01-30-2007 01:24 AM - edited 03-05-2019 02:03 PM
Hi Guys,
My issue is this:
I have a home office router and a core router. The following is the config. I'm using crypto maps to create it, but there seems to be an issue with the ACLs. I can ping both public IP addresses, but after that, nothing. Any help is great. Any good ACL troubleshooting methods?
Main Router to Home office Router:
crypto isakmp policy 1
authentication pre-share
group 2
lifetime 3600
crypto isakmp key RODONOHU-VPN address 213.94.219.249
crypto ipsec transform-set 60GMAC esp-3des esp-md5-hmac
crypto map COGENT_VPN 60 ipsec-isakmp
description RODONOHU-HOME-TEST
set peer 213.94.219.249
set transform-set 60GMAC
match address RODONOHUE_HOME
ip route 172.17.25.16 255.255.255.240 66.28.244.17 name RobODonohueHomeTest
ip route 213.94.219.249 255.255.255.255 66.28.244.17 name RODONOHU-TUNNEL
ip access-list extended RODONOHUE_HOME
permit ip host 66.28.244.18 host 213.94.219.249
permit ip 172.16.0.0 0.0.255.255 172.17.25.16 0.0.0.15
permit ip 172.17.0.0 0.0.255.255 172.17.25.16 0.0.0.15
permit ip 192.168.0.0 0.0.255.255 172.17.25.16 0.0.0.15
permit ip 192.206.209.0 0.0.0.255 172.17.25.16 0.0.0.15
deny ip any any log
Home Office Router
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key RODONOHU-VPN address 66.28.244.18
crypto ipsec transform-set 60GMAC esp-3des esp-md5-hmac
!
crypto map COGENT_VPN 60 ipsec-isakmp
set peer 66.28.244.18
set transform-set 60GMAC
match address Crypto_ACL
ip route 0.0.0.0 0.0.0.0 Dialer1
ip access-list extended Crypto_ACL
permit ip host 213.94.219.249 host 66.28.244.18
permit ip 172.17.25.16 0.0.0.15 172.16.0.0 0.0.255.255
permit ip 172.17.25.16 0.0.0.15 172.17.0.0 0.0.255.255
permit ip 172.17.25.16 0.0.0.15 192.168.0.0 0.0.255.255
permit ip 172.17.25.16 0.0.0.15 192.206.209.0 0.0.0.255
permit ip host 213.94.219.249 host 66.28.244.17
02-06-2007 04:43 AM
Thanks - I'll give it a go with the static route on the 7206. Will let you know later in the day how I get on.
Cheers,
Rob.
02-06-2007 07:40 AM
Hi,
I've applied the static IP address on the 7206 router. I set up debugging on the home router and tried to ping the following address from my desktop, 192.169.176.132. The following is the debugging that came out of this. Before, when I tried this, it didn't produce any output.
Anything from that?
02-06-2007 07:52 AM
Rob
Is that a typo - should the IP address be 192.168.176.132 ?
Anyway, it looks from the debugging like you are now creating an IPsec tunnel. What does the output of "sh crypto ipsec sa" on your router show?
I'm assuming the ping didn't work though. Is that correct ?
Jon
02-06-2007 08:04 AM
Yes - it was a typo. Fat fingers! And correct, I tried the ping but got no response. I did a sh crypto ipsec sa and the result didn't seem different from the one before, but foolishly I didn't take a print of it and I'm now away from the setup. I can do it tonight and send it over then. Anything I can check on the 7206 side?
The ACL on the home router is now:
access-list 160 permit ip 172.17.25.16 0.0.0.15 172.16.0.0 0.0.255.255
access-list 160 permit ip 172.17.25.16 0.0.0.15 172.17.0.0 0.0.255.255
access-list 160 permit ip 172.17.25.16 0.0.0.15 192.168.0.0 0.0.255.255
access-list 160 permit ip 172.17.25.16 0.0.0.15 192.206.209.0 0.0.0.255
dialer-list 1 protocol ip permit
Should I include a line to permit the public IP traffic back? I'm guessing it's covered in the map peers.
02-06-2007 01:21 PM
Hi Jon,
To be honest, I did not read through the whole story, just the beginning and the end, so I am sorry if I say something you already knew.
I have the same scenario but with a 831 SOHO router at the BO and a 1841 at HQ.
What I guess is that the ACL in the crypto map which should initiate tunnel setup does not get hit. You have to configure it so that your remote LAN destination address range gets a match on it. Here is a short excerpt of my config:
!
crypto ipsec transform-set tset esp-3des
!
crypto map cmap 100 ipsec-isakmp
set peer public_ip_of_the_peer
set transform-set tset
match address vpnacl
!
..
!
ip access-list extended vpnacl
permit ip local_subnet remote_subnet
!
When you ping a host in the remote subnet, it will match the ACL which will in turn bring up the tunnel with the remote peer.
And one more thing, if it applies: you will have to set up NAT by using route-maps, otherwise it will not work.
I hope it helps.
Laszlo
02-06-2007 01:30 PM
Hi Laszlo
No problem with joining in, the more the merrier :-).
There was a problem getting the remote router to recognise the interesting traffic but i think we are past that now.
Could you explain what you mean about having to set up NAT or it won't work? I don't think Rob is actually NATting the traffic at all from his home PC.
Jon
02-06-2007 01:31 PM
Hi Laszlo.
It does look like you have a similar setup. Can you give me an example of the NAT to be used?
And is it only to be applied at the HQ router?
02-06-2007 02:18 PM
Hi,
My network setup is:
BO LAN : 10.1.10.0/24 - BO Router(831) -- ADSL -----INet-----LL-HQ Router(1841)--HQ LAN 10.1.1.0/24 and 10.1.18.0/24
This is the relevant config of the BO router:
!
crypto key pubkey-chain rsa
named-key vpn_router_hostname encryption
address HQRouterPublicIP
key-string
xxx
quit
identity profile default
template Virtual-Template1
!
crypto isakmp policy 100
encr 3des
authentication rsa-encr
group 2
crypto isakmp identity hostname
crypto isakmp keepalive 30
!
!
crypto ipsec transform-set tset esp-3des
!
crypto map cmap 100 ipsec-isakmp
set peer HQRouterPublicIP
set transform-set tset
match address vpnacl
!
!
interface Ethernet0
ip address 10.1.10.1 255.255.255.0
ip helper-address 10.1.1.9
ip helper-address 10.1.1.20
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1300
dot1x port-control auto
dot1x reauthentication
dot1x max-req 10
no cdp enable
!
interface Ethernet1
no ip address
no ip unreachables
no ip proxy-arp
duplex auto
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Virtual-Template1
ip unnumbered Loopback0
ip access-group inetonly in
ip access-group inetonly out
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1300
!
interface Dialer1
mtu 1400
ip address negotiated
ip access-group incoming_traffic in
ip access-group outgoing_traffic out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect firewall out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxx
ppp chap password xxx
ppp pap sent-username xxx
ppp ipcp dns request
crypto map cmap
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip nat inside source route-map dontnatlocal interface Dialer1 overload
!
!
ip access-list extended incoming_traffic
permit tcp any host BORouterPublicIP eq 22
permit udp host HQRouterPublicIP host BORouterPublicIP eq isakmp
permit esp host HQRouterPublicIP host BORouterPublicIP
ip access-list extended inetonly
deny ip any 10.0.0.0 0.255.255.255
permit ip any any
ip access-list extended outgoing_traffic
permit udp host BORouterPublicIP host HQRouterPublicIP eq isakmp
permit esp host BORouterPublicIP host HQRouterPublicIP
ip access-list extended vpnacl
permit ip 10.1.10.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip 10.1.10.0 0.0.0.255 10.1.18.0 0.0.0.255
ip access-list extended what_to_nat
deny ip 10.1.10.0 0.0.0.255 10.1.1.0 0.0.0.255
deny ip 10.1.10.0 0.0.0.255 10.1.18.0 0.0.0.255
permit ip 10.1.10.0 0.0.0.255 any
!
dialer-list 1 protocol ip permit
!
route-map dontnatlocal permit 10
match ip address what_to_nat
!
Hope it helps,
Laszlo
02-07-2007 01:21 AM
Thanks Laszlo. I'll be sure to see if I can config mine the same. Do you have the patching config on the HQ router? Is that NATted as well? Interesting stuff. I appreciate it.
02-07-2007 01:43 AM
Hello,
Yes, the HQ router is also NATted; here is its crypto config:
!
ip host BORouterHostName BORouterPublicIP
!
!
crypto key pubkey-chain rsa
named-key BORouterHostName encryption
address BORouterPublicIP
key-string
xxxxxxx
quit
!
!
crypto isakmp policy 80
encr 3des
authentication rsa-encr
group 2
crypto isakmp identity hostname
crypto isakmp keepalive 30
!
crypto ipsec transform-set vpntransform esp-3des
!
crypto map vpnmap 150 ipsec-isakmp
set peer BORouterPublicIP
set transform-set vpntransform
match address vpnacl010
!
!
interface Serial0/0/0
ip address xxx
ip access-group 101 in
ip access-group 102 out
ip nat outside
crypto map vpnmap
!
ip route 0.0.0.0 0.0.0.0 ISP_Gateway_address
ip route 10.1.1.0 255.255.255.0 Internal_Router
ip route 10.1.18.0 255.255.255.0 Internal_Router
!
ip nat inside source route-map what_to_nat interface Serial0/0/0 overload
!
ip access-list extended natlocal
deny ip 10.1.1.0 0.0.0.255 10.1.8.0 0.0.7.255
deny ip 10.1.18.0 0.0.0.255 10.1.8.0 0.0.7.255
permit ip 10.1.1.0 0.0.0.255 any
permit ip 10.1.18.0 0.0.0.255 any
ip access-list extended vpnacl010
permit ip 10.1.1.0 0.0.0.255 10.1.10.0 0.0.0.255
permit ip 10.1.18.0 0.0.0.255 10.1.10.0 0.0.0.255
!
access-list 101 permit udp host BORouterPublicIP host HQRouterPublicIP eq isakmp
access-list 101 permit esp host BORouterPublicIP host HQRouterPublicIP
!
route-map what_to_nat permit 10
match ip address natlocal
!
Regards,
Laszlo
02-07-2007 12:53 AM
Hello,
I could not find one of my posts from yesterday, so I'll try again:
You should not both route specific traffic and mask it with the crypto ACL at the same time. I think this:
ip route 172.17.25.16 255.255.255.240 66.28.244.17 name RobODonohueHomeTest
and
ip access-list extended RODONOHUE_HOME
permit ip host 66.28.244.18 host 213.94.219.249
permit ip 172.16.0.0 0.0.255.255 172.17.25.16 0.0.0.15
permit ip 172.17.0.0 0.0.255.255 172.17.25.16 0.0.0.15
permit ip 192.168.0.0 0.0.255.255 172.17.25.16 0.0.0.15
permit ip 192.206.209.0 0.0.0.255 172.17.25.16 0.0.0.15
deny ip any any log
If you try to ping a host located in the remote subnet 172.17.25.16/28, then this traffic gets routed instead of being put into the tunnel, because the router first checks the routing table. Look at this article: http://www.cisco.com/warp/public/556/5.html
Laszlo
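An added example, not from this thread or from any of the posters: a small Python evaluator for Cisco-style wildcard-mask ACL entries that answers the two checks the discussion turns on, whether a given source/destination pair hits the crypto ACL (or Laszlo's NAT-exemption ACL) at all, and whether the two peers' crypto ACLs are mirror images of each other. The ACL text is constructed from entries posted above (trimmed to a few lines); the parser only understands `permit|deny ip` entries.

```python
import ipaddress

# ACL text constructed from the thread's own config excerpts (trimmed).
MAIN_CRYPTO_ACL = """
permit ip host 66.28.244.18 host 213.94.219.249
permit ip 172.16.0.0 0.0.255.255 172.17.25.16 0.0.0.15
permit ip 172.17.0.0 0.0.255.255 172.17.25.16 0.0.0.15
"""
HOME_CRYPTO_ACL = """
permit ip host 213.94.219.249 host 66.28.244.18
permit ip 172.17.25.16 0.0.0.15 172.16.0.0 0.0.255.255
permit ip 172.17.25.16 0.0.0.15 172.17.0.0 0.0.255.255
permit ip host 213.94.219.249 host 66.28.244.17
"""
NAT_EXEMPT_ACL = """
deny ip 10.1.10.0 0.0.0.255 10.1.1.0 0.0.0.255
deny ip 10.1.10.0 0.0.0.255 10.1.18.0 0.0.0.255
permit ip 10.1.10.0 0.0.0.255 any
"""

def _addr(tok, i):
    """Parse 'any', 'host X' or 'X WILDCARD' at tok[i] into (network, mask) ints."""
    if tok[i] == "any":
        return (0, 0), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0xFFFFFFFF), i + 2
    mask = ~int(ipaddress.IPv4Address(tok[i + 1])) & 0xFFFFFFFF  # wildcard -> mask
    return (int(ipaddress.IPv4Address(tok[i])) & mask, mask), i + 2

def parse_acl(text):
    """Return [(action, src, dst)] for every 'permit|deny ip SRC DST' line."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:2] in (["permit", "ip"], ["deny", "ip"]):
            src, i = _addr(tok, 2)
            dst, _ = _addr(tok, i)
            rules.append((tok[0], src, dst))
    return rules

def acl_action(rules, src, dst):
    """First matching entry wins; IOS appends an implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, (sn, sm), (dn, dm) in rules:
        if s & sm == sn and d & dm == dn:
            return action
    return "deny"

def mirror_mismatch(local, remote):
    """Permit entries that have no src/dst-swapped twin on the other peer."""
    l = {(s, d) for a, s, d in local if a == "permit"}
    r = {(d, s) for a, s, d in remote if a == "permit"}
    return l ^ r
```

An empty set from `mirror_mismatch` means the crypto ACLs are true mirrors; for the NAT-exemption ACL, "deny" means the traffic is left un-translated and can match the crypto ACL.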