ICMPs, that might be the reason the pings are replying.

125
Views
0
Helpful
3
Replies
CreatePlease login to create content