12-10-2013 01:11 PM - edited 03-04-2019 09:49 PM
Hi, hope someone can help.
I have a Cisco 887VA router with an active VPN tunnel configured. Both the internet and the VPN are up, yet I cannot figure out why I am unable to ping an Internet address or a LAN address at the other end of the VPN tunnel from my vlan1 interface.
I can ping 8.8.8.8 from the WAN interface without any problem, so the internet is up.
Here is my config, shortened for ease.
If anyone can see the obvious I would be grateful.
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 52000
logging console critical
enable secret 4 MHpke6/RnYLNL/fAD5EKDxml.aj8Sr4IJfubMQjIoB2
enable password 7 08331D1F074D031A39
!
aaa new-model
!
!
aaa authentication login local_auth local
aaa authentication enable default enable
!
!
!
!
!
object-group service *ALL
description ALL traffic
icmp
tcp-udp gt 1
icmp echo-reply
!
!
controller VDSL 0
!
no ip ftp passive
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
zone security in-zone
zone security out-zone
zone security zx_1615428613
zone security zy_344297763
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security zx-zy_3087709136 source zx_1615428613 destination zy_344297763
service-policy type inspect-internal px-py
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-out-in source out-zone destination in-zone
service-policy type inspect out-in-new
!
crypto logging ezvpn
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp key *********************** address 85.x.x.x
crypto isakmp keepalive 10 5
crypto isakmp aggressive-mode disable
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ADAPTVPN esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile ADAPT_IPSEC_POLICY
set transform-set ADAPTVPN
!
!
!
crypto map ADAPTVPN 200 ipsec-isakmp
set peer 85.x.x.x
set transform-set ADAPTVPN
match address 120
!
!
interface Ethernet0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description TalkTalk VOIP
ip flow ingress
zone-member security out-zone
pvc 0/38
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
description $FW_INSIDE$
ip address 172.17.205.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip mtu 1492
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname **********@*********co.uk
ppp chap password 7 133F403E5827530C7D1E7E
ppp pap sent-username *************@********* password 7 0129512808205129777618
no cdp enable
crypto map ADAPTVPN
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 10000
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended Adapt_VPN
remark CCP_ACL Category=128
permit ip host 85.x.x.x any
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended VPN
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
ip access-list extended VPN_Traffic
remark CCP_ACL Category=128
permit ip any host 85.x.x.x
ip access-list extended Web_management
remark CCP_ACL Category=128
permit ip host 85.x.x.x host 212.x.x.x
permit ip host 85.x.x.x host 212.x.x.x
!
ip sla auto discovery
logging trap errors
logging facility local2
logging host 172.24.4.51
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
no cdp run
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
snmp-server community SNMP-Public RO
snmp-server community SNMP-public RO
snmp-server community SNMP-Private RW
snmp-server location SSM App Server
snmp-server contact ****
snmp-server host 172.24.4.57 P@ssw0rd
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit udp any any eq bootpc
access-list 101 remark CCP_ACL Category=18
access-list 101 deny ip 172.17.205.0 0.0.0.255 172.17.104.0 0.0.0.255
access-list 101 deny ip 172.17.205.0 0.0.0.255 172.17.112.0 0.0.0.255
access-list 101 permit ip 172.17.205.0 0.0.0.255 any
access-list 120 permit ip 172.17.205.0 0.0.0.255 172.17.104.0 0.0.0.255
access-list 120 permit ip 172.17.205.0 0.0.0.255 172.17.112.0 0.0.0.255
access-list 122 permit ip 172.17.104.0 0.0.0.255 172.17.205.0 0.0.0.255
access-list 122 permit ip 172.17.112.0 0.0.0.255 172.17.205.0 0.0.0.255
!
!
line con 0
login authentication local_auth
no modem enable
transport output telnet
line aux 0
exec-timeout 15 0
login authentication local_auth
transport output telnet
line vty 0 4
privilege level 15
password 7 09554B1A
login authentication local_auth
transport input telnet ssh
!
!
end
12-10-2013 05:12 PM
Do you see any NAT translation for the traffic when you try to ping the internet from behind vlan1?
Have you tried to do the test after removing zone security from both interfaces (if possible)?
12-11-2013 11:40 AM
Hi, I currently only have the option to ping from the LAN interface of the device as I am not on site and there are no LAN devices connected as of yet.
Not sure how I could go about removing zone security from an interface?
12-11-2013 12:51 PM
Hi,
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
But you have no policy-map type inspect ccp-inspect, so by default everything from in-zone to out-zone is dropped.
Either you configure class-maps and policy-maps for your firewall config or you remove the interfaces from zones:
int vlan1
no zone-member security in-zone
int dialer1
no zone-member security out-zone
Regards
Alain
Don't forget to rate helpful posts.
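An added example, not from Alain's reply or from the poster's config, of the class-maps and policy-maps that the zone-pairs in the posted config reference but never define. It reuses the zone, zone-pair, policy-map and ACL names already present in that config (in-zone, out-zone, ccp-inspect, ccp-permit, ccp-permit-icmpreply, out-in-new, the VPN ACL and ACL 122); the class-map names CM-LAN-OUT, CM-VPN-TO-SELF and CM-VPN-TO-LAN are assumed. The out-zone to self and out-zone to in-zone policies are what let the existing crypto-map tunnel keep working once the interfaces go back into their zones.

```cisco
! Added example (not from the thread). Class-map names CM-* are assumed;
! every other name is one the posted config already uses.
!
! Inside -> Internet: stateful inspection of TCP/UDP/ICMP, so replies are
! allowed back in. Anything else from the LAN is dropped and logged, which
! makes the drop visible instead of the silent drop a missing policy-map gives.
class-map type inspect match-any CM-LAN-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect ccp-inspect
 class type inspect CM-LAN-OUT
  inspect
 class class-default
  drop log
!
! Internet -> the router itself: only IKE and ESP may reach the router
! (ACL VPN already permits esp, udp/500 and udp/4500). Everything else
! aimed at the router from outside is dropped and logged.
class-map type inspect match-all CM-VPN-TO-SELF
 match access-group name VPN
policy-map type inspect ccp-permit
 class type inspect CM-VPN-TO-SELF
  pass
 class class-default
  drop log
!
! The router itself -> Internet: IKE is passed (not inspected) in the
! out->self direction, so the self->out direction needs a matching pass.
policy-map type inspect ccp-permit-icmpreply
 class class-default
  pass
!
! Internet -> inside: after decryption the packets from the remote VPN
! subnets are classified out-zone -> in-zone; ACL 122 already describes
! exactly that traffic, so it is the only unsolicited traffic let in.
class-map type inspect match-all CM-VPN-TO-LAN
 match access-group 122
policy-map type inspect out-in-new
 class type inspect CM-VPN-TO-LAN
  inspect
 class class-default
  drop log
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-out-in source out-zone destination in-zone
 service-policy type inspect out-in-new
!
interface Vlan1
 zone-member security in-zone
interface Dialer0
 zone-member security out-zone
```

Once this is in place, show policy-map type inspect zone-pair sessions lists the inspected sessions per zone-pair, and because every class-default ends in drop log, a ping from Vlan1 that still fails shows up in the log with the zone-pair that dropped it rather than disappearing silently.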
12-12-2013 08:16 AM
So I blew away all the security zones, zone pairs, policy maps and class maps and removed every firewall rule that existed (most I had created via the CCP wizard). The only thing that remained was the access-lists,
and still I was unable to ping anything.
I then decided to create an additional extended access-list specifying the LAN subnet 172.17.205.0 0.0.0.255 to any and specified the IP protocol, and hey presto, now I can ping everything.
It seems the firewall and security zones can't open anything unless you first create an access-list ...
I guess I now have an insecure firewall so will need to add the firewall rules back in that I need and recreate my zone pairs.
12-12-2013 08:58 AM
Hi,
The only ACLs that were used in previous config were the crypto ACL for VPN tunnel and the NAT ACL.
The other ones were not used and if you had removed your interfaces from zones then you don't need any ACL to let traffic go through the router.
Where did you apply this new ACL? Did you put back the zone-based firewall config?
Regards
Alain
Don't forget to rate helpful posts.
12-12-2013 09:11 AM
Hi,
I initially tried removing the interfaces from the zones but I was still unable to ping anything from the VLAN1 interface through the router.
I then removed the entire zone firewall and zones but was still not able to ping anything.
I then added some new ACLs and hey presto... weird but true.
My new config in its entirety now looks like this:
Building configuration...
Current configuration : 10061 bytes
!
! Last configuration change at 17:47:40 PCTime Thu Dec 12 2013 by admin
version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname HSTCIS887VOIP1
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 52000
logging console critical
enable secret 4 MHpke6/RnYLNL/fAD5EKDxml.aj8Sr4IJfubMQjIoB2
enable password 7 08331D1F074D031A39
!
aaa new-model
!
!
aaa authentication login local_auth local
aaa authentication enable default enable
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone PCTime 0 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3612796534
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3612796534
revocation-check none
rsakeypair TP-self-signed-3612796534
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
crypto pki trustpoint TP-self-signed-1280197465
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1280197465
revocation-check none
rsakeypair TP-self-signed-1280197465
!
!
crypto pki certificate chain TP-self-signed-3612796534
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33363132 37393635 3334301E 170D3133 31313036 32313131
32385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 36313237
39363533 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100E2B4 1AAC762C 3334A5A7 80774D28 79F460FE 4722621B AF0E4D66 A7E95B99
DCCA4BB1 79245905 F2A81499 A38EF6E0 6F2ABF6B 0D11965C 2FFE5E8B 727A49E6
AEDEF4EE 9DE8E459 05F8D143 1AE03B2D 74C704E4 8CB8EAF5 59B41B4B 4A208F29
6ADB6F04 613B8539 DD9ADF83 BEAD1B8A 1E7547EC ADED038D E2968880 DB97D32F
B0F50203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 147229F4 88EC8C14 4B553D5B C12814C6 FDDF6810 C4301D06
03551D0E 04160414 7229F488 EC8C144B 553D5BC1 2814C6FD DF6810C4 300D0609
2A864886 F70D0101 05050003 81810040 DDA968C6 F002A2E0 E5A67BEE 67F455C5
DC4111F4 E09D06B6 921458BD 1242A007 1683A005 86700B7F 3C75BE0B A05D2304
93DC2C20 36CEE2A7 CC3F793D DFC28E5B 4FDAAF8F 70F8639A 5A6E3FEE C7F36E83
E0C887C7 DD6D3734 4181CEAF C306046B 87601EE6 C7C18A6F EB781459 E60FD070
4956887C 08DDB73D 88A92F58 F5CAB3
quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
crypto pki certificate chain TP-self-signed-1280197465
no ip source-route
no ip gratuitous-arps
!
!
!
!
!
!
no ip bootp server
ip domain name uk.access-accounts.com
ip name-server 8.8.8.8
ip name-server 172.24.4.13
ip inspect log drop-pkt
ip cef
login block-for 5 attempts 10 within 5
no ipv6 cef
vlan ifdescr detail
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
spoofed-acker off
parameter-map type regex ccp-regex-nonascii
pattern [^\x00-\x80]
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
!
license udi pid CISCO887VA-SEC-K9 sn FCZ173691VC
license boot module c880-data level advsecurity
!
!
object-group service *ALL
description ALL traffic
icmp
tcp-udp gt 1
icmp echo-reply
!
object-group network net-local
172.17.205.0 255.255.255.0
!
object-group network net-remote
172.17.104.0 255.255.255.0
172.17.114.0 255.255.255.0
!
object-group service webtraffic
description http and https and dns
tcp eq domain
tcp eq 443
tcp eq www
!
username admin privilege 15 password 7 120B54461C5F0A0901
username Backup-admin privilege 15 view root secret 4 MHpke6/RnYLNL/fAD5EKDxml.aj8Sr4IJfubMQjIoB2
!
!
!
!
!
controller VDSL 0
!
no ip ftp passive
ip ssh time-out 60
ip ssh authentication-retries 2
!
crypto logging ezvpn
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp key encryptionkey address 85.x.x.x
crypto isakmp keepalive 10 5
crypto isakmp aggressive-mode disable
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ADAPTVPN esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile ADAPT_IPSEC_POLICY
set transform-set ADAPTVPN
!
!
!
crypto map ADAPTVPN 200 ipsec-isakmp
set peer 85.x.x.x
set transform-set ADAPTVPN
match address 120
!
!
!
!
!
interface Ethernet0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description TalkTalk VOIP
ip flow ingress
pvc 0/38
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
description $FW_INSIDE$
ip address 172.17.205.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip mtu 1492
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname my@username
ppp chap password 7 133F403E5827530C7D1E7E
ppp pap sent-username my@username password 7 0129512808205129777618
no cdp enable
crypto map ADAPTVPN
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 10000
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended Adapt_VPN
remark CCP_ACL Category=128
permit ip host 85.x.x.x any
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended all_traffic-Out
permit icmp 172.17.205.0 0.0.0.255 any
permit ip 172.17.205.0 0.0.0.255 any
ip access-list extended all_traffic_in
remark CCP_ACL Category=16
permit ip 172.17.104.0 0.0.0.255 any log
permit ip 172.17.112.0 0.0.0.255 any log
permit ip 172.24.4.0 0.0.0.255 any log
!
ip sla auto discovery
logging trap errors
logging facility local2
logging host 172.24.4.51
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
no cdp run
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
snmp-server community SNMP-Public RO
snmp-server community SNMP-public RO
snmp-server community SNMP-Private RW
snmp-server location SSM App Server
snmp-server contact Maarten Westera
snmp-server host 172.24.4.57 P@ssw0rd
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit udp any any eq bootpc
access-list 101 remark CCP_ACL Category=18
access-list 101 deny ip 172.17.205.0 0.0.0.255 172.17.104.0 0.0.0.255
access-list 101 deny ip 172.17.205.0 0.0.0.255 172.17.112.0 0.0.0.255
access-list 101 deny ip 172.17.205.0 0.0.0.255 172.24.4.0 0.0.0.255
access-list 101 permit ip 172.17.205.0 0.0.0.255 any
access-list 120 remark CCP_ACL Category=20
access-list 120 permit ip 172.17.205.0 0.0.0.255 172.17.104.0 0.0.0.255
access-list 120 permit ip 172.17.205.0 0.0.0.255 172.17.112.0 0.0.0.255
access-list 120 permit ip 172.17.205.0 0.0.0.255 172.24.4.0 0.0.0.255
access-list 122 permit ip 172.17.104.0 0.0.0.255 172.17.205.0 0.0.0.255
access-list 122 permit ip 172.17.112.0 0.0.0.255 172.17.205.0 0.0.0.255
access-list 122 permit ip 172.24.104.0 0.0.0.252 172.17.105.0 0.0.0.255
!
!
!
banner login
#############################################
# This device is the property #
# #
# Unauthorised use is prohibited #
#############################################
banner motd
THis device is for sole use, Unauthorised sessions are being monitored
!
line con 0
login authentication local_auth
no modem enable
transport output telnet
line aux 0
exec-timeout 15 0
login authentication local_auth
transport output telnet
line vty 0 4
privilege level 15
password 7 09554B1A
login authentication local_auth
transport input telnet ssh
!
!
end
12-12-2013 11:39 AM
Hi,
OK, so you've got no ZBF anymore. Can you tell me which ACL you added?
Regards
Alain
Don't forget to rate helpful posts.
12-12-2013 03:52 PM
Hi,
No ZBF at the moment. Obviously I'm going to have to put it back and I probably will use the CCP wizard for that as it's lots of lines of code, but hopefully it won't break anything and it will allow for the already active VPN tunnel which is in place.
(Last time I created the ZBF before setting up the tunnel.)
The added rules are:
ip access-list extended all_traffic-Out
permit icmp 172.17.205.0 0.0.0.255 any
permit ip 172.17.205.0 0.0.0.255 any
ip access-list extended all_traffic_in
permit ip 172.17.104.0 0.0.0.255 any log
permit ip 172.17.112.0 0.0.0.255 any log
permit ip 172.24.4.0 0.0.0.255 any log
12-13-2013 02:53 AM
Hi,
These ACLs have no effect as they are not applied anywhere.
Regards
Alain
Don't forget to rate helpful posts.
12-13-2013 03:01 AM
Hmm,
how can you tell they are not applied anywhere?
12-13-2013 03:13 AM
Hi,
for an ACL to have effect it must be used either:
as a traffic filter with ip access-group in or ip access-group out under one interface
as matching traffic for NAT with the list or route-map command under NAT statement
as matching interesting traffic in a cryptomap with match address command
as matching traffic for ZBF/QoS in a class-map with corresponding match command
.....
But here they are configured but not applied anywhere in the config.
Regards
Alain
Don't forget to rate helpful posts.
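An added example, not part of the thread, showing each of the binding points Alain lists, using the ACLs from the posted config, together with the show command that tells you whether a given ACL is bound anywhere. Placing all_traffic_in on Dialer0 and the class-map name CM-REMOTE-LANS are assumptions made for illustration; the NAT and crypto-map bindings are the ones the config already has.

```cisco
! Added example (not from the thread). The interface binding at step 1 and
! the class-map name at step 4 are assumed; steps 2 and 3 are already in the
! posted config and are repeated here only to show the binding lines.
!
! The check: every binding of an ACL mentions its name or number, so if this
! returns only the "ip access-list extended all_traffic_in" definition line,
! the ACL is defined but does nothing.
show running-config | include all_traffic_in
!
! 1. Traffic filter on an interface (ip access-group in/out).
!    Caveat: applied inbound on Dialer0 exactly as written, this ACL's
!    implicit deny would also stop IKE/ESP from the VPN peer and the NAT
!    return traffic from the Internet, so the ZBF form at step 4 is the
!    better home for a LAN-subnet rule like this one.
interface Dialer0
 ip access-group all_traffic_in in
!
! 2. NAT: the route-map matches ACL 101 (already present in the config).
route-map SDM_RMAP_1 permit 1
 match ip address 101
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
! 3. Crypto map interesting traffic: ACL 120 (already present in the config).
crypto map ADAPTVPN 200 ipsec-isakmp
 match address 120
!
! 4. ZBF / QoS: a class-map matches the ACL, and the class-map is then used
!    in a policy-map that a zone-pair applies. ACL 122 describes the remote
!    VPN subnets, so this is the natural place for it.
class-map type inspect match-all CM-REMOTE-LANS
 match access-group 122
!
! Once an ACL is bound, its entries show "(N matches)" here as traffic hits
! them; a bound ACL with no matches is not seeing the traffic you expect.
show ip access-lists 122
```

Running the show running-config check for each of the ACLs the poster added (all_traffic-Out and all_traffic_in) is how Alain's statement can be confirmed from the config alone: both names appear only on their own definition lines, so neither is filtering, translating, encrypting or inspecting anything.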
12-13-2013 03:23 AM
Thank you so much for your help in this. I will go ahead and figure out how to apply those and then re-enable the ZBF