01-06-2012 10:14 AM - edited 03-11-2019 03:11 PM
Hello,
On a 2821 Router with 15.1(3)T1
I have an IPSec VPN and NAT configured. Return traffic from an internal NAT host seems to be blocked by the WAN inbound ACL. What is the proper way to allow return traffic from the Internet for this internal NAT host? Note: As a test, removing the deny entry on the WAN ACL allows return traffic.
Below is config detail and a console log entry.
Thanks,
Dan
!
interface GigabitEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.10.252 255.255.255.0
 ip nat inside
!
!
interface GigabitEthernet0/1
 description WAN$ETH-WAN$
 ip address 207.xx.xx.02 255.255.255.240 secondary
 ip address 207.xx.xx.xx 255.255.255.240
 ip access-group WAN in
 ip nat outside
 crypto map 3377
!
!
ip nat pool Corp 207.xx.xx.02 207.xx.xx.02 netmask 255.255.255.240
ip nat inside source route-map SDM_RMAP_1 pool Corp overload
!
ip access-list extended WAN
 permit ahp host 66.xx.xx.xx host 207.xx.xx.xx
 permit esp host 66.xx.xx.xx host 207.xx.xx.xx
 permit udp host 66.xx.xx.xx host 207.xx.xx.xx eq isakmp
 permit udp host 66.xx.xx.xx host 207.xx.xx.xx eq non500-isakmp
 permit ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny ip any any log
!
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
Console Log Entry:
SEC-6-IPACCESSLOGP: list WAN denied tcp 173.223.52.34(80) -> 207.xx.xx.xx.02(4974), 1 packet
01-06-2012 10:32 AM
Hello,
You can configure Reflexive ACLs, CBAC or ZBFW so the connections being initiated on the inside can be inspected and allowed (return traffic).
The easiest to configure is CBAC, but the most flexible is ZBFW.
CBAC:
http://docwiki.cisco.com/wiki/CBAC
ZBF:
http://blogg.kvistofta.nu/cisco-ios-zone-based-policy-firewall/
Reflexive ACL:
http://www.orbit-computer-solutions.com/Reflexive-ACLs.php
Regards.
Julio
01-06-2012 11:54 AM
Julio,
Thanks. I went with CBAC. Yes, it was more simple to configure. Traffic is now returning!
I see the VPN traffic is getting inspected (I put the CBAC on the Outside Interface - Outbound). Is there a way to skip the inspecting of VPN traffic, assuming it is using CPU cycles unnecessarily to inspect this traffic?
Dan
01-06-2012 12:22 PM
Hello,
Great to hear that it is working. CBAC is not going to inspect the VPN traffic due to encryption.
Regards,
01-06-2012 01:37 PM
Julio,
I see it is inspecting VPN traffic before it goes to the tunnel.
Dan
01-06-2012 02:18 PM
Hello,
Can you post your CBAC configuration?
The thing with CBAC is that it's not flexible at all, so either you inspect X traffic or you don't.
So lets see the following example.
You have a VPN established, and on the remote site there is a HTTP server.
On your CBAC config you are inspecting HTTP, so that traffic will be inspected no matter what; there is such an option to avoid that, in fact that is the whole purpose of ZBFW (flexible).
Rate if this helps.
Julio
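As an added example that is not part of the thread (not Dan's or Julio's configuration): the ZBFW equivalent of the CBAC fix from the accepted answer, written against the interfaces and addresses already posted, with the site-to-site VPN flows passed instead of inspected to address the follow-up about skipping inspection of tunnel traffic. Zone, class-map, policy-map and ACL names are assumptions. Rather than leaving a static inbound ACL and the firewall to interact, the example takes the WAN ACL off GigabitEthernet0/1 and expresses the same restrictions (only the peer's IKE/ESP/AH to the router, only decrypted 192.168.7.0/24 traffic into the LAN, everything else dropped and logged) as zone policies, which is also an assumption about how one would want to migrate.

```cisco
! Added example (not from the thread): ZBFW replacing the CBAC "ip inspect Corp out"
! and the static WAN ACL. Names are assumed; addresses are the ones posted above.
!
! The static deny on the outside interface is what blocked the return traffic in
! the first place, so this example moves all inbound filtering into zone policies.
interface GigabitEthernet0/1
 no ip access-group WAN in
!
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0.2
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
!
! Site-to-site traffic: what the crypto map will encrypt, and what it has decrypted.
ip access-list extended ACL-VPN-FLOWS
 permit ip 192.168.10.0 0.0.0.255 192.168.7.0 0.0.0.255
ip access-list extended ACL-VPN-FLOWS-RETURN
 permit ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
!
! Tunnel control traffic to the router itself (same set the WAN ACL permitted).
ip access-list extended ACL-VPN-CONTROL
 permit ahp host 66.xx.xx.xx host 207.xx.xx.xx
 permit esp host 66.xx.xx.xx host 207.xx.xx.xx
 permit udp host 66.xx.xx.xx host 207.xx.xx.xx eq isakmp
 permit udp host 66.xx.xx.xx host 207.xx.xx.xx eq non500-isakmp
!
class-map type inspect match-all CM-VPN-FLOWS
 match access-group name ACL-VPN-FLOWS
class-map type inspect match-all CM-VPN-FLOWS-RETURN
 match access-group name ACL-VPN-FLOWS-RETURN
class-map type inspect match-all CM-VPN-CONTROL
 match access-group name ACL-VPN-CONTROL
! Same protocol set as the posted "ip inspect name Corp ..." lines; ftp is listed
! before tcp so the application inspection, not the generic tcp match, wins.
class-map type inspect match-any CM-INTERNET
 match protocol ftp
 match protocol icmp
 match protocol tcp
 match protocol udp
!
! Inside -> outside: VPN flows are passed (no session state, no inspection CPU);
! everything else bound for the Internet is inspected, which is what lets the
! NATed return traffic back in.
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-VPN-FLOWS
  pass
 class type inspect CM-INTERNET
  inspect
 class class-default
  drop log
!
! Outside -> inside: "pass" is stateless, so the decrypted return direction of
! the VPN needs its own pass; Internet return traffic is matched by the sessions
! the inspect action above created and needs no entry here.
policy-map type inspect PM-OUT-TO-IN
 class type inspect CM-VPN-FLOWS-RETURN
  pass
 class class-default
  drop log
!
! Outside -> router: only the IPsec peer's IKE/ESP/AH reaches the control plane,
! mirroring the old WAN ACL's "deny ip any any log".
policy-map type inspect PM-OUT-TO-SELF
 class type inspect CM-VPN-CONTROL
  pass
 class class-default
  drop log
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-TO-OUT
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-TO-IN
zone-pair security OUT-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUT-TO-SELF
```

After applying it, `show policy-map type inspect zone-pair sessions` should list only the NATed Internet sessions, and the 192.168.10.x to 192.168.7.x flows that showed up under `show ip inspect session` in the thread should no longer appear, because they hit the pass class. Two caveats: the OUT-SELF policy drops replies to connections the router itself originates (DNS, NTP and the like), exactly as the posted WAN ACL did, so add a pass or inspect class for those if the router needs them; and since the self zone is only policed in the outside-to-self direction, self-to-outside stays at its default of permitted.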
01-06-2012 02:28 PM
Julio,
Thanks. Looks as if it is functioning as expected then.
ip inspect log drop-pkt
ip inspect name Corp tcp
ip inspect name Corp udp
ip inspect name Corp ftp
ip inspect name Corp icmp
ip inspect Corp out
show ip inspect session
(Result below is traffic before going through VPN)
Session 49F9DB08 (192.168.10.163:161)=>(192.168.7.108:1796) udp SIS_OPEN
Session 49F983E8 (192.168.10.3:161)=>(192.168.7.108:1825) udp SIS_OPEN
Session 4CCD35E4 (192.168.10.83:161)=>(192.168.7.108:2092) udp SIS_OPEN
Session 4CCD4084 (192.168.10.82:161)=>(192.168.7.108:2089) udp SIS_OPEN
Session 49F9C188 (192.168.10.106:58020)=>(192.168.7.61:5723) tcp SIS_OPEN
Session 4CCD2704 (192.168.10.163:161)=>(192.168.7.108:2118) udp SIS_OPEN
Session 49F961E8 (192.168.10.3:161)=>(192.168.7.108:1948) udp SIS_OPEN
Dan
01-06-2012 02:32 PM
Hello,
Yep, that is the thing with CBAC. In fact it is working as it should.
Hope this helps.
Have a great weekend, any other question just let me know.
Julio