05-25-2011 08:54 AM - edited 03-07-2019 12:40 AM
I have a site-to-site IPsec VPN tunnel established to a client for transferring files for our billing services. Within the ACL that I am applying to the crypto map, I do not have HTTP traffic allowed; however, HTTP/HTTPS is allowed on my firewall, obviously. We are unable to access one of the company's sites, and I am thinking this is the problem. We have another external backup ISP connection that is outside our firewall, and I can access the site fine from there. Can anyone shed some light on this and tell me if this could be the issue? Since we have a tunnel connection to them, do I need to specify this allowed traffic to their website? This just doesn't make sense to me.
Please let me know if you need any additional details, etc.
Mike
05-25-2011 09:12 AM
mmcwethy1 wrote:
Within the ACL that I am applying to the crypto map, I do not have HTTP traffic allowed; however, HTTP/HTTPS is allowed on my firewall obviously. We are unable to access one of the company's sites, and I am thinking this is the problem.
I'm not sure I follow you here. Your crypto map does not allow HTTP over the tunnel, but HTTP/HTTPS is allowed by the firewall? Are you saying that HTTP/HTTPS is allowed outbound through the firewall (non-tunneled), but you cannot access an external website even though as previously stated you have configured access?
Just want to make sure I understand your issue.
05-25-2011 09:34 AM
Yes, HTTP/HTTPS is allowed outbound on the firewall, but it is not allowed on the tunnel for this client, or on any of my other client VPN tunnels for that matter. I cannot access this particular company's website. When I do a Wireshark capture, I see my SYN packets going out, but I never see a SYN-ACK. I THINK it is being blocked by my firewall, but I am not sure why. Is the fact that we have a VPN tunnel to this client the problem, since I don't have HTTP/HTTPS traffic allowed for their tunnel? I can access their website from my home computer, for example, so the problem is definitely not their site.
05-25-2011 09:42 AM
You may need to implement split tunneling.
For more info
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml#s2
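The thread turns on how the crypto-map ACL decides which flows are encrypted and which leave in the clear. The following is an added example, not code from this thread or from Cisco: a small Python model of that decision, assuming ASA-style netmask syntax (not IOS wildcard masks) and first-match semantics, where a flow that matches a permit entry in the crypto ACL is sent through the IPsec tunnel and anything else goes out unencrypted and is then subject only to the interface ACL and NAT. All addresses, the two ACL variants, and the flow names are made up for illustration.

```python
"""Model of a Cisco crypto-map ACL: which flows get tunnelled, which go clear.

Added example for this thread (not the poster's or Cisco's code). Assumes
ASA-style 'permit <proto> <src> <mask> <dst> <mask> [eq <port>]' entries and
first-match semantics. All addresses and ACL contents are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Ace:
    proto: str                      # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None  # None means any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dst_port: int


def parse_ace(line: str) -> Ace:
    """Parse one ASA-style crypto ACL entry (netmask, not wildcard, syntax)."""
    tok = line.split()
    if tok[0] != "permit":
        raise ValueError("crypto ACLs only act on permit entries: " + line)
    src = ipaddress.IPv4Network(f"{tok[2]}/{tok[3]}")
    dst = ipaddress.IPv4Network(f"{tok[4]}/{tok[5]}")
    port = int(tok[7]) if len(tok) >= 8 and tok[6] == "eq" else None
    return Ace(tok[1], src, dst, port)


def parse_acl(lines: List[str]) -> List[Ace]:
    return [parse_ace(line) for line in lines]


def ace_matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if flow.src not in ace.src or flow.dst not in ace.dst:
        return False
    return ace.dst_port is None or ace.dst_port == flow.dst_port


def classify(acl: List[Ace], flow: Flow) -> str:
    """'tunnel' if any entry matches (traffic is encrypted), else 'clear'."""
    return "tunnel" if any(ace_matches(a, flow) for a in acl) else "clear"


# Constructed scenario: our LAN is 10.10.0.0/16, the client's VPN-reachable
# range is 203.0.113.0/24 and their SFTP file server is 203.0.113.10.
LAN_HOST = ipaddress.IPv4Address("10.10.5.25")

# Variant A: the tunnel carries only SFTP to the client range (port-restricted).
PORT_RESTRICTED_ACL = [
    "permit tcp 10.10.0.0 255.255.0.0 203.0.113.0 255.255.255.0 eq 22",
]
# Variant B: the tunnel carries all IP traffic to the client range.
ANY_IP_ACL = [
    "permit ip 10.10.0.0 255.255.0.0 203.0.113.0 255.255.255.0",
]

SFTP_FLOW = Flow("tcp", LAN_HOST, ipaddress.IPv4Address("203.0.113.10"), 22)
# A public web server that happens to sit inside the tunnelled range ...
HTTPS_IN_RANGE = Flow("tcp", LAN_HOST, ipaddress.IPv4Address("203.0.113.80"), 443)
# ... and one that does not.
HTTPS_ELSEWHERE = Flow("tcp", LAN_HOST, ipaddress.IPv4Address("198.51.100.5"), 443)


def run_scenario() -> Dict[str, Dict[str, str]]:
    """Classify each constructed flow under both ACL variants."""
    acls = {"port_restricted": parse_acl(PORT_RESTRICTED_ACL),
            "any_ip": parse_acl(ANY_IP_ACL)}
    flows = {"sftp": SFTP_FLOW,
             "https_in_range": HTTPS_IN_RANGE,
             "https_elsewhere": HTTPS_ELSEWHERE}
    return {fname: {aname: classify(acl, flow) for aname, acl in acls.items()}
            for fname, flow in flows.items()}


if __name__ == "__main__":
    for fname, result in run_scenario().items():
        print(f"{fname:16s} {result}")
```

The useful observation from the model is that a port-restricted crypto ACL sends an HTTPS SYN to an address inside the peer's range out in the clear, while an any-IP entry would encrypt it; in either case the peer's crypto ACL has to mirror the local one, or the return SYN-ACK takes a different path than the SYN and never arrives. Checking where the web server's public address falls relative to the tunnelled range, and comparing the two sides' crypto ACLs, is the first thing to verify before looking at the interface ACL.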