12-23-2010 12:56 PM - edited 03-11-2019 12:27 PM
I have a problem getting traffic to flow both ways through the S2S IPSec VPN I was getting help with in the VPN section; I was referred to the firewall section, as it was guessed to be a firewall issue: https://supportforums.cisco.com/message/3255411#3255411
Router A (or the "office" SR520W-FE router) can ping from the subnet 10.15.0.0/24 to Router B (or the "pit" SR520-FE router) subnet 10.15.1.0/24.
But I cannot ping from the Router B subnet to the Router A subnet. Also, devices behind Router A lose the ability to get onto the internet; yet, VPN clients and port-forwarded services can connect from the internet.
12-24-2010 12:14 AM
Hi Jeffry,
1) Router A (or the "office" SR520W-FE router) can ping from the subnet 10.15.0.0/24 to Router B (or the "pit" SR520-FE router) subnet 10.15.1.0/24.
But I cannot ping from the Router B subnet to the Router A subnet.
We have ZBF configured on both routers, which might be dropping the packets.
I request you to do the following on both routers:
1. Enable logging buffered at level 7.
2. Now put in the command ip inspect log drop-pkt on both routers.
3. Initiate the ping from 10.15.1.x to 10.15.0.y.
4. Finally, on both routers, collect the outputs of:
sh log | in 10.15.1.x and sh log | in 10.15.0.y
The ip inspect log drop-pkt command would log all the packets dropped by the firewall. If you could send these outputs, we should be able to figure out if ZBF is dropping the packets.
2) Also, devices behind Router A lose the ability to get onto the internet; yet, VPN clients and port-forwarded services can connect from the internet.
I request you to let me know when internal users lose connectivity to the internet.
Cheers,
Manasi!!
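Step 4 above amounts to grepping the buffered log for the two hosts; the part that actually answers the question is which zone-pair and class the %FW-6-DROP_PKT lines name. The following is an added example (not code from this thread or from Cisco) that parses log lines of that shape and tallies drops per zone-pair and class. The sample lines are constructed here to approximate IOS drop-pkt output; the exact wording of the trailer after "class" varies between releases and is deliberately not matched. The zone-pair name sdm-zp-out-in and the class-default result mirror the diagnosis given later in the thread; the addresses are made up.

```python
import re
from collections import Counter

# Constructed sample of what "sh log" might hold after "ip inspect log drop-pkt".
# The line shape approximates IOS %FW-6-DROP_PKT; it is illustrative, not a
# capture from the routers in this thread. The last line is a non-drop message
# to show that unrelated log entries are ignored.
SAMPLE_LOG = """\
*Dec 26 14:40:01.123: %FW-6-DROP_PKT: Dropping icmp session 10.15.1.10:8 10.15.0.1:0 on zone-pair sdm-zp-out-in class class-default due to Policy drop:classify with ip ident 0
*Dec 26 14:40:02.456: %FW-6-DROP_PKT: Dropping icmp session 10.15.1.10:8 10.15.0.2:0 on zone-pair sdm-zp-out-in class class-default due to Policy drop:classify with ip ident 0
*Dec 26 14:40:03.789: %FW-6-DROP_PKT: Dropping tcp session 10.15.1.10:51234 10.15.0.1:3389 on zone-pair sdm-zp-out-in class class-default due to Policy drop:classify with ip ident 0
*Dec 26 14:40:05.000: %FW-6-SESS_AUDIT_TRAIL_START: Start icmp session: initiator (10.15.0.5:8) -- responder (10.15.1.10:0)
"""

# Only the stable front part of the message is matched: protocol, the two
# endpoints, the zone-pair and the class that produced the drop.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"on zone-pair (?P<zp>\S+) class (?P<cls>\S+)"
)


def parse_drops(log_text):
    """Return one dict per %FW-6-DROP_PKT line; every other line is skipped."""
    drops = []
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        drops.append(rec)
    return drops


def drops_for_host(drops, host):
    """Drop records involving one address, like 'sh log | in <host>' but drops only."""
    return [d for d in drops if host in (d["src"], d["dst"])]


def summarize(drops):
    """Count drops per (zone-pair, class, protocol) so the offending class stands out."""
    return Counter((d["zp"], d["cls"], d["proto"]) for d in drops)


def top_class(drops):
    """The (zone-pair, class) pair responsible for the most drops, or None."""
    counts = Counter((d["zp"], d["cls"]) for d in drops)
    return counts.most_common(1)[0][0] if counts else None


if __name__ == "__main__":
    found = parse_drops(SAMPLE_LOG)
    for (zp, cls, proto), n in summarize(found).most_common():
        print(f"{n:3d} {proto:5s} dropped on zone-pair {zp} class {cls}")
    print("Most drops come from:", top_class(found))
    for d in drops_for_host(found, "10.15.0.1"):
        print(f"  {d['proto']} {d['src']}:{d['sport']} -> {d['dst']}:{d['dport']}")
```

Run against real output of sh log on each router, the summary tells you in one line whether the drops come from class-default of the policy on a particular zone-pair (a class-map is missing for that traffic, which is what the class-map type inspect fix later in this thread addresses) or from an explicit class with a drop action. Including TCP port 3389 in the sample also shows that an RDP failure in the same direction would surface in the same place.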
12-26-2010 02:52 PM
12-27-2010 05:16 AM
Hi Jeffry,
Based on the log, it is being dropped by class-default on the policy-map associated with zone-pair "sdm-zp-out-in".
Please create a new class-map for ICMP as below and let us know how it goes!!
class-map type inspect ICMP
match prot icmp
policy-map type inspect sdm-inspect-voip-in
class type inspect ICMP
inspect
Cheers,
Prapanch
12-27-2010 09:57 AM
Could someone point me to a document on how to perform this? I am still learning how to configure via the CLI in IOS.
Thanks
12-27-2010 10:20 AM
Log in to the router with a priv. 15 account. Get into "conf t" mode and copy and paste what Prapanch provided.
router#conf t
class-map type inspect ICMP
match prot icmp
policy-map type inspect sdm-inspect-voip-in
class type inspect ICMP
inspect
end
-KS
12-27-2010 10:55 AM
Thanks, I am able to ping devices in each direction. But devices are unable to get on the internet. A ping command to the ISP's gateway on the WAN connection (FastEthernet4) does not produce a reply.
Also, the computers on 10.15.1.0/24 are unable to connect to the RDP service on the servers 10.15.0.1 and 10.15.0.2. The firewall on these servers is disabled.
Is it something perhaps to do with the ACL?
01-05-2011 05:58 PM
Well, I feel dumb. Turns out that I had access-list 104 reversed, i.e. what SHOULD have gone in at the Pit was entered into the OFFICE!