06-27-2019 02:10 AM
Hi Guys,
I'm struggling with an issue connecting a Watchguard to a Cisco via IPSEC.
I've managed to establish the VPN; however, I get no traffic through it.
I know I'm missing a route, like "ip route 10.33.0.0 255.255.255.0 10.0.0.253",
but I get "Invalid next hop address" (it's the router), which makes sense as it is the router, except now I don't know what to put.
Details below:
Site 1: (Watchguard) internal IP 10.33.0.0/24
Site 2: (Cisco) internal IP 10.0.0.0/24
Snippets from show run below:
Any info would be greatly appreciated.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxx address 49.255.xx.xx
!
!
crypto ipsec transform-set vpn esp-aes 256 esp-sha-hmac
mode tunnel
!
!
!
crypto map towatchguard 1 ipsec-isakmp
description tunnel_to_watchguard
set peer 49.255.xx.xx
set security-association lifetime kilobytes 1280000
set security-association lifetime seconds 86400
set transform-set vpn
match address 100
reverse-route
!
interface GigabitEthernet0/0
description *** WAN Interface ***
ip address 103.212.xxx.xx 255.255.255.252
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
no cdp enable
crypto map towatchguard
!
ip route 0.0.0.0 0.0.0.0 103.212.217.33
ip route 10.0.0.0 255.255.255.0 192.168.0.254
ip route 192.168.92.0 255.255.255.0 192.168.0.254
ip route 192.168.150.0 255.255.255.0 192.168.0.254
ip route 192.168.173.0 255.255.255.0 192.168.0.254
ip route 192.168.200.0 255.255.255.0 192.168.0.254
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.33.0.0 0.0.0.255
Thanks in Advance,
Matt
Labels: Routing Protocols
Accepted Solutions
06-29-2019 09:45 AM
Hello Matt,
I'm afraid there is some unexpected competition between NAT statements.
The show ip nat translations output during the test from 10.0.0.27 to 10.33.0.254 tells us the following:
Your outgoing traffic is not going over the VPN because it is NATted using the public address of gi0/0.2!!!
Here are the NAT translations while running a ping from 10.0.0.27:
icmp 103.212.217.42:96 10.0.0.27:1 10.33.0.254:1 10.33.0.254:96
Looking at configurations related to gi0/0.2 we see the following:
! exit interface hit by NAT from 10.0.0.27 ICMP to 10.33.0.254
interface GigabitEthernet0/0.2
description *PKF INTERFACE*
encapsulation dot1Q 41
ip address 103.212.217.42 255.255.255.252
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
!
! incoming interface for traffic originated from 10.0.0.27/24 is the following directly connected
! internal interface for PKF network notice 10.0.0.0/24 is a connected network
interface GigabitEthernet0/1.40
description *PKF VLAN*
encapsulation dot1Q 40
ip address 10.0.0.253 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip policy route-map PKF_MAP
Here a PBR route-map is applied.
The route-map has the following configuration
route-map PKF_MAP permit 10
match ip address PKF_IP_ACL
set ip next-hop 103.212.217.41
!
The ACL used in the route-map is the following:
ip access-list extended PKF_IP_ACL
>>>deny ip 10.0.0.0 0.0.0.255 10.33.0.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 any
permit ip 192.168.150.0 0.0.0.255 any
The ACL has been modified, and the first deny statement for interesting traffic should cause the traffic destined to 10.33.0.254 not to be policy routed but to be subject to standard destination-based routing.
Destination-based routing would make the traffic exit from the gi0/0 main interface using the default route.
However, there are NAT statements using a standard ACL, as I noted in a previous post, and NAT operation can take precedence over routing. It is a question of order of operations.
ip nat inside source list PKF_NAT interface GigabitEthernet0/0.2 overload
ip access-list standard PKF_NAT
permit 10.0.0.0 0.0.0.255
permit 192.168.150.0 0.0.0.255
This standard ACL does not allow denying traffic originated from 10.0.0.0/24 to net 10.33.0.0/24.
We should use an extended ACL, as I had proposed in my post.
We can also add a match interface as a security measure to make NAT be triggered only if the outgoing interface is gi0/0.2 and not when it is gi0/0.
Looking at the NAT static commands, I cannot see any static NAT command related to host 10.0.0.27.
The only possible NAT triggered here is the one triggered by ACL PKF_NAT.
For your convenience I post again the proposed configuration, with an added check on the exiting interface, that should solve your issue (this time I am more confident thanks to Grant's help).
You must use an extended ACL that is then invoked by a route-map to perform NAT:
ip access-list extended PKF_NAT2
deny ip 10.0.0.0 0.0.0.255 10.33.0.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 any
permit ip 192.168.150.0 0.0.0.255 any
route-map PKF_NAT2 permit 10
match ip address PKF_NAT2
match interface gi0/0.2
!
no ip nat inside source list PKF_NAT interface GigabitEthernet0/0.2 overload
ip nat inside source route-map PKF_NAT2 interface gi0/0.2 overload
The PBR on incoming interface gi0/1.40 is already fixed, as we have seen above.
As noted by Grant and me, you have a very complex NAT and PBR configuration, and you need to be sure that no PBR is performed (this is already fixed) and no unwanted NAT can occur.
This is still to be fixed using the configuration proposed above.
When configuring such complex NAT scenarios, all NAT statements should use route-maps in order to be able to use:
a) an extended ACL to decide what should be NATted, with deny statements if needed, as in this case;
b) a match interface, so that the NAT statement will be used only if the outgoing interface is the specified one, avoiding unwanted, unexpected translations occurring before standard destination-based routing is taken into account.
Hope to help
Giuseppe
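The order-of-operations argument in the accepted solution can be checked on paper with a small model. The following Python script is an added example, not code from the thread or from Cisco: it implements Cisco wildcard-mask matching for standard and extended ACLs, then walks one inside-to-outside packet through NAT first and the crypto-map check second, which is the IOS order the answer relies on. The addresses, the two NAT ACLs and the gi0/0.2 public address are taken from the thread; ports and protocols are ignored, and the `match interface` clause of the proposed route-map is modelled as a parameter. It also generalises slightly by handling `any` and `host` address forms so it can be reused on the other ACLs posted in the thread.

```python
"""Added model of IOS inside->outside NAT vs. crypto-map evaluation.
Assumption (Cisco NAT order of operations): for inside->outside traffic,
NAT is applied before the crypto map is consulted, so the crypto ACL sees
the post-NAT source address. Ports/protocols are not modelled."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

GI002_PUBLIC = "103.212.217.42"      # public address of gi0/0.2 from the thread
PROTOCOLS = {"ip", "tcp", "udp", "icmp", "esp", "gre", "ahp"}

# Crypto ACL 100 from the original post (interesting traffic).
CRYPTO_ACL_100 = "permit ip 10.0.0.0 0.0.0.255 10.33.0.0 0.0.0.255"
# Original standard NAT ACL: source-only, so it cannot exclude the VPN destination.
PKF_NAT_STD = """
permit 10.0.0.0 0.0.0.255
permit 192.168.150.0 0.0.0.255
"""
# Proposed extended NAT ACL: the leading deny keeps VPN traffic out of NAT.
PKF_NAT2_EXT = """
deny ip 10.0.0.0 0.0.0.255 10.33.0.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 any
permit ip 192.168.150.0 0.0.0.255 any
"""


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care


@dataclass
class Ace:
    action: str                       # 'permit' or 'deny'
    src: Tuple[str, str]              # (network, wildcard)
    dst: Optional[Tuple[str, str]]    # None for a standard (source-only) ACL


def _addr_spec(tok: List[str], i: int):
    """Consume 'any', 'host A' or 'A WILDCARD' starting at tok[i]."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tok) and tok[i + 1][0].isdigit():
        return (tok[i], tok[i + 1]), i + 2
    return (tok[i], "0.0.0.0"), i + 1   # bare host address in a standard ACL


def parse_acl(text: str) -> List[Ace]:
    """Parse ACL lines as they appear in 'show run'; remarks are skipped."""
    entries = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if not tok or tok[0] == "remark":
            continue
        if tok[1] in PROTOCOLS:          # extended: protocol keyword present
            src, i = _addr_spec(tok, 2)
            dst, _ = _addr_spec(tok, i)
        else:                            # standard: source address only
            src, _ = _addr_spec(tok, 1)
            dst = None
        entries.append(Ace(tok[0], src, dst))
    return entries


def acl_result(entries: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for e in entries:
        if wildcard_match(src, *e.src) and (e.dst is None or wildcard_match(dst, *e.dst)):
            return e.action
    return "deny"


def nat_then_crypto(src: str, dst: str, nat_acl: str,
                    egress: str = "gi0/0", match_interface: Optional[str] = None):
    """Return (source address the crypto map sees, encrypted?).
    match_interface models the route-map 'match interface' clause;
    None models a plain 'ip nat inside source list ... overload'."""
    nat_hit = acl_result(parse_acl(nat_acl), src, dst) == "permit"
    if match_interface is not None and egress != match_interface:
        nat_hit = False                  # route-map clause not satisfied: no NAT
    seen_src = GI002_PUBLIC if nat_hit else src
    encrypted = acl_result(parse_acl(CRYPTO_ACL_100), seen_src, dst) == "permit"
    return seen_src, encrypted


if __name__ == "__main__":
    print("before fix:", nat_then_crypto("10.0.0.27", "10.33.0.254", PKF_NAT_STD))
    print("after fix: ", nat_then_crypto("10.0.0.27", "10.33.0.254", PKF_NAT2_EXT,
                                         egress="gi0/0", match_interface="gi0/0.2"))
    print("internet:  ", nat_then_crypto("10.0.0.27", "203.0.113.10", PKF_NAT2_EXT,
                                         egress="gi0/0.2", match_interface="gi0/0.2"))
```

With the original standard ACL the ping from 10.0.0.27 is translated to 103.212.217.42 before the crypto map runs, so ACL 100 no longer matches and the packet leaves in clear text; with the extended ACL's deny (and the interface match) the source stays 10.0.0.27 and the packet is marked for encryption, while ordinary Internet-bound traffic from the same host is still translated.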
06-27-2019 02:16 AM
Hello Matt,
Your configuration looks fine; you don't need an additional route.
ACL 100 is defining the traffic to be encrypted, and it is correct.
Post
show crypto ipsec sa
to see if there are errors in encryption / decryption.
Hope to help
Giuseppe
06-27-2019 03:31 AM
Thanks for the help.
interface: GigabitEthernet0/0
Crypto map tag: towatchguard, local addr 103.212.217.34
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.33.0.0/255.255.255.0/0/0)
current_peer 49.255.243.114 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 28, #pkts decrypt: 28, #pkts verify: 28
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 103.212.217.34, remote crypto endpt.: 49.255.243.114
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xE040704D(3762319437)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x2EBB72FF(784036607)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2017, flow_id: Onboard VPN:17, sibling_flags 80000040, crypto map: towatchguard
sa timing: remaining key lifetime (k/sec): (120548/18857)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xE040704D(3762319437)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2018, flow_id: Onboard VPN:18, sibling_flags 80000040, crypto map: towatchguard
sa timing: remaining key lifetime (k/sec): (120548/18857)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
06-27-2019 04:09 AM
Hello Matt,
To check the VPN you need to use a PC connected to the source subnet.
I see that the source subnet is not directly connected to your router:
>> ip route 10.0.0.0 255.255.255.0 192.168.0.254
The counters say that traffic is coming from the remote site Watchguard, but no traffic is sent out:
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.33.0.0/255.255.255.0/0/0)
current_peer 49.255.243.114 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 28, #pkts decrypt: 28, #pkts verify: 28
Verify that hosts in 10.0.0.0/24 have the correct default gateway and that the device with IP address 192.168.0.254 has either a default route pointing to the router or a specific static route for net 10.33.0.0/24 pointing to your router.
You cannot trigger the use of the VPN with any local interface on the router.
A device like a PC in net 10.0.0.0/24 has to be used, or the switch with IP address 192.168.0.254 can try to ping remote 10.33.0.x with a source address on its VLAN interface in 10.0.0.0/24.
Hope to help
Giuseppe
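The diagnosis above rests on reading the SA counters: decaps climbing while encaps stays at zero means the peer is sending but the local router never marks anything for encryption. The following Python parser is an added example, not part of the thread or of any Cisco tool: it extracts the proxy identities, peer and encaps/decaps counters from `show crypto ipsec sa` output and classifies each SA. The sample text is the excerpt Matt posted; the field layout follows that excerpt and the classification labels are this example's own.

```python
"""Added example: classify IPsec SAs from 'show crypto ipsec sa' by their
encaps/decaps counters. The regexes follow the output format seen in the
thread; other IOS releases may differ slightly."""
import re
from typing import Dict, List, Tuple

# Sample input: the SA block Matt posted (trimmed to the lines used here).
SAMPLE_SA = """\
interface: GigabitEthernet0/0
Crypto map tag: towatchguard, local addr 103.212.217.34
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.33.0.0/255.255.255.0/0/0)
current_peer 49.255.243.114 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 28, #pkts decrypt: 28, #pkts verify: 28
#send errors 0, #recv errors 0
"""

IDENT_RE = re.compile(r"^(local|remote) ident[^:]*:\s*\(([^/]+)/([^/]+)/\d+/\d+\)", re.M)
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERR_RE = re.compile(r"#(send|recv) errors (\d+)")
PEER_RE = re.compile(r"current_peer (\S+) port (\d+)")


def parse_ipsec_sa(text: str) -> List[Dict]:
    """Return one dict per SA (one per 'local ident' block)."""
    sas = []
    for block in re.split(r"(?m)^(?=local ident)", text):
        idents = {kind: f"{net}/{mask}" for kind, net, mask in IDENT_RE.findall(block)}
        if "local" not in idents or "remote" not in idents:
            continue                      # header text before the first SA
        counters = {k: int(v) for k, v in COUNTER_RE.findall(block)}
        errors = {k: int(v) for k, v in ERR_RE.findall(block)}
        peer = PEER_RE.search(block)
        sas.append({
            "local": idents["local"], "remote": idents["remote"],
            "peer": peer.group(1) if peer else None,
            "encaps": counters.get("encaps", 0), "decaps": counters.get("decaps", 0),
            "send_errors": errors.get("send", 0), "recv_errors": errors.get("recv", 0),
        })
    return sas


def diagnose(sa: Dict) -> Tuple[str, str]:
    """Classify an SA from its counters; the labels are this example's own."""
    if sa["encaps"] == 0 and sa["decaps"] > 0:
        return ("rx-only", "peer is sending, but nothing local is being encrypted: "
                           "the test source is not in the local ident, or PBR/NAT "
                           "diverts or rewrites the packet before the crypto map")
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        return ("tx-only", "encrypting locally, but no return traffic: check the "
                           "remote side and the return path")
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return ("idle", "no interesting traffic has hit the crypto ACL yet")
    return ("ok", "traffic flows in both directions")


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_SA):
        code, why = diagnose(sa)
        print(f"{sa['local']} <-> {sa['remote']} via {sa['peer']}: {code} ({why})")
```

Run against the posted output this reports the SA as rx-only, which is exactly the symptom the thread goes on to trace to PBR and NAT acting before the crypto map.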
06-27-2019 05:41 AM
Thanks for looking.
I added a static route to the 10.0.0.253 IP, but that didn't work. It's an HP managed switch.
I added: ip route 10.33.0.0/24 10.0.0.254
Destination Gateway VLAN Type Sub-Type Metric Dist.
------------------ --------------- ---- --------- ---------- ---------- -----
0.0.0.0/0 192.168.0.204 1 static 1 1
10.0.0.0/24 PKF 40 connected 1 0
10.10.180.0/24 CARBONE 50 connected 1 0
10.33.0.0/24 10.0.0.253 40 static 1 1
06-27-2019 05:48 AM
Hello Matt,
Who is 192.168.0.204, the default route next-hop on the HP switch?
If it is the router, you are fine, and you don't need the specific static route 10.33.0.0/24 to 10.0.0.254.
Can you provide the NAT configuration on the Cisco router, as suggested by Grant? The failure in sending packets over the VPN can be caused by NAT; there was a recent thread with this exact issue.
Hope to help
Giuseppe
06-27-2019 06:31 AM
The 204 is the router as well (same as 10.0.0.253).
NAT configuration is here.
!
ip nat inside source static tcp 192.168.0.253 22 interface GigabitEthernet0/0 2222
ip nat inside source static udp 192.168.92.20 161 interface GigabitEthernet0/0 5225
ip nat inside source static tcp 192.168.92.20 82 interface GigabitEthernet0/0 80
ip nat inside source static tcp 192.168.0.17 22 interface GigabitEthernet0/0 2223
ip nat inside source static tcp 192.168.0.16 22 interface GigabitEthernet0/0 2224
ip nat inside source static tcp 192.168.0.13 3389 interface GigabitEthernet0/0 3389
ip nat inside source static tcp 192.168.0.254 22 interface GigabitEthernet0/0 2228
ip nat inside source static tcp 192.168.0.5 1723 interface GigabitEthernet0/0 1723
ip nat inside source list ARTISAN_NAT interface GigabitEthernet0/0.1 overload
ip nat inside source list NAT_ACL interface GigabitEthernet0/0 overload
ip nat inside source list NAT_ADDRESSES2 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.20.1 1723 interface GigabitEthernet0/0.1 1723
ip nat inside source static tcp 192.168.20.1 443 interface GigabitEthernet0/0.1 443
ip nat inside source static tcp 192.168.20.1 3389 interface GigabitEthernet0/0.1 3389
ip nat inside source static tcp 192.168.20.1 25 interface GigabitEthernet0/0.1 25
ip nat inside source static tcp 192.168.20.2 443 interface GigabitEthernet0/0.1 444
ip nat inside source static tcp 192.168.20.2 4125 interface GigabitEthernet0/0.1 4125
ip nat inside source static tcp 192.168.20.20 4001 interface GigabitEthernet0/0.1 4001
ip nat inside source static tcp 10.0.0.30 25 interface GigabitEthernet0/0.2 25
ip nat inside source static tcp 10.0.0.30 443 interface GigabitEthernet0/0.2 443
ip nat inside source static tcp 10.0.0.30 80 interface GigabitEthernet0/0.2 80
ip nat inside source static tcp 10.0.0.30 587 interface GigabitEthernet0/0 587
ip nat inside source static tcp 10.0.0.30 465 interface GigabitEthernet0/0 465
ip nat inside source static tcp 10.0.0.26 1723 interface GigabitEthernet0/0.2 1723
ip nat inside source static tcp 10.0.0.55 8443 interface GigabitEthernet0/0.2 8443
ip nat inside source static udp 10.0.0.55 8443 interface GigabitEthernet0/0.2 8443
ip nat inside source static udp 10.0.0.26 500 interface GigabitEthernet0/0.2 500
ip nat inside source static udp 10.0.0.26 4500 interface GigabitEthernet0/0.2 4500
ip nat inside source static esp 10.0.0.26 interface GigabitEthernet0/0.2
ip nat inside source static tcp 192.168.80.2 443 interface GigabitEthernet0/0.3 443
ip nat inside source static tcp 192.168.80.2 1723 interface GigabitEthernet0/0.3 1723
ip nat inside source static tcp 192.168.80.2 587 interface GigabitEthernet0/0.3 587
ip nat inside source static tcp 10.0.0.101 443 interface GigabitEthernet0/0.4 443
ip nat inside source static tcp 192.168.80.2 3389 interface GigabitEthernet0/0.3 3391
ip nat inside source list PKF_NAT interface GigabitEthernet0/0.2 overload
ip nat inside source list Wolfstar_NAT interface GigabitEthernet0/0.3 overload
ip nat inside source static tcp 192.168.80.2 25 interface GigabitEthernet0/0.3 25
ip nat inside source static tcp 192.168.80.2 500 interface GigabitEthernet0/0.3 500
ip nat inside source static tcp 192.168.80.2 465 interface GigabitEthernet0/0.3 465
ip nat inside source static udp 192.168.80.2 500 interface GigabitEthernet0/0.3 500
ip nat inside source static udp 192.168.80.2 4500 interface GigabitEthernet0/0.3 4500
ip nat inside source static esp 192.168.80.2 interface GigabitEthernet0/0.3
ip nat inside source static tcp 10.0.0.8 443 interface GigabitEthernet0/0 443
ip nat inside source static tcp 10.0.0.101 781 interface GigabitEthernet0/0.2 781
ip nat inside source static tcp 10.0.0.101 80 interface GigabitEthernet0/0.4 80
ip nat inside source static tcp 10.0.0.28 25 interface GigabitEthernet0/0.4 25
ip route 0.0.0.0 0.0.0.0 103.212.217.33
ip route 10.0.0.0 255.255.255.0 192.168.0.254
ip route 192.168.92.0 255.255.255.0 192.168.0.254
ip route 192.168.150.0 255.255.255.0 192.168.0.254
ip route 192.168.173.0 255.255.255.0 192.168.0.254
ip route 192.168.200.0 255.255.255.0 192.168.0.254
!
06-27-2019 04:17 AM
I notice your Outside Interface has a NAT config on it. Can you share the rest of the NAT config on the IOS device. It may be related to this.
06-27-2019 05:38 AM
No problems.
ip nat inside source static tcp 192.168.0.253 22 interface GigabitEthernet0/0 2222
ip nat inside source static udp 192.168.92.20 161 interface GigabitEthernet0/0 5225
ip nat inside source static tcp 192.168.92.20 82 interface GigabitEthernet0/0 80
ip nat inside source static tcp 192.168.0.17 22 interface GigabitEthernet0/0 2223
ip nat inside source static tcp 192.168.0.16 22 interface GigabitEthernet0/0 2224
ip nat inside source static tcp 192.168.0.13 3389 interface GigabitEthernet0/0 3389
ip nat inside source static tcp 192.168.0.254 22 interface GigabitEthernet0/0 2228
ip nat inside source static tcp 192.168.0.5 1723 interface GigabitEthernet0/0 1723
ip nat inside source list ARTISAN_NAT interface GigabitEthernet0/0.1 overload
ip nat inside source list NAT_ACL interface GigabitEthernet0/0 overload
ip nat inside source list NAT_ADDRESSES2 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.20.1 1723 interface GigabitEthernet0/0.1 1723
ip nat inside source static tcp 192.168.20.1 443 interface GigabitEthernet0/0.1 443
ip nat inside source static tcp 192.168.20.1 3389 interface GigabitEthernet0/0.1 3389
ip nat inside source static tcp 192.168.20.1 25 interface GigabitEthernet0/0.1 25
ip nat inside source static tcp 192.168.20.2 443 interface GigabitEthernet0/0.1 444
ip nat inside source static tcp 192.168.20.2 4125 interface GigabitEthernet0/0.1 4125
ip nat inside source static tcp 192.168.20.20 4001 interface GigabitEthernet0/0.1 4001
ip nat inside source static tcp 10.0.0.30 25 interface GigabitEthernet0/0.2 25
ip nat inside source static tcp 10.0.0.30 443 interface GigabitEthernet0/0.2 443
ip nat inside source static tcp 10.0.0.30 80 interface GigabitEthernet0/0.2 80
ip nat inside source static tcp 10.0.0.30 587 interface GigabitEthernet0/0 587
ip nat inside source static tcp 10.0.0.30 465 interface GigabitEthernet0/0 465
ip nat inside source static tcp 10.0.0.26 1723 interface GigabitEthernet0/0.2 1723
ip nat inside source static tcp 10.0.0.55 8443 interface GigabitEthernet0/0.2 8443
ip nat inside source static udp 10.0.0.55 8443 interface GigabitEthernet0/0.2 8443
ip nat inside source static udp 10.0.0.26 500 interface GigabitEthernet0/0.2 500
ip nat inside source static udp 10.0.0.26 4500 interface GigabitEthernet0/0.2 4500
ip nat inside source static esp 10.0.0.26 interface GigabitEthernet0/0.2
ip nat inside source static tcp 192.168.80.2 443 interface GigabitEthernet0/0.3 443
ip nat inside source static tcp 192.168.80.2 1723 interface GigabitEthernet0/0.3 1723
ip nat inside source static tcp 192.168.80.2 587 interface GigabitEthernet0/0.3 587
ip nat inside source static tcp 10.0.0.101 443 interface GigabitEthernet0/0.4 443
ip nat inside source static tcp 192.168.80.2 3389 interface GigabitEthernet0/0.3 3391
ip nat inside source list PKF_NAT interface GigabitEthernet0/0.2 overload
ip nat inside source list Wolfstar_NAT interface GigabitEthernet0/0.3 overload
ip nat inside source static tcp 192.168.80.2 25 interface GigabitEthernet0/0.3 25
ip nat inside source static tcp 192.168.80.2 500 interface GigabitEthernet0/0.3 500
ip nat inside source static tcp 192.168.80.2 465 interface GigabitEthernet0/0.3 465
ip nat inside source static udp 192.168.80.2 500 interface GigabitEthernet0/0.3 500
ip nat inside source static udp 192.168.80.2 4500 interface GigabitEthernet0/0.3 4500
ip nat inside source static esp 192.168.80.2 interface GigabitEthernet0/0.3
ip nat inside source static tcp 10.0.0.8 443 interface GigabitEthernet0/0 443
ip nat inside source static tcp 10.0.0.101 781 interface GigabitEthernet0/0.2 781
ip nat inside source static tcp 10.0.0.101 80 interface GigabitEthernet0/0.4 80
ip nat inside source static tcp 10.0.0.28 25 interface GigabitEthernet0/0.4 25
ip route 0.0.0.0 0.0.0.0 103.212.217.33
ip route 10.0.0.0 255.255.255.0 192.168.0.254
ip route 192.168.92.0 255.255.255.0 192.168.0.254
ip route 192.168.150.0 255.255.255.0 192.168.0.254
ip route 192.168.173.0 255.255.255.0 192.168.0.254
ip route 192.168.200.0 255.255.255.0 192.168.0.254
!
06-27-2019 07:21 AM
What are the networks associated with the following ACLs mentioned below?
NAT_ACL
NAT_ADDRESSES2
ip nat inside source list NAT_ACL interface GigabitEthernet0/0 overload
ip nat inside source list NAT_ADDRESSES2 interface GigabitEthernet0/0 overload
06-27-2019 07:28 AM
ip access-list extended LAN-WAN
permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
permit tcp any any established
permit ip any 192.168.0.0 0.0.0.255
permit ip any 192.168.5.0 0.0.0.255
permit ip any 192.168.92.0 0.0.0.255
permit tcp host 192.168.0.7 host 10.0.0.1 eq smtp
permit tcp host 192.168.0.17 host 10.0.0.1 eq smtp
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
remark *** Permit all IP traffic ***
permit ip any any
ip access-list extended NAT_ACL
ip access-list extended NAT_ADDRESSES2
permit ip 192.168.0.0 0.0.0.255 any
permit ip 192.168.200.0 0.0.0.255 any
ip access-list extended NO_NAT
permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.92.0 0.0.0.255 192.168.5.0 0.0.0.255
06-27-2019 07:29 AM
ip access-list extended PKF_IP_ACL
permit ip 10.0.0.0 0.0.0.255 any
permit ip 192.168.150.0 0.0.0.255 any
ip access-list extended WOFLSTAR_IPs
permit ip 192.168.80.0 0.0.0.255 any
!
06-27-2019 08:02 AM - edited 06-27-2019 08:05 AM
Hello Matt,
The following ACL
ip access-list extended PKF_IP_ACL
permit ip 10.0.0.0 0.0.0.255 any
should be modified to
ip access-list extended PKF_IP_ACL
deny ip 10.0.0.0 0.0.0.255 10.33.0.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 any
Also be aware that all static NAT entries related to hosts in net 10.0.0.0/24 will override the ACL deny, so run tests using an IP address that is not the object of static NAT statements.
Hope to help
Giuseppe
06-27-2019 05:56 PM
Thanks, that makes sense.
I'm trying to update it but get this error:
per-msol-rtr-01#show ip access-list PKF_IP_ACL
Extended IP access list PKF_IP_ACL
10 permit ip 10.0.0.0 0.0.0.255 any (132181933 matches)
20 permit ip 192.168.150.0 0.0.0.255 any
per-msol-rtr-01#conf t
Enter configuration commands, one per line. End with CNTL/Z.
per-msol-rtr-01(config)#ip access-list extended PKF_IP_ACL
per-msol-rtr-01(config-ext-nacl)#deny ip 10.0.0.0 0.0.0.255 10.33.0.255
% Incomplete command.
Any ideas?
06-27-2019 07:43 PM
Seems like it got the rule applied.
Still no traffic though :(
remark *** Permit all IP traffic ***
permit ip any any
ip access-list extended NAT_ACL
ip access-list extended NAT_ADDRESSES2
permit ip 192.168.0.0 0.0.0.255 any
permit ip 192.168.200.0 0.0.0.255 any
ip access-list extended NO_NAT
permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.92.0 0.0.0.255 192.168.5.0 0.0.0.255
ip access-list extended PKF_IP_ACL
deny ip 10.0.0.0 0.0.0.255 10.33.0.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 any
permit ip 192.168.150.0 0.0.0.255 any
Any idea?
