
Extended ACL not working with NAT and VPN on IOS Router

saquib.tandel (Level 1)

Hi all,

I tested the following configuration with an extended ACL, but VPN and Internet browsing don't work; with a standard ACL it works.

Can someone look into the config and assist?


no aaa new-model
!
!
no ipv6 cef
ip source-route
no ip cef
!

!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
crypto isakmp key cisco address 44.44.44.44
crypto isakmp keepalive 300
!
!
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 44.44.44.44
set transform-set vpn
match address 115
!

!
interface GigabitEthernet0/0
description Connected_to_ISP
ip address 11.11.11.11 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map vpn
!
interface GigabitEthernet0/1
description Connected_to_LAN
ip address 172.16.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 11.11.11.12
!

!
access-list 100 deny   ip 172.16.20.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny   ip 172.16.20.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 deny   ip 172.16.20.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 deny   ip 172.16.20.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 100 deny   ip 172.16.20.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 100 permit ip 172.16.20.0 0.0.0.255 any


access-list 115 permit ip 172.16.20.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 115 permit ip 172.16.20.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 115 permit ip 172.16.20.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 115 permit ip 172.16.20.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 115 permit ip 172.16.20.0 0.0.0.255 192.168.102.0 0.0.0.255
!
---------------------------- end of config ----------------------------

Extended ACL which doesn't work???

ip access-list extended NAT
deny   ip 172.16.20.0 0.0.0.255 192.168.1.0 0.0.0.255
deny   ip 172.16.20.0 0.0.0.255 192.168.5.0 0.0.0.255
deny   ip 172.16.20.0 0.0.0.255 192.168.100.0 0.0.0.255
deny   ip 172.16.20.0 0.0.0.255 192.168.101.0 0.0.0.255
deny   ip 172.16.20.0 0.0.0.255 192.168.102.0 0.0.0.255
permit ip 172.16.20.0 0.0.0.255 any


ip access-list extended VPN
permit ip 172.16.20.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 172.16.20.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 172.16.20.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 172.16.20.0 0.0.0.255 192.168.101.0 0.0.0.255
permit ip 172.16.20.0 0.0.0.255 192.168.102.0 0.0.0.255

# VPN part #

crypto map vpn 10 ipsec-isakmp
set peer 44.44.44.44
set transform-set vpn
match address VPN

# NAT exempt #

ip nat inside source route-map NAT interface GigabitEthernet0/0 overload

route-map NAT permit 10
match ip address NAT
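As an added check that is not part of this thread or the poster's configuration: the script below parses both ACL styles shown above (numbered `access-list N ...` lines and `ip access-list extended NAME` blocks) and verifies the property the NAT-exemption design relies on, namely that the deny entries of the NAT ACL are exactly the permit entries of the crypto ACL and that each deny sits before any permit that would otherwise match the same traffic. The sample inputs are constructed from the post's ACLs, with one deny line deliberately dropped from the named NAT list so the checker has something to report; the function names, the contiguous-wildcard assumption and the restriction to `ip` entries with `any`/`host`/wildcard operands are my own choices.

```python
import ipaddress

# Constructed sample input: the numbered ACLs quoted in the post above.
NUMBERED_CONFIG = """
access-list 100 deny   ip 172.16.20.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny   ip 172.16.20.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 deny   ip 172.16.20.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 deny   ip 172.16.20.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 100 deny   ip 172.16.20.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 100 permit ip 172.16.20.0 0.0.0.255 any
access-list 115 remark acl for defining VPN traffic
access-list 115 permit ip 172.16.20.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 115 permit ip 172.16.20.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 115 permit ip 172.16.20.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 115 permit ip 172.16.20.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 115 permit ip 172.16.20.0 0.0.0.255 192.168.102.0 0.0.0.255
"""

# Constructed sample input: the named ACLs from the post, with the
# 192.168.5.0/24 deny deliberately left out of NAT (a typical mistake).
NAMED_CONFIG_BROKEN = """
ip access-list extended NAT
 deny   ip 172.16.20.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 172.16.20.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny   ip 172.16.20.0 0.0.0.255 192.168.101.0 0.0.0.255
 deny   ip 172.16.20.0 0.0.0.255 192.168.102.0 0.0.0.255
 permit ip 172.16.20.0 0.0.0.255 any
ip access-list extended VPN
 permit ip 172.16.20.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 172.16.20.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip 172.16.20.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 172.16.20.0 0.0.0.255 192.168.101.0 0.0.0.255
 permit ip 172.16.20.0 0.0.0.255 192.168.102.0 0.0.0.255
"""


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into an IPv4Network (contiguous wildcards only)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.IPv4Network(f"{addr}/{32 - wc.bit_length()}", strict=False)


def _operand(tokens, i):
    """Parse one src/dst operand: any | host A.B.C.D | A.B.C.D W.W.W.W. Returns (net, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acls(config):
    """Return {acl_name: [(action, src_net, dst_net), ...]} for numbered and named extended ACLs.
    Only 'ip' permit/deny entries are kept; remarks and unrelated config lines are ignored."""
    acls, current = {}, None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            current = tokens[3]
            acls.setdefault(current, [])
            continue
        if not raw.startswith(" "):            # an unindented line ends a named-ACL block
            current = None
        if tokens[0] == "access-list":         # numbered form: the list number is the name
            name, tokens = tokens[1], tokens[2:]
        elif current is not None:              # indented entry inside a named ACL
            name = current
            if tokens[0].isdigit():            # drop an optional sequence number
                tokens = tokens[1:]
        else:
            continue
        if tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue
        src, i = _operand(tokens, 2)
        dst, _ = _operand(tokens, i)
        acls.setdefault(name, []).append((tokens[0], src, dst))
    return acls


def check_nat_exemption(acls, nat_acl, crypto_acl):
    """Return a list of findings; an empty list means the NAT ACL denies exactly the
    crypto ACL's traffic and no deny is shadowed by an earlier, broader permit."""
    findings = []
    vpn = {(s, d) for a, s, d in acls[crypto_acl] if a == "permit"}
    nat = acls[nat_acl]
    exempt = {(s, d) for a, s, d in nat if a == "deny"}
    for s, d in sorted(vpn - exempt, key=str):
        findings.append(f"{s}->{d} is in {crypto_acl} but not denied in {nat_acl}: it will be NATed")
    for s, d in sorted(exempt - vpn, key=str):
        findings.append(f"{s}->{d} is denied in {nat_acl} but absent from {crypto_acl}: neither NAT nor VPN")
    for i, (a, s, d) in enumerate(nat):
        if a == "deny" and any(pa == "permit" and s.subnet_of(ps) and d.subnet_of(pd)
                               for pa, ps, pd in nat[:i]):
            findings.append(f"deny {s}->{d} in {nat_acl} comes after a permit that already matches it")
    if not any(a == "permit" for a, _, _ in nat):
        findings.append(f"{nat_acl} has no permit entry: nothing will be translated")
    return findings


if __name__ == "__main__":
    print("numbered:", check_nat_exemption(parse_acls(NUMBERED_CONFIG), "100", "115") or "ok")
    print("named:", check_nat_exemption(parse_acls(NAMED_CONFIG_BROKEN), "NAT", "VPN") or "ok")
```

Paste a running-config into either constant (or read it from a file) and point the checker at the NAT and crypto ACL names. It cannot tell you why the named variant failed on this particular router, but it catches the two mistakes that produce exactly the symptom in the post (interesting traffic being translated before it reaches the crypto map, or a deny shadowed by a permit above it), which are worth ruling out before blaming the IOS image.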

3 Replies

Giuseppe Larosa (Hall of Fame)

Hello Saquib,

You have a working configuration when using the numbered extended ACLs 100 and 115.

When you use the named extended ACLs VPN and NAT, it does not work.

It may be a question of IOS image in use. The IOS image that is running on your router might have issues with named ACLs when used for NAT or for VPN.

As a partial workaround you can add a comment to your numbered ACL using the command

access-list 115 remark acl for defining VPN traffic

In this way you can easily keep the working numbered ACLs, and you can have a line of comment that helps to identify the use of each ACL.

Hope to help

Giuseppe

saquib.tandel (Level 1)

Hi Giuseppe

Do you see any issues with the configuration for the named ACL?

Editing a numbered ACL is an issue, as the connection is lost when accessing remotely.

Router model: 2921
IOS version: 15.1

Thanks
ST

Kindly post the

show ip access-list

output.

Jawad