08-22-2011 05:57 AM - edited 03-04-2019 01:21 PM
Hello.
I have a Cisco 2911 running IOS 15.0. Users connect to it with the VPN Client, but I have trouble configuring ACLs.
Let's see the config.
aaa authentication login userauthen local
aaa authentication ppp default local
aaa authorization network groupauthor local
!
username user password 0 cisco
crypto isakmp policy 30
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group vpnclient
key cisco123
dns 10.0.0.10
wins 10.0.0.20
domain igok.com
pool ippool
acl SPLIT_TUNNEL
!
crypto ipsec transform-set DMVPN-TR esp-3des
mode transport
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface GigabitEthernet0/0
description -== Inet ==-
ip address xx.xx.xx.xx 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map clientmap
!
interface GigabitEthernet0/2
ip address 10.0.0.1 255.255.255.0
ip access-group FromLAN in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip local pool ippool 192.168.130.1 192.168.130.200
ip nat inside source list 130 interface GigabitEthernet0/0 overload
ip access-list extended FromLAN
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq ftp
permit tcp any any eq 22
permit udp any any eq ntp
permit udp any any eq domain
If I put the permit there without LOG, all packets to the VPN users are denied. If I add LOG, the packets are permitted.
permit ip any 192.168.130.0 0.0.0.255 log
permit ip any any log
Why should I add LOG???
If I remove this access list from the interface, packets don't go through!
ip access-list extended SPLIT_TUNNEL
permit ip 10.0.0.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
!
access-list 30 permit 10.0.0.0 0.0.0.255
access-list 130 deny ip 10.0.0.0 0.0.0.255 192.168.130.0 0.0.0.255
access-list 130 permit ip 10.0.0.0 0.0.0.255 any
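As an added example, not from the original post or any reply, here is how the FromLAN and NAT ACLs look after the advice given in this thread, assuming 10.0.0.0/24 is the LAN range (as the Gi0/2 address suggests): the LAN-to-VPN-pool entry is scoped to the LAN, carries no log keyword (log pushes matching packets out of the CEF path into process switching, which is why both disabling CEF and adding log changed the result), the wildcard typo in access-list 130 is corrected, and a few show commands confirm the match counters and the pool route injected by reverse-route.

```cisco
! FromLAN: inbound on the LAN interface Gi0/2.
! The VPN-pool permit is scoped to the LAN source and has no "log",
! so matching packets stay CEF-switched.
ip access-list extended FromLAN
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq ftp
 permit tcp any any eq 22
 permit udp any any eq ntp
 permit udp any any eq domain
 permit ip 10.0.0.0 0.0.0.255 192.168.130.0 0.0.0.255
 deny ip any any
!
! NAT ACL: exempt LAN-to-VPN-pool traffic from translation
! (wildcard corrected from the typo 0.0.0.0255).
access-list 130 deny ip 10.0.0.0 0.0.0.255 192.168.130.0 0.0.0.255
access-list 130 permit ip 10.0.0.0 0.0.0.255 any
!
interface GigabitEthernet0/2
 ip access-group FromLAN in
!
! Verification after a VPN client has connected:
! per-entry hit counters on the ACL (the explicit deny gives a counter too)
show ip access-lists FromLAN
! the /32 static route that reverse-route injects for the client address
show ip route 192.168.130.0
! the same prefix as CEF sees it; it must resolve to the crypto-mapped Gi0/0
show ip cef 192.168.130.0 255.255.255.0
! encrypt/decrypt counters on the IPsec SA for the client
show crypto ipsec sa
```

If the explicit deny counter climbs for traffic that should match the pool entry, compare the source addresses in show ip access-lists with the LAN range assumed above before touching CEF.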
08-22-2011 06:50 AM
Hi Sergey,
Just a feeler, I would first try to disable CEF and then try again.
Let me know if it works.
Thanks,
Varun
08-22-2011 07:58 AM
Thanks a lot!
You're right.
But as I understand it, ip cef is a very effective function. What do I need to do to make them work together?
08-23-2011 12:39 AM
Dear experts in routing area.
Maybe you can help me with this issue.
08-23-2011 12:23 AM
Maybe I need to upgrade IOS? Because I don't understand why ip cef doesn't work correctly.
08-23-2011 12:29 AM
I would say an upgrade should resolve your issue, but I would first suggest getting in touch with routing experts on this, maybe open a TAC case or move this discussion to the Routing thread, because even if you upgrade you need to be sure that this is the correct resolution.
Hope this helps,
Varun
08-23-2011 12:34 AM
Thanks a lot. I'll try it.
08-23-2011 05:08 AM
Does nobody know why this configuration with ip cef isn't working?
08-23-2011 05:16 AM
Sergey,
Let me verify that I understand you correctly: If you remove the FromLAN ACL from your Gi0/2 entirely while your ip cef is configured and active, are there any communication issues?
Best regards,
Peter
08-23-2011 05:29 AM
Also, can you try to remove this entry from the ACL
permit ip any 192.168.130.0 0.0.0.255 log
and then remove the ACL from the LAN interface after the update, re-apply it, and see if there is any difference
08-23-2011 05:34 AM
The other option is to try to use the entry below
permit ip 10.0.0.0 0.0.0.255 192.168.130.0 0.0.0.255 (assuming 10.0.0.0 is your LAN range)
instead of permit ip any 192.168.130.0 0.0.0.255
08-23-2011 06:12 AM
permit ip 10.0.0.0 0.0.0.255 192.168.130.0 0.0.0.255 - doesn't work
permit ip 10.0.0.0 0.0.0.255 192.168.130.0 0.0.0.255 log - WORKS
08-23-2011 06:11 AM
Nothing changed.
08-23-2011 05:49 AM
If I remove this ACL, all packets are denied.
08-23-2011 05:55 AM
Sergey,
According to the provided configuration, this does not make sense - without any ACL on your Gi0/2 interface, all traffic should be allowed, not denied.
I have a feeling you have not posted the entire configuration, and some crucial information is missing. For example, I do not see any default route configured. Would you please be so kind as to post
Thanks!
Best regards,
Peter