
2911 + VPN Client + ACL

Sergey Gureev
Level 1

Hello.

I have a Cisco 2911 running IOS 15.0. Users connect to it with the VPN Client, but I have trouble configuring ACLs.

Let's look at the config.

aaa authentication login userauthen local
aaa authentication ppp default local
aaa authorization network groupauthor local
!
username user password 0 cisco
crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group vpnclient
 key cisco123
 dns 10.0.0.10
 wins 10.0.0.20
 domain igok.com
 pool ippool
 acl SPLIT_TUNNEL
!
crypto ipsec transform-set DMVPN-TR esp-3des
 mode transport
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface GigabitEthernet0/0
 description -== Inet ==-
 ip address xx.xx.xx.xx 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
interface GigabitEthernet0/2
 ip address 10.0.0.1 255.255.255.0
 ip access-group FromLAN in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip local pool ippool 192.168.130.1 192.168.130.200
ip nat inside source list 130 interface GigabitEthernet0/0 overload
ip access-list extended FromLAN
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq ftp
 permit tcp any any eq 22
 permit udp any any eq ntp
 permit udp any any eq domain

If I put a permit here without LOG, all packets to the VPN users are denied. If I add LOG, the packets are permitted.

 permit ip any 192.168.130.0 0.0.0.255 log
 permit ip any any log

Why should I have to add LOG???

If I remove this access list from the interface, packets do not go through!

ip access-list extended SPLIT_TUNNEL
 permit ip 10.0.0.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
!
access-list 30 permit 10.0.0.0 0.0.0.255
access-list 130 deny ip 10.0.0.0 0.0.0.255 192.168.130.0 0.0.0.255
access-list 130 permit ip 10.0.0.0 0.0.0.255 any
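As an added example (the editor's, not configuration from the original post or from any reply), here is the FromLAN ACL rewritten so that LAN-to-VPN-pool traffic is matched by one explicit entry without the log keyword, with logging kept only on a final explicit deny, followed by the show commands used to check which path the router takes for that traffic. The addresses are the ones from the post (10.0.0.0/24 LAN, 192.168.130.0/24 client pool); the log-update threshold value is illustrative. Note that the posted FromLAN ends in permit ip any any log, so it permits every packet and merely logs it, and the service-specific entries above that line filter nothing.

```cisco
! Editor's added example (not from the original post): FromLAN rewritten so
! the VPN-client pool is matched by an explicit, unlogged entry and logging
! is kept only on the final deny. 10.0.0.0/24 is the LAN and
! 192.168.130.0/24 the client pool, both taken from the post.
ip access-list extended FromLAN
 remark --- LAN to VPN clients: explicit and unlogged
 permit ip 10.0.0.0 0.0.0.255 192.168.130.0 0.0.0.255
 remark --- LAN to the Internet: only the services the original ACL listed
 permit tcp 10.0.0.0 0.0.0.255 any eq www
 permit tcp 10.0.0.0 0.0.0.255 any eq 443
 permit tcp 10.0.0.0 0.0.0.255 any eq ftp
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit udp 10.0.0.0 0.0.0.255 any eq ntp
 permit udp 10.0.0.0 0.0.0.255 any eq domain
 remark --- everything else is dropped; only the drops are logged
 deny ip any any log
!
! Rate-limit ACL log messages so a flood of denied packets cannot pin the
! CPU (threshold value is illustrative).
ip access-list log-update threshold 1000
!
interface GigabitEthernet0/2
 ip access-group FromLAN in
!
! Verification: per-entry match counters, and the route/CEF entry the
! router holds for a pool address (192.168.130.10 is a sample client IP).
show access-lists FromLAN
show ip interface GigabitEthernet0/2 | include access list
show ip route 192.168.130.10
show ip cef 192.168.130.10
show ip cef
!
! To compare CEF against process switching for the same flow, toggle CEF
! globally and re-run the checks above. This changes forwarding performance
! on every interface, so it is a diagnostic step, not a fix.
no ip cef
ip cef
```

Using deny ip any any log instead of permit ip any any log turns the ACL into an actual filter and limits the logged matches to packets that are being dropped. The counters from show access-lists separate the two failure modes in the thread: a LAN-to-pool packet that increments the explicit permit yet never reaches the client points at forwarding (compare show ip cef and show ip route for the pool address), while a packet that hits the final deny points at the ACL itself.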


16 Replies

varrao
Level 10

Hi Sergey,

Just a feeler: I would first try disabling CEF and then try again.

Let me know if it works.

Thanks,

Varun


Thanks a lot!

You're right.

But as I understand it, ip cef is a very effective function. What do I need to do to make them work together?

Dear experts in the routing area,

maybe you can help me with this issue.

Maybe I need to upgrade IOS? Because I don't understand why ip cef is not working correctly.

I would say an upgrade should resolve your issue, but I would first suggest getting in touch with routing experts on this, maybe open a TAC case or move this discussion to the Routing thread, because even if you upgrade you need to be sure that this is the correct resolution.

Hope this helps,

Varun


Thanks a lot. I'll try it.

Sergey Gureev
Level 1

Does nobody know why this configuration doesn't work with ip cef?

Sergey,

Let me verify that I understand you correctly: If you remove the FromLAN ACL from your Gi0/2 entirely while your ip cef is configured and active, are there any communication issues?

Best regards,

Peter

Also, can you try removing this entry from the ACL:

permit ip any 192.168.130.0 0.0.0.255 log

and then remove the ACL from the LAN interface after the update, re-apply it, and see if there is any difference.

The other option is to try using the entry below:

permit ip 10.0.0.0 0.0.0.255 192.168.130.0 0.0.0.255 (assuming 10.0.0.0 is your LAN range)

instead of permit ip any 192.168.130.0 0.0.0.255

permit ip 10.0.0.0 0.0.0.255 192.168.130.0 0.0.0.255 - doesn't work

permit ip 10.0.0.0 0.0.0.255 192.168.130.0 0.0.0.255 log - WORKS

Nothing changed.

If I remove this ACL, all packets are denied.

Sergey,

According to the provided configuration, this does not make sense - without any ACL on your Gi0/2 interface, all traffic should be allowed, not denied.

I have a feeling you have not posted the entire configuration, and some crucial information is missing. For example, I do not see any default route configured. Would you please be so kind as to post

  1. Your entire configuration (just replace sensitive information with xxx)
  2. Your show ip route command output
  3. Your show ip cef command output

Thanks!

Best regards,

Peter
