12-21-2011 05:18 PM - edited 03-11-2019 03:05 PM
Hello all,
I have a working EasyVPN setup. We need to change the HQ IP address (currently it is 85.146.110.101).
This ACL is applied to the FastEthernet interface connecting to the ISP:
interface FastEthernet4
description $FW_OUTSIDE$$ETH-WAN$
ip address dhcp
ip access-group 101 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto ipsec client ezvpn Acom
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark Auto generated by SDM for EzVPN (udp-10000) Acom
access-list 101 permit udp host 85.146.110.101 any eq 10000
access-list 101 remark Auto generated by SDM for EzVPN (non500-isakmp) Acom
access-list 101 permit udp host 85.146.110.101 any eq non500-isakmp
access-list 101 remark Auto generated by SDM for EzVPN (isakmp) Acom
access-list 101 permit udp host 85.146.110.101 any eq isakmp
access-list 101 remark Auto generated by SDM for EzVPN (ahp) Acom
access-list 101 permit esp host 85.146.110.101 any
access-list 101 remark Auto generated by SDM for EzVPN (esp) Acom
access-list 101 permit ahp host 85.146.110.101 any
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp host 85.146.110.101 any eq 22
access-list 101 permit tcp host 85.146.110.101 any eq www
access-list 101 permit tcp host 85.146.110.101 any eq 443
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any log
I do the following via CLI:
Remove access-group 101 in under FastEthernet 4
Remove ACL 101
Re-add ACL 101 with the new IP address (85.146.110.101 becomes, let's say, 212.31.31.2114)
(So I have exactly the same ACL, only the IP address changes)
As soon as I apply the ACL again to interface FastEthernet 4, internet access is lost.
If I put the original ACL 101 (with IP address 85.146.110.101) back, it works fine.
So I am wondering what is wrong with my ACL? Should I make the change via SDM instead of CLI (to be honest, I did not know/use SDM before today)?
Can anyone help?
Thanks.
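Before pasting a rewritten ACL into the router, it is worth checking offline that the new list really differs from the old one only in the peer address, and that the replacement address is a syntactically valid IPv4 address. The script below is an added example, not code from the thread or from Cisco: it takes the ACL exactly as posted above, swaps the HQ host address, lists the entries that changed, and runs a few structural checks (valid host octets, DHCP replies still permitted since the interface uses `ip address dhcp`, explicit logged deny still last). The function names `rewrite_acl`, `diff_acl` and `audit_acl` and the candidate addresses passed to them are assumptions for illustration.

```python
"""Rewrite and sanity-check a Cisco IOS extended ACL when a peer address changes.

Added example, not code from the original thread. The ACL text is copied
from the post; the helper names and the candidate replacement addresses are
assumptions for illustration.
"""
import ipaddress
import re

# The ACL as posted in the thread (configuration text, copied verbatim).
ACL_101 = """\
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark Auto generated by SDM for EzVPN (udp-10000) Acom
access-list 101 permit udp host 85.146.110.101 any eq 10000
access-list 101 remark Auto generated by SDM for EzVPN (non500-isakmp) Acom
access-list 101 permit udp host 85.146.110.101 any eq non500-isakmp
access-list 101 remark Auto generated by SDM for EzVPN (isakmp) Acom
access-list 101 permit udp host 85.146.110.101 any eq isakmp
access-list 101 remark Auto generated by SDM for EzVPN (ahp) Acom
access-list 101 permit esp host 85.146.110.101 any
access-list 101 remark Auto generated by SDM for EzVPN (esp) Acom
access-list 101 permit ahp host 85.146.110.101 any
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp host 85.146.110.101 any eq 22
access-list 101 permit tcp host 85.146.110.101 any eq www
access-list 101 permit tcp host 85.146.110.101 any eq 443
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any log
""".splitlines()

# Matches the dotted-quad after the 'host' keyword, even if an octet is mistyped.
HOST_RE = re.compile(r"\bhost (\d+\.\d+\.\d+\.\d+)\b")


def validate_ipv4(addr: str) -> str:
    """Return addr normalised if it is a valid IPv4 address, else raise ValueError."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on an octet > 255
    if ip.version != 4:
        raise ValueError(f"{addr} is not an IPv4 address")
    return str(ip)


def rewrite_acl(lines, old_ip, new_ip):
    """Return a copy of the ACL with every 'host old_ip' replaced by 'host new_ip'.

    Both addresses are validated first, so a mistyped octet (e.g. a last
    octet of 2114) is rejected before anything reaches the router.
    """
    old_ip = validate_ipv4(old_ip)
    new_ip = validate_ipv4(new_ip)
    return [line.replace(f"host {old_ip}", f"host {new_ip}") for line in lines]


def diff_acl(old, new):
    """Return (index, old_line, new_line) for every entry that differs."""
    if len(old) != len(new):
        raise ValueError("ACLs differ in length; entries were added or dropped")
    return [(i, o, n) for i, (o, n) in enumerate(zip(old, new)) if o != n]


def audit_acl(lines):
    """Structural checks before applying an inbound WAN ACL; True means the check passes."""
    entries = [l for l in lines if " remark " not in l]
    hosts = {m.group(1) for l in entries for m in HOST_RE.finditer(l)}
    bad_hosts = []
    for h in hosts:
        try:
            validate_ipv4(h)
        except ValueError:
            bad_hosts.append(h)
    return {
        "all_host_addresses_valid": not bad_hosts,
        # The interface gets its address by DHCP, so DHCP replies must stay permitted.
        "dhcp_reply_permitted": any("permit udp any eq bootps any eq bootpc" in l for l in entries),
        # An explicit final deny with 'log' keeps dropped packets visible in the router log.
        "ends_with_explicit_deny": bool(entries) and entries[-1].endswith("deny ip any any log"),
        "distinct_host_addresses": len(hosts),
    }


if __name__ == "__main__":
    new_acl = rewrite_acl(ACL_101, "85.146.110.101", "212.31.31.211")
    for idx, old_line, new_line in diff_acl(ACL_101, new_acl):
        print(f"entry {idx}:\n  - {old_line}\n  + {new_line}")
    print(audit_acl(new_acl))
```

The check is purely syntactic and says nothing about what the router actually drops after the swap; because the last entry is `deny ip any any log`, the router's own log records the packets that hit the final deny, which is the place to look when internet access disappears after the new list is applied.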
12-21-2011 08:49 PM
Hello Carlo,
Making the ACL via SDM is not the solution.
1- After making the changes to the ACL, you still apply it to the interface (access-group), right?
2- Are you able to ping the HQ IP address from the router after the change? Are you able to ping 4.2.2.2?
At this moment, as it is the same configuration, you will need to confirm whether you are getting replies from the HQ IP address 212.31.31.211.
Regards,
Julio
12-22-2011 12:38 AM
Hi Carlo,
Thanks for your reply.
Yes, I tried applying the ACL to the interface. But as soon as I do, I lose the connection to the router (I am connected via the WAN).
We can connect over the IPsec but we lose internet access. We cannot ping 8.8.8.8 (Google).
I created an ACL 102 with permit ip any any, and again when I apply it to the interface I lose the connection.
But when I put the existing ACL back, the WAN connection is back.
Regards,
Carlo
12-22-2011 01:07 AM
Hi,
Can you post the full config?
Regards.
Alain