ACL - VPN Issue

reginaldjohnson
Level 1

I am stuck on an internet border router issue. Recently, I installed a Cisco 1920 router with IOS version 15.0 for a new mobile-in-the-field project. I have Cox as my ISP and Verizon (VPN) as the service provider for my mobile devices in the field. I have a server on-premise that will be collecting the data sent from the mobile devices to the server sitting behind the inside interface on the internet border router. It took about a week for me to realize the mobile devices in the field could not send data to the internal server because the VPN ACL had to be modified to permit the private IP addresses of the mobile devices over the VPN tunnel.
My mobile devices are able to send data to the on-premise server and access the internet.
When I attempt to apply an ACL on the outside interface on my router, the mobile devices' VPN communication is dropped. Cisco best practices suggest applying an ACL to the outside internet interface on the border router. How can I apply an ACL (in) to the outside interface of my border router without dropping communication on the VPN tunnel?
crypto map VZW_VPNTUNNEL 1 ipsec-isakmp
description Verizon Wireless Tunnel
set peer 198.200.200.1
!
interface Tunnel1
description GRE Tunnel to Verizon Wireless
ip address 10.5.71.2 255.255.255.252
ip nat inside
ip virtual-reassembly in
tunnel source 198.200.200.1
tunnel destination 179.40.100.100
!
interface GigabitEthernet0/0
description outside link to VZW VPN
ip address 198.200.200.1 255.255.255.240
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
no ip route-cache
duplex auto
speed auto
crypto map VZW_VPNTUNNEL
!
interface GigabitEthernet0/1
ip address 192.168.18.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
!
router bgp 85505
bgp log-neighbor-changes
neighbor 10.5.71.1 remote-as 86167
neighbor 10.5.71.1 default-originate
neighbor 10.5.71.5 remote-as 86167
neighbor 10.5.71.5 default-originate route-map prepend
!
ip default-gateway 198.200.200.2

ip dns server
ip nat inside source list 25 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 198.200.200.2
ip route 192.168.18.1 255.255.255.0 GigabitEthernet0/1

ip access-list extended PAT_ACL
permit ip 172.16.16.0 0.0.0.255 any
permit ip 172.16.20.0 0.0.0.255 any
ip access-list extended VZW_VPN
permit gre host 198.200.200.1 host 179.40.100.100
permit icmp host 198.200.200.1 host 179.40.100.100
permit udp host 198.200.200.1 host 179.40.100.100 eq isakmp
permit esp host 198.200.200.1 host 179.40.100.100
permit tcp host 201.101.83.243 eq 20500 172.16.16.0 0.0.0.255
permit tcp 172.16.16.0 0.0.0.255 eq 20500 host 201.101.83.243
permit icmp 172.16.16.0 0.0.0.255 host 192.168.18.12
permit tcp host 201.101.83.243 eq 20500 172.16.20.0 0.0.0.255
permit tcp 172.16.20.0 0.0.0.255 eq www host 192.168.18.12
permit tcp 172.16.20.0 0.0.0.255 eq 6080 host 192.168.18.12
permit tcp 172.16.20.0 0.0.0.255 eq 443 host 198.200.200.1
permit udp 172.16.20.0 0.0.0.255 eq domain host 8.8.8.8
permit udp 172.16.20.0 0.0.0.255 eq domain host 198.200.200.2
permit udp 172.16.20.0 0.0.0.255 eq domain host 198.200.200.1
permit icmp 172.16.20.0 0.0.0.255 host 8.8.8.8
permit udp 172.16.20.0 0.0.0.255 eq domain host 8.8.4.4
permit icmp 172.16.20.0 0.0.0.255 host 192.168.18.12
permit icmp 172.16.20.0 0.0.0.255 host 198.200.200.2
deny ip any any
!
!access-list 10 permit 192.168.87.0 0.0.0.255
access-list 10 permit 192.168.18.0 0.0.0.255
access-list 10 permit 172.16.16.0 0.0.0.255
access-list 10 permit 172.16.20.0 0.0.0.255 log
access-list 10 deny any
access-list 25 permit 172.16.20.0 0.0.0.255
access-list 25 permit 172.16.16.0 0.0.0.255 log
access-list 120 deny tcp any any eq 22 log
!
!
!
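Added example, not part of the post above and not Cisco code: a small Python evaluator for IOS-style extended ACL entries, used to show what an inbound ACL on the outside interface actually sees when a crypto map and a GRE tunnel are bound to it. Inbound on Gi0/0 the packets are ISAKMP, ESP and (after IOS decrypts the ESP and re-checks the cleartext against the same inbound ACL) GRE, all with the remote peer as the source and the local address as the destination. The evaluator assumes the remote peer is 179.40.100.100 (the GRE tunnel destination in the post), that the VZW_VPN list was meant as the inbound ACL on Gi0/0, and it supports only the `any`, `host`, wildcard and `eq` forms; the "corrected" list and the sample packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords IOS accepts in place of numbers (subset used here)
PORT_NAMES = {"isakmp": 500, "domain": 53, "www": 80}


@dataclass(frozen=True)
class Packet:
    """A packet as seen on the interface where the ACL is applied."""
    proto: str                      # gre, esp, udp, tcp, icmp
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def _parse_addr(tokens, i):
    """Parse one IOS address spec (any | host A | A WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # IOS wildcard masks are inverted subnet masks (0.0.0.255 -> /24)
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq PORT' qualifier (only 'eq' is supported here)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_acl(text):
    """Parse '{permit|deny} PROTO SRC [eq P] DST [eq P] [log]' lines into tuples."""
    entries = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("remark"):
            continue
        t = line.split()
        action, proto = t[0], t[1]
        src, i = _parse_addr(t, 2)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        entries.append((action, proto, src, sport, dst, dport))
    return entries


def evaluate(acl, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, proto, src, sport, dst, dport in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in src or ipaddress.ip_address(pkt.dst) not in dst:
            continue
        if sport is not None and sport != pkt.sport:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"


LOCAL, PEER = "198.200.200.1", "179.40.100.100"   # Gi0/0 address and tunnel destination from the post

# Tunnel transport entries copied from the posted VZW_VPN list: local address is the source
POSTED_TRANSPORT = """
permit gre host 198.200.200.1 host 179.40.100.100
permit icmp host 198.200.200.1 host 179.40.100.100
permit udp host 198.200.200.1 host 179.40.100.100 eq isakmp
permit esp host 198.200.200.1 host 179.40.100.100
deny ip any any
"""

# Constructed alternative for an *inbound* ACL: the remote peer is the source
CORRECTED_TRANSPORT = """
permit udp host 179.40.100.100 eq isakmp host 198.200.200.1 eq isakmp
permit esp host 179.40.100.100 host 198.200.200.1
permit gre host 179.40.100.100 host 198.200.200.1
permit icmp host 179.40.100.100 host 198.200.200.1
deny ip any any
"""

# Constructed samples of what arrives inbound on Gi0/0 (203.0.113.9 is a documentation address)
INBOUND = {
    "isakmp_from_peer": Packet("udp", PEER, LOCAL, 500, 500),
    "esp_from_peer": Packet("esp", PEER, LOCAL),
    "gre_from_peer_after_decrypt": Packet("gre", PEER, LOCAL),
    "ssh_from_internet": Packet("tcp", "203.0.113.9", LOCAL, 51000, 22),
}


def check(acl_text):
    """Return the action each sample packet gets under the given ACL text."""
    acl = parse_acl(acl_text)
    return {name: evaluate(acl, pkt) for name, pkt in INBOUND.items()}


if __name__ == "__main__":
    for label, text in (("posted", POSTED_TRANSPORT), ("corrected", CORRECTED_TRANSPORT)):
        print(label, check(text))
```

Under the posted entries every tunnel packet from the peer falls through to `deny ip any any`, because the source and destination are written in the outbound direction; the corrected entries permit only the peer's ISAKMP, ESP, GRE and ICMP while an unsolicited SSH attempt from the internet is still denied. Entries that describe the mobile devices' private addresses (172.16.16.0/24, 172.16.20.0/24) are never seen on Gi0/0 in this design: they are carried inside GRE and surface on the Tunnel1 interface, which is where an ACL for that traffic would belong.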