09-11-2012 02:58 PM - edited 03-04-2019 05:32 PM
Normally I'd have a rough idea of where to start, but I'm not sure if this is a NAT/ZBF or IPSEC issue at this stage.
Without the crypto map map1 assigned to the outside interface, everything works fine. Internal hosts can access the internet, I can ping the router externally. So the ZBF is allowing the required traffic.
As soon as I assign crypto map map1 to GigabitEthernet0 (WAN), the inside hosts can no longer access the internet. They can however ping/access hosts across the VPN tunnel. So basically, as soon as the tunnel comes up, access to anything outside that cryptomap ceases to function.
As far as I can tell everything is correct, so I'm a bit baffled. Hoping someone can take a look over the config.
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.09.11 15:38:47 =~=~=~=~=~=~=~=~=~=~=~=
sh run
Building configuration...
Current configuration : 7711 bytes
!
! No configuration change since last restart
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname RTR1
!
boot-start-marker
boot system flash c890-universalk9-mz.151-4.M2.bin
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096
logging console critical
!
aaa new-model
!
!
aaa authentication login NetworkAdmins group radius local
aaa authorization console
!
!
!
!
!
aaa session-id common
!
crypto pki token default removal timeout 0
!
!
no ip source-route
!
!
!
ip dhcp excluded-address 10.4.1.1 10.4.1.99
ip dhcp excluded-address 10.4.1.201 10.4.1.254
ip dhcp excluded-address 10.4.2.1 10.4.2.99
ip dhcp excluded-address 10.4.2.201 10.4.2.254
!
ip dhcp pool lv-data
network 10.4.1.0 255.255.255.0
domain-name XXXXX.com
dns-server 10.1.10.1 8.8.8.8
default-router 10.4.1.254
lease 7
!
ip dhcp pool lv-voice
network 10.4.2.0 255.255.255.0
domain-name XXXXX.com
default-router 10.4.2.254
dns-server 10.1.10.1
lease 7
!
!
ip cef
no ip bootp server
ip domain name XXXX.com
ip name-server 10.1.10.1
ip name-server 8.8.8.8
no ipv6 cef
!
!
!
!
multilink bundle-name authenticated
!
!
object-group network locationB-networks
10.4.1.0 255.255.255.0
10.4.2.0 255.255.255.0
!
object-group network locationA-networks
10.1.10.0 255.255.255.0
10.1.11.0 255.255.255.0
10.1.12.0 255.255.255.0
10.1.13.0 255.255.255.0
!
username admin privilege 15 secret
crypto ikev2 proposal ESP-AES-SHA
encryption aes-cbc-128
integrity sha1
group 2
!
crypto ikev2 policy policy1
proposal ESP-AES-SHA
!
crypto ikev2 keyring keyring1
peer locationA
address 209.XX.XX.130
pre-shared-key XXXXXXX
!
!
!
crypto ikev2 profile locationA
match identity remote address 209.XX.XX.130 255.255.255.255
authentication local pre-share
authentication remote pre-share
keyring keyring1
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
!
class-map type inspect match-all management
match access-group name manage-ports
match access-group name manage-hosts
match protocol tcp
class-map type inspect match-all icmp
match protocol icmp
class-map type inspect match-all vpn-traffic
match access-group name vpn-protocols
class-map type inspect match-any all-protocols
match protocol tcp
match protocol udp
match protocol icmp
!
!
policy-map type inspect inside-to-inside
class class-default
pass
policy-map type inspect inside-to-self
class class-default
pass
policy-map type inspect self-to-any
class class-default
pass
policy-map type inspect inside-to-outside
class type inspect all-protocols
inspect
class class-default
drop
policy-map type inspect outside-to-self
class class-default
pass
!
zone security inside
zone security outside
zone-pair security inside-to-inside source inside destination inside
service-policy type inspect inside-to-inside
zone-pair security inside-to-outside source inside destination outside
service-policy type inspect inside-to-outside
zone-pair security inside-to-self source inside destination self
service-policy type inspect inside-to-self
zone-pair security outside-to-self source outside destination self
service-policy type inspect outside-to-self
!
!
!
!
crypto map map1 10 ipsec-isakmp
set peer 209.XX.XX.130
set ikev2-profile locationA
match address locationA-cryptomap
!
!
!
!
!
interface FastEthernet0
switchport voice vlan 6
no ip address
!
interface FastEthernet1
switchport voice vlan 6
no ip address
!
interface FastEthernet2
switchport voice vlan 6
no ip address
!
interface FastEthernet3
switchport voice vlan 6
no ip address
!
interface FastEthernet4
switchport voice vlan 6
no ip address
!
interface FastEthernet5
switchport voice vlan 6
no ip address
!
interface FastEthernet6
switchport voice vlan 6
no ip address
!
interface FastEthernet7
switchport voice vlan 6
no ip address
!
interface FastEthernet8
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0
description $FW_OUTSIDE$$ETH-WAN$
ip address 24.120.XXX.10X 255.255.255.224
no ip redirects
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
zone-member security outside
duplex auto
speed auto
no cdp enable
!
interface Vlan1
description Data$FW_INSIDE$
ip address 10.4.1.254 255.255.255.0
no ip redirects
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security inside
ip tcp adjust-mss 1452
!
interface Vlan6
description Voice$FW_INSIDE$
ip address 10.4.2.254 255.255.255.0
no ip redirects
no ip proxy-arp
zone-member security inside
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
ip forward-protocol nd
!
!
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source route-map nat-default interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 24.XXX.135.XX
!
ip access-list extended manage-hosts
permit ip 209.XX.XX.128 0.0.0.15 any
ip access-list extended manage-protocols
permit tcp any any eq 443
permit tcp any any eq 22
ip access-list extended nat-default
deny ip object-group locationB object-group locationA
permit ip 10.4.1.0 0.0.0.255 any
permit ip 10.4.2.0 0.0.0.255 any
ip access-list extended locationA-cryptomap
permit ip object-group locationB-networks object-group locationA-networks
ip access-list extended vpn-protocols
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit ahp any any
ip access-list extended vty-access
permit tcp 10.4.1.0 0.0.0.255 any eq 22 log
permit tcp 10.1.10.0 0.0.0.255 any eq 22 log
permit tcp 10.1.5.0 0.0.0.255 any eq 22 log
!
logging trap debugging
no cdp run
!
!
!
!
route-map nat-default permit 10
match ip address nat-default
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
banner login ^C
*************** >>> AUTHORIZED ACCESS ONLY! <<< ***************
Disconnect IMMEDIATELY if you are not an authorized user!!!
All actions are monitored and recorded.
*************** >>> AUTHORIZED ACCESS ONLY! <<< ***************
^C
banner motd ^C
*************** >>> AUTHORIZED ACCESS ONLY! <<< ***************
Disconnect IMMEDIATELY if you are not an authorized user!!!
All actions are monitored and recorded.
*************** >>> AUTHORIZED ACCESS ONLY! <<< ***************
^C
!
line con 0
exec-timeout 30 0
logging synchronous
transport output telnet ssh
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
transport output telnet ssh
line vty 0 4
access-class vty-access in
privilege level 15
logging synchronous
login authentication NetworkAdmins
transport input ssh
transport output telnet ssh
line vty 5 15
access-class vty-access in
privilege level 15
logging synchronous
login authentication NetworkAdmins
transport input ssh
transport output telnet ssh
!
scheduler interval 500
ntp update-calendar
ntp server 208.73.56.29 prefer source GigabitEthernet0
end
09-11-2012 04:11 PM
hello,
I just checked the NAT configuration and it's perfect as you suggested.
The crypto ACL is also fine.
I just reviewed the ZBFW setup and it looks perfect. Any logs from the time you attempt to connect to the internet with the crypto map on?
Regards,
Julio
09-11-2012 06:40 PM
NAT appears to be working correctly. I took the ZBF completely out so the router was free for all. Confirmed traffic was working. Applied the crypto map again. Once again tunnel traffic worked but everything else ceased to pass.
I'm completely baffled.
debug ip nat detailed
000074: Sep 11 18:12:15.223 PDT: NAT*: s=10.4.1.124->24.XXX.XXX.104, d=10.1.6.249 [31251]
000075: Sep 11 18:12:15.595 PDT: NAT*: i: tcp (10.4.1.107, 58031) -> (10.1.6.249, 135) [10195]
000076: Sep 11 18:12:15.595 PDT: NAT*: s=10.4.1.107->24.XXX.XXX.104, d=10.1.6.249 [10195]
000077: Sep 11 18:12:15.611 PDT: NAT: expiring 24.XXX.XXX.104 (10.4.1.117) tcp 54027 (54027)
000078: Sep 11 18:12:15.611 PDT: NAT-SymDB: DB is either not enabled or not initiated.
000079: Sep 11 18:12:15.719 PDT: NAT*: i: tcp (10.4.1.107, 58030) -> (10.1.6.249, 5440) [10196]
000080: Sep 11 18:12:15.719 PDT: NAT*: s=10.4.1.107->24.XXX.XXX.104, d=10.1.6.249 [10196]
000081: Sep 11 18:12:16.567 PDT: NAT*: i: tcp (10.4.1.110, 3882) -> (50.18.50.50, 443) [6311]
000082: Sep 11 18:12:16.567 PDT: NAT*: s=10.4.1.110->24.XXX.XXX.104, d=50.18.50.50 [6311]
000083: Sep 11 18:12:17.147 PDT: NAT: expiring 24.XXX.XXX.104 (10.4.1.104) tcp 56051 (56051)
09-11-2012 09:49 PM
Hello,
Pretty weird issue, I have not seen it before. It looks like the router is not able to route properly or to NAT properly.
Can you check the IP routing table while you have the crypto map enabled please?
Also post the configuration with the crypto map applied
I will check my database to see if I find something.
I will keep you posted.
09-12-2012 08:25 AM
Hello,
ip access-list extended nat-default
deny ip object-group locationB object-group locationA
permit ip 10.4.1.0 0.0.0.255 any
permit ip 10.4.2.0 0.0.0.255 any
object-group network locationB-networks
10.4.1.0 255.255.255.0
10.4.2.0 255.255.255.0
!
object-group network locationA-networks
10.1.10.0 255.255.255.0
10.1.11.0 255.255.255.0
10.1.12.0 255.255.255.0
10.1.13.0 255.255.255.0
ip nat inside source route-map nat-default interface GigabitEthernet0 overload
On the ACL you are using the objects locationB and locationA, and I do not see them in the config.
Can you change them to locationB-networks and locationA-networks?
Regards,
Julio
09-12-2012 09:02 AM
Thanks for following up. That is just a typo on my part. The dumped config was missing that deny ACE so I typed it in manually when I posted the running-config. It is correct on the device itself.
Going to take another stab at this later today. Unfortunately it's a production router so my time windows are limited. I'm also going to upgrade to IOS 15.2 on the off chance that what I'm experiencing is a bug. This is the first time I've used IKEv2 so I'm wondering if I'm missing something on that front.
09-12-2012 10:15 AM
Hello,
Okay, please attach the updated configuration with the crypto map applied.
Also, can you do a show crypto ipsec sa and place it in here as well?
Regards
Julio
09-14-2012 10:46 PM
Ok update. I had to wait for some down time.
With the tunnel up I'm seeing the following. From what I can tell that indicates it is seeing packets it thinks should be going over the tunnel but aren't encrypted, so it drops them, which would indicate an access-list problem. I don't see a problem with the ACLs though.
debug ip icmp
%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
sh crypto ipsec sa
interface: GigabitEthernet0
Crypto map tag: map1, local addr 24.XXX.XXX.104
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 209.XX.XX.130 port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 411, #recv errors 0
local crypto endpt.: 24.XXX.XXX.104, remote crypto endpt.: 209.XX.XX.130
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (10.4.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.10.0/255.255.255.0/0/0)
current_peer 209.XX.XX.130 port 500
PERMIT, flags={}
#pkts encaps: 422, #pkts encrypt: 422, #pkts digest: 422
#pkts decaps: 389, #pkts decrypt: 389, #pkts verify: 389
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 24.XXX.XXX.104, remote crypto endpt.: 209.XX.XX.130
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
current outbound spi: 0x4ABEC199(1254015385)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x62C01C4E(1656757326)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: map1
sa timing: remaining key lifetime (k/sec): (4519480/3519)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x4ABEC199(1254015385)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: Onboard VPN:2, sibling_flags 80000046, crypto map: map1
sa timing: remaining key lifetime (k/sec): (4519472/3519)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
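Two things in this thread are worth checking mechanically rather than by eye: the NAT ACL that (as posted) references object-groups locationB and locationA that the config never defines, and the show crypto ipsec sa output above, where the first proxy identity is 0.0.0.0/0.0.0.0 on both sides with zero encaps and 411 send errors. The script below is an added example, not code from the original post or from Cisco; the config excerpt and SA output it parses are constructed inline from what was posted (with the public addresses replaced by placeholder values, since the thread masks them), and the helper names are my own.

```python
"""Checks for two symptoms in this thread (added example, not from the original
post): ACLs that reference undefined object-groups, and IPsec proxy identities
of 0.0.0.0/0 that claim every packet for the tunnel."""
import re

# Constructed excerpt of the posted running-config, keeping the ACE exactly as
# it was posted (object-group names without the -networks suffix).
SAMPLE_CONFIG = """\
object-group network locationB-networks
 10.4.1.0 255.255.255.0
 10.4.2.0 255.255.255.0
object-group network locationA-networks
 10.1.10.0 255.255.255.0
ip access-list extended nat-default
 deny ip object-group locationB object-group locationA
 permit ip 10.4.1.0 0.0.0.255 any
ip access-list extended locationA-cryptomap
 permit ip object-group locationB-networks object-group locationA-networks
"""

# Constructed excerpt of the posted `show crypto ipsec sa`; addresses are
# placeholders (the thread masks them), counters are as posted.
SAMPLE_SA = """\
interface: GigabitEthernet0
    Crypto map tag: map1, local addr 24.0.0.104

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 209.0.0.130 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #send errors 411, #recv errors 0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.4.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.10.0/255.255.255.0/0/0)
   current_peer 209.0.0.130 port 500
     PERMIT, flags={}
    #pkts encaps: 422, #pkts encrypt: 422, #pkts digest: 422
    #send errors 0, #recv errors 0
"""


def undefined_object_groups(config: str) -> dict:
    """Return {acl_name: [object-group names]} for ACEs that reference an
    object-group the config never defines. A deny ACE built on a missing
    group cannot exempt anything from NAT."""
    defined = set(re.findall(r"^object-group network (\S+)", config, re.M))
    missing, current_acl = {}, None
    for line in config.splitlines():
        header = re.match(r"^ip access-list extended (\S+)", line)
        if header:
            current_acl = header.group(1)
        elif not line.startswith(" "):
            current_acl = None          # left the ACL block
        elif current_acl:
            for name in re.findall(r"object-group (\S+)", line):
                if name not in defined:
                    missing.setdefault(current_acl, []).append(name)
    return missing


def parse_ipsec_sa(text: str) -> list:
    """Split `show crypto ipsec sa` output into one dict per proxy identity."""
    entries = []
    for chunk in re.split(r"\n\s*protected vrf:", text)[1:]:
        local = re.search(r"local\s+ident \(addr/mask/prot/port\): \(([^)]*)\)", chunk)
        remote = re.search(r"remote\s+ident \(addr/mask/prot/port\): \(([^)]*)\)", chunk)
        encaps = re.search(r"#pkts encaps: (\d+)", chunk)
        send_err = re.search(r"#send errors (\d+)", chunk)
        entries.append({
            "local": local.group(1), "remote": remote.group(1),
            "encaps": int(encaps.group(1)) if encaps else 0,
            "send_errors": int(send_err.group(1)) if send_err else 0,
        })
    return entries


def catch_all_identities(entries: list) -> list:
    """Identities whose local AND remote selector are 0.0.0.0/0.0.0.0. Such an
    identity matches every packet leaving the interface; with no SA ever
    established for it (zero encaps, non-zero send errors) those packets are
    dropped rather than forwarded in the clear."""
    any_sel = "0.0.0.0/0.0.0.0"
    return [e for e in entries
            if e["local"].startswith(any_sel) and e["remote"].startswith(any_sel)]


if __name__ == "__main__":
    for acl, groups in undefined_object_groups(SAMPLE_CONFIG).items():
        print(f"ACL {acl} references undefined object-group(s): {', '.join(groups)}")
    for e in catch_all_identities(parse_ipsec_sa(SAMPLE_SA)):
        print(f"catch-all identity {e['local']} -> {e['remote']}: "
              f"encaps={e['encaps']} send_errors={e['send_errors']}")
```

Run it against a real `show running-config` and `show crypto ipsec sa` capture instead of the constructed samples; a catch-all identity that the crypto ACL does not spell out as any/any is the thing to chase, since the ACL as written only covers the locationB-to-locationA networks.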
09-15-2012 10:53 AM
Hello,
Here is the issue:
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
Based on this it looks like all traffic is going over the VPN tunnel.
The question is why as the configuration is the right one.
Is there a way you could reboot your router?
Julio
09-15-2012 04:58 PM
It has been rebooted a few times now. I'm dumbfounded myself. I've gone over the config 1000+ times and I just don't see anything wrong.
Currently waiting on my service contract for entitlement to download the latest IOS. See if it's a bug. Other than that I'm stumped.
09-15-2012 11:28 PM
Agree with you.
I ran a lab just to make sure the IKEv2 setup was correct, and mine works with no problem.
Please upgrade and let us know the result,
Regards,