01-17-2013 07:11 AM - edited 03-07-2019 11:08 AM
Have something strange happening. Have a VLAN, we will call this subnet 1 VLAN1. Have a remote network that a device on subnet 1 needs to get to.
The device on subnet 1 is a NAT'd VPN box. On one side is a private network, we will say 192.168.x.x. So the public side of the NAT'd VPN box has an IP address on VLAN1 Subnet 1. It tunnels the traffic to the remote network via EIGRP published routes. Let's call the remote network 10.1.1.0/24.
So on the port that the NAT'd VPN box plugs into on VLAN1 Subnet 1 (the entire switch is configured at VLAN1 Subnet1, which has a trunk port to a Layer 3 switch that handles the routing) I add an extended IP ACL that allows the static IP address assigned to the NAT'd VPN box to ping the far side VPN box on the 10.1.1.0/24 network and allow any packet it sends to go there also (so host VLAN1 IP address host remote network IP address ANY).
Inherent block on all other traffic.
The issue is the VPN tunnel between the VLAN1 box and the 10.1.1.0 network VPN box comes up for about 20 seconds, then dies. I remove the ACL and it works fine. I put it back on, same 20 seconds, then dies.
So, in the ACL I put a permit from host VLAN 1 IP address (the NATd VPN box) to host IP address of VLAN1 default gateway ANY and the tunnel comes up for good, no issues.
The funny thing is, that the original setup was up and working for days, then decided to stop and nothing was changed. I had to add the default gateway of the VLAN1 IP to the ACL to get it working again and it has been up for a few days.
Does not make sense to me, so any insight? I don't know why, as the ARP for the remote IP address would return the layer 2 MAC of the default gateway, which is layer 2, and the ACL should not affect this traffic. Can't see it being a proxy ARP issue either.
Any insight??
So bottom line, does the default gateway need to be allowed in an ACL or the clients on the subnet can't route out???
Thanks
Gene
01-17-2013 07:18 AM
Hello Gene,
Could you post the topology for this and, if applicable, some config.
res
Paul.
01-17-2013 09:03 AM
Sure, give me some time to collect...appreciate the reply!!!!
01-17-2013 12:12 PM
In the accompanying picture some of the VLANs/subnets changed from the previous post, so I will restate. The laptop connects to WiFi, which is on the private side of the VPN device. This traffic is tunneled via the VPN device on the 10.x network to go to the VPN Concentrator (10.1.3.1), which then dumps the traffic on the ISP network so they can get to the Internet. This is a simplified diagram.
I set up an Extended ACL on port 24 of the L2 switch that looked like this:
Extended IP access list WIFI_FILTER
10 permit icmp any host 10.1.3.1
20 permit ip host 10.1.1.1 host 10.1.3.1
30 permit ip host 10.1.3.1 host 10.1.1.1
40 deny ip any any (14 matches)
on port 24 it has this:
ip access-group WIFI_FILTER in
I figured line 30 in the ACL is useless but put it in anyway, as the ACL only works on traffic IN for the port.
As I stated, this worked and the laptop got to the Internet for weeks, then it stopped. I took the ACL off, and it worked fine. When I turned the ACL on again, it works for about 20 seconds, then stops.
I then added to the extended acl:
35 permit ip host 10.1.1.1 host 10.1.1.254
and it started working again with no issues. Don't understand why?
Do you always need to add the gateway address to the ACL?
Is it because I defined my acl on the port that is L2 and I should move the ACL to the L3 switch trunk port or add it to the L3 Vlan on the L3 switch?
I am trying to make sure that the 192.168.1.x traffic that is encapsulated in the VPN device and tunneled to the VPN concentrator will ONLY go there and nowhere else on the internal network. So traffic coming from 10.1.1.1 will only be allowed to go to 10.1.3.1 and vice versa.
Thanks
Gene
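The post above shows an extended ACL being changed by trial and error on a production port. A safer habit is to dry-run the ACL against the flows you expect before applying it. The following is an added example, not part of this thread and not a Cisco tool: a small first-match evaluator for the IOS extended ACL syntax used above (permit/deny, ip or a named protocol, `any`, `host A.B.C.D`, and address/wildcard pairs) with the implicit deny every IOS ACL ends with. The packets it checks are constructed for the example; in particular the assumption that the VPN device sends some IP traffic directly to the gateway address 10.1.1.254 is mine, since the thread never identifies what that traffic is. It does show that such a packet falls through to line 40 under WIFI_FILTER and is only caught by the added line 35.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str  # "icmp", "tcp", "udp", "esp", ...
    src: str
    dst: str


@dataclass
class AclEntry:
    seq: int
    action: str  # "permit" or "deny"
    proto: str   # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse one IOS address spec at tokens[i]: 'any', 'host A.B.C.D',
    or 'A.B.C.D WILDCARD'. Returns (network, index of next token)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are the bitwise inverse of a subnet mask
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False), i + 2


def parse_acl(text):
    """Parse 'show ip access-lists' style output into entries sorted by
    sequence number, the order IOS evaluates them in. Header lines and
    trailing '(N matches)' counters are ignored."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[1] not in ("permit", "deny"):
            continue
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        src, i = _parse_addr(tokens, 3)
        dst, _ = _parse_addr(tokens, i)
        entries.append(AclEntry(seq, action, proto, src, dst))
    return sorted(entries, key=lambda e: e.seq)


def decide(acl_text, pkt):
    """First-match evaluation. Returns (action, seq); seq is None when the
    packet hits the implicit 'deny ip any any' at the end of the list."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for e in parse_acl(acl_text):
        if e.proto in ("ip", pkt.proto) and src in e.src and dst in e.dst:
            return e.action, e.seq
    return "deny", None


# ACL as shown in the post (line 40's match counter included on purpose)
ORIGINAL_ACL = """
Extended IP access list WIFI_FILTER
10 permit icmp any host 10.1.3.1
20 permit ip host 10.1.1.1 host 10.1.3.1
30 permit ip host 10.1.3.1 host 10.1.1.1
40 deny ip any any (14 matches)
"""

# Same ACL with the gateway permit the poster added
AMENDED_ACL = ORIGINAL_ACL.replace(
    "40 deny", "35 permit ip host 10.1.1.1 host 10.1.1.254\n40 deny")

# Constructed flows: tunnel traffic to the concentrator, a hypothetical
# probe from the VPN device to its gateway, and a stray internal flow.
SAMPLE_FLOWS = [
    Packet("udp", "10.1.1.1", "10.1.3.1"),     # VPN device -> concentrator
    Packet("icmp", "10.1.1.1", "10.1.1.254"),  # VPN device -> gateway (assumed)
    Packet("udp", "10.1.1.1", "10.1.2.50"),    # VPN device -> other internal host
]


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("amended", AMENDED_ACL)):
        for pkt in SAMPLE_FLOWS:
            action, seq = decide(acl, pkt)
            print(f"{name:8} {pkt.proto:4} {pkt.src} -> {pkt.dst}: {action} (line {seq})")
```

The evaluator only models protocol, source and destination, which is all WIFI_FILTER uses; port operators, `established` and ICMP type matching would need extra parsing. The point for a reviewer of the thread is the third flow: the amended ACL still denies the VPN device talking to anything other than the concentrator and its own gateway, so adding line 35 does not loosen the original intent.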
02-28-2013 01:35 PM
Posted Topology as requested.....
01-22-2013 06:05 AM
Posted topology as you requested.
Thanks
Gene