Site-to-Site IPSec between SR520W-FE and SR520-FE

malough_j (Level 1)

I have a problem getting traffic to flow both ways through the S2S IPSec VPN I was getting help with in the VPN section; I was referred to the firewall section, as it was guessed to be a firewall issue https://supportforums.cisco.com/message/3255411#3255411

Router A (or the "office" SR520W-FE router) can ping from the subnet 10.15.0.0/24 to Router B (or the "pit" SR520-FE router) subnet 10.15.1.0/24.

But I cannot ping from the Router B subnet to the Router A subnet. Also, devices behind Router A lose the ability to get onto the internet; yet VPN clients and port-forwarded services can connect from the internet.

Accepted Solution

Log in to the router with a priv. 15 account. Get into "conf t" mode and copy and paste what Prapanch provided.

router#conf t
! class-map that matches ICMP traffic
class-map type inspect ICMP
 match protocol icmp
! add the ICMP class to the existing out-in inspect policy so replies are tracked
policy-map type inspect sdm-inspect-voip-in
 class type inspect ICMP
  inspect
end

-KS

7 Replies

manasjai (Cisco Employee)

Hi Jeffry,

1) Router A (or the "office" SR520W-FE router) can ping from the subnet 10.15.0.0/24 to Router B (or the "pit" SR520-FE router) subnet 10.15.1.0/24, but cannot ping from the Router B subnet to the Router A subnet.

We have ZBF configured on both the routers, which might be dropping the packets.

I request you to do the following on both the routers:

1. Enable logging buffered at level 7.
2. Now, put in the command "ip inspect log drop-pkt" on both the routers.
3. Initiate the ping from 10.15.1.x to 10.15.0.y.
4. Finally, on both the routers, collect the outputs of:

sh log | in 10.15.1.x
sh log | in 10.15.0.y

The "ip inspect log drop-pkt" would log all the packets dropped by the firewall. If you could send these outputs, we should be able to figure out if ZBF is dropping the packets.

2) Also, devices behind Router A lose the ability to get onto the internet; yet, VPN clients and port-forwarded services can connect from the internet.

I request you to let me know when internal users lose connectivity to the internet.

Cheers,

Manasi!!
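The procedure above ends with eyeballing "sh log" output for the test hosts. As an added example (not from this thread or from Cisco), here is a small parser that does that filtering over a saved log and counts drops per zone-pair, class and protocol, which is exactly what tells you which policy-map needs a new class. The log lines are constructed to match the %FW-6-DROP_PKT message shape that "ip inspect log drop-pkt" produces; the exact format is assumed and should be checked against your own router's output.

```python
import re
from collections import Counter

# Constructed sample syslog buffer (not real router output). The first three
# lines follow the assumed %FW-6-DROP_PKT layout; the last is a non-drop line
# that the parser must ignore.
SAMPLE_LOG = """\
*Mar  1 00:12:41.123: %FW-6-DROP_PKT: Dropping icmp session 10.15.1.254:0 10.15.0.2:0 on zone-pair sdm-zp-out-in class class-default due to  DROP action found in policy-map with ip ident 0
*Mar  1 00:12:43.125: %FW-6-DROP_PKT: Dropping icmp session 10.15.1.254:0 10.15.0.2:0 on zone-pair sdm-zp-out-in class class-default due to  DROP action found in policy-map with ip ident 0
*Mar  1 00:12:50.001: %FW-6-DROP_PKT: Dropping tcp session 10.15.1.10:51234 10.15.0.1:3389 on zone-pair sdm-zp-out-in class class-default due to  DROP action found in policy-map with ip ident 0
*Mar  1 00:13:02.777: %FW-6-SESS_AUDIT_TRAIL_START: Start icmp session: initiator (10.15.0.2:0) -- responder (10.15.1.254:0)
"""

# Assumed message layout: "Dropping <proto> session <src>:<sport> <dst>:<dport>
# on zone-pair <zp> class <class> ..."
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zp>\S+) class (?P<cls>\S+)"
)


def parse_drops(text):
    """Return one dict per %FW-6-DROP_PKT line; other syslog lines are skipped."""
    drops = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            drops.append(d)
    return drops


def drops_for_host(drops, host):
    """Same idea as 'sh log | in <host>': drops where host is source or destination."""
    return [d for d in drops if host in (d["src"], d["dst"])]


def summarize(drops):
    """Count drops per (zone-pair, class, protocol): the class-default hits on a
    zone-pair are the traffic that needs its own inspect class, as in the fix below."""
    return Counter((d["zp"], d["cls"], d["proto"]) for d in drops)


if __name__ == "__main__":
    drops = parse_drops(SAMPLE_LOG)
    for (zp, cls, proto), n in summarize(drops).most_common():
        print(f"{n:3d}  zone-pair={zp} class={cls} proto={proto}")
```

Feed it the saved output of "sh log" from each router instead of SAMPLE_LOG; a drop counted under class-default on sdm-zp-out-in for icmp is the symptom Prapanch's class-map addresses.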

I did what you asked, and see dropped ICMP packets from 10.15.1.254 when trying to ping 10.15.0.2.

The internet does not work once I change the access lists, but port forwarding and VPN clients can connect.

Hi Jeffry,

Based on the log it's being dropped by class-default on the policy-map associated to zone-pair "sdm-zp-out-in".

Please create a new class-map for ICMP as below and let us know how it goes!!

! class-map that matches ICMP traffic
class-map type inspect ICMP
 match protocol icmp
! attach it to the out-in inspect policy so ICMP is inspected instead of hitting class-default
policy-map type inspect sdm-inspect-voip-in
 class type inspect ICMP
  inspect

Cheers,

Prapanch

Could someone point me to a document on how to perform this? I am still learning how to configure via the CLI in IOS.

Thanks


Thanks, I am able to ping devices in each direction. But devices are unable to get on the internet. A ping to the ISP's gateway on the WAN connection (FastEthernet4) does not produce a reply.

Also, the computers on 10.15.1.0/24 are unable to connect to the RDP service on the servers 10.15.0.1 and 10.15.0.2. The firewall on these servers is disabled.

Is it something perhaps to do with the ACL?

malough_j (Level 1)

Well, I feel dumb. Turns out that I had access-list 104 reversed, i.e. what SHOULD have gone in at the Pit was entered into the OFFICE!
