I hope someone can point me in the right direction as I have been staring at this problem for so long I think I may be completely overlooking the obvious. I have the router set up in a router-router VPN tunnel between 2 LANs. It works fine and all traffic passes along the tunnel and also I am able to access the Terminal Server on the network from the trusted host on the Internet. I am able to access the Internet with the internal clients. Then I enable access-list 112 and the problems start.
After solving most issues I ended up with the enclosed configuration and most things work, except that no internal hosts are able to pass the router and connect to any services on the Internet other than with a ping. If I ping an external host I receive a reply, but as soon as I try to use a different protocol everything is blocked. Tunnel traffic does work. Logging also neatly tells me that the access-list is blocking the traffic, but I cannot seem to put my finger on where the config errors lie.
Thanks, this was indeed an oversight. However it was not THE problem unfortunately. After correcting I still have the same problem. After attempting to connect to a webserver on the internet the following is logged:
Please cross-check your logic of whether the access list is inbound or outbound against the source and destination part of the access list.
I noticed the following line in the access list:
access-list 112 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
and also noticed that you have an interface with the ip address 192.168.2.254/24. This implies that the subnet 192.168.2.0/24 is local and should therefore be in the destination part of the access-list for an inbound access list.
Since you specified an "any" in the part of the access list permitting ICMP, that might be the reason the pings are replying.
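As an added illustration of the point above (not the poster's enclosed configuration), this is how an inbound list on the Internet-facing interface can be oriented so the local LAN 192.168.2.0/24 is the destination, with Context-Based Access Control (ip inspect) opening the return path for sessions the inside hosts start instead of a blanket ICMP "any any". The interface name Dialer0, the placeholders PEER-IP, TRUSTED-HOST and PUBLIC-IP, the terminal server port 3389 and the use of IPsec are assumptions.

```cisco
! Added example, not the thread's configuration. Assumed: Dialer0 is the
! Internet-facing interface, PEER-IP the VPN peer, TRUSTED-HOST the Internet
! host allowed to reach the terminal server, PUBLIC-IP the router's outside
! address that NAT maps to the terminal server, IPsec as the tunnel type.
!
! As posted, inbound on the outside interface with the local LAN as SOURCE:
!   access-list 112 permit icmp any any
!   access-list 112 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
! Nothing arriving from the Internet or the tunnel carries 192.168.2.x as
! its source, so only the ICMP line matches: pings work, every TCP/UDP
! reply falls through to the implicit deny and shows up in the log.
!
! Corrected: on an inbound list the local LAN is the DESTINATION.
no access-list 112
! IPsec tunnel set-up from the peer (IKE, IKE over NAT-T, ESP)
access-list 112 permit udp host PEER-IP any eq isakmp
access-list 112 permit udp host PEER-IP any eq non500-isakmp
access-list 112 permit esp host PEER-IP any
! remote LAN to local LAN; IOS re-checks decrypted packets against this list
access-list 112 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
! trusted host to the terminal server only. The inbound list is evaluated
! before NAT, so match the public address, not 192.168.2.x
access-list 112 permit tcp host TRUSTED-HOST host PUBLIC-IP eq 3389
! ICMP the inside hosts need back, not "any any"
access-list 112 permit icmp any any echo-reply
access-list 112 permit icmp any any unreachable
access-list 112 permit icmp any any time-exceeded
! explicit deny with log keeps the evidence the poster was already seeing
access-list 112 deny ip any any log
!
! Return traffic for sessions the inside hosts open: CBAC inspects outbound
! sessions and adds temporary inbound entries, so the static list need not
! be widened and NAT'd replies (destination = PUBLIC-IP) are still admitted.
ip inspect name INSIDE-OUT tcp
ip inspect name INSIDE-OUT udp
ip inspect name INSIDE-OUT icmp
!
interface Dialer0
 ip access-group 112 in
 ip inspect INSIDE-OUT out
```

"show ip inspect sessions" lists the dynamic entries CBAC has opened, and "show access-lists 112" shows which static line each packet matched, which is the quickest way to confirm the orientation is right.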