No outbound traffic permitted except VPN

g.dirkzwager
Level 1

I hope someone can point me in the right direction, as I have been staring at this problem for so long I think I may be completely overlooking the obvious. I have the router set up in a router-to-router VPN tunnel between 2 LANs. It works fine: all traffic passes along the tunnel, and I am also able to access the Terminal Server on the network from the trusted host on the Internet. I am able to access the Internet with the internal clients. Then I enable access-list 112 and the problems start.

After solving most issues I ended up with the enclosed configuration, and most things work, except that no internal hosts are able to pass the router and connect to any services on the Internet other than with a ping. If I ping an external host I receive a reply, but as soon as I try to use a different protocol everything is blocked. Tunnel traffic does work. Logging also neatly tells me that the access list is blocking the traffic, but I cannot seem to put my finger on where the config errors lie.

Can anyone advise?

3 Replies

Richard Burts
Hall of Fame

Gerwin

I have looked at the config that you posted. The first thing that I noticed is that access list 112 is applied inbound and you have this line:

access-list 112 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

which identifies 192.168.2.0 as the source. But if the access list is inbound then 192.168.2.0 should be the destination since it is the locally connected network.

If you change the access list so that 192.168.1.0 is the source and 192.168.2.0 is the destination how does it work?

HTH

Rick

Hi Rick,

Thanks, this was indeed an oversight. However, it was not THE problem, unfortunately. After correcting it I still have the same problem. After attempting to connect to a web server on the Internet, the following is logged:

list 112 denied tcp (80)-> (1339), 1 packet

Gerwin

olorunloba
Level 5

Please cross-check your logic of whether the access list is inbound or outbound against the source and destination parts of the access list.

I noticed the following line in the access list:

access-list 112 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

and also noticed that you have an interface with the ip address 192.168.2.254/24. This implies that the subnet 192.168.2.0/24 is local and should therefore be in the destination part of the access-list for an inbound access list.

Since you specified an "any" in the part of the access list permitting ICMP, that might be the reason the pings are getting replies.
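To make the direction argument in the two replies above concrete, here is an added Python model of how IOS evaluates a numbered ACL against packets arriving inbound on the outside interface (example code written for this thread, not the poster's configuration or Cisco's code). The "permit icmp any any" entry and the Internet host 203.0.113.5 are assumptions standing in for the parts of the config not quoted in the thread.

```python
import ipaddress

# Constructed sample ACLs (not the poster's full config): the line quoted in the
# thread plus an assumed "permit icmp any any" for the ICMP entry the third reply
# mentions. IOS ends every ACL with an implicit deny; evaluate() reproduces it.
ACL_AS_POSTED = [
    "access-list 112 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 112 permit icmp any any",
]
ACL_CORRECTED = [  # source and destination swapped, as both replies suggest
    "access-list 112 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 112 permit icmp any any",
]

def _parse_addr(tokens, i):
    """Read 'any', 'host A' or 'A wildcard'; return ((addr, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.ip_address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.ip_address(tokens[i]))
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    return (addr, wildcard), i + 2

def _matches(spec, ip):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (int(ipaddress.ip_address(ip)) & care)

def parse_ace(line):
    t = line.split()  # access-list <n> <permit|deny> <proto> <src> <dst>
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, _ = _parse_addr(t, i)
    return action, proto, src, dst

def evaluate(acl, proto, src_ip, dst_ip):
    """First matching entry wins; no match means the implicit deny."""
    for line in acl:
        action, aproto, asrc, adst = parse_ace(line)
        if aproto in ("ip", proto) and _matches(asrc, src_ip) and _matches(adst, dst_ip):
            return action
    return "deny"

if __name__ == "__main__":  # 203.0.113.5 is a constructed Internet host
    for name, acl in (("as posted", ACL_AS_POSTED), ("corrected", ACL_CORRECTED)):
        print(name, "VPN peer -> LAN:", evaluate(acl, "tcp", "192.168.1.10", "192.168.2.20"))
        print(name, "ping reply -> LAN:", evaluate(acl, "icmp", "203.0.113.5", "192.168.2.20"))
        print(name, "web reply -> LAN:", evaluate(acl, "tcp", "203.0.113.5", "192.168.2.20"))
```

Run as written, it shows the VPN peer's traffic denied by the posted line and permitted by the swapped one, the ping reply permitted by the "any" entry in both, and the web server's reply denied in both because no entry covers it, which matches the "list 112 denied tcp (80)" log quoted above.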
